Hi,
A day or two ago, my Tor exit host, Psychz Networks, sent me complaints about my IPs being used to send "spam" despite me having blocked Port 25 (and 465/587) in the exit policy.
Psychz threatened to block Port 25 even when my exit policy explicitly blocks 25/465/587.
The URLs I got were from Cisco Talos:
* https://talosintelligence.com/reputation_center/lookup?search=104.149.136.24...
* https://talosintelligence.com/reputation_center/lookup?search=104.149.133.54...
Sometimes I think "is my FreeBSD exploited and being used to send spam", but then I also see Linux relays on other ISPs also on the blocklists.
Yes, I am aware Tor exit relays will land on blacklists. But getting complaints from spam is new, especially when my relays are blocking SMTP.
I am worried I would have to find a new host if they continue complaining. Darn, Psychz has been one of the more reliable exit hosts (on-and-off) for many years, although they are more vigilant on abuse than say BuyVM.
BuyVM is similarly priced (although my Psychz is a special offer) and solid but has too many exits. OVH and TerraHost only allow exits on much more expensive dedicated servers. Prgmr and HostMaze allow exits but have so-so peering.
I just hope Psychz doesn't continue to complain.
-Neel
Neel, Your Exit Policies do appear to be configured to block standard smtp ports. Reach out to Psychz and request mail headers for sample pieces of spam originating from the offending Exits in question. This will assist in determining whether the spam is destined for non-standard smtp ports and you can adjust your Exit policies from there.
Respectfully,
Gary
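Added example, not part of any post in this thread: one way to triage the sample headers Gary suggests requesting, by finding the Received hop that names the exit IP and checking whether that hop was handed over with HTTP (webmail) or SMTP. The header text, `192.0.2.10` and the helper name `triage` are constructed placeholders.

```python
import re
from email import message_from_string

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
EXIT_IPS = {"192.0.2.10"}   # placeholder for the relay's exit address

# Constructed headers: spam submitted through a webmail front end.
SAMPLE_WEBMAIL = """\
Received: from out.provider.example (out.provider.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id abc123;
\tTue, 03 May 2022 10:00:05 +0000
Received: from [192.0.2.10] by webmail.provider.example with HTTP;
\tTue, 03 May 2022 10:00:01 +0000
Subject: constructed sample

body
"""

# Constructed headers: the exit spoke SMTP to the recipient's server itself.
SAMPLE_SMTP = """\
Received: from unknown (HELO mail) ([192.0.2.10])
\tby mx.recipient.example with ESMTP id def456;
\tTue, 03 May 2022 11:00:00 +0000
Subject: constructed sample

body
"""

def triage(raw_message, exit_ips):
    """Return (ip, receiving_host, verdict) for each hop handed over by an exit IP."""
    findings = []
    for value in message_from_string(raw_message).get_all("Received", []):
        hop = " ".join(value.split()).split(";", 1)[0]   # unfold, drop timestamp
        from_part, _, rest = hop.partition(" by ")
        match = re.search(r"\bwith (\S+)", rest)
        proto = match.group(1).upper() if match else ""
        if proto.startswith("HTTP"):
            verdict = "webmail"       # submitted over 80/443, not an SMTP port
        elif "SMTP" in proto:
            verdict = "direct-smtp"   # exit connected to a mail server directly
        else:
            verdict = "unknown"
        by_host = rest.split()[0] if rest else "?"
        for ip in IPV4.findall(from_part):
            if ip in exit_ips:
                findings.append((ip, by_host, verdict))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_WEBMAIL, SAMPLE_SMTP):
        print(triage(sample, EXIT_IPS))
```

Received headers do not normally record the destination port, so a `direct-smtp` result only says that some port the exit policy still allows reached a mail server; which port has to come from the complainant or the receiving host's logs.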
On Tuesday, May 3, 2022 8:42:20 PM CEST Neel Chauhan wrote:
> A day or two ago, my Tor exit host, Psychz Networks, sent me complaints about my IPs being used to send "spam" despite me having blocked Port 25 (and 465/587) in the exit policy.
> Psychz threatened to block Port 25 even when my exit policy explicitly blocks 25/465/587.
Yes, unfortunately you get this SPAM abuse, although it is clear that the mail was submitted via a webmailer :-(
> Sometimes I think "is my FreeBSD exploited and being used to send spam", but then I also see Linux relays on other ISPs also on the blocklists.
It's actually very unlikely that a longer running exit can send mails. ;-) I can't even send myself log mails from my exit IPs because all IPs are blacklisted. On abusix.com and similar.
> Yes, I am aware Tor exit relays will land on blacklists. But getting complaints from spam is new, especially when my relays are blocking SMTP.
> I am worried I would have to find a new host if they continue complaining. Darn, Psychz has been one of the more reliable exit hosts (on-and-off) for many years, although they are more vigilant on abuse than say BuyVM.
If possible, try to get an ARIN SWIP record: https://blog.torproject.org/tips-running-exit-node/ 5. Get ARIN registration
99% of the abuse is f*cking auto-generated stuff from tools like fail2ban. If you reply, you will not get an answer or 'message is undeliverable' back.
> BuyVM is similarly priced (although my Psychz is a special offer) and solid but has too many exits. OVH and TerraHost only allow exits on much more expensive dedicated servers. Prgmr and HostMaze allow exits but have so-so peering.
https://rdp.sh/ is not overcrowded yet.
> I just hope Psychz doesn't continue to complain.
We all hope with you. As I've mentioned here before, IPv6 only relays are important. An AS with IPv6/48 is affordable. Then it's much easier to set up your own bulletproof ISP.
Hi,
On 2022-05-04 12:31, lists@for-privacy.net wrote:
> Yes, unfortunately you get this SPAM abuse, although it is clear that the mail was submitted via a webmailer :-(
Probably true.
> > Sometimes I think "is my FreeBSD exploited and being used to send spam", but then I also see Linux relays on other ISPs also on the blocklists.
> It's actually very unlikely that a longer running exit can send mails. ;-) I can't even send myself log mails from my exit IPs because all IPs are blacklisted. On abusix.com and similar.
If you need to send emails, you could:
a. use Sendgrid or Mailgun or whatever to send emails if they don't block exit IPs from connecting to their SMTP relays
b. Run your own SMTP relay on a $3.5 VPS to forward emails
> If possible, try to get an ARIN SWIP record: https://blog.torproject.org/tips-running-exit-node/ 5. Get ARIN registration
I could look into that. I do have an LLC that I could use for the SWIP record if needed.
> 99% of the abuse is f*cking auto-generated stuff from tools like fail2ban. If you reply, you will not get an answer or 'message is undeliverable' back.
Probably true.
Psychz is still more automated but not so much, but I do know some hosts where abuse is very automated to the extent that they ignore automated complaints. Think AWS, Azure, OVH, or DigitalOcean, or a Big Telecom provider like Comcast, AT&T, Deutsche Telekom, Telefonica, etc.
On the opposite end of the spectrum, some hosts such as GTHost and Primcast both asked me to turn off my exit relay due to "too much abuse" because their abuse departments are very manual.
> > BuyVM is similarly priced (although my Psychz is a special offer) and solid but has too many exits. OVH and TerraHost only allow exits on much more expensive dedicated servers. Prgmr and HostMaze allow exits but have so-so peering.
> https://rdp.sh/ is not overcrowded yet.
Thanks for the suggestion.
I prefer to run my exits on FreeBSD (well, I am a FreeBSD committer), but I will keep rdp.sh in mind in case I need a new host.
> We all hope with you. As I've mentioned here before, IPv6 only relays are important. An AS with IPv6/48 is affordable. Then it's much easier to set up your own bulletproof ISP.
That sounds good :-). I'd love to have my own ASN, but don't have the mental or financial bandwidth to do this right now.
Fortunately Psychz got off my case, for now at least :-).
-Neel
------- Original Message ------- On Wednesday, May 4th, 2022 at 11:16, Neel Chauhan neel@neelc.org wrote:
> If you need to send emails, you could:
> a. use Sendgrid or Mailgun or whatever to send emails if they don't block exit IPs from connecting to their SMTP relays
> b. Run your own SMTP relay on a $3.5 VPS to forward emails
You could also run an SMTP-to-something else protocol bridge to work around it. I use a fake SMTP server that relays every message it gets over XMPP to work around that problem.
The Doctor [412/724/301/703/415/510] WWW: https://drwho.virtadpt.net/ The old world is dying, and the new world struggles to be born. Now is the time of monsters.
On Thursday, May 5, 2022 3:57:02 PM CEST The Doctor wrote:
> ------- Original Message -------
> On Wednesday, May 4th, 2022 at 11:16, Neel Chauhan neel@neelc.org wrote:
> > If you need to send emails, you could:
> > a. use Sendgrid or Mailgun or whatever to send emails if they don't block exit IPs from connecting to their SMTP relays
> > b. Run your own SMTP relay on a $3.5 VPS to forward emails
> You could also run an SMTP-to-something else protocol bridge to work around it. I use a fake SMTP server that relays every message it gets over XMPP to work around that problem.
> The Doctor [412/724/301/703/415/510]
Thanks, Neel and yl had already messaged me privately. I replied to them yesterday. I had already solved the problem, unattended-upgrades and logcheck mails reach me again.
Actually, I should know that we should avoid exit IPs for DNS, mail and other things. I configured nullmailer as usual, then it takes the first IP and interface it finds. I was sending mail as a client through|to my DNS provider's SMTP server 'easydns.com'. They recently started using abusix before smtpauth as well. Only a /27 are exit IPs per server. Now the mail goes out on a completely different subnet and network card.
Well I could have pinged Mark Jeftovic @ easyDNS too, please whitelist _my_ IP for _my_ mailbox. Or sending mail out via the SMTP server from IN-Berlin, like my iRMC (BMC) do.
On 5/4/22 14:31, lists@for-privacy.net wrote:
> It's actually very unlikely that a longer running exit can send mails. ;-) I can't even send myself log mails from my exit IPs because all IPs are blacklisted. On abusix.com and similar.
I wonder if you could use msmtp to replace sendmail and then send your mail as a client via some SMTP server. Wonder if these mail providers check users' IPs towards blacklists?
Hello Neel, I found in the past year that these Spam abuse complaints are about Spam sent via some webmailer, so someone uses port 80/443 and then sends spam via an email provider's website. Very strange they even report this as spam.
Regards yl