Should you allow proxypots?

If you run a decent ISP, you have a policy that forbids open proxies. You might wonder whether it's a good idea to extend that policy to also forbid open proxy honeypots. Here's a list of the pros and cons of having proxypots on your network.


  1. Proxypots are good for the Internet as a whole - they stop spam and expose spammers.
  2. If your network is known to be populated with honeypots, bad guys might decide to avoid it, for fear of getting caught. This means less trouble for you.


  1. If you scan your own users for open proxies, you will have to do a more thorough scan to distinguish proxypots from genuine open proxies. A superficial scan will be fooled.
  2. Outsiders who scan your network may be fooled too, and you could be publicly criticized for running an insecure network. It could be difficult to effectively counter such criticism without publicizing the locations of the proxypots, which will make them much less effective.
  3. If a proxypot contacts a server run by a highly sensitive administrator, you will have to deal with accusations that your user attacked the server. You can respond to that by pointing them to the Server admin information page, or avoid the situation by requiring your users to configure their proxypots in a way that does not generate any outgoing traffic.
  4. People who maintain public and private blacklists of open proxies may list your user's IP address. This is not normally a problem for you because your user has chosen this path for himself, and he is the one affected by the blacklisting. But if you reassign the IP address to a different user, the new user may find himself banned from some servers.
  5. If you have a lot of proxypots on your network, or a few proxypots that have been up for a long time, aggressive blacklist maintainers may think that you are an irresponsible ISP and list your entire network. Please refer blacklist maintainers to the Blacklist information page.