On Mon, 10 Aug 2015, at 05:19 AM, Roman Mamedov wrote:
On Sun, 9 Aug 2015 13:02:14 -0400 Zack Weinberg zackw@cmu.edu wrote:
several "this IP is a source of spam" blacklists indiscriminately list _all_ Tor relays, whether or not they are exit nodes.
Now this is just unnecessarily FUDish, at http://bgp.he.net/ one can check their IPs against 49 RBLs, I checked several of my long-running relays' IPs, and they are on none of the 49.
Try MX Toolbox's blacklist check[0], it searches over 90 blacklists and you'll find at the very least you're on one of the Tor-specific lists.
[0] https://mxtoolbox.com/blacklists.aspx
-- Carlin
Or just search Google for your relay's IP. You'll find several blacklists that contain it and all the other relays. It's not FUD. Here are some more examples:
https://www.dan.me.uk/torlist/
https://github.com/ktsaou/blocklist-ipsets/blob/master/dm_tor.ipset
https://github.com/ktsaou/blocklist-ipsets/blob/master/et_tor.ipset
https://panwdbl.appspot.com/lists/ettor.txt
On Mon, 10 Aug 2015 06:39:45 +1200 Carlin Bingham cb@viennan.net wrote:
Try MX Toolbox's blacklist check[0], it searches over 90 blacklists and you'll find at the very least you're on one of the Tor-specific lists.
Yeah on precisely one:
DAN TOR This DNS blacklist contains ALL tor nodes (both entry and exit nodes) - The tor nodelist is updated every hour automatically from the live tor network. There is no complaint procedure to have an IP address removed from this list as it will be automatically removed once the tor node ceases to run (with a maximum of 1 hour delay). More information about DAN TOR can be found at their website: https://www.dan.me.uk/dnsbl
So not "several", and not a "this IP is a source of spam" list, that one is not even a blacklist per se, and those using it as one are incompetent and wrong. In fact I would also categorize the person "so helpfully running it" as such, since there is no reason whatsoever to track non-exit relays in any kind of a publicly offered "black"list, unless you just want to inflict harm onto the relay operators and get them unfairly blocked from various services.
I checked the lists; all my ipv4 relays are there. At the same time, I haven't noticed any issues with network access from any of the addresses, in 5+ years of observations. Doesn't mean that nothing is blocked, just that ppl on my network never attempt to go to places behind the lists.
Wondering if someone could be held liable for blocking public access to government resources with no good reason. What happens if you decide to prevent people from accessing an BM SS office, for example?
2015-08-09 12:57 GMT-06:00 Roman Mamedov rm@romanrm.net:
On Mon, 10 Aug 2015 06:39:45 +1200 Carlin Bingham cb@viennan.net wrote:
Try MX Toolbox's blacklist check[0], it searches over 90 blacklists and you'll find at the very least you're on one of the Tor-specific lists.
Yeah on precisely one:
DAN TOR This DNS blacklist contains ALL tor nodes (both entry and exit nodes) - The tor nodelist is updated every hour automatically from the live tor network. There is no complaint procedure to have an IP address removed from this list as it will be automatically removed once the tor node ceases to run (with a maximum of 1 hour delay). More information about DAN TOR can be found at their website: https://www.dan.me.uk/dnsbl
So not "several", and not a "this IP is a source of spam" list, that one is not even a blacklist per se, and those using it as one are incompetent and wrong. In fact I would also categorize the person "so helpfully running it" as such, since there is no reason whatsoever to track non-exit relays in any kind of a publicly offered "black"list, unless you just want to inflict harm onto the relay operators and get them unfairly blocked from various services.
-- With respect, Roman
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 10 Aug 2015, at 04:57 , Roman Mamedov rm@romanrm.net wrote:
On Mon, 10 Aug 2015 06:39:45 +1200 Carlin Bingham cb@viennan.net wrote:
Try MX Toolbox's blacklist check[0], it searches over 90 blacklists and you'll find at the very least you're on one of the Tor-specific lists.
Yeah on precisely one:
DAN TOR This DNS blacklist contains ALL tor nodes (both entry and exit nodes) - The tor nodelist is updated every hour automatically from the live tor network. There is no complaint procedure to have an IP address removed from this list as it will be automatically removed once the tor node ceases to run (with a maximum of 1 hour delay). More information about DAN TOR can be found at their website: https://www.dan.me.uk/dnsbl
So not "several", and not a "this IP is a source of spam" list, that one is not even a blacklist per se, and those using it as one are incompetent and wrong. In fact I would also categorize the person "so helpfully running it" as such, since there is no reason whatsoever to track non-exit relays in any kind of a publicly offered "black"list, unless you just want to inflict harm onto the relay operators and get them unfairly blocked from various services.
I just asked the operator of the "DAN TOR" blocklists to make it easier for people to use the exit-only blocklist, and link to the relevant Tor FAQs so they can make an informed decision.
I'll let you know if he responds.
Begin forwarded message:
From: teor teor2345@gmail.com
Subject: Tor Blocklist Confusion
Date: 10 August 2015 13:42:26 AEST
To: me@dan.me.uk
Hi Dan,
It appears that a number of website operators are using the .tor.dan.me.uk blocklist to block website access from the entire Tor network. It appears that they are doing this by mistake, because they are confusing the .tor.dan.me.uk and .torexit.dan.me.uk blocklists (or don't know which one to choose).
Could you make some changes to the blocklist page to avoid this happening in future?
[I have personally experienced the Apple Support Forums and various other sites blocking non-exit relay IPs. Other Tor relay operators complain about this regularly on the tor-relays mailing list. (One operator even questions why the full Tor network blocklist exists in the first place.) See the thread https://lists.torproject.org/pipermail/tor-relays/2015-August/007595.html ]
If you are willing, the following changes could make it easier for website operators to choose the appropriate list:
Place the .torexit.dan.me.uk blocklist at the top of the page, above the .tor.dan.me.uk blocklist.
Explain that by blocking Tor exits, you will block normal people who use Tor to protect their privacy https://www.torproject.org/about/torusers.html.en
Provide a link to the Tor Project's FAQ about blocking Tor nodes at https://www.torproject.org/docs/faq-abuse.html.en#Bans
Explain that using the .tor.dan.me.uk blocklist will block Tor nodes that don't allow outbound connections (non-Exit nodes), and that there is typically no reason to do this, and direct users to the .torexit.dan.me.uk blocklist instead. (The current "think carefully" doesn't provide enough information for people to make an informed decision, particularly if they aren't familiar with Tor.)
Link to the Tor Project FAQ on Exit Policies at https://www.torproject.org/docs/faq.html.en#ExitPolicies
(A more radical change could be to rename or remove the .tor.dan.me.uk blocklist. This would help avoid confusion and misuse, but would break current setups - so I can't imagine this being an option for you.)
Thank you for considering my request
Tim (teor)
Tim Wilson-Brown (teor)
teor2345 at gmail dot com pgp ABFED1AC https://gist.github.com/teor2345/d033b8ce0a99adbc89c5
teor at blah dot im OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7
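
Added example, not part of the original thread: a sketch of how a site operator could tell exit relays from non-exit relays using the two zones named in the forwarded message, and see which addresses get blocked only because the all-nodes zone was chosen. It assumes both zones use the standard reversed-octet DNSBL query form (RFC 5782); the function names, the injectable `listed` parameter and the sample data are constructed for illustration.

```python
import ipaddress
import socket

ALL_NODES_ZONE = "tor.dan.me.uk"      # every relay, exit or not (per the thread)
EXIT_ONLY_ZONE = "torexit.dan.me.uk"  # exit relays only (per the thread)

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets + zone (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dns_listed(name):
    """True if the name resolves to an A record, i.e. the IP is listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False  # NXDOMAIN or lookup failure: treat as not listed

def classify(ip, listed=dns_listed):
    """Return 'exit', 'non-exit relay' or 'not listed' for one address."""
    if listed(dnsbl_name(ip, EXIT_ONLY_ZONE)):
        return "exit"
    if listed(dnsbl_name(ip, ALL_NODES_ZONE)):
        return "non-exit relay"
    return "not listed"

def wrongly_blocked(ips, listed=dns_listed):
    """Addresses a site blocks only because it chose the all-nodes zone."""
    return [ip for ip in ips if classify(ip, listed) == "non-exit relay"]

# Constructed sample data (documentation address ranges, not real relays),
# standing in for DNS so the example runs offline.
SAMPLE_LISTED = {
    "10.2.0.192.tor.dan.me.uk",         # 192.0.2.10: non-exit relay
    "20.100.51.198.tor.dan.me.uk",      # 198.51.100.20: exit relay
    "20.100.51.198.torexit.dan.me.uk",
}
sample_lookup = SAMPLE_LISTED.__contains__

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.20", "203.0.113.5"):
        print(ip, "->", classify(ip, sample_lookup))
```

Calling `classify(ip)` without the second argument performs live DNS lookups against the two zones.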