[tor-relays] Spamcop question

ylms tor at yl.ms
Thu Apr 4 12:42:01 UTC 2019 

Hello all,
I bundle the reply to all three helpful replies in this email.

Basically the replies confirm my assumptions, I was wondering if there
is single malconfiguration on my end or if the problem is a little more
complex. I will watch the abuse complaints and if there will be more
about spam I will see what I can do.

This abuse ticket was part of a bundle of complaints (many abuse
complaints), most of them SSH bruteforce and WordPress "hacking"
attempts. So I relied with my standard reply as I always do, it is
generic and explains that the server is a Tor exit and I offer to block
their ip in the email. Not sure what my provider does with that reply,
but I never hear back from any people.


Thanks again for the help.

Regards
yl



Replies, just for reference:

1.

On 4/2/19 11:24 PM, Ralph Seichter wrote:> * ylms:
>
>> smtp:>>smtp.efg.es,587,test at efg.es,123456>>
>> [...]
>> ExitPolicy accept *:587
>
> You allow TCP port 587 (submission). That should not be a problem unless
> the targeted server fails to enforce authentication for all email
> submitted via this port. If that is the case, it is a configuration
> error on the destination server.
>
> -Ralph



2.

On 4/2/19 11:19 PM, nusenu wrote:>
>> My question, what did I miss in in the exit policy, I have used the
>> following in the torrc. Maybe I did not miss anything at all. Thanks for
>> helping me to understand how the spammer could use the the exit for
>> spamming.
>
> Emails and spam can be send via for example:
> - webmail (frequently port 80/443)
> - 465/587
>
> (not just port 25)
>
>


3.

On 4/2/19 11:08 PM, Nathaniel Suchy wrote:> Someone likely abused a
webmail provider. Respond to them that SMTP isn’t available from your
exit and they’ll have to contact the email service provider directly.
>
> Cordially,
> Nathaniel Suchy


On 4/2/19 11:04 PM, ylms wrote:
> Hello fellow Tor-Exit operators,
> 
> today I got the following Abuse message:
> 
> //Start
> 
> [ SpamCop V5.0.0 ]
> This message is brief for your comfort.  Please use links below for details.
> 
> Email from 5.199.130.188 / Tue, 19 Mar 2019 12:20:30 +0000
> https://www.spamcop.net/w3m?i=.....(removed)
> 5.199.130.188 is open proxy, see: https://www.spamcop.net/mky-proxies.html
> 
> [ Offending message ]
> Return-Path: <admin at abc.gr>
> X-Original-To: bingobongo69 at cd.ru
> Delivered-To: bingobongo69 at cd.ru
> Received: from 31.184.255.247 (unknown [5.199.130.188])
> 	by relay (Postfix) with ESMTPSA id 7cqntswbr6frkskj
> 	for <bingobongo69 at cd.ru>; Tue, 19 Mar 2019 12:20:30 +0000
> Message-ID: <EAAACECBFAFDDACFCAEABBBEC at abc.gr>
> From: <admin at abc.gr>
> To: <bingobongo69 at cd.ru>
> Subject: smtp:>>smtp.efg.es,587,test at efg.es,123456>>
> Date: Tue, 19 Mar 2019 13:20:18 +0100
> MIME-Version: 1.0
> Content-Type: text/plain;
> 	charset="windows-1251";
> Content-Transfer-Encoding: 7bit
> 
> smtp:>>smtp.efg.es,587,test at efg.es,123456>>
> 
> veblcshgtpwfdonxkebdghrwf
> pboqjycmmdslmliomafclayaheiuft
> uybveafdbnsuydqvbgyukf
> zsszifpadkpaufibjosuk
> 
> //End
> 
> I wasn't sure what to remove from the abuse message so I removed all the
> domains to protect the owners of these hosts/addresses, I hope I didn't
> miss any.
> 
> My question, what did I miss in in the exit policy, I have used the
> following in the torrc. Maybe I did not miss anything at all. Thanks for
> helping me to understand how the spammer could use the the exit for
> spamming.
> 
> I assume with the reduced exit policy spammers should not be enabled to
> use the exit.
> 
> // torrc
> # Reduced Exit policy according to:
> https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
> ExitPolicy accept *:20-21     # FTP
> ExitPolicy accept *:22        # SSH
> ExitPolicy accept *:23        # Telnet
> ExitPolicy accept *:43        # WHOIS
> ExitPolicy accept *:53        # DNS
> ExitPolicy accept *:79        # finger
> ExitPolicy accept *:80-81     # HTTP
> ExitPolicy accept *:88        # kerberos
> ExitPolicy accept *:110       # POP3
> ExitPolicy accept *:143       # IMAP
> ExitPolicy accept *:194       # IRC
> ExitPolicy accept *:220       # IMAP3
> ExitPolicy accept *:389       # LDAP
> ExitPolicy accept *:443       # HTTPS
> ExitPolicy accept *:464       # kpasswd
> ExitPolicy accept *:465       # URD for SSM (more often: an alternative
> SUBMISSION port, see 587)
> ExitPolicy accept *:531       # IRC/AIM
> ExitPolicy accept *:543-544   # Kerberos
> ExitPolicy accept *:554       # RTSP
> ExitPolicy accept *:563       # NNTP over SSL
> ExitPolicy accept *:587       # SUBMISSION (authenticated clients [MUA's
> like Thunderbird] send mail over STARTTLS SMTP here)
> ExitPolicy accept *:636       # LDAP over SSL
> ExitPolicy accept *:706       # SILC
> ExitPolicy accept *:749       # kerberos
> ExitPolicy accept *:853       # DNS over TLS
> ExitPolicy accept *:873       # rsync
> ExitPolicy accept *:902-904   # VMware
> ExitPolicy accept *:981       # Remote HTTPS management for firewall
> ExitPolicy accept *:989-990   # FTP over SSL
> ExitPolicy accept *:991       # Netnews Administration System
> ExitPolicy accept *:992       # TELNETS
> ExitPolicy accept *:993       # IMAP over SSL
> ExitPolicy accept *:994       # IRCS
> ExitPolicy accept *:995       # POP3 over SSL
> ExitPolicy accept *:1194      # OpenVPN
> ExitPolicy accept *:1220      # QT Server Admin
> ExitPolicy accept *:1293      # PKT-KRB-IPSec
> ExitPolicy accept *:1500      # VLSI License Manager
> ExitPolicy accept *:1533      # Sametime
> ExitPolicy accept *:1677      # GroupWise
> ExitPolicy accept *:1723      # PPTP
> ExitPolicy accept *:1755      # RTSP
> ExitPolicy accept *:1863      # MSNP
> ExitPolicy accept *:2082      # Infowave Mobility Server
> ExitPolicy accept *:2083      # Secure Radius Service (radsec)
> ExitPolicy accept *:2086-2087 # GNUnet, ELI
> ExitPolicy accept *:2095-2096 # NBX
> ExitPolicy accept *:2102-2104 # Zephyr
> ExitPolicy accept *:3128      # SQUID
> ExitPolicy accept *:3389      # MS WBT
> ExitPolicy accept *:3690      # SVN
> ExitPolicy accept *:4321      # RWHOIS
> ExitPolicy accept *:4643      # Virtuozzo
> ExitPolicy accept *:5050      # MMCC
> ExitPolicy accept *:5190      # ICQ
> ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
> ExitPolicy accept *:5228      # Android Market
> ExitPolicy accept *:5900      # VNC
> ExitPolicy accept *:6660-6669 # IRC
> ExitPolicy accept *:6679      # IRC SSL
> ExitPolicy accept *:6697      # IRC SSL
> ExitPolicy accept *:8000      # iRDMI
> ExitPolicy accept *:8008      # HTTP alternate
> ExitPolicy accept *:8074      # Gadu-Gadu
> ExitPolicy accept *:8080      # HTTP Proxies
> ExitPolicy accept *:8082      # HTTPS Electrum Bitcoin port
> ExitPolicy accept *:64738     # Mumble
> ExitPolicy reject *:*
> 
> 
> 
> Regards
> yl
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>

More information about the tor-relays mailing list