We Tested 25 Proxy IPs Against 10 Detection Services — What a Real "Proxy IP Test" Shows in 2025
When your infrastructure team runs a proxy IP test against IPQualityScore, MaxMind, and Cloudflare, the same residential proxy can receive a fraud score of 24 from one service, 75 from another, and pass completely undetected through a third. This isn't a bug—it's how modern proxy detection works.
Independent testing of 25 residential proxies against leading detection services revealed that even the best-performing tool (IPQualityScore) detected only 24% of proxies, while MaxMind detected 0%. This 76% detection gap represents billions in potential fraud exposure for enterprises relying solely on IP reputation checks.
This article provides the technical framework, reproducible methodologies, and executable code for conducting meaningful proxy IP tests that predict real-world behavior rather than generating false confidence.
How Proxy IP Detection Actually Works
Modern proxy detection combines multiple signals into probabilistic risk assessments rather than binary flags.
Core Detection Signals
IP Reputation and Classification
Detection services maintain databases categorizing IPs by network type: datacenter ranges, VPN providers, Tor exits, and residential proxy networks. MaxMind's minFraud provides an Anonymous IP flag identifying hosting providers and known VPNs. However, residential proxies route through legitimate ISP-assigned addresses from real devices, making them indistinguishable from normal consumer traffic at the network layer.
ASN and ISP Analysis
Autonomous System Number (ASN) analysis identifies the organization controlling an IP block. Datacenter proxies originate from hosting ASNs (AWS, DigitalOcean), while residential proxies map to consumer ISPs (Comcast, AT&T). Testing revealed contamination—one provider's "residential" pool contained 12% IPs from hosting ASNs.
TLS Fingerprinting (JA3/JA4)
TLS handshakes reveal SSL/TLS implementation through the ClientHello message. JA3 creates a hash from cipher suites, extensions, and curves, distinguishing browsers from automation tools. Cloudflare uses JA3/JA4 fingerprinting as core detection. JA4 evolved after Google implemented TLS extension randomization in Chromium, being resistant to extension order changes and including ALPN data.
HTTP Header Anomalies
Legitimate browsers send predictable header combinations. Proxy tools often generate technically valid but behaviorally suspicious headers: User-Agent inconsistent with Accept-Language, missing standard headers, non-standard ordering, TCP window sizes mismatched to declared OS.
Behavioral Scoring
Services like SEON and Fingerprint.com analyze interaction patterns: keystroke dynamics, mouse movement naturalness, navigation depth, session consistency across IP changes and timezone shifts.
Detection Workflow Diagrams
Cloudflare Bot Management Pipeline
┌─────────────────┐ │ Incoming Request│ └────────┬────────┘ ▼ ┌─────────────────────┐ │ TLS Handshake │ └─────────┬───────────┘ ▼ ┌────────────────────────┐ │ JA3/JA4 Generation │ └───────────┬────────────┘ ▼ ┌───────────────────────────┐ │ Bot Score (1-99) │ │ ML models + heuristics │ └──────────┬────────────────┘ ▼ ┌──────────────────────────┐ │ Detection IDs & Labels │ └─────────┬────────────────┘ ▼ ┌────┴─────┐ ▼ ▼ ┌───────┐ ┌──────────┐ ┌───────┐ │ Allow │ │Challenge │ │ Block │ └───────┘ └──────────┘ └───────┘
Cloudflare's bot score ranges 1-99, where lower scores indicate higher bot likelihood. Scores below 30 indicate automated traffic.
AWS WAF Bot Control Flow
┌──────────────────┐ │ Incoming Request │ └────────┬─────────┘ ▼ ┌─────────────────────────────┐ │ Common Detection │ │ Static analysis + patterns │ └───────────┬─────────────────┘ ▼ ┌─────────────────────────────┐ │ Targeted Detection │ │ Browser interrogation + ML │ └───────────┬─────────────────┘ ▼ ┌─────────────────────────────┐ │ Label Assignment │ │ bot:category:*, verified │ └───────────┬─────────────────┘ ▼ ┌──────┴────────┐ ▼ ▼ ┌─────────┐ ┌──────────────┐ │ Allow │ │ Block/CAPTCHA│ └─────────┘ └──────────────┘
AWS Bot Control provides Common level (static analysis) and Targeted level (browser interrogation + TGT_ML anomaly detection).
Why Detection Results Vary
The 76% detection gap stems from fundamental differences:
Data Source Divergence: IPQualityScore operates proprietary honeypots generating real-time intelligence. MaxMind's minFraud relies on ML models trained on transaction data rather than network-level proxy detection. IP2Proxy maintains daily-updated databases from crawled proxy lists.
Update Frequency: New residential proxy networks launch infrastructure hourly. Static databases publishing daily/weekly updates remain perpetually behind. Services using real-time behavioral analysis adapt faster but require JavaScript execution.
Detection Philosophy: Conservative detectors (MaxMind) prioritize avoiding false positives—critical when false declines cost 13x more than fraud losses. Aggressive detectors (IPQualityScore strictness 3) maximize detection accepting higher false positive rates.
Residential Proxy Architecture: Modern residential proxies use Carrier-Grade NAT (CGNAT), where carriers share single public IPs across hundreds of users. Blocking a suspicious IP behind CGNAT blocks all legitimate users sharing that address.
Tool Comparison — What Different Detection Services Actually See
| Service | Primary Signals | Strength | Known Limitations | False Positive Risk |
|---|---|---|---|---|
| IPQualityScore | Proprietary honeypots, fraud scoring, velocity analysis | Residential proxy detection (claimed 99.95%, real-world 24%) | High FP at strictness 2+ | Strictness 2+: HIGH<br>0-1: LOW |
| MaxMind minFraud | ML on transaction data, geolocation, Anonymous IP flag | Overall fraud prediction (7x better than IP flag alone) | Anonymous IP detected 0% residential proxies | LOW |
| Cloudflare Bot Mgmt | JA3/JA4 TLS fingerprinting, bot score | TLS client identification, automation detection | Requires TLS connection | MODERATE |
| AWS WAF Bot Control | Browser interrogation, TGT_ML anomaly detection | Behavioral analysis, traffic patterns | Requires AWS infrastructure | MODERATE |
| Fingerprint.com | 100+ browser signals, device fingerprinting | Device intelligence, Selenium/Puppeteer detection | Requires JavaScript agent | MODERATE |
| Scamalytics | ML, behavioral patterns, shared blacklists | Dating/social platform specialization | Limited public methodology | MODERATE |
| IP2Proxy | Static database of proxy addresses | Simple integration, 12 package levels | New proxies undetected until update | LOW |
| SEON | Email/phone/social lookup, device fingerprinting | Multi-signal approach | Requires multiple data points | MODERATE |
Key Insights: Static IP blocklists struggle against residential proxies where underlying addresses legitimately belong to consumer ISPs. Tools incorporating behavioral analysis achieve better detection by analyzing how requests happen rather than where they originate. CGNAT remains inadequately addressed by all services.
A Practical, Reproducible "Proxy IP Test" Workflow
Pre-Test Preparation Checklist
Define Test Objectives
□ Proxy quality assessment for web scraping
□ Anti-fraud validation and false positive calibration
□ Vendor evaluation for proxy IP service procurement
□ Security posture testing against residential proxy threats
Select Representative Sample
□ Minimum 20-50 IPs per proxy type (residential, datacenter, mobile)
□ Geographic diversity: 3+ regions
□ ASN diversity: >200 ASNs for residential proxies
□ Protocol coverage: HTTP, HTTPS, SOCKS5
Identify Target Detection Services
□ IP reputation: IPQualityScore, MaxMind, IP2Proxy
□ Behavioral: Fingerprint.com, SEON, AWS Bot Control
□ TLS-based: Cloudflare Bot Management
Core Testing Methodology
Phase 1: Connectivity Validation
Test: Basic Connectivity Method: curl -x http://proxy:port https://api.ipify.org?format=json Success: Returns proxy's exit IP within 10 seconds Test: Authentication Method: curl -x http://username:password@proxy:port https://api.ipify.org Success: No 407 Proxy Authentication Required
Phase 2: IP Reputation and Classification
For each proxy IP: 1. Query IPQualityScore (strictness 0, 1, 2) Record: fraud_score, proxy, vpn, tor, recent_abuse 2. Query MaxMind minFraud Record: risk_score, ip_risk_score, anonymizer 3. Query IP2Proxy database Record: proxy_type (VPN/TOR/DCH/RES) 4. Check Spamhaus, AbuseIPDB 5. ASN lookup Validate: Residential = consumer ISP ASNs
Phase 3: Real-World Target Testing
Platform Test Matrix: - Amazon: 99% success rate benchmark for residential - Google Search: Aggressive automated query detection - Instagram: 1 proxy per account, 10-14 day warm-up - Target Application: Your specific use case Measure: 1. Success rate (% requests returning expected response) 2. Latency (median, p95, p99) 3. Failure modes (blocks, CAPTCHAs, rate limits) 4. Session stability
Phase 4: Performance Benchmarking
Latency: Target 600-1100ms RTT, 450-800ms TTFB for residential Throughput: 12-50 Mbps download by region Stability: Session duration before rotation/failure
Phase 5: False Positive Analysis
Test High-Risk Scenarios: 1. Corporate proxy: Should NOT flag as high-risk 2. University networks: Should NOT trigger velocity alerts 3. Hotel/airport WiFi: Allow with appropriate settings 4. VPN detection: Flag but risk-appropriate to use case 5. Mobile CGNAT: Should not assume single-user behavior
Decision Framework
IPQualityScore Interpretation
| Fraud Score | Proxy Flag | Interpretation | Action |
|---|---|---|---|
| <75 | False | Low risk | Allow |
| 75-84 | True | Medium risk | Challenge or context-dependent |
| 85-89 | True | High risk | Strong challenge (MFA) |
| ≥90 | True | Very high risk | Block |
Special cases:
allow_public_access_points=true: Reduces scoring for hotels, universitieslighter_penalties=true: For mixed-quality IPs
MaxMind Risk Score
0.01-20: Low risk → Standard processing 20-50: Medium risk → Enhanced verification 50-75: Elevated risk → Strong authentication 75-90: High risk → Manual review 90-99: Very high risk → Block
MaxMind's overall risk score is 7x better than Anonymous IP flag alone. Using only the anonymizer flag wastes the multi-signal intelligence.
Cloudflare Bot Scores (inverted scale)
1-29: Likely automated → Block or challenge 30-60: Suspicious → Challenge (CAPTCHA) 61-99: Likely human → Allow
Executable Examples — Run Your Own Proxy IP Tests
Python: Comprehensive Testing Script
import requests
import time
import json
class ProxyTester:
def __init__(self, proxy_url: str, auth: tuple = None):
if auth:
username, password = auth
self.proxies = {
'http': f'http://{username}:{password}@{proxy_url}',
'https': f'http://{username}:{password}@{proxy_url}'
}
else:
self.proxies = {'http': f'http://{proxy_url}', 'https': f'http://{proxy_url}'}
self.timeout = 10
self.results = {}
def test_connectivity(self):
print("[1/4] Testing connectivity...")
try:
start = time.time()
response = requests.get('https://api.ipify.org?format=json',
proxies=self.proxies, timeout=self.timeout)
latency = time.time() - start
if response.status_code == 200:
exit_ip = response.json()['ip']
self.results['connectivity'] = {
'status': 'success', 'exit_ip': exit_ip,
'latency_seconds': round(latency, 3)
}
print(f"✓ Connected via {exit_ip} ({latency:.3f}s)")
return self.results['connectivity']
else:
raise Exception(f"Status {response.status_code}")
except requests.exceptions.ProxyError as e:
self.results['connectivity'] = {'status': 'failed', 'error': 'Proxy connection refused'}
print(f"✗ Proxy connection failed")
return self.results['connectivity']
except requests.exceptions.Timeout:
self.results['connectivity'] = {'status': 'failed', 'error': 'Connection timeout'}
print(f"✗ Connection timeout")
return self.results['connectivity']
def test_ipqs_detection(self, api_key: str, strictness: int = 1):
print(f"[2/4] Testing IPQualityScore (strictness {strictness})...")
if 'connectivity' not in self.results or self.results['connectivity']['status'] != 'success':
return {'status': 'skipped'}
exit_ip = self.results['connectivity']['exit_ip']
try:
url = f"https://ipqualityscore.com/api/json/ip/{api_key}/{exit_ip}"
params = {'strictness': strictness, 'allow_public_access_points': 'true'}
response = requests.get(url, params=params, timeout=10)
if response.status_code == 200:
data = response.json()
self.results['ipqs'] = {
'fraud_score': data.get('fraud_score'),
'proxy': data.get('proxy'), 'vpn': data.get('vpn'),
'connection_type': data.get('connection_type')
}
print(f"✓ Fraud Score: {data.get('fraud_score')}, Proxy: {data.get('proxy')}")
return self.results['ipqs']
except Exception as e:
self.results['ipqs'] = {'status': 'error', 'error': str(e)}
return self.results['ipqs']
def test_performance(self, test_url: str = 'https://httpbin.org/get'):
print("[3/4] Testing performance...")
if 'connectivity' not in self.results or self.results['connectivity']['status'] != 'success':
return {'status': 'skipped'}
latencies = []
success_count = 0
for i in range(5):
try:
start = time.time()
response = requests.get(test_url, proxies=self.proxies, timeout=self.timeout)
if response.status_code == 200:
latencies.append(time.time() - start)
success_count += 1
except:
pass
if latencies:
self.results['performance'] = {
'success_rate': f"{(success_count/5)*100:.1f}%",
'median_latency': round(sorted(latencies)[len(latencies)//2], 3)
}
print(f"✓ Success: {(success_count/5)*100:.1f}%, Median: {self.results['performance']['median_latency']}s")
return self.results.get('performance', {'status': 'failed'})
def test_target_platform(self, target_url: str):
print(f"[4/4] Testing target: {target_url}")
if 'connectivity' not in self.results or self.results['connectivity']['status'] != 'success':
return {'status': 'skipped'}
try:
start = time.time()
response = requests.get(target_url, proxies=self.proxies, timeout=self.timeout,
headers={'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'})
latency = time.time() - start
blocked = any(['captcha' in response.text.lower(), response.status_code in [403, 429]])
self.results['target_test'] = {
'status_code': response.status_code,
'latency_seconds': round(latency, 3),
'likely_blocked': blocked
}
print(f"✓ Status {response.status_code}, {latency:.3f}s")
return self.results['target_test']
except Exception as e:
self.results['target_test'] = {'status': 'failed', 'error': str(e)}
return self.results['target_test']
# Usage
tester = ProxyTester("proxy.example.com:8080", auth=("username", "password"))
tester.test_connectivity()
tester.test_ipqs_detection("your_api_key", strictness=1)
tester.test_performance()
tester.test_target_platform("https://www.amazon.com")
print(json.dumps(tester.results, indent=2))Node.js: Bulk Testing Script
const axios = require('axios');
class ProxyTester {
constructor(proxyConfig) {
this.proxy = {host: proxyConfig.host, port: proxyConfig.port, auth: proxyConfig.auth};
this.timeout = 10000;
this.results = {};
}
async testConnectivity() {
try {
const start = performance.now();
const response = await axios.get('https://api.ipify.org?format=json',
{proxy: this.proxy, timeout: this.timeout});
const latency = ((performance.now() - start) / 1000).toFixed(3);
this.results.connectivity = {
status: 'success', exit_ip: response.data.ip, latency_seconds: parseFloat(latency)
};
console.log(`✓ Connected via ${response.data.ip} (${latency}s)`);
} catch (error) {
this.results.connectivity = {status: 'failed', error: error.message};
console.log('✗ Connection failed');
}
return this.results.connectivity;
}
async testPerformance(testUrl = 'https://httpbin.org/get', iterations = 5) {
if (!this.results.connectivity || this.results.connectivity.status !== 'success') {
return {status: 'skipped'};
}
const latencies = [];
for (let i = 0; i < iterations; i++) {
try {
const start = performance.now();
await axios.get(testUrl, {proxy: this.proxy, timeout: this.timeout});
latencies.push((performance.now() - start) / 1000);
} catch {}
}
if (latencies.length > 0) {
latencies.sort((a, b) => a - b);
this.results.performance = {
success_rate: `${(latencies.length/iterations*100).toFixed(1)}%`,
median_latency: latencies[Math.floor(latencies.length/2)].toFixed(3)
};
console.log(`✓ Success: ${this.results.performance.success_rate}`);
}
return this.results.performance;
}
}
// Bulk testing
async function testProxyList(proxyList, targetUrl) {
const reports = [];
for (const proxyConfig of proxyList) {
const tester = new ProxyTester(proxyConfig);
await tester.testConnectivity();
await tester.testPerformance();
reports.push(tester.results);
}
return reports;
}Bash: Quick Command-Line Testing
#!/bin/bash
PROXY_URL="http://user:pass@proxy.example.com:8080"
echo "[1/3] Testing connectivity..."
curl -x "$PROXY_URL" -s https://api.ipify.org?format=json
echo "[2/3] Measuring latency (5 requests)..."
for i in {1..5}; do
curl -x "$PROXY_URL" -s -w "Request $i: %{time_total}s\n" -o /dev/null https://httpbin.org/get
done
echo "[3/3] Testing for blocking..."
RESPONSE=$(curl -x "$PROXY_URL" -s https://httpbin.org/user-agent)
if echo "$RESPONSE" | grep -qi "captcha\|blocked"; then
echo "⚠ Blocking detected"
else
echo "✓ No blocking"
fiInterpreting Proxy IP Test Results — Turning Scores Into Decisions
IPQualityScore Nuances
Proxy/VPN connections with average risk score 70-75 range. Score 72 doesn't automatically indicate fraud—context matters:
Scenario 1: Score 72 + proxy=true + recent_abuse=false + bot=false → Likely legitimate VPN user → Allow Scenario 2: Score 72 + proxy=true + recent_abuse=true + bot=true → Known abusive proxy → Block Scenario 3: Score 72 + proxy=false + connection_type=Corporate → Corporate proxy false positive → Allow
Strictness Impact: Levels 2+ dramatically increase false positives. Use strictness 0-1 with parameter tuning rather than increasing strictness.
MaxMind Optimal Usage
# Suboptimal: Only proxy detection if response['ip_address']['is_anonymous']: block_transaction() # Optimal: Full risk score with context risk_score = response['risk_score'] if risk_score >= 90: block_transaction() elif risk_score >= 75: require_manual_review() elif risk_score >= 50: require_additional_verification() else: approve_transaction()
MinFraud overall score is 7x better than Anonymous IP flag, 2x better than IP risk score alone.
Multi-Service Decision Matrix
Residential Proxy Disagreement
IPQS: Score 24, proxy=false MaxMind: risk=15.3, anonymous=false Cloudflare: bot_score=68 IP2Proxy: RES (residential detected) Analysis: IP2Proxy caught what others missed (76% detection gap) Decision: For fraud → Allow; For scraping → Challenge
VPN with Clean History
IPQS: Score 71, vpn=true, recent_abuse=false MaxMind: risk=22.8, anonymous=true, type=vpn Cloudflare: bot_score=82 Decision: E-commerce → Allow (privacy user) Banking → Step-up authentication
Case Studies — When Proxy IP Tests Fail
Case Study 1: The 76% Detection Gap
Problem: Testing 25 residential proxies showed MaxMind 0% detection, IPQS 24%, others 0-4%.
Root Cause: Residential proxies route through real consumer devices with legitimate ISP IPs. Network-layer characteristics identical to actual homeowners. Only behavioral analysis reveals automation.
Lesson: IP reputation alone cannot stop residential proxies. Must implement keystroke dynamics, mouse patterns, device fingerprinting, session consistency analysis. Security must assume IP provides minimal signal and prioritize behavioral detection.
Case Study 2: Python TLS Fingerprint Detection
Problem: Python requests library with residential proxies experienced 100% block rate on Cloudflare despite passing IPQualityScore.
Root Cause: Python's TLS handshake creates JA3 hash appearing in zero legitimate browsers. Even perfect residential IP immediately revealed by TLS layer.
Evasion Results:
User-Agent spoofing: Failed (TLS occurs before HTTP)
Playwright + stealth: Detected via prototype manipulation
DrissionPage (CDP-based): Bypassed detection
Lesson: Proxy quality and browser fingerprinting are orthogonal. Residential proxy IP insufficient if TLS/device fingerprint reveals automation. Must test with actual application stack. Trade-offs: HTTP clients (0.5-2s) vs browser automation (5-15s).
Case Study 3: University Network False Positive
Problem: SaaS platform blocking 67% of university students after enabling IPQS strictness 2.
Results:
Default: Fraud Score 78, proxy=true
With
allow_public_access_points=true: Score 32
Root Cause: Universities exhibit suspicious patterns—thousands sharing IPs via NAT, forward proxy infrastructure, mass simultaneous access, geographic clustering. Default settings treat corporate proxies as elevated risk.
Lesson: False positive prevention requires understanding legitimate user populations. Enable allow_public_access_points for institutional users. Test with 500-1000 legitimate customer IPs, target <1% false positive rate. False positive costs 13-69x fraud costs—aggressive blocking destroys more value than fraud causes.
Case Study 4: Browser Fingerprint Spoofing
Problem: Playwright with stealth plugins consistently detected by Fingerprint.com despite residential proxies.
Detection Method: Prototype magic detects tampered JavaScript properties. Stealth plugins modify properties leaving traces.
Successful Bypass: DrissionPage uses Chrome DevTools Protocol directly, avoiding WebDriver artifacts entirely.
Lesson: Sophisticated attacks use residential proxies + browser automation. IP reputation catches unsophisticated datacenter attacks. High-value targets require behavioral biometrics to detect residential proxy + automation combinations.
Final Checklist — Reliable Proxy IP Test in 2025
Pre-Test Planning
□ Define use case: fraud prevention / web scraping / security testing
□ Minimum 20-50 IPs per type across 3+ regions
□ Choose detection services: IP reputation + behavioral + TLS
□ Test with actual client library (Python/Node.js/browser)
Execution
□ Test connectivity and authentication
□ Query IPQS (strictness 1), MaxMind, IP2Proxy
□ Verify ASN legitimacy (residential = ISP ASNs)
□ Test against real target platforms (not generic endpoints)
□ Measure success rate, latency, session stability
□ Test false positive scenarios (corporate, university, hotel WiFi)
Interpretation
□ IPQS: Scores 70-75 expected for average proxies, ≥90 high risk
□ MaxMind: Use full risk score (7x better than IP flag alone)
□ Cloudflare: <30 likely bot (inverted scale), respect verified_bot
□ Multi-service conflicts: Prioritize behavioral over IP reputation
Red Flags
⚠ Detection >30% across services
⚠ ASN contamination (hosting in residential pool)
⚠ High abuse scores (>50 on Spamhaus/AbuseIPDB)
⚠ Success rate <90% on targets
⚠ Latency >2x regional benchmarks
Ongoing Validation
□ Re-test quarterly (platforms update continuously)
□ Monitor success rate, latency, blacklist appearance
□ Alert if success drops >10% or latency increases >50%
Conclusion
"Proxy IP test" in 2025 requires moving beyond simple binary checks. The 76% residential proxy detection gap shows even sophisticated services struggle with modern infrastructure. False positive costs exceeding fraud by 13-69x demonstrate overly aggressive detection causes more damage than fraud.
Effective testing combines network signals, TLS fingerprinting, device intelligence, and behavioral biometrics. Test against actual use cases, interpret results in business context, validate technical detections align with operational outcomes. As residential proxies achieve 99% Amazon success rates and CGNAT expands, continuous testing and methodology updates ensure results remain meaningful rather than providing false security confidence.
