I am going to share my two cents here... I couldn't find a SmarterStats-specific topic for x-forwarded-for, so I decided to add to this one.
X-forwarded-for is VERY commonly used to identify the source of user activity from outside a load balancer. It's not just used for proxies.
We host our infrastructure in AWS, behind an Elastic Load Balancer. Because the c-ip column in the IIS logs then reflects the IP addresses of the load balancers, all our website traffic appears to come from three IP addresses in SmarterStats. This effectively makes the product almost useless.
I don't fully follow the security concern. Even if someone was trying to parse logs from a proxy, they already have access to the raw logs and can see the originating IP address anyway.
I disagree with the IPgeolocation functionality being broken by adding support for this. You would simply create a dropdown in the stats property profile to use x-forwarded-for instead of c-ip from the logs. This would be used or any IP-specific features, including geolocating the IP of the ACTUAL end user. It is completely useless to geolocate the IP of our load balancers in the c-ip column -- we know where they are (sitting down the isle from the web servers).
In summary, I feel that your SmarterStats product is effectively broken without supporting x-forwarded-for, which is becoming way more popular as more and more websites migrate to multi-machine web farms and/or the cloud.