[tor-relays] webiron requesting to block several /24 subnet

WubTheCaptain wub at partyvan.eu
Thu Dec 3 05:27:21 UTC 2015 

This will be my lengthy opinion on Webiron to get everything out of my
mind without redactions.

> Webiron's system sends notifications to both the abusix.org contact
> for the IP and to abuse at base-domain.tld for the reverse-DNS name of
> the relay IP.

This doesn't seem to be the case for us. Our rDNS is set to
tor-exit.se.partyvan.eu. Back when I received our first abuse complaint
from Webiron, the WHOIS for the Tor exit IP-address had an abuse-mailbox
contact for us but the abuse-c was still pointed at our data center.
Webiron emailed three email addresses:

- abuse at portlane.com (abuse-c, mnt-by for all of our /29)
- info at partyvan.eu (unlisted, unused RFC 2142 address)
- abuse at partyvan.eu (abuse-mailbox)

By the time I had received a second or third abuse report from Webiron,
I had made some voluntary changes to get the abuse-c assigned to us
after registering to RIPE database. Despite this, Webiron's system still
contacted two addressses:

- abuse at portlane.com (mnt-by for netnum)
- abuse at partyvan.eu (abuse-c and abuse-mailbox)

More accurately, Webiron may employ caching of results or go for the
netnum abuse-c/abuse-mailbox instead. Other abuse complaints we've
received such as one from the Brazilian Army have contacted our abuse@
role only and never bothered our data center. For what it's worth,
abuse.net also lists our abuse@ contact for the domain.

> I'm currently in the middle of a somewhat heated e-mail debate with
> their vice-president.
> Pasting the e-mails below would be indelicate, but their position is
> that the Tor network is responsible for the abuse it generates and
> should take measures to prevent/block malicious traffic.
> They also state that according to their measurements, 99% of the
> traffic coming out of Tor is hostile, and they're going to release a
> report on the matter soon.

Webiron's policies are dodgy at best. They even claim that Tor exit
operators are legally liable for the traffic they route [1], which is
obviously false given our real legislative liability protection for
service providers. I immediately lost sense of their credibility. They
say:

> Groups hosting exit nodes are responsible for the abuse that comes out
> of exit nodes. By refusing to take action to stop attacks originating
> from your proxies it can make you legally responsible to international
> law as well as laws in most regions (IE EU) as it shows a willingness
> to facilitate further attacks.

Our data center doesn't seem to mind Webiron's abuse reports regarding
our Tor exit, and while they also get copies of the abuse complaints
they've never bothered us about it. (For the curious, Portlane used to
house Serious Tubes which housed The Pirate Bay until a raid on December
2014.[2])

After receiving six or so abuse complaints from Webiron [3] and
acknowledging each to support at webiron.com explaining it's a Tor exit,
I've not heard back from them again for a while.

Banning /32 or /24 seems out of question for us to keep the limited
liability protection. It wouldn't solve the issue anyway due to 1000+
other exits available, so the best solution remains to block Tor
temporarily from the other end or implement CAPTCHAs for Tor users to
slow down or defeat bruteforce attacks.

As an example, CloudFlare implements CAPTCHA for visitors from Tor.
Webiron could do something similar if they wished to act on these as a
reverse proxy service. Their requests are too unreasonable for Tor exit
operators.

By their ideology, I understood they're saying stores selling ski
equipment for skiing should be held liable for crimes commited by their
customers who bought their skiing masks:

> You chose to allow this to run from the network you are responsible
> for. Proxing attacks is translatable to providing the mask before an
> assault or robbery. At this point we feel your company is complicit in
> these attacks by allowing them to continue.

For me this does not sound credible, and I didn't bother trying to give
their argument more credibility with a reply.

They wished me "good luck" [4] after mentioning my Tor exit will be on
their blacklist and referencing to IBM's research on "recommending a
blanket ban on Tor".[5]

At least I still remain to have some sense of credibility in SpamCop and
Spamhaus, despite few controversies involved with the latter.

This is why we can't have nice things and why I've given up with most
hosting providers.

PS: Portlane is not yet listed on GoodBadISPs [6] wiki page.

-Wub

[1]: https://archive.is/Obhnk
[2]: http://www.bbc.com/news/technology-30411782
[3]: https://partyvan.eu/transparency/emails/abuse/
[4]: https://partyvan.eu/transparency/emails/abuse/2015-11-13-webiron-tor-exit.mbox
[5]: http://www.techweekeurope.co.uk/security/ibm-companies-tor-175468
[6]: https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs

More information about the tor-relays mailing list