Hi Monkey Pet,
On Mon, Jan 23, 2017 at 05:57:42PM -0800, Monkey Pet wrote:
> I received the following email from my ISP, the IP belongs to the tor exit node. I am wondering if the DHS is sending it out to all tor exit nodes?
We receive Avalanche e-mails via our ISP, too. It started in early December. As our exit relays are in Germany, the sender is not the DHS but its German counterpart BSI/CERT-Bund (reports@reports.cert-bund.de). The English part of these e-mails reads as follows:
======================================================================
Dear Sir or Madam,
This is a notification about systems on your network that are most likely infected with malware.
With an internationally coordinated operation, law enforcement agencies took down the 'Avalanche' botnet infrastructure. The infrastructure was used by cybercriminals for controlling various botnets. Additional information is available at: https://www.europol.europa.eu/newsroom
In the course of this operation, domain names used by malware related to those botnets for contacting command-and-control servers operated by the criminals have been redirected to so called 'sinkholes'. Additional information on this technique is available at: https://reports.cert-bund.de/en/malware
Any connection to a sinkhole is usually a good indicator for the host sending the request being infected with an associated malware. CERT-Bund receives log data from the sinkholes for notification of the responsible network operators.
Please find below a list of logged requests to the sinkholes from your networks. Each record includes the IP address, a timestamp and the name of the corresponding malware family. If available, the record also includes the source port, target IP, target port and target hostname for each connection.
A value of 'generic' for the malware family means either a) the affected system connected to a domain name related to the Avalanche botnet infrastructure which could not be mapped to a particular malware family yet, or b) the HTTP request sent by the affected system did not include a domain name, so on the sinkhole it could not be determined which domain name the affected system resolved to connect to the respective IP address.
Most of the malware families reported here include functions for identity theft (harvesting of usernames and passwords) and/or online-banking fraud. Further information on the different malware families as well as additional help is available at: https://www.bsi-fuer-buerger.de/EN/avalanche
We would like to ask you to check the issues reported and to take appropriate action to get the infected hosts cleaned up or notify your customers accordingly.
This message is digitally signed using PGP. Information on the signature key is available at: https://reports.cert-bund.de/en/
Please note: This is an automatically generated message. Replying to the sender address is not possible. In case of questions, please contact certbund@bsi.bund.de.
======================================================================
In our understanding, there is nothing we can do. The e-mails do not even demand that we do anything. It is just a friendly warning that other people's computers are infected with malware, which we knew before.
The Tor project offers an RBL containing all current exit relays, so we would ask the sender of these e-mails to consult that list and stop bothering people who run Tor exit relays.
Cheers, Christian
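Added example (not code from Christian's mail, CERT-Bund or the Tor Project): a small Python triage script that performs the check the mail asks the sender to do, dropping sinkhole records whose source IP appears in a Tor exit-list snapshot close in time to the hit. The exit-list layout, the CSV column names, the fingerprints and all addresses are assumptions and constructed data.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed snapshot in the TorDNSEL bulk exit-list layout (assumed here:
# ExitNode/Published/LastStatus lines followed by "ExitAddress <ip> <time>").
# Fingerprints and addresses are made up.
EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2017-01-23 10:00:00
LastStatus 2017-01-23 11:00:00
ExitAddress 198.51.100.7 2017-01-23 11:23:45
ExitNode 0000000000000000000000000000000000000002
Published 2017-01-22 08:00:00
LastStatus 2017-01-22 09:00:00
ExitAddress 198.51.100.8 2017-01-22 09:10:00
ExitAddress 203.0.113.9 2017-01-22 09:10:00
"""

# Constructed sinkhole log using the fields the notification lists per record.
SINKHOLE_CSV = """\
ip,timestamp,malware,src_port,dst_ip,dst_port,dst_host
198.51.100.7,2017-01-23 12:01:02,generic,51234,192.0.2.10,80,sinkhole.example
192.0.2.55,2017-01-23 12:02:03,tinba,49000,192.0.2.10,80,sinkhole.example
203.0.113.9,2017-01-23 12:03:04,generic,52000,192.0.2.11,443,
"""

def parse_exit_list(text):
    """Return {exit_ip: last_seen} from every ExitAddress line."""
    exits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ExitAddress":
            exits[parts[1]] = datetime.strptime(f"{parts[2]} {parts[3]}", "%Y-%m-%d %H:%M:%S")
    return exits

def triage(sinkhole_csv, exit_list, max_age=timedelta(days=2)):
    """Split records into (actionable, suppressed): a hit is suppressed when its
    source IP was a Tor exit address within max_age, i.e. some Tor client's traffic."""
    exits = parse_exit_list(exit_list)
    actionable, suppressed = [], []
    for rec in csv.DictReader(io.StringIO(sinkhole_csv)):
        seen = exits.get(rec["ip"])
        hit = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
        if seen is not None and abs(hit - seen) <= max_age:
            suppressed.append(rec)
        else:
            actionable.append(rec)
    return actionable, suppressed
```

Calling `triage(SINKHOLE_CSV, EXIT_LIST)` on the constructed data suppresses the two exit-relay hits and leaves only the 192.0.2.55 record for follow-up.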