I was wondering whether anyone could explain to me how a node gets the "Bad Exit" flag? The thing is this, my router: http://torstatus.blutmagie.de/router_detail.php?FP=6c7c819f808ac125c69e1d981... As you can see, it has the "Bad Exit" flag even though it's not an exit and hasn't been for months. So I suppose that's something manually assigned? To do with POP/IMAP sniffing honeypots maybe?
Seeing that quite a lot of people use unencrypted mail protocols over TOR, I wrote a script about a year ago to try and warn them about it:
- run ulogd and dsniff to capture logins
- try and do a login to the account to see if it succeeded, to see whether it's just an unsuccessful hacking attempt (dsniff doesn't tell me and I was too lazy to write something myself to check the response)
- if so, guess the full address. Either it's in the login or, if not, the server probably serves only one domain anyway and I use the reverse lookup
- send them a mail saying, hey, either you've been doing this yourself and it's a bad idea, or someone stole your credentials and is anonymously snooping around in your mail; in any case, change your password.
I suppose someone is doing the reverse and has some fake accounts that they access via TOR and then sees if there are any logins that are not theirs, to flag the respective exit as a bad guy. Still sounds like a good idea to me, but obviously it doesn't work when flagged as bad. Maybe someone can convince me otherwise or has an idea on how to coordinate the two things? Or am I completely off track here and the reason for the flag is something different?
cheers, Matthias