abuse report from relays in family 7EAAC49A7840D33B62FA276429F3B03C92AA9327

Hey all,

got an abuse report today from Hetzner concerning one middle relay we're running there.

allegedly, our relay has been port scanning (port 443 only) some members of https://metrics.torproject.org/rs.html#search/family:7EAAC49A7840D33B62FA276...
(just from family relays in 96.9.98.0/24 range, all using ORPort 443)

anyone else got similar abuse reports? or someone here from this relay family, that can clear things out with this isp?

thinking of replying to hetzner accordingly, let them know (with metrics link), that these are tor relays with 443 port open/accepting our middle relay connections, not port scans...

best,
d.

On 15.10.2025 09:02 "Dimitris T. via tor-relays" <tor-relays@lists.torproject.org> wrote:
> allegedly, our relay has been port scanning (port 443 only) some members of https://metrics.torproject.org/rs.html#search/family:7EAAC49A7840D33B62FA276...
> (just from family relays in 96.9.98.0/24 range, all using ORPort 443)

Did those relay operators really send an abuse report?
Can you ask Hetzner about the origin?

Can you check if those connections are established or terminated in an early TCP state?

--
kind regards
Marco

Send spam to abfall1760511772@stinkedores.dorfdsl.de

Hey,

On 15/10/25 10:11, Marco Moock wrote:
> Did those relay operators really send an abuse report?
> Can you ask Hetzner about the origin?

didn't notice at first, but this wasn't some abuse report from "portscanned" ISP. rather an internal hetzner report.

abuse report subject :
Abuse Message [AbuseID:xxxxxxx]: NetscanOutLevel: scansnarf-ng detected Netscan from xxx.xxx.xxx.xxx

body starts with :
"We have indications that there was an attack from your server. Please take all necessary measures to avoid this in the future and to solve the issue."

attaching their abuse report txt file.

best,
d.

On 15.10.2025 10:26 "Dimitris T. via tor-relays" <tor-relays@lists.torproject.org> wrote:
> body starts with :
> "We have indications that there was an attack from your server. Please take all necessary measures to avoid this in the future and to solve the issue."

Tell them that this traffic is intended and you run TOR.
Many other TOR relays are located in their ASN.

--
kind regards
Marco

Send spam to abfall1760516801@stinkedores.dorfdsl.de

* Marco Moock via tor-relays:
> Tell them that this traffic is intended and you run TOR.

I don't recommend doing that, because an outbound netscan is neither intended, nor might it be real to begin with. I have seen these reports crop up between ca. 2-4 times per month for guard and middle nodes. Looked like spoofed TCP traffic, which Hetzner's monitoring attributed to hosts based on IP address alone. I interpret this as an attempt of some third party to cause trouble for Tor operators aiming to stir up conflicts with the ISP.

Keep in mind that while Hetzner does not prohibit Tor nodes, they do prohibit disruptive use of their infrastructure. That includes port scans. I find that the best course of action is to calmly process the automated reports within the allotted timespan, verify/confirm that your server did not in fact cause any malign traffic, and file it under "shit happens". Yes, it is annoying, but I can understand that Hetzner is trying to prevent being seen as a source of abusive behaviour.

-Ralph

I agree with that assessment. This is not normal Tor traffic. Not sure about this particular Abuse notice but the ones I get always include both port 443 and 74. Tor has no business sending traffic to port 74 and even if these scans were relay discovery scans, they should point to the ORPort and not exclusively to port 443.

Once you click on the retest link, you'll get a notice within a few minutes informing you that the ticket has been closed. The next step which is your statement is just a legal formality. Personally, I don't try to argue my point or try to convince them of anything. They don't care and there's not much they can do. I just tell them I mitigated the problem and then I can go about my business and I'll be done wasting my time.

_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org
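
One way to carry out the check raised in the two messages above, namely whether each reported destination is a relay's ORPort or something Tor would not dial. This is an added example, not part of the thread; the consensus excerpt, the documentation-range addresses and the six-column report layout are constructed assumptions, and a real report may be laid out differently.

```python
import ipaddress

# Constructed consensus excerpt: documentation addresses, made-up relays.
# In an "r" line the last three fields are IPv4 address, ORPort and DirPort.
CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2025-10-15 06:00:00 192.0.2.10 443 0
s Fast Running Stable Valid
r relayB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2025-10-15 06:00:00 192.0.2.11 443 0
r relayC CCCCCCCCCCCCCCCCCCCCCCCCCCC 2025-10-15 06:00:00 192.0.2.12 9001 0
"""

# Constructed report lines. Assumed layout (not the provider's real format):
# date time src_ip src_port dst_ip dst_port
REPORT = """\
2025-10-15 05:58:01 203.0.113.5 41000 192.0.2.10 443
2025-10-15 05:58:01 203.0.113.5 41002 192.0.2.11 443
2025-10-15 05:58:02 203.0.113.5 41004 192.0.2.12 443
2025-10-15 05:58:02 203.0.113.5 41006 192.0.2.10 74
2025-10-15 05:58:03 203.0.113.5 41008 192.0.2.13 443
truncated line
"""


def endpoint(ip, port):
    """Return (IPv4Address, int) or None if either field is malformed."""
    try:
        return ipaddress.IPv4Address(ip), int(port)
    except ValueError:
        return None


def parse_orports(consensus_text):
    """Collect (address, ORPort) from every 'r' line of a consensus."""
    rows = (l.split() for l in consensus_text.splitlines())
    found = (endpoint(f[-3], f[-2]) for f in rows if len(f) >= 8 and f[0] == "r")
    return {e for e in found if e}


def parse_report(report_text):
    """Collect (dst address, dst port) from the assumed six-column layout."""
    rows = (l.split() for l in report_text.splitlines())
    found = (endpoint(f[4], f[5]) for f in rows if len(f) == 6)
    return [e for e in found if e]


def classify(targets, relays):
    """Sort reported destinations by whether a relay would plausibly dial them."""
    relay_hosts = {ip for ip, _ in relays}
    out = {"relay_orport": [], "relay_host_other_port": [], "not_a_relay": []}
    for ip, port in targets:
        if (ip, port) in relays:
            key = "relay_orport"           # ordinary relay-to-relay connection
        elif ip in relay_hosts:
            key = "relay_host_other_port"  # relay address, but not its ORPort
        else:
            key = "not_a_relay"            # address absent from the consensus
        out[key].append(f"{ip}:{port}")
    return out


if __name__ == "__main__":
    for key, hits in classify(parse_report(REPORT), parse_orports(CONSENSUS)).items():
        print(key, hits)
```

Entries that land outside `relay_orport` are the ones worth comparing against the server's own packet capture or firewall counters before answering the ticket.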

I get them from time to time and the address always is for major Tor operators who host numerous Tor servers on the whole block such as 64.65.1.0/24 , 64.65.62.0/24 , 96.9.98.0/24 , etc... These are not related to the operators filing an abuse report. These are automatically generated reports based on the behavior of your server and they are generally wrong because their automated system is simply too sensitive and comes up with a lot of false positives.

Simply block outgoing packets to the /24 block at the firewall level. Then click on the link they sent you to retest. It will be automatically tested and comes up clear. Then send them a message using the second link and tell them you blocked it at the firewall level and they'll close the ticket.

You can later remove the firewall rule and get on with your life. I've given up arguing with them about how and why they're wrong. They even once admitted that it was a false report and told me not to bother. In fact I just got another abuse report for an IP that's already blocked at the firewall level. They are telling me that my server is scanning port 74 of a range of IPs when outgoing port 74 is explicitly blocked on my server and it simply can't go out.

Chris, this is horrible advice. You're effectively promoting to become a bad node by knowingly and wilfully prohibiting circuits to certain exits.

Run this thought a bit further, eventually you will have banned all exits (and likely some middles too) and your node is effectively useless.

I sincerely hope I missed a /s somewhere here.

/r0cket

You certainly did miss the important part. You may want to read it again.

ok whatever chris said applies. no /24 block needed, our relay is down anyway (=runs on the clock w/ bandwidth meter).

so, replied to hetzner that this is normal tor traffic , not malicious (no port scans, no one got "offended" by it), hetzner re-check passed, and statement accepted.

seemed strange, cause it's the 1st time we got such an abuse report.. and we've been running this relay since 'tor challenge 2014' :)

thanks all for your answers, hopefully we can go on without getting too many of these false-positive abuse reports.

ciao,
d.

I'm tempted to agree with Chris. Though, the real solution is to apply with your regional IR for your own IP block. That would solve 99% of issues for Tor operators, but the club might be a little more exclusive. I'm not sure what's better for the network ultimately.

I have a meeting with ARIN today, à propos of this particular mail list.

~KJ

Hey,

I received the same abuse report from Hetzner. I’m running a relay as well. Interestingly, I get an abuse report about a port scan every few months, but the IPs in question always belong to the Tor network. In the past, this explanation has always been sufficient for them to close the report.

Best regards,
Justus

participants (7)
- Chris Enkidu-6
- Dimitris T.
- Justus Flerlage
- KJ
- Marco Moock
- R0cketCloud TOR Team
- Ralph Seichter