I think checking for open ports (80, 8080) is a wrong approach. Some people have webservers running.
we will change it to create a combination check between multiple cases.
my advice, use an euristic method.
i explain it
IP have 8080 port used >>> + 10 points
IP is present in spam list >>> + 10 points
IP have mail service >>> + 20 points
if SUM >= 40
isVPN
else
isntVPN
clear?