<div dir="ltr"><div><font face="arial, sans-serif">I believe you are exactly right, Javantea. Thank you for the insight. I opened up Privoxy for a few seconds on my node (below) and had similar results. I had no idea that pay for click advertisers would even accept referrals from Tor. It is pretty basic to filter identified exit relays and other anonymous proxies. So apparently the return on investment from this sort of clickfraud pays the leasing bills of thousands of servers?</font></div>
<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">WoW, I have been schooled...</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif"> - Kent</font></div>
<div style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div><div><div><font face="arial, sans-serif">09:21:01.419951 IP 23.19.89.126.2318 > my.exit.node.8118: Flags [P.], seq 1:416, ack 1, win 65535, length 415</font></div><div><font face="arial, sans-serif">E.....@.u.u/..Y~B...    ...^.]^M....P.......GET <a href="http://ad.media-servers.net/st?ad_type=iframe&ad_size=160x600&section=4432147">http://ad.media-servers.net/st?ad_type=iframe&ad_size=160x600&section=4432147</a> HTTP/1.0</font></div>
<div><font face="arial, sans-serif">Accept: */*</font></div><div><font face="arial, sans-serif">Referer: <a href="http://giftcardsrus.net/index.php?option=com_content&view=article&id=1741:when-you-are-not-able-to-get-standard-loans&catid=54:financial-services-&Itemid=412">http://giftcardsrus.net/index.php?option=com_content&view=article&id=1741:when-you-are-not-able-to-get-standard-loans&catid=54:financial-services-&Itemid=412</a></font></div>
<div><font face="arial, sans-serif">Accept-Language: en-us</font></div><div><font face="arial, sans-serif">User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)</font></div><div><font face="arial, sans-serif">Host: <a href="http://ad.media-servers.net">ad.media-servers.net</a></font></div>
<div><font face="arial, sans-serif">Connection: Keep-Alive</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">09:21:01.419973 IP my.exit.node.8118 > 23.19.89.126.2318: Flags [.], ack 416, win 6432, length 0</font></div>
<div><font face="arial, sans-serif">E..(..@.@...B.....Y~..  .....^.^.P.. .k..</font></div><div><font face="arial, sans-serif">09:21:01.420501 IP my.exit.node.8118 > 23.19.89.126.2318: Flags [P.], seq 1:256, ack 416, win 6432, length 255</font></div>
<div><font face="arial, sans-serif">E..'..@.@...B.....Y~..  .....^.^.P.. .j..HTTP/1.0 403 Request blocked by Privoxy</font></div><div><font face="arial, sans-serif">Content-Type: image/png</font></div><div><font face="arial, sans-serif">Content-Length: 102</font></div>
<div><font face="arial, sans-serif">Cache-Control: no-cache</font></div><div><font face="arial, sans-serif">Date: Mon, 22 Jul 2013 09:21:01 GMT</font></div><div><font face="arial, sans-serif">Last-Modified: Wed, 08 Jun 1955 12:00:00 GMT</font></div>
<div><font face="arial, sans-serif">Expires: Sat, 17 Jun 2000 12:00:00 GMT</font></div><div><font face="arial, sans-serif">Pragma: no-cache</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif"><br>
</font></div><div><font face="arial, sans-serif">09:21:01.430712 IP 173.208.16.93.1094 > my.exit.node.8118: Flags [.], ack 1, win 65535, length 0</font></div><div><font face="arial, sans-serif">E..(...........]B....F...._..x..P....~........</font></div>
<div><font face="arial, sans-serif">09:21:01.431701 IP 173.208.16.93.1094 > my.exit.node.8118: Flags [P.], seq 1:511, ack 1, win 65535, length 510</font></div><div><font face="arial, sans-serif">E..&...........]B....F...._..x..P.......GET <a href="http://ad.globe7.com/st?ad_type=pop&ad_size=0x0&section=3910946&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1&pub_url=${PUB_URL}">http://ad.globe7.com/st?ad_type=pop&ad_size=0x0&section=3910946&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1&pub_url=${PUB_URL}</a> HTTP/1.0</font></div>
<div><font face="arial, sans-serif">Accept: */*</font></div><div><font face="arial, sans-serif">Referer: <a href="http://twicemagic.com/index.php?option=com_content&view=category&layout=blog&id=44&Itemid=100&limitstart=48">http://twicemagic.com/index.php?option=com_content&view=category&layout=blog&id=44&Itemid=100&limitstart=48</a></font></div>
<div><font face="arial, sans-serif">Accept-Language: en-us</font></div><div><font face="arial, sans-serif">User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)</font></div>
<div><font face="arial, sans-serif">Host: <a href="http://ad.globe7.com">ad.globe7.com</a></font></div><div><font face="arial, sans-serif">Connection: Keep-Alive</font></div><div><font face="arial, sans-serif"><br></font></div>
<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">09:21:01.431722 IP my.exit.node.8118 > 173.208.16.93.1094: Flags [.], ack 511, win 6432, length 0</font></div><div><font face="arial, sans-serif">E..(..@.@.b.B......]...F.x....a.P.. ....</font></div>
<div><font face="arial, sans-serif">09:21:01.432462 IP my.exit.node.8118 > 173.208.16.93.1094: Flags [P.], seq 1:256, ack 511, win 6432, length 255</font></div><div><font face="arial, sans-serif">E..'..@.@.a.B......]...F.x....a.P.. ....HTTP/1.0 403 Request blocked by Privoxy</font></div>
<div><font face="arial, sans-serif">Content-Type: image/png</font></div><div><font face="arial, sans-serif">Content-Length: 102</font></div><div><font face="arial, sans-serif">Cache-Control: no-cache</font></div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div></div><div style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div><div style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><font face="arial, sans-serif">Message: 3</font><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Date: </span><span class="" tabindex="0" style="font-family:arial,sans-serif;font-size:13px"><span class="">Mon, 22 Jul 2013 00:09:55 -0700</span></span><span style="font-family:arial,sans-serif;font-size:13px"> (PDT)</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">From: Javantea <</span><a href="mailto:jvoss@altsci.com" style="font-family:arial,sans-serif;font-size:13px">jvoss@altsci.com</a><span style="font-family:arial,sans-serif;font-size:13px">></span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">To: </span><a href="mailto:tor-relays@lists.torproject.org" style="font-family:arial,sans-serif;font-size:13px">tor-relays@lists.torproject.org</a><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Subject: Re: [tor-relays] Exit relay operators: a call for packets on port 8118</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Message-ID: <</span><a href="mailto:20130722070955.1CF571380F1@mail.altsci.com" style="font-family:arial,sans-serif;font-size:13px">20130722070955.1CF571380F1@mail.altsci.com</a><span style="font-family:arial,sans-serif;font-size:13px">></span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Content-Type: text/plain; charset="us-ascii"</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Hi Kent,</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">I am getting 125 packets per second sustained incoming on port 8118 like you on my exit node. I noticed this last year but forgot about it because it was such low bandwidth. I count 2582 unique IPs in 20 minutes.</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">I think you've found something significant. The obvious question is why since sending data in the clear is pretty worthless and it's going to come out of a tor exit node just like if they were using tor.</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">I'm a security researcher and would be happy to help you learn more about these silly systems. You've already done most of the basic research though: who, what, and where. When I open port 8118 with netcat a few times I get this:</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">GET </span><a href="http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=4211101&pub_url=${PUB_URL}" target="_blank" style="font-family:arial,sans-serif;font-size:13px">http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=4211101&pub_url=${PUB_URL}</a><span style="font-family:arial,sans-serif;font-size:13px"> HTTP/1.0</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Accept: */*</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Referer: </span><a href="http://www.lotsoffree.com/index.php?option=com_content&view=article&id=84:free-gift-card-microsoft-privacy&catid=39:free-gift-cards&Itemid=106" target="_blank" style="font-family:arial,sans-serif;font-size:13px">http://www.lotsoffree.com/index.php?option=com_content&view=article&id=84:free-gift-card-microsoft-privacy&catid=39:free-gift-cards&Itemid=106</a><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Accept-Language: en-us</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Host: </span><a href="http://ad.yieldmanager.com/" target="_blank" style="font-family:arial,sans-serif;font-size:13px">ad.yieldmanager.com</a><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Connection: Keep-Alive</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">GET </span><a href="http://ib.adnxs.com/ttj?id=1284883" target="_blank" style="font-family:arial,sans-serif;font-size:13px">http://ib.adnxs.com/ttj?id=1284883</a><span style="font-family:arial,sans-serif;font-size:13px"> HTTP/1.0</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Accept: */*</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Referer: </span><a href="http://www.psxobs.com/privacy-policy" target="_blank" style="font-family:arial,sans-serif;font-size:13px">http://www.psxobs.com/privacy-policy</a><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Accept-Language: en-us</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Host: </span><a href="http://ib.adnxs.com/" target="_blank" style="font-family:arial,sans-serif;font-size:13px">ib.adnxs.com</a><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">Connection: Keep-Alive</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">That looks like clickfraud to me. Perhaps someone wrote a quick script that downloads the list of tor exit nodes and sends clickfraud requests to 8118 and was too lazy to add tor. That would mean that the sites in the referrer are the attackers and the url on the first line is the ad service which is being defrauded. Of course there is the possibility of a joe job occurring, but we know that at least some of them are the bad actors. Whois on both referrers returns China. I'm surprised that the script doesn't remove servers from the list that have the port closed. It's a very inefficient script.</span><br style="font-family:arial,sans-serif;font-size:13px">
<br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Regards,</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">Javantea</span><br>
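As an added example that is not part of either message in this thread: a small Python script that reads a tcpdump -A style capture of traffic to port 8118 (the format Kent pasted) and tallies the who, what and where Javantea describes: unique source IPs, the ad hosts on the GET line, the referer sites, and how many requests still carry an unexpanded ${PUB_URL} placeholder (a script artefact no browser would send). The sample capture is constructed from hosts and addresses quoted in the thread, with 192.0.2.10 standing in for the exit node.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# tcpdump -A output: a packet header line, then ASCII payload; the GET line is glued to binary header bytes.
PKT_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>\d+(?:\.\d+){3})\.\d+ > \S+\.8118:")
HDR_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")
GET_RE = re.compile(r"GET (?P<url>https?://\S+) HTTP/1\.[01]")
REF_RE = re.compile(r"^Referer: (?P<url>\S+)")

def parse_requests(capture):
    """One dict per HTTP request pushed at port 8118: source IP, ad host, referer host, templated flag."""
    reqs, cur = [], None
    for line in capture.splitlines():
        if m := PKT_RE.match(line):                  # inbound packet to 8118: start a new record
            cur = {"src": m["src"], "ad_host": None, "referer_host": None, "templated": False}
        elif HDR_RE.match(line) or cur is None:      # ACKs, Privoxy's 403 reply, leading junk: ignore
            cur = None
        elif m := GET_RE.search(line):               # search, not match: tolerates the glued binary prefix
            cur["ad_host"] = urlsplit(m["url"]).hostname
            cur["templated"] = "${" in m["url"]       # unexpanded ${PUB_URL}: a script, not a browser
            reqs.append(cur)
        elif m := REF_RE.match(line):
            cur["referer_host"] = urlsplit(m["url"]).hostname
    return reqs

def summarize(reqs):
    """Who (unique sources), what (ad networks hit), where (referer sites), and how many are templated."""
    return {"unique_sources": len({r["src"] for r in reqs}),
            "ad_hosts": Counter(r["ad_host"] for r in reqs),
            "referers": Counter(r["referer_host"] for r in reqs if r["referer_host"]),
            "templated": sum(r["templated"] for r in reqs)}

# Constructed sample in the thread's capture format; 192.0.2.10 is a placeholder for the exit node.
SAMPLE = """\
09:21:01.419951 IP 23.19.89.126.2318 > 192.0.2.10.8118: Flags [P.], seq 1:416, ack 1, win 65535, length 415
E.....@.u.u/..Y~B...    ...^.]^M....P.......GET http://ad.media-servers.net/st?ad_type=iframe&ad_size=160x600&section=4432147 HTTP/1.0
Referer: http://giftcardsrus.net/index.php?option=com_content&view=article&id=1741
09:21:01.419973 IP 192.0.2.10.8118 > 23.19.89.126.2318: Flags [.], ack 416, win 6432, length 0
09:21:01.431701 IP 173.208.16.93.1094 > 192.0.2.10.8118: Flags [P.], seq 1:511, ack 1, win 65535, length 510
E..&...........]B....F...._..x..P.......GET http://ad.globe7.com/st?ad_type=pop&ad_size=0x0&section=3910946&pub_url=${PUB_URL} HTTP/1.0
Referer: http://twicemagic.com/index.php?option=com_content&view=category&layout=blog&id=44
09:21:02.010000 IP 23.19.89.126.2330 > 192.0.2.10.8118: Flags [P.], seq 1:300, ack 1, win 65535, length 299
GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=4211101&pub_url=${PUB_URL} HTTP/1.0
Referer: http://www.lotsoffree.com/index.php?option=com_content&view=article&id=84
"""
```

Run it on `tcpdump -A -i eth0 'tcp dst port 8118'` output to get the per-ad-host and per-referer tallies for a real capture; the Privoxy 403 replies in the same dump are skipped by the header check.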
</div>