On Tue, Jul 12, 2016 at 10:10:56PM +0200, Markus Koch wrote:
running 3 exit nodes with HTTP + HTTPS (niftymouse, niftygerbil and niftyguineapig) on cheap VPSs and can confirm: They are heavily used and meaningful. Even with only HTTP + HTTPS. I got 12 abuse mails ... so you won't get rid of this issue but it will be way less. Please think about using less ports.
Most of the abuse that my ISP receives are TCP/80 bots. c2, virut, gozi, Zeus/Gameover, Tinba, pony, nymaim malware get lots of sinkhole hits, on average 3-6 abuse reports every hour. A government agency FICORA was interested in a case of Ramnit bot from my exit, but that's nothing surprising or alerting.
A majority of the > 8200 abuse reports are these autoreporter logs about these bots, so allowing ports 80 and 443 in my exit policy would not reduce the amount of abuse reports generated.
I am of the belief that my ISP would not actually see port 80 and 443 bots as being "malicious traffic" per AUP, but their recommendation for me was to start looking elsewhere with reverse DNS appropriately set for a Tor exit node. Still, they say they are pro-anonymity and have given me some leeway for that goal.
For me, it's not as meaningful to run an exit and deal with abuse complaints if it doesn't allow at least ports 22 (SSH), 80 (HTTPS), 110 (POP3), 143 (IMAP), 443 (HTTPS) and 6667 (6665-6669) (IRC). There's also a high barrier of entry to colocation services in Finland, so hosting an exit somewhere else in this country is not easy to accomplish.