[tor-relays] Keeping an exit node off of blacklists due to botnet activity.
tor at t-3.net
Fri Jun 5 13:21:24 UTC 2015
> I have a fairly high bandwidth exit node running for about a month
> that I'm having difficulty keeping off of the
> blacklist and have been informed of this listing by the VPS
> The relay is running with a reduced exit policy -- and additionally
> blocked common mail ports, etc via IPFW so I know that no spam is
> actually being sent out of the relay. Still, various botnets
> are connecting to abuseat.org botnet sinkholes via port 80
> Command&Control connection attempts. I'm at a loss at how to stop
> or somehow detect and filter botnet traffic.
> I've informed the VPS provider that I'm on top of it and have the
> machine configured to not actually allow this sort of malicious
> out and they seem to be generally happy with that explanation, but
> better solution if one exists would be appreciated.
> Julian Plamann
> julian (at) amity.be
> GPG: 0x96881D83
Don't know if this will help, but maybe:
ExitPolicy reject 220.127.116.11 # Cryptolocker
ExitPolicy reject 18.104.22.168 # Cryptolocker
ExitPolicy reject 22.214.171.124 # Cryptolocker
ExitPolicy reject 126.96.36.199 # Cryptolocker
ExitPolicy reject 188.8.131.52 # Cryptolocker
ExitPolicy reject 184.108.40.206 # Cryptolocker
ExitPolicy reject 220.127.116.11 # Cryptolocker
ExitPolicy reject 18.104.22.168 # Cryptolocker
ExitPolicy reject 22.214.171.124 # Cryptolocker
In general, I see complaints about abuse from the exit relays we run
due to someone using Tor to try to exploit remote web server scripts
and databases and the like. I don't think there's anything that can be
done about it? I would say that it's just part of what you get coming
out of Tor exit nodes.
If anyone else has any better advice feel free to correct me but, I
think it might be accurate to explain to the upstream that Tor exits
will generate certain kinds of abuse complaints as part of normal
operation. They open proxy web-related ports out, and some people
abuse Tor for web hacking types of activity.
I would say that it is normal for Tor exits to live permanently on
certain kinds of blacklists. They do not need to be on the spam email
related ones (reject *:25 and other email ports), but they will land
on other types of blacklists, and I don't think it can be helped.
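As an added example (not code from the thread): a small Python checker that reads torrc ExitPolicy lines and evaluates them the way Tor does (first matching rule wins), so an operator can confirm that the sinkhole rejects and the mail-port rejects discussed above actually take effect before reloading tor. The policy text below is constructed for the example; only the first sinkhole address is taken from the reply, and it handles IPv4 rules only.

```python
import ipaddress

# Constructed torrc fragment: one sinkhole reject line from the reply above,
# the email-port rejects the reply recommends, and an explicit final reject.
TORRC_POLICY = """
ExitPolicy reject 220.127.116.11  # Cryptolocker sinkhole (address from the thread)
ExitPolicy reject *:25
ExitPolicy reject *:465
ExitPolicy reject *:587
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""

def parse_policy(text):
    """Parse 'ExitPolicy accept|reject ADDR[/MASK][:PORT[-PORT]]' lines in order.
    A missing port means ':*', as tor itself interprets it (IPv4 only here)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line.startswith("ExitPolicy"):
            continue
        _, action, pattern = line.split(None, 2)     # keyword, verb, target
        addr, port = pattern.rsplit(":", 1) if ":" in pattern else (pattern, "*")
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-"))
        else:
            lo = hi = int(port)
        rules.append((action, net, lo, hi))
    return rules

def exit_allowed(rules, dest_ip, dest_port):
    """Return True/False for the first matching rule; None if nothing matched,
    in which case tor would fall through to its built-in default policy."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, lo, hi in rules:
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action == "accept"
    return None

if __name__ == "__main__":
    rules = parse_policy(TORRC_POLICY)
    for dest in [("220.127.116.11", 80), ("93.184.216.34", 80), ("93.184.216.34", 25)]:
        print(dest, "->", exit_allowed(rules, *dest))
```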