> Note we believe some of these IPs are part of the Meris or Dvinis
> botnets. If you are a residential Internet service provider, it is
> possible that your customers' routers themselves have been
> compromised. You should research the Meris botnet and take
> appropriate actions to have them secure their CPE (customer-premises
> equipment).
This is probably the main reason those reports are being sent.
Meris is a huge botnet using (at least) tens of thousands of compromised routers.
Those notices were probably sent automatically to many ISPs hoping some of them would get their customers to fix their routers, and tor exits were probably just not filtered.