I agree with that assessment. This is not normal Tor traffic. Not sure about this particular Abuse notice but the ones I get always include both port 443 and 74. Tor has no business sending traffic to port 74 and even if these scans were relay discovery scans, They should point to the ORPort and not exclusively to port 443.

Once you click on the retest link, you'll get a notice within a few minutes informing you that the ticket has been closed. The next step which is your statement is just a legal formality. Personally, I don't try to argue my point or try to convince them of anything. They don't care and there's not much they can do. I just tell them I mitigated the problem and then I can go about my business and I'll be done wasting my time.


On 10/15/2025 6:56 AM, Ralph Seichter via tor-relays wrote:
* Marco Moock via tor-relays:


Tell them that this traffic is intended and you run TOR.

I don't recommend doing that, because an outbound netscan is neither
intended, nor might it be real to begin with. I have seen these reports
crop up between ca. 2-4 times per month for guard and middle nodes.
Looked like spoofed TCP traffic, which Hetzner's monitoring attributed
to hosts based on IP address alone. I interpret this as an attempt of
some third party to cause trouble for Tor operators aiming to stir up
conflicts with the ISP.

Keep in mind that while Hetzner does not prohibit Tor nodes, they do
prohibit disruptive use of their infrastructure. That includes port
scans. I find that the best course of action is to calmly process the
automated reports within the allotted timespan, verify/confirm that your
server did not in fact cause any malign traffic, and file it under "shit
happens". Yes, it is annoying, but I can understand that Hetzner is
trying to prevent being seen as a source of abusive behaviour.

-Ralph
_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org