[tor-relays] Protecting your domain's reputation

JusticeRage justicerage at manalyzer.org
Tue Aug 19 15:51:19 UTC 2014


Hello everyone!

I am the operator of a somewhat recent exit node with SMTP allowed, and I have found out something worth sharing. Let me know if this is already known.
As suggested by the Tor documentation, I set a reverse DNS which makes clear that my exit node belongs to the Tor network (tor-exit-readme.manalyzer.org). This week-end, I started to receive weird e-mail delivery failure notifications, and even a line from a guy kindly asking me to stop sending him mail.

The thing is, I was actually lucky to receive all those, and I wouldn't have if I didn't have a catch-all address set for the whole domain. Looking at the source of the rejected e-mails, I found out that someone was forging e-mails which look like they come from my domain:

Received: from tor-exit-readme.manalyzer.org (tor-exit-readme.manalyzer.org [95.130.11.147])
        by smtp.craigslist.org (Haraka/2.5.0) with ESMTP id 66DDCADC-FEA4-4D62-8F08-2630AC1E0299.1
        envelope-from <best_pharmacy5 at manalyzer.org>;
        Mon, 18 Aug 2014 13:25:12 -0700
From: Levitra-Shop <best_pharmacy5 at manalyzer.org>
To: <rkdq8-4339052657 at hous.craigslist.org>
Subject: When It Comes Healthcare, Nothing Beats a Hometown Advantage, Rkdq8-4339052657 .

(I got tons of these, all procedurally generated e-mail addresses.)
The thing is, these e-mails don't just seem like they're coming from my domain: they ARE coming from my domain, since the machine sending them has a rDNS which belongs to it. From a mail server's perspective, they're actually very legitimate and probably won't be flagged as spam.
I believe that someone is listing all the exit nodes which have a reverse DNS set up, and uses the domain to send out unwanted e-mail. This is a problem for operators for the following reasons:
- The reputation of your domain is damaged, and legitimate e-mails sent from it may end up discarded
- It strengthens the idea that mail servers blindly reject everything that comes out of a Tor exit node

The good news is, there is something you can do about it. This is exactly what Sender Policy Framework [1] was created for. Long story short, this is some information you can put in your DNS to indicate which machines are allowed to send e-mails for the domains, and which are not (hint: the exit node should not be listed in there).
Here is a sample policy which says that only servers registered as MX in your DNS should send e-mails for the domain:

tor-exit.domain.com.  IN TXT "v=spf1 mx -all"

If you need something more specific, I have found a nice wizard [2] which will help greatly. If you run an exit node and have a reverse DNS set up, I highly recommend you take ten minutes to look into this.
Please note that this will NOT prevent Tor users from sending e-mail or restrain their freedom in any way; it will only prevent ill-intentioned people from spoofing your domain.
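To make concrete what a receiving mail server does with such a record, here is a small SPF evaluator. It is an added example written for this archive page, not code from the original post or from any Tor project; it replaces real DNS lookups with a constructed in-memory zone (the addresses are TEST-NET documentation ranges, not the real manalyzer.org zone), and it publishes the "v=spf1 mx -all" record on the domain that appears in the envelope-from, since that is the domain the receiving server queries. It supports the mx, a, ip4 and all mechanisms, which is enough for the policy above and the common variants the wizard produces.

```python
"""Minimal offline SPF check (added example, not from the original post).

The DNS table below is constructed for illustration: a legitimate MX host at
192.0.2.25 and a Tor exit relay with the same domain's rDNS at 198.51.100.147.
"""
import ipaddress

# Constructed zone data; the hostnames mirror the post, the addresses do not.
FAKE_DNS = {
    ("manalyzer.org", "TXT"): ["v=spf1 mx -all"],
    ("manalyzer.org", "MX"): ["mail.manalyzer.org"],
    ("mail.manalyzer.org", "A"): ["192.0.2.25"],
    ("tor-exit-readme.manalyzer.org", "A"): ["198.51.100.147"],
}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when the name has no such record."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def sender_domain(envelope_from):
    """Extract the domain a receiving MTA would check from an envelope-from."""
    addr = envelope_from.strip("<>").replace(" at ", "@")
    return addr.rpartition("@")[2].lower()


def get_spf(domain):
    """Return the single SPF TXT record for a domain, or None if there is none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_matches(ip, net):
    """True if ip lies in net; a bare address is treated as a /32."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def check_spf(client_ip, domain):
    """Evaluate the domain's SPF record for a connecting client IP.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Mechanisms are tested left to right; the first match wins, as in RFC 7208.
    """
    record = get_spf(domain)
    if record is None:
        return "none"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_matches(client_ip, arg)
        elif mech == "a":
            matched = any(ip_matches(client_ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(
                ip_matches(client_ip, a)
                for mx in lookup(arg or domain, "MX")
                for a in lookup(mx, "A")
            )
        else:
            return "permerror"  # unsupported mechanism in this toy evaluator
        if matched:
            return qualifiers[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def check_envelope(client_ip, envelope_from):
    """Convenience wrapper: evaluate SPF for the envelope sender's domain."""
    return check_spf(client_ip, sender_domain(envelope_from))


if __name__ == "__main__":
    # The spam from the post: sent via the exit relay, envelope-from on the domain.
    print(check_envelope("198.51.100.147", "<best_pharmacy5 at manalyzer.org>"))  # fail
    # Legitimate mail relayed through the domain's MX host.
    print(check_envelope("192.0.2.25", "<someone at manalyzer.org>"))  # pass
```

With the record in place, the forged message from the exit relay evaluates to "fail" because the relay's address is not one of the domain's MX hosts, while mail from the MX host passes. Note that the result says nothing about the exit relay as a sender in general: a Tor user relaying mail for some other domain is judged against that other domain's policy, which is why the record restricts spoofing of your domain without restricting what traffic the relay carries.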
I also think that there should be a note in the Tor documentation about this issue (I couldn't find anything regarding this).

I hope this helps!

[1] https://en.wikipedia.org/wiki/Sender_Policy_Framework
[2] http://www.spfwizard.net/

--
JusticeRage
