ProxyZeus

Blacklist or Hidden Score: How Platforms Really Detect Proxies

Many affiliates and agencies assume proxy blocking is just about getting into a DNSBL — a public blacklist. But reality is far more complex. Algorithms used by TikTok, Meta, and other platforms no longer rely on a single signal. They build advanced risk models based on network characteristics, timing variations, cookie contexts, and even behavioral side-patterns.

In this article — a technical breakdown of which signals actually expose proxies, how AI systems interpret traffic, and why even a “clean” IP can trigger bans.


1. ASN: The network’s digital passport

ASN (Autonomous System Number) identifies the provider that owns the IP range. It reveals whether the traffic is coming from a data center, mobile operator, hosting provider, etc.

How platforms use ASN:

  • Cross-reference with RIPE, APNIC, and local regulator databases
  • Associate with historical behavior: spam, bots, or flagged accounts
  • Assign a trust score: mobile ASNs (e.g., Vodafone, Kyivstar) are high-trust; data center ASNs (e.g., OVH, Hetzner) are low-trust

Example: Meta’s Trust Score system automatically lowers quality baseline for IPs from AS16276 (OVH), even if the IP itself is not in a public blocklist.


2. TTL and TTL Variance: Proxies “breathe” differently

TTL (Time to Live) is a packet parameter showing the number of hops from source to destination.

Typical values:

  • Home/mobile users: TTL = 52–64
  • Data centers: TTL = 118–128

Why it matters:

  • Platforms log TTL values per session
  • Fixed TTL (e.g., 128 with zero variation) = suspicious
  • TTL Variance is key — real users have small fluctuations; static TTLs often mean bot traffic

Fact: TikTok’s Trust Safety model raises suspicion score to “auto-review” level for TTL >120 with zero variance.


3. Connection speed and jitter

Speed and response time are often-overlooked but strong indicators:

  • Mobile traffic typically has jitter (ping = 40–100 ms)
  • Data center IPs show ultra-stable low-latency (ping = 10–15 ms)

Why this is used:

  • If a platform detects “perfect” connection stats on an IP labeled as mobile — flags are raised
  • Even if the ASN is mobile, if real-time speed looks like a tunnel or datacenter — risk increases

4. Cookie profile and fingerprint mismatch

Even the cleanest proxy can be compromised if:

  • Cookies carry session data linked to banned profiles (e.g., fbp, datr, fr)
  • LocalStorage or SessionStorage leak traces of past logins
  • Device fingerprint doesn’t match IP — e.g., Ukrainian IP with macOS Canvas fingerprint, while regionally Mac usage is <5%

Pro tip: Before login, clean cookies + test fingerprints via CreepJS or PixelScan, and align Device-ID.


5. DNSBL is not the main threat

Yes, an IP can get listed in Spamhaus, FireHOL, SORBS — but this is not the primary filter:

  • DNSBLs are used as coarse-grained checks
  • More important is the platform’s internal hidden score — a non-public trust score updated in real-time using thousands of data points

What we know:

  • TikTok uses a 120+ factor behavioral model to assess IP trustworthiness
  • Meta builds a full IP Risk Graph: links IPs to prior accounts, device fingerprints, ban histories, and creative types
  • Google uses ML classifiers to detect abnormal visit patterns and click fraud

How to stay out of auto-flag traps

✅ Use IPs from mobile operators with strong ASN reputations (check RIPE database)

✅ Simulate natural TTL with small variance (±2–3 hops)

✅ Check your fingerprint stack: Canvas, WebGL, AudioContext, timezone, and UI language

✅ Align your speed, user-agent, and geolocation with IP origin

✅ Use anti-detect browsers that simulate full user stacks, not just spoof user-agent

✅ Avoid random IP rotations — rotate only after session ends or on a logical action


Conclusion

Blacklists are just the tip of the iceberg. Modern platforms don’t catch violators with one signal — they build full behavioral profiles based on dozens of technical parameters. One mistake — and even a fresh IP may be flagged.

Understanding these signals is the key to keeping affiliate campaigns, scraping tasks, and multi-accounting stable and ban-free.

If you want to work safely — analyze your digital fingerprint as carefully as you do your creatives.

Scroll to Top