Hello,
I run a 100mb exit hosted at server.lu since sometime in late 2013. There have been a couple dozen abuse reports but normally they forward them to me to deal with and nothing much happens. However a week or so ago, while I was travelling, there was an abuse report that made them decide to file a ticket which then led to them suspending my IP as I 'ignored' it while I was gone. So now I'm trying to convince them to turn the system back on and they are pushing back, and after some back and forth they say they want me to run an exit policy consisting of ports 53, 80, and 443. I've been running the suggested reduced exit policy since day one and am very reluctant to pare it down further, and certainly not to just 3 ports. I wrote a short note explaining my point of view and I wonder if any of you would do me the courtesy of telling me if I am likely to convince them to let me leave the exit policy alone. I'm very willing to edit my response as required. I think it bears mentioning that I am several messages in and I did not get a good sense that whoever I am talking to understands Tor very well at all - I was repeatedly asked to find and block my customer, and told I must have logs if I provide a service, etc. I can show you the longer exchange if you think it might be helpful. Thanks in advance and here goes:
---
Hello,
We have nothing against Tor but the IP is listed on 11 blacklists including Spamhaus ZEN. So we have to ask you to block all ports except 80, 53 and 443 to prevent scan, spam and other infringing activity from your IP. Hope such proposal will be suitable for you.
Regards, ROOT S.A.
---
Hello again,
I would rather not block any more ports than are already blocked. The system is already set up to use the reduced exit policy detailed at https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy which allows as many Internet services as possible while still blocking the majority of TCP ports. Currently, the policy allows approximately 65 ports. I am reluctant to further reduce the ports because there is vastly more to the internet than just the world wide web. Email, chat, remote desktop, cache, and VPN services are all valid uses of the network that would not be allowed by such a restrictive exit policy. I'm also afraid that it will not help much in getting this IP off the various blocklists that it is on, as 2/3rds of the abuse reports I've been sent were due to traffic on ports 80 or 443. Several of the lists such as SECTOOR and Dans TOREXIT and related are simply reporting to the world that this system is a Tor node. The system is only in the Spamhaus Zen list due to its listing in the CBL for being "infected with, or is NATting for a machine infected with s_vawtrak" which is a Microsoft Windows virus that connected to their sinkhole IP on port 80. Being on blocklists is something that happens when you are running a Tor exit node and supporting Tor means putting up with them and explaining why Tor is worth supporting even though abuse is guaranteed to happen.
Naturally if you require this change I will be forced to make it. I hope, however, that you can be persuaded that it is not helpful to Tor and will not solve the problem of abuse and blacklists even if it were. Thanks again.
--
Thanks for getting this far. I await your replies with interest. :)
On 2015-07-31 05:30, Christopher Yeager wrote:
[...]
Hi
We are running gigabit servers at server.lu. Normally they just want you to be quick when it comes to abuses. Respond fast, block the resource destination for a month or so and they will be happy. But when it comes to spam they get, indeed, a bit upset. I recommend you to block the mail ports as we do it. ---> 25, 465, 587
If your IP has been put on a Spamhaus blacklist because of webspam (blogs, boards...) you can contact Spamhaus. Tell them that you blocked the destination IPs and explain that you are a Tor exit node. That should do the trick. If not, go for their advice and open only 3 to 5 ports. Let the node run for at least a month with this configuration and then inform them that you are now opening more ports again and that you promise faster responses to abuse mails.
Greetings
On Fri, Jul 31, 2015 at 5:41 AM, Tyler Durden virii@enn.lu wrote:
But when it comes to spam they get, indeed, a bit upset. I recommend you to block the mail ports as we do it. ---> 25, 465, 587
As posted here last month, 25 no longer open relays mail for MUAs; it does accept MX for its own @domains. Since few want to whitelist and exclude that one email from someone, protection against mail sources is inherently weak and 25 gets a lot of inbound spam. Tor exits get a lot of reports and block it.
Authentication is required by RFC with 587 submission (which MUAs are now effectively confined to use by the rest of the email / antispam / admin ecosystem if they expect their mail to get through). And counter to the RFC, which says not to use it for any mail at all anymore, 465 is sometimes still used as a legacy submission port.
Since it is manageable account based, submission is less of an issue. It is the responsibility of the mail provider to deal with (i.e. cancel) the individual spammy account that was reported to them. If they don't want outbound spam they should charge nonrefundable fees for accounts, deploy outbound antispam, etc. As a last resort they can block client IP.
If an exit operator gets a report regarding an account based service, they should consider copying their reply to all of:
- the ISP of the exit (to educate, show responsiveness, and save the exit)
- the reporter (to educate, and redirect them to the account based service)
- the account based service (to educate, and let them deal with the account)
Browsing (80 and 443) and email (993 and 587) are fundamental, it can be hard to know when to give them up to otherwise save an exit.
tor-relays@lists.torproject.org
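The port trade-offs argued over in this thread can be checked mechanically. The following is an added example, not part of any message in the thread: it evaluates torrc `ExitPolicy` lines with first-match-wins ordering for the ports the posters name. `BASE_POLICY` is a constructed stand-in (not the wiki's reduced exit policy list), only `*` address patterns are modelled, and all function names are hypothetical.

```python
# Added example: first-match evaluation of torrc ExitPolicy lines.
# Assumption: only "*" address patterns are modelled; all names are hypothetical.
THREAD_PORTS = (25, 53, 80, 443, 465, 587, 993)  # ports named in the thread

ISP_POLICY = """
ExitPolicy accept *:53
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""
# Constructed base policy for illustration, NOT the wiki's reduced exit policy.
BASE_POLICY = """
ExitPolicy accept *:53,accept *:80,accept *:443
ExitPolicy accept *:465,accept *:587,accept *:993
ExitPolicy reject *:*
"""
MAIL_REJECTS = "ExitPolicy reject *:25,reject *:465,reject *:587\n"

def parse_policy(torrc_text):
    """Return [(action, low_port, high_port)] in the order the rules appear."""
    rules = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("exitpolicy "):
            continue
        for item in line[len("exitpolicy "):].split(","):
            action, pattern = item.split()
            addr, _, port = pattern.rpartition(":")
            if action not in ("accept", "reject") or addr != "*":
                raise ValueError(f"unsupported rule: {item.strip()!r}")
            # "*" covers every port; otherwise "80" or a range like "6660-6667"
            low, _, high = ("1-65535" if port == "*" else port).partition("-")
            low, high = int(low), int(high or low)
            rules.append((action, low, high))
    return rules

def decide(rules, port):
    """First matching rule wins; None means no configured rule matched."""
    for action, low, high in rules:
        if low <= port <= high:
            return action
    return None

def allowed(torrc_text, ports=THREAD_PORTS):
    rules = parse_policy(torrc_text)
    return [p for p in ports if decide(rules, p) == "accept"]

if __name__ == "__main__":
    for text in (ISP_POLICY, MAIL_REJECTS + BASE_POLICY, BASE_POLICY + MAIL_REJECTS):
        print(allowed(text))
```

Reject lines for the mail ports only take effect when they come before the accept lines; appended after a closing `reject *:*` they change nothing. A `None` from `decide` means no configured rule matched, in which case Tor falls through to its built-in default exit policy, which is not modelled here.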