Denise ([staff profile] denise) wrote in [site community profile] dw_maintenance 2023-09-26 03:16 am (UTC)

Unfortunately that approach wouldn't work, because the filtering CloudFront uses doesn't even get as far as contacting us before it kicks in, and the filtering we can do on our end kicks in so much earlier in the process that letting it get as far as reading cookies would be a major performance hit (since it's the same system used to filter DDoS-style traffic). We have almost no control over AWS other than "stick this specific IP fully on the allow list", and our only feasible control on our end is expiring the block early, neither of which is feasible for IPs that change ownership rapidly like VPN IPs, because it has to be done manually and the legitimate user who had the connection is almost certainly no longer the person who has the connection by the time we would be able to handle it, and with most VPN IPs the chance the next person who has the IP is a spammer is very, very high. (Fanlore in particular that [personal profile] nerakrose was talking about is an OTW project, and OTW only implemented the intermediary-based DDoS protections that most everyone on the internet is running a few months ago, and only for AO3 and not any of their other projects -- Fanlore has nothing like CloudFront doing intermediary garbage filtering, which is where most of the restrictions on VPN IPs come from. Fanlore only uses MediaWiki's software-based spam protections, which happen very, very late in the call.)

It's extremely shit, we know it's extremely shit, every person who runs internet infrastructure knows it's extremely shit, we all wish we didn't have to do it, but this kind of IP-based reputation system is the only thing that even slightly works and the collateral damage is something no one has ever been able to contain 100%.
