Hi!
In regular intervals, people ask me what it takes to run a large number of exit relays. Let me try to document a few steps that I think you need to take to become a Large Tor Operator (TM).
1) Think about registering a (non-profit) association. At least in Germany this helps with liability, and in general it helps to appear bigger than you are (and less likely to get raided). What we did was try and find a lawyer who would agree to "host" us inside his office. We succeeded, and now are a non-profit registered inside a lawyers office. How cool is that? :)
2) Register a fax number. At least law enforcement in Germany regularly uses the fax number present in IP records. We use a free German fax-to-email service, www.call-manager.de.
3) Register a phone number. The IP records should contain a phone number for abuse reports, and you don't want that to be your personal phone number. We use Sipgate One, a German VoIP service that redirects calls to cellphones and Skype for free.
4) Create handles for your organization at ARIN and/or RIPE. Example record: https://apps.db.ripe.net/whois/lookup/ripe/person-role/MB22990-RIPE.html With RIPE, it works far better, most abuse reports will hit you and not that of your upstream. Having your own IP records is a key element for abuse handling.
5) Find a good ISP. This is going to be a hard one. But not too hard. Go through forums and sites where ISPs posts their latest deals, and contact them about Tor hosting. We usually divide it into a two-step process: We first ask if they were okay with a Tor exit, and with reassignment of the IP range - no details in the first mail! When they come back positively, or somewhat worried, you can still explain that you are a non-profit superb large organization filled with security professionals, and that all will be good. The two step process usually helps in elevating your request to higher levels of support staff and without scaring them off to early. See also https://www.torservers.net/wiki/hoster/inquiry
5a) Still find a good ISP. A good ISP is one that offers cheap bandwidth and is not being used by other members of the Tor community.
6) Be quick in answering abuse. We receive a very small number of complaints, given that we run high bandwith nodes. I am actually still surprised how few complaints we get. Roughly 80% are automated reports, which we ignore, and for the rest it is usually good enough to send our default template. See https://www.torservers.net/wiki/abuse/templates and https://www.torservers.net/wiki/abuse/dmca
For police inquiries, we usually give them a one-liner (something like "As a German organization, we fully comply with Telemediengesetz §15 (the German telemedia law), which prohibits to log any user identifiable data or usage data unless required for billing purposes."). We get one policy inquiry per quarter on average.
What did I forget?
On Wed, Jul 11, 2012, at 02:33 PM, Moritz Bartl wrote:
Roughly 80% are automated reports, which we ignore,
How do you decide which are automated? GD
They usually say that they are ;-) and very often there are 10-15 identical Mails.
Actually I can offer to publish a bunch of those abuse mails if there is interest. Just need to find some time to polish them a little- anonymize stuff and maybe make some pretty statistics.
Julian
Am Mittwoch, 11. Juli 2012, 14:33:55 schrieb Moritz Bartl:
- Be quick in answering abuse.
We receive a very small number of complaints, given that we run high bandwith nodes. I am actually still surprised how few complaints we get. Roughly 80% are automated reports, which we ignore, and for the rest it is usually good enough to send our default template. See https://www.torservers.net/wiki/abuse/templates and https://www.torservers.net/wiki/abuse/dmca
Can you tell how many abuse messages you receive per week?
Regards
On 11 jul. 2012, at 22:05, tor-admin wrote:
Can you tell how many abuse messages you receive per week?
I am running one exit relay for a couple of months now and I have seen less than one notification a month.
When running an exit relay I had one FBI visit, one other LE inquiry(both bomb threats), and would get anywhere from 0-15 webmail related spam notices, averaging ~2 a month. This was with the reduced exit node policy in place.
Andrew
On Jul 11, 2012, at 4:51 PM, Rejo Zenger rejo@zenger.nl wrote:
On 11 jul. 2012, at 22:05, tor-admin wrote:
Can you tell how many abuse messages you receive per week?
I am running one exit relay for a couple of months now and I have seen less than one notification a month.
-- Rejo Zenger . rejo@zenger.nl . 0x21DBEFD4 . https://rejo.zenger.nl GPG encrypted e-mail preferred . +31.6.39642738 . @rejozenger
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Am Mittwoch, 11. Juli 2012, 14:33:55 schrieb Moritz Bartl:
- Be quick in answering abuse. We receive a very small number of
complaints, given that we run high bandwith nodes. I am actually still surprised how few complaints we get. Roughly 80% are automated reports, which we ignore, and for the rest it is usually good enough to send our default template. See https://www.torservers.net/wiki/abuse/templates and https://www.torservers.net/wiki/abuse/dmca
Can you tell how many abuse messages you receive per week?
Regards
Short answer: ~110 of which we ignore 105 Long answer: About 15 automated abuses from MediaSentry, Icecat, IP-Echelon and the likes per day, which we used to automatically answer, but don't bother about, any more. Then there are celepar.pr.gov.br and SpamCop from whom we receive the occasional email and an average of 4-5 regular, "legit" abuse mails/calls per week. Those are not evenly distributd however! There are certain "abuse peaks" where we get a lot followed, usually, by getting none for some time. I also have a feeling (needs confirmation by me sitting down and plotting our abuses) that it has been getting less abuse mails over the last year.
Overall those add up to ~110 abuse mails a week of which 105 are automated and belong to senders who apparently don't care about what we do/don't care about getting an answer at all/don't react in any way, like MediaSentry who weren't even reachable by phone. There are of course, also legit automated abuse mails - I've once had a wonderful conversation with a guy who apparently also hosts a Tor node after one of his system's ids sent an email to us, which I replied.
Then there are those few abuses from real people. Those can be anything from Police inquiries from all over the world, Interpol, Companies, normal People. Regular subjects frange from Spam and DDoS to hacked mail accounts and stuff like that. Every few months there is stuff like harrassment, threats and credit card fraud. There have however also been police inquiries about terrorism and murder. Gladly those have been non-recurring, unique events though and I hope it stays that way.
So about those automated abuses. We took that seriously in the beginning, answering them, trying to establish contact, explain what we do. Usually people on the other end were like "We don't care", so we started ignoring them and yeah, they really don't care and also won't stop sending stuff. There have been a few noteworthy exceptions though, like a guy whom I've had a conversation with after answering an email from his IDS. Turned out, he hosted a Tor node himself. So sending a template answer that explains Tor and stuff once or twice to automated mails can't be wrong, but afterwards its probably okay to just start ignoring them, if there's no reaction.
Abuses from real people - Important. Answer! We have templates for the standard situations, otherwise we write specific responses. We try to answer within 24h, which works 98% of the time. Often these inquries also result in conversations, some short, some long, some people just wanting more info, some being supportive of what we do and some very emotional (usually in a negative way). Some even resulted in hate mails for months. There are a few unfortunate ones, however. I speak English, German and a little French, as does everyone else answering abuses at Torservers, so whenever an email in any other language comes in we usually ask to resend the request in one of those three languages, else we have to ignore it.
Julian
On Juli 12, 2012, at 01:24 PM Julian Wissmann wrote:
Short answer: ~110 of which we ignore 105 Long answer: About 15 automated abuses from MediaSentry, Icecat, IP-Echelon and the likes per day, which we used to automatically answer, but don't bother about, any more.
[...] Thanks for your detailed answer. My nodes with an average traffic of 300MBit/s generate about 1 abuse message per week using a restricted exit policy. I don't have a custom whois entry, so all messages are forwarded from my ISP. Therefore I am very cautious to answer all of them in a way that satisfies my ISP. My normal response times are less than one hour. I have blocked notorious spammers like Icecat.
Best regards
On 07/11/2012 08:33 AM, Moritz Bartl wrote:
Hi!
In regular intervals, people ask me what it takes to run a large number of exit relays. Let me try to document a few steps that I think you need to take to become a Large Tor Operator (TM).
Thanks Moritz! This is a helpful write-up. If others have experience in other settings or jurisdictions, it would be interesting to compare. What do you think about adding this to the wiki?
--Wendy
First of all, thanks Moritz for beginning the thread and the info you passed on. It has given me some good info. :)
In my case, I have been running a full exit relay now for just over 2 1/2 years. When I first began, I would get reports from my ISP about abuses. They just called me on the phone and told me about it. I asked them what port it was and specifically what the problem issue was. They advised they had several reports about copyright infringement issues on music and a couple on movies. I took the info and and blocked that specific port.
That solved the problem. I went several months before I got called again for the same thing, but from a different complainer. I did again block the new port and everything was solved. I went for over a year with out any complaints and this year got called again. It was about my IP addy doing some mass mailing spam. I advised them ( my ISP ) that I did not do this. I asked what port was used and who the complaint came from. I was told both and I resolved that issue after we hung up.
In all of my complaints, it was done by phone from my ISP, and I was able to put a fix right away. From reading other Tor Op's reports about the complaints, I had expeted more and was worried how I was going to handle it. I have been greatly surprised that it has been as few as it is.
In my case I would say no more than total of 10-15 complaints in 2 1/2 years in running a full exit relay.
Jon
tor-relays@lists.torproject.org
-
Andrew Lewis -
Geoff Down -
Jon -
Julian Wissmann -
Moritz Bartl -
Rejo Zenger -
tor-admin -
Wendy Seltzer