Hello fellow relay operators,
I have received word from my ISP that they detected malicious traffic from my account. I'm running the exit node "cave" with reduced exit policy,
https://atlas.torproject.org/#details/3875c9c843d33762fa733bcaf128f26a10bc75...
The information received from my ISP was:
infection => 'kelihos', subtype => 'kelihos.e', port => '52935', asn => '209', family => 'kelihos', sourceSummary => 'Drone Report'
Typically they will also provide an IP address related to the infection, which is usually a sinkhole. The solution is to block the IP in my exit policy. However no IP was provided in this report and there is not one available, since my ISP is just relaying information they receive from a 3rd party detection agency. Furthermore, the port mentioned, 52935, is not allowed in my exit policy, so I'm guessing that port is somewhere else...
Any ideas about this "infection" and how we could prevent it from using our exit nodes?
Thanks