I agree with that assessment. This is not normal Tor traffic. Not sure about this particular Abuse notice but the ones I get always include both port 443 and 74. Tor has no business sending traffic to port 74 and even if these scans were relay discovery scans, They should point to the ORPort and not exclusively to port 443. Once you click on the retest link, you'll get a notice within a few minutes informing you that the ticket has been closed. The next step which is your statement is just a legal formality. Personally, I don't try to argue my point or try to convince them of anything. They don't care and there's not much they can do. I just tell them I mitigated the problem and then I can go about my business and I'll be done wasting my time. On 10/15/2025 6:56 AM, Ralph Seichter via tor-relays wrote:
* Marco Moock via tor-relays:
Tell them that this traffic is intended and you run TOR. I don't recommend doing that, because an outbound netscan is neither intended, nor might it be real to begin with. I have seen these reports crop up between ca. 2-4 times per month for guard and middle nodes. Looked like spoofed TCP traffic, which Hetzner's monitoring attributed to hosts based on IP address alone. I interpret this as an attempt of some third party to cause trouble for Tor operators aiming to stir up conflicts with the ISP.
Keep in mind that while Hetzner does not prohibit Tor nodes, they do prohibit disruptive use of their infrastructure. That includes port scans. I find that the best course of action is to calmly process the automated reports within the allotted timespan, verify/confirm that your server did not in fact cause any malign traffic, and file it under "shit happens". Yes, it is annoying, but I can understand that Hetzner is trying to prevent being seen as a source of abusive behaviour.
-Ralph _______________________________________________ tor-relays mailing list -- tor-relays@lists.torproject.org To unsubscribe send an email to tor-relays-leave@lists.torproject.org