[tor-relays] Intrusion Prevention System Software - Snort or Suricata

Markus Koch niftybunny at googlemail.com
Tue Oct 4 15:48:19 UTC 2016


same shit here:

Dear User,
We are contacting you because of unusual activity coming from your IP
address towards the IT infrastructure of the European Commission.
In specific, since 03/10/2016, IP addresses 95.85.45.159 &
104.236.225.19 of Digital Ocean, located in the Netherlands (NL) and
the USA respectively, have submitted a significantly large number of
invalid VAT number requests as compared to the total number of
requests (89,59% & 89,96% respectively) towards VAT numbers from a
multiple of EU member States (MS) through the VIES on the Web service
(http://ec.europa.eu/taxation_customs/vies/). For more information on
Invalid VAT number requests please refer to FAQ, questions 7, 11, 12,
13 and 20 of the VIES on the WEB site
(http://ec.europa.eu/taxation_customs/vies/faq.html).
The scope of our team is to monitor on a daily basis the performance
of the VIES-on-the-Web (VoW) service in order to ensure its
performance in accordance with the standards agreed upon between EU's
Directorate General for Taxation and Customs Union (DG TAXUD) and the
EU Member States.
Our objective is to secure constant and uninterrupted availability and
flow of traffic (requests for VAT validation) at all times.
Under this framework, our team intervenes whenever there is out of the
ordinary, unusual and potentially suspicious use of the system that
violates the rules of use as they are stated in the Specific
disclaimer for this service, which is available at the VoW site
(http://ec.europa.eu/taxation_customs/vies/disclaimer.html).
Consequently, in order to allow flawless use of the service, we were
obliged to block the access to VIES on the Web for the IP address
88.198.110.130.
Following our action, we would like to know if you are aware of this
situation. Furthermore, your cooperation and contribution is necessary
in order to determine the reason for this occurrence.
Please inform us if this behaviour is normal and if such, how often it
should occur; we would then take action to unblock the traffic coming
from the corresponding IP address assuming you will agree to follow a
set ITSM VIES/Web Team
"ITSM2 is a contracted support partner for the IT Service Management
of the European Commission.
This e-mail is a reply to your message sent to the
TAXUD-VIESWEB at ec.europa.eu<mailto:TAXUD-VIESWEB at ec.europa.eu> e-mail.
Answers provided by the contactor are on behalf and according to
policy guidelines of DG TAXUD, but not binding for the European
Commission."

I am so done with it, I added

ExitPolicy reject 147.67.136.103 # TAX SPAM
ExitPolicy reject 147.67.136.21  # TAX SPAM
ExitPolicy reject 147.67.119.103  # TAX SPAM
ExitPolicy reject 147.67.119.3  # TAX SPAM
ExitPolicy reject 147.67.136.3  # TAX SPAM
ExitPolicy reject 147.67.119.21  # TAX SPAM

That's going on for months now and by all means, this is not free speech ...

Markus.



2016-10-04 17:42 GMT+02:00 pa011 <pa011 at web.de>:
> Am 04.10.2016 um 16:48 schrieb krishna e bera:
>> On 04/10/16 08:48 AM, pa011 wrote:
>>> One of my main ISP is going mad with the number of abuses he gets from my Exits (currently most on port 80).
>>> He asks me to install "Intrusion Prevention System Software" or shutting down the servers.
>>
>> You can first ask him for a copy of the complaints in order to
>> understand what sort of alleged abuses are taking place.  Are the
>> complaints about spam or scraping or web server exploits or something else?
>
> I do get a copy of every complaint - they are unfortunately:
>
> - Http browser intrusion  - /var/log/apache2/other_vhosts_access.log:soldierx.com:80 xxx.xxx.xxx.xxx - - [30/Sep/2016:11:14:34 -0400] "HEAD / HTTP/1.0" 302 192 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"
>
> - invalid VAT number requests
>
> -recorded connection attempt(s) from your hosts to our honeypots
>
> - Issue: Source has attempted the following botnet activity: Semalt Referrer    Spam Tor Exit Bot
>
> - botnet drone|Description: Ramnit botnet victim connection to sinkhole details,
>
> - attackers used the method/service: *imap*
>
>> You can change your exit policy to reduce likelihood of complaints:
>> https://blog.torproject.org/blog/tips-running-exit-node
>
> I know, but I hardly like to block port 80
>
>>> As far as I understand implementing such a software is not going together with Tor - am I right?
>>
>> If your exit nodes tamper with traffic in any way they will be labelled
>> as Bad Exit. (Tor tries to be net neutral.)
>> https://trac.torproject.org/projects/tor/wiki/doc/badRelays
>>
>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>
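The ExitPolicy lines Markus added are torrc configuration. Tor evaluates an exit policy top to bottom and the first matching line wins, so a typo or an overly broad line can reject far more than the handful of addresses an operator intended, and a line placed after an `accept *:80` never fires at all. The following example is added here and is not code from the post or from Tor itself: it parses a small constructed torrc fragment (the reject lines from the post plus a few hypothetical accept/reject lines) and reports what a given destination IP and port would get, so a reject list can be checked before a relay is restarted. It assumes Tor's `ADDR[/MASK][:PORT|PORTRANGE]` syntax with `*` as a wildcard, that an omitted port means all ports, IPv4 only, and that a destination matching no line falls through to Tor's built-in default policy, which is not modelled and is reported as `None`.

```python
"""Evaluate torrc ExitPolicy lines against a destination (first match wins).

Added example, not Tor's own code. Assumes the ExitPolicy grammar
    ExitPolicy accept|reject ADDR[/MASK][:PORT|LOW-HIGH]
with "*" as a wildcard for address or port, and an omitted port meaning
all ports. IPv4 only. Destinations matching no line fall through to Tor's
default policy, which is not modelled here (returned as None).
"""
import ipaddress

# Constructed sample: the reject lines from the post plus hypothetical
# accept/reject lines to show ordering and CIDR/port matching.
TORRC_SAMPLE = """
ExitPolicy reject 147.67.136.103 # TAX SPAM
ExitPolicy reject 147.67.136.21  # TAX SPAM
ExitPolicy reject 147.67.119.0/24:80 # hypothetical: CIDR + single port
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""


def parse_exit_policy(text):
    """Return a list of (action, network_or_None, low_port, high_port)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "ExitPolicy":
            raise ValueError(f"unrecognised line: {raw!r}")
        action, target = parts[1].lower(), parts[2]
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action in line: {raw!r}")
        addr, sep, port = target.rpartition(":")
        if not sep:  # no port given: assumption, treat as all ports
            addr, port = target, "*"
        # A bare address becomes a /32 network; "*" matches any address.
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            low, high = 1, 65535
        elif "-" in port:
            low, high = (int(p) for p in port.split("-", 1))
        else:
            low = high = int(port)
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"bad port range in line: {raw!r}")
        rules.append((action, network, low, high))
    return rules


def exit_decision(rules, dest_ip, dest_port):
    """First matching rule decides; None means no line matched."""
    ip = ipaddress.ip_address(dest_ip)
    for action, network, low, high in rules:
        if network is not None and ip not in network:
            continue
        if not (low <= dest_port <= high):
            continue
        return action
    return None


def shadowed_rules(rules):
    """Indexes of reject lines that can never match because an earlier
    accept line already covers every destination they describe.
    Only the simple case (earlier wildcard-address accept on the same
    port range) is detected; sufficient to catch ordering mistakes."""
    shadowed = []
    for i, (action, network, low, high) in enumerate(rules):
        if action != "reject":
            continue
        for e_action, e_net, e_low, e_high in rules[:i]:
            if e_action == "accept" and e_net is None and e_low <= low and high <= e_high:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    policy = parse_exit_policy(TORRC_SAMPLE)
    for ip, port in [("147.67.136.103", 443), ("147.67.119.77", 80),
                     ("147.67.119.77", 443), ("93.184.216.34", 22)]:
        print(f"{ip}:{port} -> {exit_decision(policy, ip, port)}")
    print("shadowed reject lines:", shadowed_rules(policy))
```

Run it as-is to see the decisions for the sample; to audit a real relay, paste the relay's ExitPolicy lines into `TORRC_SAMPLE` and check the destinations the complaints name. A non-empty `shadowed_rules` result means a reject line sits below an accept that already covers it and will never take effect.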

