Detecting Residential Proxies & Stopping Trial Abuse
VPNs are easy to spot. They come from datacenters (AWS, DigitalOcean, M247). But Residential Proxies are the nightmare of modern fraud prevention.
These IPs belong to real people—Comcast subscribers, mobile phones, home wifi—whose devices have been compromised or rented out as part of a botnet. When a fraudster routes traffic through them, they look exactly like your legitimate customers.
This is how "Trial Abuse" happens. A single user creates 50 accounts to exploit your free tier, appearing to come from 50 different "clean" home IPs.
The Proxy Rotation Attack
You can't just block the IP, because tomorrow that IP will belong to a real grandma in Ohio. You can't block the ISP, because it's Verizon. So how do you stop it?
Detection Strategy: Behavior over Identity
Since the IPs look real, CandycornDB relies on subtle behavioral markers that residential proxies inadvertently leak.
- TCP/IP Fingerprinting: An IP that presents as a Windows PC but sends packets that look like a Linux server's is a red flag.
- Open Ports: Residential devices shouldn't have proxy ports (8080, 1080, 3128) open to the public internet. If we can connect to a proxy port on a "home" IP, it's a compromised device.
- Subnet Velocity: If 5 different "residential" IPs from the same /24 subnet hit your signup page in 10 minutes, that's unnatural. It's a rotation attack.
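The subnet-velocity rule above as a sliding-window check over signup hits. This is an added example, not CandycornDB's code: the class and function names are hypothetical, the sample hits are constructed, and only IPv4 is handled.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 10 * 60   # "10 minutes" from the text
DISTINCT_IP_THRESHOLD = 5  # "5 different IPs" from the text
PREFIX_LEN = 24            # "/24 subnet" from the text


class SubnetVelocity:
    """Sliding-window count of distinct signup IPs per IPv4 /24 (hypothetical helper)."""

    def __init__(self, window=WINDOW_SECONDS, threshold=DISTINCT_IP_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._events = defaultdict(deque)  # subnet -> deque of (ts, address)

    def observe(self, ip, ts):
        """Record one signup hit; return True if its /24 is at or over threshold."""
        addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
        subnet = ipaddress.ip_network(f"{addr}/{PREFIX_LEN}", strict=False)
        events = self._events[subnet]
        events.append((ts, addr))
        # Drop hits that have aged out of the window.
        while events and ts - events[0][0] > self.window:
            events.popleft()
        # Count distinct addresses, so one IP retrying does not trip the rule.
        return len({a for _, a in events}) >= self.threshold


def flag_signups(hits):
    """Return the (ts, ip) hits that tripped the velocity rule, in time order."""
    tracker = SubnetVelocity()
    return [(ts, ip) for ts, ip in sorted(hits) if tracker.observe(ip, ts)]


# Constructed sample data: documentation ranges, timestamps in seconds.
SAMPLE_HITS = [
    (0, "203.0.113.10"), (60, "203.0.113.44"), (120, "203.0.113.10"),
    (200, "198.51.100.7"), (300, "203.0.113.91"), (420, "203.0.113.150"),
    (540, "203.0.113.201"),   # 5th distinct IP in 203.0.113.0/24 within 10 min
    (2000, "203.0.113.202"),  # same /24, but the earlier hits have aged out
]

if __name__ == "__main__":
    for ts, ip in flag_signups(SAMPLE_HITS):
        print(f"t={ts}s {ip}: subnet velocity exceeded, treat signup as high risk")
```

A flagged hit is a signal to feed into the risk decision, not a reason to block the address outright.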
The Solution for Trial Abuse
Don't auto-ban. Instead, when you detect a high risk_score on a residential IP, disable the "Free Trial" button or require a credit card upfront. This kills the ROI for the attacker without blocking potential real customers.
Start Scoring Proxy Risk Smarter
You don’t have to choose between blocking fraud and hurting conversion rates. By detecting the underlying proxy infrastructure, you can stop the bots while keeping the door open for real humans.