On Sun, May 03, 2020 at 10:15:47PM +0200, lists@for-privacy.net wrote:
> Below is the information about the attack. Keep in mind that the source IP of our client has been sanitized for anonymity.
> Date: 04/30/2020
> Time: 11:05:37
> Time Zone: America/Chicago
> Source(s): 37.157.255.118
> Type of Attack/Scan: Generic
> Hosts: 10.10.10.182
> Log:
> 37.157.255.118:9002 > 10.10.10.182:24562
The person sending you this abuse complaint is deeply confused. My guess is that they are running some automated "attack detector" software, and the software is buggy and telling them things that are wrong.
If your relay were making connections to their user, it would not be using port 9002. It would be using some high-numbered port for the outgoing connection.
So what's likely happening here instead is that *their* user is contacting *your* relay -- that is, the person they call "our client" is a Tor user using your relay -- but their automated attack detector is not seeing the initial connection from their user to your relay, and it's misinterpreting the response from your relay to the user as an outgoing connection.
I get these sorts of automated abuse complaints a few times a year to moria1, my directory authority, and in many cases it's people running a Tor client or relay somewhere, and that somewhere's ISP really wants me to stop "attacking" their user, when actually what's happening is that their user contacts my relay a lot.
So in summary: there is nothing to fix, because the complaint is wrong about what's going on.
Whether you should respond depends on whether you need to answer your own hosting provider to keep them happy, and/or whether you want to try to engage with the stranger on the internet who doesn't yet understand that their own reporting software is buggy. :)
Hope that helps,
--Roger
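The port reasoning in the reply above can be applied mechanically when triaging such a complaint. The following is an added example, not part of the original message or of Tor's code: it reads a flow line in the complaint's format and checks whether the relay's end of the flow is one of its listening ports. It assumes 9002 is the relay's configured ORPort; the function names and the second sample line are constructed for illustration.

```python
import re
from ipaddress import ip_address

# "src_ip:src_port > dst_ip:dst_port" (IPv4), the form of the complaint's log line.
FLOW_RE = re.compile(r"^\s*([\d.]+):(\d+)\s*>\s*([\d.]+):(\d+)\s*$")


def parse_flow(line):
    """Parse one flow line into (src_ip, src_port, dst_ip, dst_port)."""
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized flow line: {line!r}")
    src, sport, dst, dport = m.groups()
    sport, dport = int(sport), int(dport)
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ValueError(f"port out of range in: {line!r}")
    return ip_address(src), sport, ip_address(dst), dport


def classify(line, relay_ip, listen_ports):
    """Say which side most likely opened the connection this packet belongs to."""
    src, sport, dst, dport = parse_flow(line)
    relay = ip_address(relay_ip)
    if src == relay:
        relay_port = sport
    elif dst == relay:
        relay_port = dport
    else:
        return "not-our-relay"
    # A listening port on the relay's end means the relay is the server side:
    # the peer connected in, and a relay-to-peer packet is only the reply.
    if relay_port in listen_ports:
        return "peer-initiated"
    # Otherwise the relay's end is an ephemeral port, as on an outgoing connection.
    return "relay-initiated"


if __name__ == "__main__":
    RELAY_IP = "37.157.255.118"   # source address named in the complaint
    LISTEN_PORTS = {9002}         # assumption: the relay's configured ORPort
    samples = [
        "37.157.255.118:9002 > 10.10.10.182:24562",   # line from the complaint
        "37.157.255.118:45120 > 10.10.10.182:443",    # constructed contrast case
    ]
    for s in samples:
        print(s, "->", classify(s, RELAY_IP, LISTEN_PORTS))
```

Note that 9002 is itself above 1024, so a "high port" threshold alone cannot separate the two cases; the check has to use the relay's actual listening ports.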