[tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen

Thomas White thomaswhite at riseup.net
Sat Jul 19 10:32:38 UTC 2014

Hash: SHA1

Speaking from experience of operating 25 servers doing 4Gbps, I can
quite safely say that if your host has been supportive of Tor, I would
simply respond with the normal boilerplate regardless of what the
complaint is or who made it. I've received threats from countless
organisations, companies, police and have clashed with Interpol in the
past, they are yet to bring a single charge against me in the UK
(albeit I have had some servers seized). I am the exception of Tor
operators too, not the rule so if they can't charge me I very much
doubt they could charge somebody operating just a single server. The
point is that you should be very open that you operate a Tor node,
ensure you promptly respond to abuse complaints and if your provider
doesn't seem to be fully convinced by you or are threatening to close
your service then it could do with some additional explanation. Heck
if you need it just let me know who to contact and I'll do it for you!

Running Tor isn't illegal, you are protected by various safe-harbour
provisions and ultimately if they blacklist you there is little you
can do. Half of my IP's are on a lot of "blacklists", and I've found
removing them is useful in the short term perhaps but many are
automated and so just waste your time. In the long run we need
education more than anything and in fact I am actually writing up a
letter at the moment to encourage some blacklists to check if the IP
is a tor exit node and to prevent their systems spamming operators
with abuse complaints. (This section I'll follow up with on this
mailing list with next week)

My ISP has a policy that as long as the complaints aren't from
Spamhaus, they aren't too bothered as long as I reply to the abuse
complaints which I do. You should ask your ISP outright what the
policy is on these situations. But as far as Spamhaus goes I've not
received a single complaint from them out of thousands I have received
in the past year.

If you want to talk privately, just reply to me off the mailing list
and I'll be happy to do whatever I can.

- -T

On 18/07/2014 10:08, Ch'Gans wrote:
> Hi there,
> I'm here to look for advice or comments on how to handle abuse
> reports when you run a TOR relay exit on a "server for the mass". 
> I'm running the TOR exit node
> 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner netowrk
> (50E/month, this is my contribution to the TOR project) So far I
> had to deal with few "easy" abuse reports (ssh scan, forum insults,
> spams, ...), I think i performed pretty well so far (thanks to 
> Hetzner cooperation?)
> But today I just received this botnet related one. I do take this
> report seriously, I know that malware are more and more using the
> TOR network as an anonymous covert, I don't like malware, I don't
> like malicious botnet and I don't like spammers. Still I end up
> being identify as one of them.
> I knew from day one that it was a risky business to run an exit
> TOR node, but I want to stand up and fight. If only I can convince
> people of my right doing.
> First of all I am quite surprised that cert-bund.de (the
> complainant) didn't notice that I am a TOR exit node, so my first
> question (for people familiar with these guys) is: - How legit are
> these guys? Do they run for the German government? Are their simply
> trying to scare the shit out of me by citing europol.europa.eu, and
> us-cert.gov? (see redacted forwarded message below, my own opinion
> is "Yes") Then - Do they simply spam hosting company each time they
> have a probe sensing something somewhere (I know it's vague, but I
> can use that as a "this complainant is a spammer" kind of
> argument)
> Any other thoughts/remarks/comment on that matter?
> Regards, Chris
> Thought of the day: Nowadays it looks like server administrator
> tend to send abuse report each time they receive an illegal ping
> request! Testimony of the day: Last time I received an "SSH scan"
> abuse report, I sent back my SSH honeypot logs, which contains more
> than 5k login attempts per day.
> -------- Original Message -------- [..] ----- attachment ----- Dear
> Sir or Madam
> "Gameover Zeus" is malicious software which is primarily used by 
> cybercriminals to carry out online banking fraud and to spy out 
> login credentials for online services on infected PCs. It can also 
> be used to install further malicious software (including 
> blackmailing trojans such as "CryptoLocker" ransomware) on PCs or
> to carry out DDoS attacks.
> In a joint international campaign since the end of May 2014, law
> enforcement agencies, with the support of private sector partners, 
> have taken action against the "Gameover Zeus" botnet [1].
> As part of this campaign, it has now been possible to identify the 
> IP addresses of systems infected with "Gameover Zeus" [2].
> We are sending you a list of infected systems in your net area.
> Would you please examine the situation thoroughly and take
> appropriate measures to cleanse the systems.
> Sources:
> [1] Europol: International action against 'Gameover Zeus' botnet
> and 'CryptoLocker' ransomware 
> <https://www.europol.europa.eu/content/international-action-against-
> [2] ShadowServer: Gameover Zeus & Cryptolocker 
> <http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/>
>  [3] US-CERT: GameOver Zeus P2P Malware 
> <https://www.us-cert.gov/ncas/alerts/TA14-150A>
> A list of infected systems in your net area: [...]
> Kind regards, Team CERT-Bund
> _______________________________________________ tor-relays mailing
> list tor-relays at lists.torproject.org 
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Version: GnuPG v2.0.22 (MingW32)


More information about the tor-relays mailing list