<p dir="ltr">Wouldn't it be interesting if we could set up some kind of central "Tor Abuse Center" where all the complaints go, and all the relay operators can help respond to them. I suppose it would be pretty chaotic though... </p>
<div class="gmail_extra"><br><div class="gmail_quote">On Oct 4, 2016 11:18 AM, "pa011" <<a href="mailto:pa011@web.de">pa011@web.de</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yes its ISP - plus 10 times more fire-power both, Markus and me<br>
which is 10 times more work, sadly :-(<br>
<br>
<br>
Am 04.10.2016 um 18:12 schrieb Markus Koch:<br>
> Short answer: ISP<br>
><br>
> I got 2 abuse mails (1 false positive) from Hostwinds in 4 months and<br>
> I get weekly mass reports from DigitalOcean.<br>
> And the thing that pisses me off is: Its all bots or Tax spam or other<br>
> stuff I got weeks/months ago. Different day, same shitty abuse mail.<br>
><br>
> Markus<br>
><br>
><br>
> 2016-10-04 18:03 GMT+02:00 Tristan <<a href="mailto:supersluether@gmail.com">supersluether@gmail.com</a>>:<br>
>> I don't know what I'm doing different, because I only got 2 complaints in<br>
>> the last 2 months, and that was for SSH and SQL stuff.<br>
>><br>
>><br>
>> On Oct 4, 2016 11:01 AM, "pa011" <<a href="mailto:pa011@web.de">pa011@web.de</a>> wrote:<br>
>>><br>
>>> Me too Markus -could fill a folder with that tax issue :-((<br>
>>> Costing a lot of time to answer and restrict the IPs<br>
>>><br>
>>> Plus my ISP moaning with good reason: "It's not just about you, but you're<br>
>>> giving a bad reputation to one /21 and one /22 subnet. That's ~ 3000 IPs<br>
>>> which are potentionaly endagered to be marked as source of malicious content<br>
>>> / blacklisted / whatever ... so you see, this is quite critical for us."<br>
>>><br>
>>> Am 04.10.2016 um 17:48 schrieb Markus Koch:<br>
>>>> same shit here:<br>
>>>><br>
>>>> Dear User,<br>
>>>> We are contacting you because of unusual activity coming from your IP<br>
>>>> address towards the IT infrastructure of the European Commission.<br>
>>>> In specific, since 03/10/2016, IP addresses 95.85.45.159 &<br>
>>>> 104.236.225.19 of Digital Ocean, located in the Netherlands (NL) and<br>
>>>> the USA respectively, have submitted a significantly large number of<br>
>>>> invalid VAT number requests as compared to the total number of<br>
>>>> requests (89,59% & 89,96% respectively) towards VAT numbers from a<br>
>>>> multiple of EU member States (MS) through the VIES on the Web service<br>
>>>> (<a href="http://ec.europa.eu/taxation_customs/vies/" rel="noreferrer" target="_blank">http://ec.europa.eu/taxation_<wbr>customs/vies/</a>). For more information on<br>
>>>> Invalid VAT number requests please refer to FAQ, questions 7, 11, 12,<br>
>>>> 13 and 20 of the VIES on the WEB site<br>
>>>> (<a href="http://ec.europa.eu/taxation_customs/vies/faq.html" rel="noreferrer" target="_blank">http://ec.europa.eu/taxation_<wbr>customs/vies/faq.html</a>).<br>
>>>> The scope of our team is to monitor on a daily basis the performance<br>
>>>> of the VIES-on-the-Web (VoW) service in order to ensure its<br>
>>>> performance in accordance with the standards agreed upon between EU's<br>
>>>> Directorate General for Taxation and Customs Union (DG TAXUD) and the<br>
>>>> EU Member States.<br>
>>>> Our objective is to secure constant and uninterrupted availability and<br>
>>>> flow of traffic (requests for VAT validation) at all times.<br>
>>>> Under this framework, our team intervenes whenever there is out of the<br>
>>>> ordinary, unusual and potentially suspicious use of the system that<br>
>>>> violates the rules of use as they are stated in the Specific<br>
>>>> disclaimer for this service, which is available at the VoW site<br>
>>>> (<a href="http://ec.europa.eu/taxation_customs/vies/disclaimer.html" rel="noreferrer" target="_blank">http://ec.europa.eu/taxation_<wbr>customs/vies/disclaimer.html</a>).<br>
>>>> Consequently, in order to allow flawless use of the service, we were<br>
>>>> obliged to block the access to VIES on the Web for the IP address<br>
>>>> 88.198.110.130.<br>
>>>> Following our action, we would like to know if you are aware of this<br>
>>>> situation. Furthermore, your cooperation and contribution is necessary<br>
>>>> in order to determine the reason for this occurrence.<br>
>>>> Please inform us if this behaviour is normal and if such, how often it<br>
>>>> should occur; we would then take action to unblock the traffic coming<br>
>>>> from the corresponding IP address assuming you will agree to follow a<br>
>>>> set ITSM VIES/Web Team<br>
>>>> "ITSM2 is a contracted support partner for the IT Service Management<br>
>>>> of the European Commission.<br>
>>>> This e-mail is a reply to your message sent to the<br>
>>>> <a href="mailto:TAXUD-VIESWEB@ec.europa.eu">TAXUD-VIESWEB@ec.europa.eu</a><<wbr>mailto:<a href="mailto:TAXUD-VIESWEB@ec.europa.eu">TAXUD-VIESWEB@ec.<wbr>europa.eu</a>> e-mail.<br>
>>>> Answers provided by the contactor are on behalf and according to<br>
>>>> policy guidelines of DG TAXUD, but not binding for the European<br>
>>>> Commission."<br>
>>>><br>
>>>> I am so done with it, I added<br>
>>>><br>
>>>> ExitPolicy reject 147.67.136.103 # TAX SPAM<br>
>>>> ExitPolicy reject 147.67.136.21 # TAX SPAM<br>
>>>> ExitPolicy reject 147.67.119.103 # TAX SPAM<br>
>>>> ExitPolicy reject 147.67.119.3 # TAX SPAM<br>
>>>> ExitPolicy reject 147.67.136.3 # TAX SPAM<br>
>>>> ExitPolicy reject 147.67.119.21 # TAX SPAM<br>
>>>><br>
>>>> Thats going on for months now and by all means, this is not free speech<br>
>>>> ...<br>
>>>><br>
>>>> Markus.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> 2016-10-04 17:42 GMT+02:00 pa011 <<a href="mailto:pa011@web.de">pa011@web.de</a>>:<br>
>>>>> Am 04.10.2016 um 16:48 schrieb krishna e bera:<br>
>>>>>> On 04/10/16 08:48 AM, pa011 wrote:<br>
>>>>>>> One of my main ISP is going mad with the number of abuses he gets<br>
>>>>>>> from my Exits (currently most on port 80).<br>
>>>>>>> He asks me to install "Intrusion Prevention System Software" or<br>
>>>>>>> shutting down the servers.<br>
>>>>>><br>
>>>>>> You can first ask him for a copy of the complaints in order to<br>
>>>>>> understand what sort of alleged abuses are taking place. Are the<br>
>>>>>> complaints about spam or scraping or web server exploits or something<br>
>>>>>> else?<br>
>>>>><br>
>>>>> I do get a copy of every complaint - they are unfortunately:<br>
>>>>><br>
>>>>> - Http browser intrucion -<br>
>>>>> /var/log/apache2/other_vhosts_<wbr>access.log:<a href="http://soldierx.com:80" rel="noreferrer" target="_blank">soldierx.com:80</a> xxx.xxx.xxx.xxx - -<br>
>>>>> [30/Sep/2016:11:14:34 -0400] "HEAD / HTTP/1.0" 302 192 "-" "Mozilla/5.0<br>
>>>>> (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12)<br>
>>>>> Gecko/20080201Firefox/<a href="http://2.0.0.12" rel="noreferrer" target="_blank">2.0.0.12</a><wbr>"<br>
>>>>><br>
>>>>> - invalid VAT number requests<br>
>>>>><br>
>>>>> -recorded connection attempt(s) from your hosts to our honeypots<br>
>>>>><br>
>>>>> - Issue: Source has attempted the following botnet activity: Semalt<br>
>>>>> Referrer Spam Tor Exit Bot<br>
>>>>><br>
>>>>> - botnet drone|Description: Ramnit botnet victim connection to sinkhole<br>
>>>>> details,<br>
>>>>><br>
>>>>> - attackers used the method/service: *imap*<br>
>>>>><br>
>>>>>> You can change your exit policy to reduce likelihood of complaints:<br>
>>>>>> <a href="https://blog.torproject.org/blog/tips-running-exit-node" rel="noreferrer" target="_blank">https://blog.torproject.org/<wbr>blog/tips-running-exit-node</a><br>
>>>>><br>
>>>>> I know, but I hardly like to block port 80<br>
>>>>><br>
>>>>>>> As far as I understand implementing such a software is not going<br>
>>>>>>> together with Tor - am I right?<br>
>>>>>><br>
>>>>>> If your exit nodes tamper with traffic in any way they will be<br>
>>>>>> labelled<br>
>>>>>> as Bad Exit. (Tor tries to be net neutral.)<br>
>>>>>> <a href="https://trac.torproject.org/projects/tor/wiki/doc/badRelays" rel="noreferrer" target="_blank">https://trac.torproject.org/<wbr>projects/tor/wiki/doc/<wbr>badRelays</a><br>
>>>>>><br>
>>>>>><br>
>>>>>> ______________________________<wbr>_________________<br>
>>>>>> tor-relays mailing list<br>
>>>>>> <a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.<wbr>org</a><br>
>>>>>> <a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/<wbr>cgi-bin/mailman/listinfo/tor-<wbr>relays</a><br>
>>>>>><br>
>>>>> ______________________________<wbr>_________________<br>
>>>>> tor-relays mailing list<br>
>>>>> <a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.<wbr>org</a><br>
>>>>> <a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/<wbr>cgi-bin/mailman/listinfo/tor-<wbr>relays</a><br>
>>>> ______________________________<wbr>_________________<br>
>>>> tor-relays mailing list<br>
>>>> <a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.<wbr>org</a><br>
>>>> <a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/<wbr>cgi-bin/mailman/listinfo/tor-<wbr>relays</a><br>
>>>><br>
>>> ______________________________<wbr>_________________<br>
>>> tor-relays mailing list<br>
>>> <a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.<wbr>org</a><br>
>>> <a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/<wbr>cgi-bin/mailman/listinfo/tor-<wbr>relays</a><br>
>><br>
>><br>
>> ______________________________<wbr>_________________<br>
>> tor-relays mailing list<br>
>> <a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.<wbr>org</a><br>
>> <a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/<wbr>cgi-bin/mailman/listinfo/tor-<wbr>relays</a><br>
>><br>
> ______________________________<wbr>_________________<br>
> tor-relays mailing list<br>
> <a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.<wbr>org</a><br>
> <a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/<wbr>cgi-bin/mailman/listinfo/tor-<wbr>relays</a><br>
><br>
______________________________<wbr>_________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.<wbr>org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/<wbr>cgi-bin/mailman/listinfo/tor-<wbr>relays</a><br>
</blockquote></div></div>