[tor-relays] Keeping an exit node off of blacklists due to botnet activity.
tor at t-3.net
Fri Jun 5 13:21:24 UTC 2015
> I have a fairly high bandwidth exit node running for about a month now
> that I'm having difficulty keeping off of the http://cbl.abuseat.org/
> blacklist and have been informed of this listing by the VPS provider.
> The relay is running with a reduced exit policy -- and additionally I've
> blocked common mail ports, etc. via IPFW so I know that no spam is
> actually being sent out of the relay. Still, various botnet connections
> are connecting to abuseat.org botnet sinkholes via port 80
> Command&Control connection attempts. I'm at a loss at how to stop this
> or somehow detect and filter botnet traffic.
>
> I've informed the VPS provider that I'm on top of it and have the
> machine configured to not actually allow this sort of malicious traffic
> out and they seem to be generally happy with that explanation, but a
> better solution if one exists would be appreciated.
>
> Thanks,
>
> Julian Plamann
>
> julian (at) amity.be
> GPG: 0x96881D83
Don't know if this will help, but maybe:
ExitPolicy reject 85.159.211.119 # Cryptolocker
ExitPolicy reject 212.71.250.4 # Cryptolocker
ExitPolicy reject 54.83.43.69 # Cryptolocker
ExitPolicy reject 192.42.116.41 # Cryptolocker
ExitPolicy reject 192.42.119.41 # Cryptolocker
ExitPolicy reject 198.98.103.253 # Cryptolocker
ExitPolicy reject 208.64.121.161 # Cryptolocker
ExitPolicy reject 142.0.36.234 # Cryptolocker
ExitPolicy reject 173.193.197.194 # Cryptolocker
In general, I see complaints about abuse from the exit relays we run
due to someone using Tor to try to exploit remote web server scripts
and databases and the like. I don't think there's anything that can be
done about it? I would say that it's just part of what you get coming
out of Tor exit nodes.
If anyone else has any better advice, feel free to correct me, but I
think it might be accurate to explain to the upstream that Tor exits
will generate certain kinds of abuse complaints as part of normal
operation. They open proxy web-related ports out, and some people
abuse Tor for web hacking types of activity.
I would say that it is normal for Tor exits to live permanently on
certain kinds of blacklists. They do not need to be on the spam email
related ones (reject *:25 and other email ports), but they will land
on other types of blacklists, and I don't think it can be helped.
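As an added example that is not from this list post or from Tor itself: a small Python checker that parses ExitPolicy lines like the ones above (IPv4 address or *, optional /mask, optional port or port range, comma-separated entries, an omitted port meaning *) and applies Tor's first-match-wins evaluation, so an operator can confirm which destinations a given policy still exits to before replying to the upstream. The sample torrc fragment, the TEST-NET address 203.0.113.7 and the explicit final accept *:* are constructed assumptions.

```python
import ipaddress

# Constructed torrc fragment: reject lines of the kind posted in the reply,
# the "reject *:25" it mentions, and an explicit catch-all accept (Tor appends
# its own default policy, which ends in "accept *:*", after the configured rules).
TORRC = """\
ExitPolicy reject 85.159.211.119 # Cryptolocker
ExitPolicy reject 212.71.250.4 # Cryptolocker
ExitPolicy reject 192.42.116.41,reject 192.42.119.41 # Cryptolocker
ExitPolicy reject *:25
ExitPolicy accept *:*
"""

def parse_exit_policy(text):
    """Return [(action, network, low_port, high_port)] in torrc order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comment
        if not line.startswith("ExitPolicy"):
            continue
        for entry in line[len("ExitPolicy"):].split(","):  # commas separate entries
            action, target = entry.split()
            addr, _, port = target.rpartition(":")  # IPv4 or '*' only in this example
            if not addr:                              # no ':' at all: port omitted, so '*'
                addr, port = target, "*"
            net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
            if port == "*":
                low, high = 1, 65535
            elif "-" in port:
                low, high = map(int, port.split("-"))
            else:
                low = high = int(port)
            rules.append((action, net, low, high))
    return rules

def exit_decision(rules, addr, port):
    """First matching rule wins, as in Tor; anything unmatched falls through to accept."""
    ip = ipaddress.ip_address(addr)
    for action, net, low, high in rules:
        if ip in net and low <= port <= high:
            return action
    return "accept"

def still_allowed(rules, addrs, port=80):
    """Addresses from an operator's own block list that the policy would still exit to."""
    return [a for a in addrs if exit_decision(rules, a, port) == "accept"]

RULES = parse_exit_policy(TORRC)

if __name__ == "__main__":
    # 203.0.113.7 is a constructed TEST-NET address standing in for a host not yet rejected.
    print(still_allowed(RULES, ["85.159.211.119", "203.0.113.7"]))  # ['203.0.113.7']
```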