[tor-relays] Intrusion Prevention System Software - Snort or Suricata

Tristan supersluether at gmail.com
Tue Oct 4 16:03:28 UTC 2016


I don't know what I'm doing different, because I only got 2 complaints in
the last 2 months, and that was for SSH and SQL stuff.

On Oct 4, 2016 11:01 AM, "pa011" <pa011 at web.de> wrote:

> Me too Markus -could fill a folder with that tax issue :-((
> Costing a lot of time to answer and restrict the IPs
>
> Plus my ISP moaning with good reason: "It's not just about you, but you're
> giving a bad reputation to one /21 and one /22 subnet. That's ~ 3000 IPs
> which are potentionaly endagered to be marked as source of malicious
> content / blacklisted / whatever ... so you see, this is quite critical for
> us."
>
> Am 04.10.2016 um 17:48 schrieb Markus Koch:
> > same shit here:
> >
> > Dear User,
> > We are contacting you because of unusual activity coming from your IP
> > address towards the IT infrastructure of the European Commission.
> > In specific, since 03/10/2016, IP addresses 95.85.45.159 &
> > 104.236.225.19 of Digital Ocean, located in the Netherlands (NL) and
> > the USA respectively, have submitted a significantly large number of
> > invalid VAT number requests as compared to the total number of
> > requests (89,59% & 89,96% respectively) towards VAT numbers from a
> > multiple of EU member States (MS) through the VIES on the Web service
> > (http://ec.europa.eu/taxation_customs/vies/). For more information on
> > Invalid VAT number requests please refer to FAQ, questions 7, 11, 12,
> > 13 and 20 of the VIES on the WEB site
> > (http://ec.europa.eu/taxation_customs/vies/faq.html).
> > The scope of our team is to monitor on a daily basis the performance
> > of the VIES-on-the-Web (VoW) service in order to ensure its
> > performance in accordance with the standards agreed upon between EU's
> > Directorate General for Taxation and Customs Union (DG TAXUD) and the
> > EU Member States.
> > Our objective is to secure constant and uninterrupted availability and
> > flow of traffic (requests for VAT validation) at all times.
> > Under this framework, our team intervenes whenever there is out of the
> > ordinary, unusual and potentially suspicious use of the system that
> > violates the rules of use as they are stated in the Specific
> > disclaimer for this service, which is available at the VoW site
> > (http://ec.europa.eu/taxation_customs/vies/disclaimer.html).
> > Consequently, in order to allow flawless use of the service, we were
> > obliged to block the access to VIES on the Web for the IP address
> > 88.198.110.130.
> > Following our action, we would like to know if you are aware of this
> > situation. Furthermore, your cooperation and contribution is necessary
> > in order to determine the reason for this occurrence.
> > Please inform us if this behaviour is normal and if such, how often it
> > should occur; we would then take action to unblock the traffic coming
> > from the corresponding IP address assuming you will agree to follow a
> > set ITSM VIES/Web Team
> > "ITSM2 is a contracted support partner for the IT Service Management
> > of the European Commission.
> > This e-mail is a reply to your message sent to the
> > TAXUD-VIESWEB at ec.europa.eu<mailto:TAXUD-VIESWEB at ec.europa.eu> e-mail.
> > Answers provided by the contactor are on behalf and according to
> > policy guidelines of DG TAXUD, but not binding for the European
> > Commission."
> >
> > I am so done with it, I added
> >
> > ExitPolicy reject 147.67.136.103 # TAX SPAM
> > ExitPolicy reject 147.67.136.21  # TAX SPAM
> > ExitPolicy reject 147.67.119.103  # TAX SPAM
> > ExitPolicy reject 147.67.119.3  # TAX SPAM
> > ExitPolicy reject 147.67.136.3  # TAX SPAM
> > ExitPolicy reject 147.67.119.21  # TAX SPAM
> >
> > Thats going on for months now and by all means, this is not free speech
> ...
> >
> > Markus.
> >
> >
> >
> > 2016-10-04 17:42 GMT+02:00 pa011 <pa011 at web.de>:
> >> Am 04.10.2016 um 16:48 schrieb krishna e bera:
> >>> On 04/10/16 08:48 AM, pa011 wrote:
> >>>> One of my main ISP is going mad with the number of abuses he gets
> from my Exits (currently most on port 80).
> >>>> He asks me to install "Intrusion Prevention System Software" or
> shutting down the servers.
> >>>
> >>> You can first ask him for a copy of the complaints in order to
> >>> understand what sort of alleged abuses are taking place.  Are the
> >>> complaints about spam or scraping or web server exploits or something
> else?
> >>
> >> I do get a copy of every complaint - they are unfortunately:
> >>
> >> - Http browser intrucion  - /var/log/apache2/other_vhosts_access.log:
> soldierx.com:80 xxx.xxx.xxx.xxx - - [30/Sep/2016:11:14:34 -0400] "HEAD /
> HTTP/1.0" 302 192 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl;
> rv:1.8.1.12) Gecko/20080201Firefox/2.0.0.12"
> >>
> >> - invalid VAT number requests
> >>
> >> -recorded connection attempt(s) from your hosts to our honeypots
> >>
> >> - Issue: Source has attempted the following botnet activity: Semalt
> Referrer    Spam Tor Exit Bot
> >>
> >> - botnet drone|Description: Ramnit botnet victim connection to sinkhole
> details,
> >>
> >> - attackers used the method/service: *imap*
> >>
> >>> You can change your exit policy to reduce likelihood of complaints:
> >>> https://blog.torproject.org/blog/tips-running-exit-node
> >>
> >> I know, but I hardly like to block port 80
> >>
> >>>> As far as I understand implementing such a software is not going
> together with Tor - am I right?
> >>>
> >>> If your exit nodes tamper with traffic in any way they will be labelled
> >>> as Bad Exit. (Tor tries to be net neutral.)
> >>> https://trac.torproject.org/projects/tor/wiki/doc/badRelays
> >>>
> >>>
> >>> _______________________________________________
> >>> tor-relays mailing list
> >>> tor-relays at lists.torproject.org
> >>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> >>>
> >> _______________________________________________
> >> tor-relays mailing list
> >> tor-relays at lists.torproject.org
> >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> > _______________________________________________
> > tor-relays mailing list
> > tor-relays at lists.torproject.org
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> >
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20161004/0b2b8d81/attachment-0001.html>


More information about the tor-relays mailing list