July 2014 - tor-relays - lists.torproject.org

Re: [tor-relays] German company Webtropia: Terminated contract without notice because of abuse
by tor＠t-3.net 30 Jul '14

30 Jul '14

Let's not confuse two things, here. The customer wanting to host a Tor exit relay is a different service request than wanting to run a wide-open SMTP relay. No reputable ISP would agree to host an open SMTP relay and I'm sure this one did not knowingly do so. It would be unfortunate for ISPs to come under the incorrect impression that hosting Tor is equal to hosting open SMTP. ISPs which might have been Tor-friendly at the outset would do a 180 and unnecessarily adopt a No-Tor service policy. On 07/30/2014 03:39 PM, Lunar wrote: > tor(a)t-3.net: >> You somewhat made a mistake here - you've got to have an exit policy that >> (minimally) rejects ports 25 and 465, or else your relay becomes a giant >> abuse tool for spammers, scammers, and phishers instead of what you intended >> it to be (which was a standard-functioning Tor relay). > > Please don't blame the victim. If this ISP acted differently than what > they initially promised, then they are the problem. >

1 0

German company Webtropia: Terminated contract without notice because of abuse
by uf＠riseup.net 30 Jul '14

30 Jul '14

Hi all, I've been running two exit relays, [1] and [2], at the German company Webtropia [3] for the past two weeks. Things went quite nice and smoothly, the speed of the server was decent and the network great, pushing quite some terabyte. Before renting the server, I told them what I wanted to do, if the would forward abuse etc. They said there were fine with this and forwarding would be no problem, given that I would deal with such mails in a timely manner. So I decided to rent the server, maybe naive? Yesterday (29th) they stopped routing/switching traffic to the server, so it wasn't accessible anymore. They sent me a mail, the subject read "termination without notice", claiming they did this because I didn't pay the invoice. I replied that I doubt this and sent them the transaction details. Their reply claimed that my contract wasn't quited because of this, but instead of abuse: They wrote that they got "52 mails" the day before (28th) dealing with phishing mails, bittorent downloads, ddos, etc. I told them once again that this server is housing tor exit nodes, and I'm not responsible for the traffic. However, I asked if we could find an agreement and "meet in the middle": Closing some ports (25 for example) and forward the mails to me, so I would take care of these and they could lie back and think "not our department" (actually as spoken about beforehand). Sadly there wasn't any negotiation possible, the denied me (up until now at least) even a refund of the money I already paid (is this legal?). Just to inform you about this. Stay away of them - they don't keep their words. Cheers, uf [1] https://globe.torproject.org/#/relay/94CB5C820BF97391BFDCAF8DD1B3176A452E8F… [2] https://globe.torproject.org/#/relay/55A463CAB24AFB91073C6D6D7CC6CA741A1430… [3] https://www.webtropia.com/en/

2 1

Re: [tor-relays] German company Webtropia: Terminated contract without notice because of abuse
by tor＠t-3.net 30 Jul '14

30 Jul '14

IMO, even relaying SMTP-like for the email which typically requires auth first isn't a great idea if there is any concern about an upstream getting abuse complaints about a relay (such as a leased box). A frequent way that spammers get their garbage out these days is to compromise a user account, I say this as a mail server admin who has to deal with the mess regularly. Oftentimes they guess the PW via dictionary attacks, but sometimes they keylog the user's box to get the email login. If the spammer has compromised an account and is forced to use webmail to dump the spam instead of an SMTP-like means, your relay doesn't show up in the email headers in the same way and may even be obfuscated. The differences are good things if you want to minimize abuse complaints of this sort. Also the SMTP-like sending seems to get more spam out the door faster than something which must use webmail instead. On 07/30/2014 03:08 PM, krishna e bera wrote: > On 14-07-30 05:11 AM, tor(a)t-3.net wrote: >> >> You somewhat made a mistake here - you've got to have an exit policy >> that (minimally) rejects ports 25 and 465, or else your relay becomes a >> giant abuse tool for spammers, scammers, and phishers instead of what >> you intended it to be (which was a standard-functioning Tor relay). >> >> You might try telling your ISP that you made a mistake in your >> configuration which allowed spam email to go out, and you're willing to >> correct that error and move forward. >> >> >> ExitPolicy reject *:25 >> ExitPolicy reject *:465 > > Most SMTP servers i have seen listening on port 465 and 587 require > authentication, so it shouldnt be necessary to block those ports. Can > anyone name some that dont need authentication to send email? > > _______________________________________________ > tor-relays mailing list > tor-relays(a)lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

1 0

Re: [tor-relays] Relay not on Atlas or Globe?
by Mike Patton 30 Jul '14

30 Jul '14

Yes is there now. Very strange. I restarted it today because of a Tor update and a few hours later it was fine. M. On 30/07/2014 9:48 pm, Neuman1812 <neuman1812(a)gmail.com> wrote: > > Its there... > > https://atlas.torproject.org/#details/527ACFA6E729CF1CF3203444BA7E5E6CA6CE7… > > > On 07/29/2014 07:58 PM, Michael Patton wrote: >> >> Hello all, >> >> I have started a new exit relay recently (NetFreedomTest3 - 527ACFA6E729CF1CF3203444BA7E5E6CA6CE7F89) and it has been up over 5 days now. It has started seeing some decent traffic lately too. However I can't find the relay in Atlas or Globe? >> >> Any ideas? >> >> M. >> >> >> _______________________________________________ >> >> tor-relays mailing list >> >> tor-relays(a)lists.torproject.org >> >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >> >

1 0

Relay not on Atlas or Globe?
by Michael Patton 30 Jul '14

30 Jul '14

Hello all, I have started a new exit relay recently (NetFreedomTest3 - 527ACFA6E729CF1CF3203444BA7E5E6CA6CE7F89) and it has been up over 5 days now. It has started seeing some decent traffic lately too. However I can't find the relay in Atlas or Globe? Any ideas? M.

2 1

Possible tor usage by Dragonfly aka Energetic Bear
by manuel＠myops.de 29 Jul '14

29 Jul '14

Hi, today I received a registered mail by the BKA, the german federal police, alerting me that some stuff related to the Dragonfly aka Energetic Bear backdoor Oldrea/Havex could be traced back to one of my ips. The ip in questions is the one with which I run my tor exit node. I phoned the BKA and asked if they would be aware that Dragonfly uses the tor network to connect to their C&C servers. At least the BKA-person at the phone wasn't aware. Just thought to let you know. Regards, M.

3 2

providers with AES-NI?
by Michael Ball 25 Jul '14

25 Jul '14

hey folks does anyone here know of any decent (and somewhat cheap) dedicated server providers that offer AES-NI crypto acceleration? the only decent and affordable one i've found so far is this from online.net: http://www.online.net/en/dedicated-server/dedibox-xc the bandwidth seems a bit low for the price... i assume what you're paying for is the processor and the memory. hit me up with all the providers you guys know of. thanks. michael ball

4 3

Speed of my relay not correct on global list
by B00ze/Empire 23 Jul '14

23 Jul '14

Good day. I hope this is the correct mailing list for this. I run a small relay, alias "Empire64" (I tried an exit once, but my IP was then banned at several places, so back to only a relay) on Win Xp. It is very small (bandwidth 80k, burst 160k) but it used to be smaller (64k). Back when it was 64k, I still had a lot of traffic, and in Vidalia's "View the network" list of relays, I was listed as a 64k node. Now that I have increased bandwidth and would like to increase it more depending on how much traffic this creates, I see that no one uses my relay, I have practically no traffic. I think this is because in the "View the network" list, I am listed as a 10k node! I know that Tor has changed since I ran the relay at 64k. If I understand correctly, the Tor network now TESTS for bandwidth before accepting the declared bandwidth in the torRC file. Well obviously, this testing is not working for me. I have "attached" a screenshot of one of the rare times when I do have traffic - as you can see, my node DOES run @ 80k. But, see the other "attached" pic, I am showing in the list as a 10k node. Also, the Atlas shows me as UNNAMMED, I don't understand why, I am the only one with that alias... Tor80k screenshot: <https://unsee.cc/sumipoge/> (it needs javascript) Tor10k screenshot: <https://unsee.cc/deguzoba/> Can you guys help me with this? I'd like to contribute to the network but its not working for me now, and besides, the more traffic goes through me, the better it hides my own traffic; I want more :-) My uptime (from the Atlas): 22 days 3 hours 23 minutes and 16 seconds Fingerprint: E1DFC86060848E0FDCC7B0F072FA9EBAC639DA66 Platform: Tor 0.2.4.21 on Windows XP (updated to 2.4.22 just now) Thank you. Best Regards, -- ' _\|/_ Sylvain / B00ze64(a)hotmail.com ' (o o) Member-+-David-Suzuki-Foundation-+-Planetary-Society- oO-( )-Oo Pentium of Borg: Division's futile; You will be approximated.

9 12

Re: [tor-relays] [tor-dev] Hidden service policies
by grarpamp 21 Jul '14

21 Jul '14

On Sun, Jul 20, 2014 at 6:34 PM, Mike Hearn <mike(a)plan99.net> wrote: > Hello, > > As we know, hidden services can be useful for all kinds of legitimate things > (Pond's usage is particularly interesting), however they do also sometimes > get used by botnets and other problematic things. > > Tor provides exit policies to let exit relay operators restrict traffic they > consider to be unwanted or abusive. In this way a kind of international > group consensus emerges about what is and is not acceptable usage of Tor. > For instance, SMTP out is widely restricted. > > Has there been any discussion of implementing similar controls for hidden > services, where relays would refuse to act as introduction points for hidden > services that match certain criteria e.g. have a particular key, or whose > key appears in a list downloaded occasionally via Tor itself. In this way > relay operators could avoid their resources being used for establishing > communication with botnet CnC servers. > > Obviously such a scheme would require a protocol and client upgrade to avoid > nodes building circuits to relays that then refuse to introduce. > > The downside is additional complexity. The upside is potentially recruiting > new relay operators. HS's will just change their HS keys out from under your list. Then it becomes whack a mole. And you'll also be taking out shared services with the bathwater. Are you funding maintenance of that list? Ready to be called a censor when you exceed your noble intent as all have done before? And to be ignored by those operators who don't care to subscribe to your censor list thus nullifying your efforts (not least of why because it may be illegal for them to look at services on the list to verify it, or to look at and make decisions regarding content of traffic that transits them). And ignored by botnet ops who will surely run their own relays and internal pathing.

4 8

Fwd: [Abuse[...]] GameoverZeus-Infektionen
by Ch'Gans 20 Jul '14

20 Jul '14

Hi there, I'm here to look for advice or comments on how to handle abuse reports when you run a TOR relay exit on a "server for the mass". I'm running the TOR exit node 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner netowrk (50E/month, this is my contribution to the TOR project) So far I had to deal with few "easy" abuse reports (ssh scan, forum insults, spams, ...), I think i performed pretty well so far (thanks to Hetzner cooperation?) But today I just received this botnet related one. I do take this report seriously, I know that malware are more and more using the TOR network as an anonymous covert, I don't like malware, I don't like malicious botnet and I don't like spammers. Still I end up being identify as one of them. I knew from day one that it was a risky business to run an exit TOR node, but I want to stand up and fight. If only I can convince people of my right doing. First of all I am quite surprised that cert-bund.de (the complainant) didn't notice that I am a TOR exit node, so my first question (for people familiar with these guys) is: - How legit are these guys? Do they run for the German government? Are their simply trying to scare the shit out of me by citing europol.europa.eu, and us-cert.gov? (see redacted forwarded message below, my own opinion is "Yes") Then - Do they simply spam hosting company each time they have a probe sensing something somewhere (I know it's vague, but I can use that as a "this complainant is a spammer" kind of argument) Any other thoughts/remarks/comment on that matter? Regards, Chris Thought of the day: Nowadays it looks like server administrator tend to send abuse report each time they receive an illegal ping request! Testimony of the day: Last time I received an "SSH scan" abuse report, I sent back my SSH honeypot logs, which contains more than 5k login attempts per day. -------- Original Message -------- [..] ----- attachment ----- Dear Sir or Madam "Gameover Zeus" is malicious software which is primarily used by cybercriminals to carry out online banking fraud and to spy out login credentials for online services on infected PCs. It can also be used to install further malicious software (including blackmailing trojans such as "CryptoLocker" ransomware) on PCs or to carry out DDoS attacks. In a joint international campaign since the end of May 2014, law enforcement agencies, with the support of private sector partners, have taken action against the "Gameover Zeus" botnet [1]. As part of this campaign, it has now been possible to identify the IP addresses of systems infected with "Gameover Zeus" [2]. We are sending you a list of infected systems in your net area. Would you please examine the situation thoroughly and take appropriate measures to cleanse the systems. Sources: [1] Europol: International action against 'Gameover Zeus' botnet and 'CryptoLocker' ransomware <https://www.europol.europa.eu/content/international-action-against- gameover-zeus-botnet-and-cryptolocker-ransomware> [2] ShadowServer: Gameover Zeus & Cryptolocker <http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/> [3] US-CERT: GameOver Zeus P2P Malware <https://www.us-cert.gov/ncas/alerts/TA14-150A> A list of infected systems in your net area: [...] Kind regards, Team CERT-Bund

6 8