Abuse complaints are how this thing goes. With your limited exit policy, you would hardly see any complaints (relatively speaking), and what you do see would be mostly like SQL hack complaints and such. It's usually not going to be cases where someone got all the way into someone's machine, it's going to be mainly complaints about attempts.
I feel like a short notification should be all you need and you're done with responses to stuff like that, such as:
Hi <person>,
That is the Tor exit router we host. https://www.torproject.org . Unfortunately, bad actors sometimes misuse Tor for things like this.
If your attacker proves to be a serious problem, you may wish to block the entire Tor network from your device. A list of Tor exits can be seen here (and there is also an RBL somewhere): https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1 . Blocking one Tor exit such as mine won't really stop the person. Also, if I configure my node not to exit to you, the attacker won't necessarily even notice, as Tor will automatically route him through a different exit node.
Regards,
- < your sig >
While it's true that the suggestion about blocking all of Tor isn't ideal for the internet at large, in particular as a response to stupid scans or web hack attempts that don't actually get in, there are cases where it may make sense for a server operator to do that on a single system, if only temporarily.
The main points in this response are the explanations of what Tor is (via the provided link) and why it never makes sense from the attacked server's perspective for a single exit to stop exiting to it specifically. The affected server operator has the choice of ignoring the attempts, or fixing whatever vulnerability is there if one is being exploited, or blocking all of Tor. You as a single exit operator are not a part of that.
There was only one time that I got a bullshit response back from someone as a result of what I'd sent, and he could be safely ignored, as he was just an idiot who thought that Tor was a bad thing. There was another guy who was ignoring my responses and emailing our abuse box repeatedly - he comes from a relatively rare mindspring.com address. If that is the one complaining about your exit, he's worthless. I configured our mail server to reject his abuse complaints outright (we own our own IP space, so, this is simpler for us than it would be for you). That mindspring.com guy also had the bright idea of emailing the networks he saw along his traceroute, thinking that we are a customer of those networks (we're not).
On 6 Dec 2017, at 01:35, tor@t-3.net wrote:
> Abuse complaints are how this thing goes. With your limited exit policy, you would hardly see any complaints (relatively speaking), and what you do see would be mostly like SQL hack complaints and such. It's usually not going to be cases where someone got all the way into someone's machine, it's going to be mainly complaints about attempts.
Our provider became concerned about the volume of abuse complaints we were receiving, so we added a "reject IP:Port" to our exit policy for each one. (Or a /24 for noisy netblocks.)
The volume dried up pretty quickly when we went back through historical emails and added about 30 entries. It seems that there are only a few really big complainers.
So that's another alternative that preserves access to 99% of the Internet from your exit.
T
tor-relays@lists.torproject.org
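The per-target rejects described in the reply above can be generated from a complaint log. This is an added example, not part of the original thread or of Tor itself: the complaint list is constructed from documentation address ranges, and the function name and the three-hosts-per-/24 threshold for a "noisy netblock" are assumptions. IPv4 only.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (destination IP, port) pairs taken from past abuse
# complaints. Addresses are documentation ranges, not real complainers.
COMPLAINTS = [
    ("192.0.2.10", 80),
    ("192.0.2.10", 80),       # same target reported twice
    ("198.51.100.5", 443),
    ("198.51.100.77", 22),
    ("198.51.100.130", 80),
    ("203.0.113.9", 8080),
]

NOISY_THRESHOLD = 3  # assumption: distinct hosts in one /24 before rejecting the block


def build_reject_lines(complaints, threshold=NOISY_THRESHOLD):
    """Return torrc ExitPolicy reject lines for complained-about targets."""
    by_block = defaultdict(set)
    for ip, port in complaints:
        addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad or IPv6 input
        block = ipaddress.ip_network(f"{addr}/24", strict=False)
        by_block[block].add((addr, port))  # set membership removes duplicates

    lines = []
    for block in sorted(by_block):
        targets = by_block[block]
        hosts = {addr for addr, _ in targets}
        if len(hosts) >= threshold:
            # Noisy netblock: one rule covering every port on the /24.
            lines.append(f"ExitPolicy reject {block}:*")
        else:
            # Otherwise reject only the exact IP:Port that was reported.
            for addr, port in sorted(targets):
                lines.append(f"ExitPolicy reject {addr}:{port}")
    return lines


if __name__ == "__main__":
    # Tor evaluates ExitPolicy rules in order and the first match wins, so
    # these lines belong above the accept rules in torrc.
    print("\n".join(build_reject_lines(COMPLAINTS)))
```
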