Monday we received their usual spam about our exit-node sending spam, and of course instead of implementing the TorDNSEL on their sites, they rather want us to block a whole /24 range.
Anyhow, one line caught our eyes:
"Tor: Please note as the abuse from Tor has gotten out of hand, we do not give free passes to abuse coming from Tor exits. See the leader board linked below for more details on the issue."
They also include a link to some fancy unresolved abuse ranking[1].
From that ranking we can see that they currently have 116 unresolved Tor abuse cases and at least 500 unresolved non-Tor cases. Assuming that 616 cases are enough we can try to calculate with 99% certainty, the true interval of the difference in Tor and non-Tor abuse.
We will use 500/616 = 0.812 as an estimate for all non-Tor abuse and we will use 116/616 = 0.188 as an estimate for all Tor abuse.
One can easily calculate that there is a difference of 62.3% between the 81.2% non-Tor and 18.8% Tor abuse cases.
However this percentage (62.3%) is just one impression of a sample. Imagine we would sample 100 hosters just like webiron and then see what their difference is. And we want to be 99% sure that our measured value is within the interval. The formula can be found here[2].
Then we would receive an interval from 0.51 to 0.73.
What this boils down to:
If we were to check 100 companies that send abuse reports like Webiron, in 99 cases we would find a difference between Tor and non-Tor abuse to range between 51% and 73%:
Two concrete examples:
Tor abuse could be as high as 24.5% (lower end of the interval -> 0.51 = 75.5 non-Tor - 24.5 Tor) or as low as 13.5% (higher end of the interval -> 0.73 = 0.865 Non-Tor - 0.135 Tor)
I think that having a tiny bit less than 1/4 of all abuse reports originating from Tor is a pretty great value and not "out of hand" at all.
P.S.: We are pretty sure that this calculation is correct, but don't take our word for it.
Also on a funny note: Their mx server blocks our mx server, so we can't even reply to their email, even though the Tor-exit runs on a different IP than the mx.
[1] https://www.webiron.com/abuse_web_leaderboard/ [2] http://www.kean.edu/~fosborne/bstat/06d2pop.html?ModPagespeed=noscript
They are a pain in the ass. We did block them on our mail server and reported to our ISPs that they often send false-positives. Like UDP DDoS from our exit nodes. Stuff like that. This calmed our ISPs. We also tried to speak to them but they don't answer or when they did it was in a rude way. Abuse mail ninjas like this are a threat to the network and the internet in general.
Am 15. Dezember 2015 15:43:35 MEZ, schrieb Schokomilch NOC noc@schokomil.ch:
Monday we received their usual spam about our exit-node sending spam, and of course instead of implementing the TorDNSEL on their sites, they
rather want us to block a whole /24 range.
Anyhow, one line caught our eyes:
"Tor: Please note as the abuse from Tor has gotten out of hand, we do not give free passes to abuse coming from Tor exits. See the leader board linked below for more details on the issue."
They also include a link to some fancy unresolved abuse ranking[1].
From that ranking we can see that they currently have 116 unresolved Tor abuse cases and at least 500 unresolved non-Tor cases. Assuming that 616 cases are enough we can try to calculate with 99% certainty, the true interval of the difference in Tor and non-Tor abuse.
We will use 500/616 = 0.812 as an estimate for all non-Tor abuse and we will use 116/616 = 0.188 as an estimate for all Tor abuse.
One can easily calculate that there is a difference of 62.3% between the 81.2% non-Tor and 18.8% Tor abuse cases.
However this percentage (62.3%) is just one impression of a sample. Imagine we would sample 100 hosters just like webiron and then see what their difference is. And we want to be 99% sure that our measured value is within the interval. The formula can be found here[2].
Then we would receive an interval from 0.51 to 0.73.
What this boils down to:
If we were to check 100 companies that send abuse reports like Webiron,
in 99 cases we would find a difference between Tor and non-Tor abuse to
range between 51% and 73%:
Two concrete examples:
Tor abuse could be as high as 24.5% (lower end of the interval -> 0.51 = 75.5 non-Tor - 24.5 Tor) or as low as 13.5% (higher end of the interval -> 0.73 = 0.865 Non-Tor
0.135 Tor)
I think that having a tiny bit less than 1/4 of all abuse reports originating from Tor is a pretty great value and not "out of hand" at all.
P.S.: We are pretty sure that this calculation is correct, but don't take our
word for it.
Also on a funny note: Their mx server blocks our mx server, so we can't
even reply to their email, even though the Tor-exit runs on a different
IP than the mx.
[1] https://www.webiron.com/abuse_web_leaderboard/ [2] http://www.kean.edu/~fosborne/bstat/06d2pop.html?ModPagespeed=noscript _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 16 Dec 2015, at 01:43, Schokomilch NOC noc@schokomil.ch wrote:
Monday we received their usual spam about our exit-node sending spam, and of course instead of implementing the TorDNSEL on their sites, they rather want us to block a whole /24 range.
Anyhow, one line caught our eyes:
"Tor: Please note as the abuse from Tor has gotten out of hand, we do not give free passes to abuse coming from Tor exits. See the leader board linked below for more details on the issue."
They also include a link to some fancy unresolved abuse ranking[1]. ... I think that having a tiny bit less than 1/4 of all abuse reports originating from Tor is a pretty great value and not "out of hand" at all.
You also have to scroll down their list for a long time before finding any "onion with sunglasses" symbols.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
tor-relays@lists.torproject.org