Banned by Spamhaus and AWS
I have been running a non-exit Tor relay since Snowden and a The Guardian journalist used Tor. I am doing it using my public ip on my home network. 1Tbyte/day roughly.
Starting a year ago I was excluded from the Danish "internal revenue services" - skat.dk. However, using the Tor-browser I could still perform my duties there...
Now! From May this year, my ip over and over again got listed at Spamhaus. My gateway only allows my MTA to use the ports 25, 465 and 587. Mysterious! Spamhaus' services are used a lot, so it seriously limits who we can send mails to!
Spamhaus claims the following:
Why was this IP listed?
a.b.c.d has been classified as part of a proxy network. There is a type of malware using this IP that installs a proxy that can be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.
The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc, but also iPads, and Windows computers - that is using your IP to send spam DIRECTLY to the internet via port 25: This is very often the result of third party "free" apps like VPNs, channel unlockers, streaming, etc being installed on someone's personal device, usually a phone.
After a thorough search for "infections" - including finding out that some Tor-relays are using port 465 and 587 as or-port - I caved in and stopped my tor-relay. After a few days the miracle happened: my ban at Spamhaus was lifted _and_ I was allowed access to skat.dk directly.
My conclusions based on my experiments so far are: Spamhaus falsely considers my Tor relay as malware and so does AWS. (Skat.dk are performing their services at AWS - judging from the ip's used.)
Help!!!
/Ole
PS: no PTR-record relates my domain and ip and Google's DNS-services are used.
PPS: I have opened a number of tickets at Spamhaus. However, I have not been successful in having a meaningful conversation with them - so far.
On 6/13/26 08:26, Ole Rydahl via tor-relays wrote:
I have been running a non-exit Tor relay since Snowden and a The Guardian journalist used Tor.
Awesome. We're in the same club. Consistent trusted operators are a vital component in the network. You matter.
I am doing it using my public ip on my home network. 1Tbyte/day roughly.
Nice bandwidth, but residential IP and public Tor node aren't a good mix...
Starting a year ago I was excluded from the Danish "internal revenue services" - skat.dk. However, using the Tor-browser I could still perform my duties there... Now! From May this year, my ip over and over again got listed at Spamhaus. My gateway only allows my MTA to use the ports 25, 465 and 587. Mysterious! Spamhaus' services are used a lot, so it seriously limits who we can send mails to!
Spamhaus claims the following:
Why was this IP listed?
a.b.c.d has been classified as part of a proxy network. There is a type of malware using this IP that installs a proxy that can be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.
The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc, but also iPads, and Windows computers - that is using your IP to send spam DIRECTLY to the internet via port 25: This is very often the result of third party "free" apps like VPNs, channel unlockers, streaming, etc being installed on someone's personal device, usually a phone.
After a thorough search for "infections" - including finding out that some Tor-relays are using port 465 and 587 as or-port - I caved in and stopped my tor-relay. After a few days the miracle happened: my ban at Spamhaus was lifted _and_ I was allowed access to skat.dk directly.
My conclusions based on my experiments so far are: Spamhaus falsely considers my Tor relay as malware and so does AWS. (Skat.dk are performing their services at AWS - judging from the ip's used.)
Help!!!
In short, welcome to amateur hour in network security, which is now the norm. The new lazy is blocklists inclusive of all public Tor nodes, including non-exits, because it provides some delusion of increased security. Then tons of networks are subscribing to these lists to make security "easy."
I'm actually shocked you ran a public relay for that long on a residential IP and haven't had any issues before.
I would do this: don't run a public Tor node (including a non-exit) on a residential network. You will find that many of your providers, such as banks, will subscribe to these primitive blocklists. Your experience is not unique.
Get a "clean" IP and run a vanilla bridge or a snowflake proxy, etc. If possible, you might get an additional IP for egress network traffic, if you really do want to continue running that public node.
If you have the energy, you might reach out to the dk IRS, etc and make your case. The bigger battle is convincing the Spamhauses and AWSes of the world.
Sorry for your hassles, but in times like these, persistence is sometimes a requirement.
g
-- A3F5 9814 DDDC 2FAA E485 C354 7226 51EA 22B6 D315
On 13.06.26 at 16:09, George via tor-relays wrote:
Nice bandwidth, but residential IP and public Tor node aren't a good mix...
Such relays have a high value, as their IP addresses are often changing and that means that blocking them is a bit harder and involves overblocking.
-- Regards, Marco
Please send trash and spam to abfalleimer2002@stinkedores.dorfdsl.de
* Marco Moock via tor-relays:
On 13.06.26 at 16:09, George via tor-relays wrote:
Nice bandwidth, but residential IP and public Tor node aren't a good mix...
Such relays have a high value, as their IP addresses are often changing and that means that blocking them is a bit harder and involves overblocking.
If by "often changing" you mean that ISPs assign new IP addresses from their pool to their residential customers: Deutsche Telekom used to do this every 24 hours, but that is no longer set in stone. I typically see my residential, non-business IP address change every couple of weeks.
Besides, I expect different countries to follow different rules. Ole lives in Denmark, if I am not mistaken? No idea how IP assignments are handled there.
I agree with George that running a public Tor node in your residence is not ideal. Too much potential for trouble for my taste.
-Ralph
My ip is fixed and public. A paid for service from my isp. 1Gbit fiber, public fixed ip4 and /48 ipv6 delegation. The volume has been pretty constant during the last couple of years (695.0 TB in total). Spamhaus listings started early May this year.
/Ole
Hi there,
I'm running also on a Residential-IP, but my IPv4 is not listed in Spamhaus - I only have that PBL-Entry which means I'm residential and should not run E-Mail Servers. But I'm not pumping as much traffic as you do :D
Could you check on Cisco Talos (https://talosintelligence.com/) about your Mail Volume? Mine is zero, and maybe it would hint that there might be a real security concern, if excessive Mail-Volume is indeed detected.
Personally I never had any issues, except for rare IPv4 only Targets. All of my Clients use GUA-IPv6 Addresses, so their IP will never be on a blocklist, and luckily most banks support IPv6. Only the German BSI Website is still stuck in 1981 and has no IPv6 implemented so far and therefore are blocking me. Maybe this can be a solution for you as well?
But I would really check the Mail volumes!
Best Regards,
Joker
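An added example, not part of any poster's message: one way to check, from gateway connection logs, the two questions raised in this thread, namely whether any device other than the MTA reaches ports 25, 465 or 587, and whether such flows are relay-to-relay connections to an ORPort on a mail port. The log format, LAN addresses and relay list below are constructed assumptions.

```python
import ipaddress
from collections import Counter

MAIL_PORTS = {25, 465, 587}

# Constructed sample data (private and documentation ranges), not from the thread.
MTA_HOST = "192.168.1.10"      # assumed LAN address of the mail server
# Assumed (address, ORPort) pairs, as an operator could extract from the Tor consensus.
KNOWN_ORPORTS = {("198.51.100.7", 465), ("203.0.113.44", 587)}
SAMPLE_LOG = """\
2026-05-03T10:00:01 src=192.168.1.10 dst=203.0.113.5 dport=25
2026-05-03T10:00:02 src=192.168.1.20 dst=198.51.100.7 dport=465
2026-05-03T10:00:03 src=192.168.1.20 dst=203.0.113.44 dport=587
2026-05-03T10:00:04 src=192.168.1.20 dst=203.0.113.9 dport=9001
2026-05-03T10:00:05 src=192.168.1.55 dst=203.0.113.80 dport=25
malformed line without fields
"""

def parse(line):
    """Return (src, dst, dport), or None for lines that do not parse."""
    fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
    try:
        src = str(ipaddress.ip_address(fields["src"]))
        dst = str(ipaddress.ip_address(fields["dst"]))
        return src, dst, int(fields["dport"])
    except (KeyError, ValueError):
        return None

def classify(log_text, mta=MTA_HOST, orports=KNOWN_ORPORTS):
    """Count outbound mail-port flows per (source host, verdict)."""
    verdicts = Counter()
    for line in log_text.splitlines():
        flow = parse(line)
        if flow is None or flow[2] not in MAIL_PORTS:
            continue  # unparseable line or not a mail port
        src, dst, dport = flow
        if src == mta:
            verdict = "mta"            # expected mail traffic
        elif (dst, dport) in orports:
            verdict = "tor-orport"     # relay-to-relay traffic on a mail port
        else:
            verdict = "unexplained"    # investigate this device first
        verdicts[(src, verdict)] += 1
    return verdicts

if __name__ == "__main__":
    for (src, verdict), n in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict:12} {n}")
```
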
On 13/06/2026 16.09, George via tor-relays wrote:
If you have the energy, you might reach out to the dk IRS, etc and make your case. [...]
If you decide to do this Ole, then I'd love to back you up on this. Danish government services have had a plethora of privacy issues lately, such as walling the parliament website behind Cloudflare and of course AltID's age proofs not being anonymous. I've managed to get by with hosting residential relays here for quite a while as well, but alas I also had to drop the exit policies. I'm sure the amazing people at the IT Politisk forening mailing list would love to hear about this as well. — mib
Thank you! The Danish irs doesn't know what's going on inside their own systems - they seem to have lost track! I have piles of correspondence with them, but - given my age - I gave up! I am in a process of shifting ISP to one that allows me to have a proper PTR-record. I hope that will cure the Spamhaus problem. The new public ip works fine with the irs - for now...
Regards
Ole