Hi all,
I run a Tor exit node, and I received an abuse complain from Webiron. In this mail, I can read the following: "If you run a VPN, anonymizer service (like a TOR exit or proxy node), or business intelligence not contracted with the site owner, then we request that the targeted range be blocked from your service. If it is being blocked, then it's at the right and choice of our clients to refuse access." So if I understand correctly, they ask me to block the targeted range they give me in this report.
I know I can block this IP range by adding it to my exit policy, but I would like to know how others exit node operators manage these type of requests, because I ask myself if it is not against tor philosophy to block access to a specific network to Tor users.
Thanks all in advance for your answers.
Best regards,
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
I receive the Webiron abuse complaints too. You can opt-out of their e-mails as I personally also do not like restricting access to specific networks.
For the relays I run which are in a SWIP-ed IP range redirecting the abuse to myself I just ignore them. I do however have a few relays without IP addresses on my own name for which I did have to add a reported range to the exit policy to prevent an angry hoster.
It is up to yourself to decide what you can and want to do with it. Better have a relay which stays running but restricting access to one /24 range than have it offline as a whole.
Just my two cents.
On 7/5/15 7:21 PM, Patrick ZAJDA wrote:
Hi all,
I run a Tor exit node, and I received an abuse complain from Webiron. In this mail, I can read the following: "If you run a VPN, anonymizer service (like a TOR exit or proxy node), or business intelligence not contracted with the site owner, then we request that the targeted range be blocked from your service. If it is being blocked, then it's at the right and choice of our clients to refuse access." So if I understand correctly, they ask me to block the targeted range they give me in this report.
I know I can block this IP range by adding it to my exit policy, but I would like to know how others exit node operators manage these type of requests, because I ask myself if it is not against tor philosophy to block access to a specific network to Tor users.
Thanks all in advance for your answers.
Best regards,
- -- Tim Semeijn Babylon Network pgp 0x5B8A4DDF
To add to this, it might be worth noting that they will likely block (or attempt to block) your IP address from their network regardless of if you add their network to you exit policies. What this will mean is that anyone attempting to access their network through your exit node will be met with either a block page or a network-level error (connection timeout or connection reset or refused), at least until your IP changes. If you do add this network to your exit policy, then those requests will be routed to nodes that may not have been picked up by that network and would be able to access the services behind it.
That's the way I look at the issue, in any case.
On 07/05/2015 07:21 PM, Patrick ZAJDA wrote:
I know I can block this IP range by adding it to my exit policy, but I would like to know how others exit node operators manage these type of requests, because I ask myself if it is not against tor philosophy to block access to a specific network to Tor users.
If the provider specifically requests it, you can try to argue, but I doubt it will get you anywhere. So far we have been able to avoid most blocks by arguing that we only run a fraction of exits and attackers will be routed around it without even noticing.
Alternatively, tell them you have blocked the destination range for 180 days (or something). Maybe this is already enough.
Hi,
Usually those are automated messages. I get them all the time as well. They are just relaying abuse messages. The text in their message is standard, and includes all cases so to say. If you scroll down the email, you will see the target IP and few logs. Usually this is the result of automated scripts talking directly to Webiron, which send the message automatically (no humans involved) to the abuse handle of a certain IP address.
I recommend you not to take any action unless you are contacted by humans, with real abuse reasons. Then, you explain what Tor is, provide some links, and if the reporter is still concerned and insists explicitly, you could block his IP ranges from your exit. I don't see why a sane person would ask for this, since this can be better implemented at their side, with few firewall rules...
On 7/5/2015 8:21 PM, Patrick ZAJDA wrote:
Hi all,
I run a Tor exit node, and I received an abuse complain from Webiron. In this mail, I can read the following: "If you run a VPN, anonymizer service (like a TOR exit or proxy node), or business intelligence not contracted with the site owner, then we request that the targeted range be blocked from your service. If it is being blocked, then it's at the right and choice of our clients to refuse access." So if I understand correctly, they ask me to block the targeted range they give me in this report.
I know I can block this IP range by adding it to my exit policy, but I would like to know how others exit node operators manage these type of requests, because I ask myself if it is not against tor philosophy to block access to a specific network to Tor users.
Thanks all in advance for your answers.
Best regards,
tor-relays@lists.torproject.org
-
Moritz Bartl -
Patrick ZAJDA -
s7r -
Tim Semeijn -
Tor Relays at brwyatt.net