[tor-relays] Intrusion Prevention System Software - Snort or Suricata

pa011 pa011 at web.de
Tue Oct 4 16:18:20 UTC 2016


Yes it's ISP - plus 10 times more fire-power both, Markus and me 
which is 10 times more work, sadly :-(


Am 04.10.2016 um 18:12 schrieb Markus Koch:
> Short answer: ISP
> 
> I got 2 abuse mails (1 false positive) from Hostwinds in 4 months and
> I get weekly mass reports from DigitalOcean.
> And the thing that pisses me off is: It's all bots or Tax spam or other
> stuff I got weeks/months ago. Different day, same shitty abuse mail.
> 
> Markus
> 
> 
> 2016-10-04 18:03 GMT+02:00 Tristan <supersluether at gmail.com>:
>> I don't know what I'm doing different, because I only got 2 complaints in
>> the last 2 months, and that was for SSH and SQL stuff.
>>
>>
>> On Oct 4, 2016 11:01 AM, "pa011" <pa011 at web.de> wrote:
>>>
>>> Me too Markus -could fill a folder with that tax issue :-((
>>> Costing a lot of time to answer and restrict the IPs
>>>
>>> Plus my ISP moaning with good reason: "It's not just about you, but you're
>>> giving a bad reputation to one /21 and one /22 subnet. That's ~ 3000 IPs
>>> which are potentially endangered to be marked as source of malicious content
>>> / blacklisted / whatever ... so you see, this is quite critical for us."
>>>
>>> Am 04.10.2016 um 17:48 schrieb Markus Koch:
>>>> same shit here:
>>>>
>>>> Dear User,
>>>> We are contacting you because of unusual activity coming from your IP
>>>> address towards the IT infrastructure of the European Commission.
>>>> In specific, since 03/10/2016, IP addresses 95.85.45.159 &
>>>> 104.236.225.19 of Digital Ocean, located in the Netherlands (NL) and
>>>> the USA respectively, have submitted a significantly large number of
>>>> invalid VAT number requests as compared to the total number of
>>>> requests (89,59% & 89,96% respectively) towards VAT numbers from a
>>>> multiple of EU member States (MS) through the VIES on the Web service
>>>> (http://ec.europa.eu/taxation_customs/vies/). For more information on
>>>> Invalid VAT number requests please refer to FAQ, questions 7, 11, 12,
>>>> 13 and 20 of the VIES on the WEB site
>>>> (http://ec.europa.eu/taxation_customs/vies/faq.html).
>>>> The scope of our team is to monitor on a daily basis the performance
>>>> of the VIES-on-the-Web (VoW) service in order to ensure its
>>>> performance in accordance with the standards agreed upon between EU's
>>>> Directorate General for Taxation and Customs Union (DG TAXUD) and the
>>>> EU Member States.
>>>> Our objective is to secure constant and uninterrupted availability and
>>>> flow of traffic (requests for VAT validation) at all times.
>>>> Under this framework, our team intervenes whenever there is out of the
>>>> ordinary, unusual and potentially suspicious use of the system that
>>>> violates the rules of use as they are stated in the Specific
>>>> disclaimer for this service, which is available at the VoW site
>>>> (http://ec.europa.eu/taxation_customs/vies/disclaimer.html).
>>>> Consequently, in order to allow flawless use of the service, we were
>>>> obliged to block the access to VIES on the Web for the IP address
>>>> 88.198.110.130.
>>>> Following our action, we would like to know if you are aware of this
>>>> situation. Furthermore, your cooperation and contribution is necessary
>>>> in order to determine the reason for this occurrence.
>>>> Please inform us if this behaviour is normal and if such, how often it
>>>> should occur; we would then take action to unblock the traffic coming
>>>> from the corresponding IP address assuming you will agree to follow a
>>>> set ITSM VIES/Web Team
>>>> "ITSM2 is a contracted support partner for the IT Service Management
>>>> of the European Commission.
>>>> This e-mail is a reply to your message sent to the
>>>> TAXUD-VIESWEB at ec.europa.eu<mailto:TAXUD-VIESWEB at ec.europa.eu> e-mail.
>>>> Answers provided by the contactor are on behalf and according to
>>>> policy guidelines of DG TAXUD, but not binding for the European
>>>> Commission."
>>>>
>>>> I am so done with it, I added
>>>>
>>>> ExitPolicy reject 147.67.136.103 # TAX SPAM
>>>> ExitPolicy reject 147.67.136.21  # TAX SPAM
>>>> ExitPolicy reject 147.67.119.103  # TAX SPAM
>>>> ExitPolicy reject 147.67.119.3  # TAX SPAM
>>>> ExitPolicy reject 147.67.136.3  # TAX SPAM
>>>> ExitPolicy reject 147.67.119.21  # TAX SPAM
>>>>
>>>> That's going on for months now and by all means, this is not free speech
>>>> ...
>>>>
>>>> Markus.
>>>>
>>>>
>>>>
>>>> 2016-10-04 17:42 GMT+02:00 pa011 <pa011 at web.de>:
>>>>> Am 04.10.2016 um 16:48 schrieb krishna e bera:
>>>>>> On 04/10/16 08:48 AM, pa011 wrote:
>>>>>>> One of my main ISPs is going mad with the number of abuses he gets
>>>>>>> from my Exits (currently most on port 80).
>>>>>>> He asks me to install "Intrusion Prevention System Software" or
>>>>>>> shut down the servers.
>>>>>>
>>>>>> You can first ask him for a copy of the complaints in order to
>>>>>> understand what sort of alleged abuses are taking place.  Are the
>>>>>> complaints about spam or scraping or web server exploits or something
>>>>>> else?
>>>>>
>>>>> I do get a copy of every complaint - they are unfortunately:
>>>>>
>>>>> - HTTP browser intrusion  -
>>>>> /var/log/apache2/other_vhosts_access.log:soldierx.com:80 xxx.xxx.xxx.xxx - -
>>>>> [30/Sep/2016:11:14:34 -0400] "HEAD / HTTP/1.0" 302 192 "-" "Mozilla/5.0
>>>>> (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12)
>>>>> Gecko/20080201Firefox/2.0.0.12"
>>>>>
>>>>> - invalid VAT number requests
>>>>>
>>>>> -recorded connection attempt(s) from your hosts to our honeypots
>>>>>
>>>>> - Issue: Source has attempted the following botnet activity: Semalt
>>>>> Referrer    Spam Tor Exit Bot
>>>>>
>>>>> - botnet drone|Description: Ramnit botnet victim connection to sinkhole
>>>>> details,
>>>>>
>>>>> - attackers used the method/service: *imap*
>>>>>
>>>>>> You can change your exit policy to reduce likelihood of complaints:
>>>>>> https://blog.torproject.org/blog/tips-running-exit-node
>>>>>
>>>>> I know, but I hardly like to block port 80
>>>>>
>>>>>>> As far as I understand implementing such a software is not going
>>>>>>> together with Tor - am I right?
>>>>>>
>>>>>> If your exit nodes tamper with traffic in any way they will be
>>>>>> labelled
>>>>>> as Bad Exit. (Tor tries to be net neutral.)
>>>>>> https://trac.torproject.org/projects/tor/wiki/doc/badRelays
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> tor-relays mailing list
>>>>>> tor-relays at lists.torproject.org
>>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>>>>
>>>>
>>
>>
>>
> 
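Markus's torrc lines above reject individual destination hosts one by one. As an added example for this thread (not code from the list, from Tor, or from any poster), the script below builds such reject lines from a list of complaint destinations, drops hosts already covered by a listed network, and merges them into a torrc ahead of any `accept *:*` line, because Tor evaluates ExitPolicy entries first to last and the first match wins. It assumes the documented torrc syntax `ExitPolicy reject ADDR[/MASK][:PORT]` with PORT omitted meaning all ports, one policy per line as in the quoted snippet, and IPv4 only; the sample torrc is constructed and the function names are hypothetical.

```python
"""Turn abuse-complaint destination addresses into Tor ExitPolicy reject lines
and merge them into a torrc without duplicates.

Added example for this thread; not code from the list, from Tor, or from any
poster.  Assumes the documented torrc syntax `ExitPolicy reject ADDR[/MASK][:PORT]`
(PORT omitted means all ports) and one policy per line, as in the lines quoted
above.  IPv4 only; function names are hypothetical.
"""
import ipaddress
import re

# The six VIES addresses quoted in Markus's torrc snippet.
COMPLAINT_TARGETS = [
    "147.67.136.103", "147.67.136.21", "147.67.119.103",
    "147.67.119.3", "147.67.136.3", "147.67.119.21",
]

# Constructed sample torrc for the merge demo (not a real relay's config).
TORRC = """\
ORPort 9001
ExitPolicy reject 147.67.136.103 # TAX SPAM
ExitPolicy reject *:25
ExitPolicy accept *:*
"""

POLICY_RE = re.compile(r"^\s*ExitPolicy\s", re.IGNORECASE)
REJECT_RE = re.compile(r"^\s*ExitPolicy\s+reject\s+(\S+)", re.IGNORECASE)


def parse_targets(entries):
    """Validate every entry as an IPv4 host or CIDR.  strict=True makes a
    typo such as 147.67.136.103/24 (host bits set) an error instead of
    silently widening the policy to the whole /24."""
    nets = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"bad ExitPolicy target {entry!r}: {exc}") from exc
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {entry!r}")
        nets.append(net)
    return nets


def build_reject_lines(entries, comment=""):
    """Return sorted, deduplicated reject lines.  collapse_addresses drops
    hosts already covered by a listed network and merges adjacent ones,
    so the policy stays as short as possible."""
    lines = []
    for net in ipaddress.collapse_addresses(parse_targets(entries)):
        # A /32 is written as a bare host, the way the thread's lines do it.
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        line = f"ExitPolicy reject {target}"
        if comment:
            line += f"  # {comment}"
        lines.append(line)
    return lines


def policy_key(raw):
    """Canonical (address, port) for an ExitPolicy target so that
    '147.67.136.103' and '147.67.136.103/32:*' compare equal."""
    addr, _, port = raw.rstrip(",").partition(":")
    port = port or "*"
    if addr != "*":
        try:
            addr = str(ipaddress.ip_network(addr, strict=False))
        except ValueError:
            pass  # leave unparseable text as-is; it will never match a new line
    return (addr, port)


def merge_into_torrc(torrc_text, new_lines):
    """Insert new reject lines before the first existing ExitPolicy line.
    Tor evaluates policies first to last and the first match wins, so a
    reject appended after `accept *:*` would never take effect.  Lines whose
    target is already present are skipped.  Returns (new torrc, added lines)."""
    lines = torrc_text.splitlines()
    existing = set()
    first_policy = None
    for i, line in enumerate(lines):
        if POLICY_RE.match(line):
            if first_policy is None:
                first_policy = i
            m = REJECT_RE.match(line)
            if m:
                existing.add(policy_key(m.group(1)))
    added = []
    for line in new_lines:
        m = REJECT_RE.match(line)
        if m is None:
            raise ValueError(f"not a reject line: {line!r}")
        key = policy_key(m.group(1))
        if key not in existing:
            existing.add(key)
            added.append(line)
    insert_at = len(lines) if first_policy is None else first_policy
    merged = lines[:insert_at] + added + lines[insert_at:]
    return "\n".join(merged) + "\n", added


if __name__ == "__main__":
    new = build_reject_lines(COMPLAINT_TARGETS, "TAX SPAM")
    merged, added = merge_into_torrc(TORRC, new)
    print(merged)
    print(f"{len(added)} line(s) added")
```

Run as a script it prints the merged torrc. The most common way such an edit fails is a reject appended after `accept *:*`, which Tor never reaches; that is why the merge inserts ahead of the first policy line rather than at the end of the file. Reload the relay after editing (SIGHUP) for the new policy to be published.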

