Heya List
I currently run a VPS which hosts both my mailserver and my tor relay / exit.
Recently I sent an email from this mailserver and had it bounce back. It seems the receiving mailserver subscribes to the spambot list CBL (http://cbl.abuseat.org) and denied it because my IP address was on that list. It's on that list since at some point a botnet talking through tor to its C&C server used my exit node to do so - The C&C server has since been replaced with a sinkhole. That was logged, my server was deemed infected and bam, I'm blacklisted.
The site that did the blacklisting kindly has a good description of what happened (including the sinkhole IP address) and allowed an automatic delisting. I'm able to update my exit policy so it doesn't happen again, however I'd like a somewhat more proactive approach.
So my question is - Does anyone know of a publicly available list of sinkholes created for botnets? If such a list exists I can dynamically update either my exit policy or firewall appropriately. Has anyone implemented such a system already?
(obviously this only works for sinkholed botnets - but if anyone knows how to stop all botnets I'm all ears....)
Cheers
Ramo
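The "dynamically update my exit policy" approach Ramo asks about, as an added example that is not part of the thread: it turns a sinkhole feed into torrc ExitPolicy reject lines, skipping junk entries, merging overlapping prefixes, and keeping the rejects ahead of the relay's normal policy because ExitPolicy is first-match. The feed contents are a constructed sample, not a real list.

```python
"""Build Tor ExitPolicy reject lines from a feed of sinkhole addresses."""
import ipaddress

# Constructed sample feed (not a real sinkhole list): one IP or CIDR per
# line, '#' comments, a duplicate, an overlap and one unparsable line.
SAMPLE_FEED = """\
# sinkhole feed - constructed sample
192.0.2.10
192.0.2.0/24          # covers the single address above
198.51.100.5
198.51.100.5          # duplicate entry
not-an-address
2001:db8::1
"""


def parse_feed(text):
    """Return the valid networks in the feed; unparsable lines are skipped
    so one bad entry cannot abort the whole policy update."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return nets


def exit_policy_lines(nets, tail=("accept *:*",)):
    """Emit ExitPolicy lines: collapsed rejects first, then the relay's own
    policy (tail), since Tor applies the first matching rule."""
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    lines = []
    for net in v4:
        target = str(net) if net.prefixlen < 32 else str(net.network_address)
        lines.append(f"ExitPolicy reject {target}:*")
    for net in v6:
        # IPv6 entries use reject6 and bracketed addresses in torrc.
        target = f"[{net.network_address}]"
        if net.prefixlen < 128:
            target += f"/{net.prefixlen}"
        lines.append(f"ExitPolicy reject6 {target}:*")
    return lines + [f"ExitPolicy {t}" for t in tail]
```

The generated lines replace the relay's ExitPolicy block in torrc, after which the relay needs a reload (SIGHUP) to pick them up.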
Hi Ramo,
Thanks for running an exit! You will run into similar trouble again and again, unfortunately.
My suggestion: Get a second IP, or even better, don't share the same VPS.
On Fri, Mar 28, 2014 at 06:48:21AM +0100, Moritz Bartl wrote:
> Hi Ramo,
> Thanks for running an exit!
Thanks. I've been running one for ages, but the appreciation is always nice.
> You will run into similar trouble again and again, unfortunately.
This is the first time I've known this to happen, I've had this configuration for ... probably 2 years?
> My suggestion: Get a second IP, or even better, don't share the same VPS.
Not sure why a second IP never occurred to me. Good idea.
Cheers
Damian
On Fri, Mar 28, 2014 at 08:36:06AM +0300, ramo@goodvikings.com wrote:
> It's on that list since at some point a botnet talking through tor to its C&C server used my exit node to do so
Actually, it could easily have been a computer security researcher who used Tor to access that address, not realizing the collateral damage he was triggering. A growing number of malware researchers and antivirus companies use Tor to reach various parts of the Internet, because otherwise the bad guys recognize their IP address and special-case them.
As Moritz says, this is alas not an easy game to win. Not long ago I learned that the .mil domain refuses to hear any packets from my computer, which runs one of the directory authorities (and it's not even an exit relay!). That meant my postfix became convinced that all mails to or from .mil addresses were spam, since their name doesn't resolve. Bad news for the Navy researchers who are signed up to, say, the petsymposium.org mailing lists.
The real fun is going to start when these blacklists try to bully us by blacklisting the whole /24 nearby, in hopes that our neighbors will lean on us to cut it out.
I still enjoy rereading http://paulgraham.com/spamhausblacklist.html as linked from https://www.torproject.org/docs/faq-abuse#TypicalAbuses
--Roger
tor-relays@lists.torproject.org