[tor-relays] tor-relays Digest, Vol 3, Issue 11

Gijs Peskens gpeskens85 at gmail.com
Thu Apr 14 14:30:26 UTC 2011 

My ISP also send me a message about abuse (virusses) ,and after I send them
a reply that I'm running a tor node and that if they receive further abuse
complaints they should just forward them to my mail for me to handle myself
I didn't receive any abuse mail again :)
I think my ISP is actually running some IDS with sinkholethinghies (I don't
know anything about IDS'es yet, will research into it) and I can access a
page with info on my IP wich shows some activity:

2011-04-05 21:56:55,85.223.49.156,29272,20507,NL,UTRECHT,AMERSFOORT,,tcp,sinkhole,,,REMOVED,DE,,1,,,Windows,2000
SP2+, XP SP1+ (seldom 98)
2011-04-05 22:26:35,85.223.49.156,45924,20507,NL,UTRECHT,AMERSFOORT,,tcp,sinkhole,,,REMOVED,US,,1,,,Windows,2000
SP4, XP SP1+
2011-04-04 21:04:06,85.223.49.156,20507,NL,GET /search?q=0
HTTP/1.1,downadup,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;
SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .N...
2011-04-05 02:29:02,85.223.49.156,20507,NL,GET /?REMOVED
HTTP/1.0,sality,KUKU v5.02c =REMOVED,,30184,Windows,2000 SP4, XP
SP1+,,80,www.REMOVED.info,,,,REMOVED,8560,...
2011-04-05 22:02:01,85.223.49.156,20507,NL,GET /search?q=0
HTTP/1.1,downadup,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;
SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .N...
2011-04-06 01:13:53,85.223.49.156,20507,NL,.,downadup,,,21901,,,,80,,,,,REMOVED,US
2011-04-07 20:08:37,85.223.49.156,20507,NL,GET
/tatoshko.biz?data=REMOVED==
HTTP/1.0,machbot,MachBot,,10988,Windows,2000 SP4, XP
SP1+,,80,853c9e57.biz,,,,87.10...
2011-04-11 16:46:41,85.223.49.156,47015,20507,NL,UTRECHT,AMERSFOORT,,tcp,sinkhole,,,REMOVED,US,,1,,,Linux,2.6
(newer, 2)
2011-04-11 15:31:23,85.223.49.156,20507,NL,GET /search?q=15
HTTP/1.0,downadup,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
.NET CLR 1.1.4322; .NET CLR 2.0.50727),,45931,Windows,2000 SP...
2011-04-12 04:08:30,85.223.49.156,44022,20507,NL,UTRECHT,AMERSFOORT,,tcp,sinkhole,,,REMOVED,DE,,1,,,Windows,XP/2000

REMOVED= ip adresses (destination), dns names or things that look like http
session specific things.
I see one port number (destination) somewhat more (all cases of tcp,sinkhole
except 1): 8560 might be a virus/trojan/worm specific port ? Might be a good
idea to remove this port from your exit if you get a lot of complaints (and
it's not used for anything usefull)


The idea of setting up a local smtp out server with spam detection and
clamav seems like a very good idea, maybe together with some tarpitting (if
possible and easy) it would help a lot of users in need of smtp access and
deter spammers (as they would spend hours and hours in tarpits at random
when using tor) anyone can provide some good advice on how to set it up
properly (I'm running FreeBSD)? Would also be _really_ nice to maybe somehow
add some header that says it was send using a tor relay with admin details
so my ISP (as I would probably need to set it to relay to their smtp) will
not start bitching and moaning about that to me, is it possible ? Yes? How ?
;)

What are the dangers of running an IDS myself ? Privacy wise I mean, could
it be set up so that it knows about bad stuff hapening and in no way log
other stuff ?

2011/4/13 <tor-relays-request at lists.torproject.org>

> Send tor-relays mailing list submissions to
>        tor-relays at lists.torproject.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> or, via email, send a message with subject or body 'help' to
>        tor-relays-request at lists.torproject.org
>
> You can reach the person managing the list at
>        tor-relays-owner at lists.torproject.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of tor-relays digest..."
>
>
> Today's Topics:
>
>   1. Tor and Viruses (Porcelain Mouse)
>   2. Re: Tor and Viruses (grarpamp)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 12 Apr 2011 20:46:21 -0700 (PDT)
> From: Porcelain Mouse <porcelain_mouse at q.com>
> Subject: [tor-relays] Tor and Viruses
> To: Tor-Relays <tor-relays at lists.torproject.org>
> Message-ID: <alpine.LFD.2.02.1104122018100.5770 at localhost.localdomain>
> Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
>
> Greetings All,
>
>        I've been running an exit for about 5 months, but had to stop due
> to virus abuses.  In the last two weeks, my ISP has partially blocked my
> Internet access twice due to suspected virus infections.  I'll spare you
> the long story, but I was able to get a copy of their "evidence" and I'm
> fairly certain it was connections made through my Tor relay.
>
>  1) How common is it that Tor is abused by viruses?  What is the trend?
>  2) Is this just standard virus-kit material, these days?
>
> I guess I was a little surprised.  Obviously, this is a great idea for
> hiding the infection site, so I'm sure it's being done.  But still, I've
> been fighting viruses for quite a while and I don't think I've read a
> single virus description that mentioned Tor.  I'm sure it's happening, but
> I've never heard a single statistic about it, so I thought I would ask.
>
> Also, this type of abuse is *not* mentioned on the Tor wiki's Abuse FAQ
> under "What should I expect if I run an exit relay?"  I read that section
> carefully and was prepared for most of the things mentioned.  Again, I'm
> not completely shocked.  I'm just saying it didn't seem likely, according
> to the FAQ.  It would be nice to know how likely is this kind of abuse,
> and what is the trend.  (And, maybe someone can add the results to the FAQ
> when we have an answer.)
>
> Thanks,
> PMouse
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 13 Apr 2011 03:19:27 -0400
> From: grarpamp <grarpamp at gmail.com>
> Subject: Re: [tor-relays] Tor and Viruses
> To: tor-relays at lists.torproject.org
> Message-ID: <BANLkTikwPS6JDqKMvaxxWhgq2dUoGELKKA at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> > my ISP has partially blocked my Internet access twice
> > due to suspected virus infections.
>
> Virus is likely not the right word for things. Anyways...
>
> There's really no reason an operator cannot run something
> like bro-ids.org and sink known bad traffic in real time. Yeah,
> sure, everyone will bitch at me. But it is operator fiat, and
> they're not sinking specific users, so well within common
> carrier exceptions on that aspect. No different than operators
> who block 'torrent' ports, smtp, etc.
>
> Speaking of smtp, one could even redirect that into their
> system despam/clamav it and send it on its way. Better
> than nothing. Especially for the legit senders.
>
>
> ------------------------------
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>
> End of tor-relays Digest, Vol 3, Issue 11
> *****************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20110414/76e36574/attachment.htm>

More information about the tor-relays mailing list