On 9/28/20 1:54 PM, Matt Corallo wrote:
Different folks have different views on abuse reports, and that's perfectly OK. But "taking it up with list XYZ" isn't going to change that (see discussion on NANOG a few months ago on this very topic =D) - people are always going to have their own views on whose responsibility it is to solve "abuse" (under their current definition).
What are you defining it as here? I can't see that there is going to be much disagreement that abuse such as what these reports are probably about can only be solved at the hosting provider or ISP level where it originates. No one else has the ability to do anything about it. The problem you are identifying is that there are a lot of over-zealous or poorly written automated scripts that like to notify abuse sources without much intelligence in regard to rate limiting or response handling, etc. I think if you create a thoughtful message to include in your rejection text, it is absolutely within reason to try and let them know that they are becoming part of the problem if they don't engage with you.
Of course, it's important to note in this context that there's still a lot of education that has to happen about what Tor is and/or reminding operators of those automated systems that they should skip Tor relays.
My personal abuse policy is "I try to help you, but if you keep sending the same automated stuff over and over and don't reply when I reach out, I drop your mails".
It's hard to create a globally applicable blocklist for something like this of any size, since by definition, you have to try to work with them manually before adding anyone to the list. I certainly don't blame you for keeping and sharing such a list, though.
On Fri, October 9, 2020 7:13 pm, Mike Perry wrote:
Absolutely. I suspect the problem is ideological. The abuse resolution camp seems to largely subscribe to the "force ISPs to identify abusers and ban them" model. They do not want to hear about mitigation strategies or alternatives, other than their banhammer and abuse notice spamming approaches. Making a banlist of banhammer spammers like that is a brilliant move.
What is this problematic ideology you are pointing out? What is your alternative? Why do you think it's so terrible to alert ISPs and hosting providers about abuse originating from their systems? I find those alerts immensely helpful as opposed to finding out some time later that a system I manage is on some RBL or other block list. Not that many want to share their intelligence gathering (especially spamtrap data), so getting alerts can be highly valuable and quite welcome to a lot of operators.
Just because there are some systems that send out notices relentlessly with poor rate limiting and no knowledge of Tor relays/exits does not mean the model itself is wrong-headed. It just means some people wrote some naive notification systems (and as Matt found, they may be poor at actual engagement or do not provide a means to opt out). ISPs and hosting providers can and should be notified about abuse activity and they should be held responsible for shutting down abusive actors on their networks. Whether or not the recipient of the abuse mitigates its effects is beside the point.
I grew so tired of my personal email server constantly ending up in DNSRBLs for no reason (even with DKIM and SPF), that after 20 years of DIY email, I was forced to move to a paid provider.
I hear personal frustration rather than pointing out any problem. Keeping an email server clear of RBLs is real work, but also not that hard if you try (make sure you aren't renting in a cheap neighborhood where spammers are allowed to flourish, don't run it on the same IP as a Tor node (especially if you exit port 25), enforce good password policy, rate limit or monitor your outgoing mail flow, etc.). I doubt anyone "forced" you... rather, you didn't have the expertise or time and felt the tradeoff was worth paying someone else to take on that work.
This model is broken, its assumptions are contrary to our values
What, that abuse should never be pointed out and we "just deal with it" and let it proliferate? Are "our values" that everyone should have perfectly hardened systems against all possible forms of attack and ignore all responsibility of the originating side... because anyone should be free to do what they want with their device on the network??
Tor is of great value, but you have to see that it is in a unique position and that the standard Tor operator's response of "it didn't originate here and I don't know where it did, so no one can help you with this" is a bitter pill to swallow for people who are trying to chase down abusive actors. That's the way it is - a trade-off we have to accept for a certain freedom and anonymity on the net, but you are conflating ill-informed and ill-constructed notification bots acting on Tor nodes (and your unfortunate experience trying to run a mail server?) with a good and necessary model for use on the clearnet.
and it serves to support the business interests of tech oligarchs that believe that the world should be run by a handful of oligarchical ISPs and email providers, with government-issued identity for all.
This conclusion is quite a reach.
In the Tor world, abuse talk is usually centered on education for the reporting party that the source isn't where they think it is. That is going to be an ongoing battle. But because everyone running a Tor node gets to throw up their hands at the abuse reports and pass the buck does not at all mean tracking down abuse is a poor endeavor. Of course, if everyone fixed their DNS servers, amplification attacks would be a thing of the past. If everyone had better security chops in general, you wouldn't have so many easily cracked abuse sources. But the reality is that there is a variety of experience levels for operators on the net and a lot of vulnerable systems... unfortunately, those people are going to need help, and prodding them or blocklisting them is one of the most effective ways to get their attention. If your clearnet service keeps ending up on blocklists, the best conclusion is that maybe you are in the wrong line of work rather than griping about blocklist operators.
No one should argue that certain notifying parties shouldn't make themselves more Tor-aware or provide better engagement, rate limiting or opt-out mechanisms. But it's hard to hear personal annoyance be leveraged to conclude that fighting abuse is not a necessary endeavor. Abuse at any level, be it attacks against Tor's anonymity, abuse carried out over the Tor network and sucking up relay operators' resources, or the myriad of attacks on the clearnet, is a major headache for everyone. Operators who are unaware of its existence on their systems deserve (and often desire) notification of such.