[tor-relays] Collaborative Bad-Abuse-Sender Blocklist

[Tortilla]

> On 9/28/20 1:54 PM, Matt Corallo wrote:
>
>> Different folks have different views on abuse reports, and that's
>> perfectly OK. But "taking it up with list XYZ" isn't
>> going to change that (see discussion on NANOG a few months ago on this
>> very topic =D) - people are always going to have
>> their own views on who's responsibility it is to solve "abuse" (under
>> their current definition).

What are you defining it as here? I can't see that there is going to be
much disagreement that abuse such as what these reports are probably about
can only be solved at the hosting provider or ISP level where it
originates. No one else has the ability to do anything about it. The
problem you are identifying is that there are a lot of over-zealous or
poorly written automated scripts that like to notify abuse sources without
much intelligence in regard to rate limiting or response handling, etc. I
think if you create a thoughtful message to include in your rejection
text, it is absolutely within reason to try and let them know that they
are becoming part of the problem if they don't engage with you.

Of course, it's important to note in this context that there's still a lot
of education that has to happen about what Tor is and/or reminding
operators of those automated systems that they should skip Tor relays.

>> My personal abuse
>> policy is "I reach try to help you, but if you keep sending the same
>> automated stuff over and over and don't reply when
>> I reach out, I drop your mails".

It's hard to create a globally applicable blocklist for something like
this of any size, since by definition, you have to try to work with them
manually before adding anyone to the list. I certainly don't blame you for
keeping and sharing such a list, though.

On Fri, October 9, 2020 7:13 pm, Mike Perry wrote:
>
> Absolutely. I suspect the problem is ideological. The abuse resolution
> camp seems to be largely subscribe to the "force ISPs to identify
> abusers and ban them" model. They do not want to hear about mitigation
> strategies or alternatives, other than their banhammer and abuse notice
> spamming approaches. Making a banlist of banhammer spammers like that is
> a brilliant move.

What is this problematic ideology you are pointing out? What is your
alternative? Why do you think it's so terrible to alert ISPs and hosting
providers about abuse originating from their systems? I find those alerts
immensely helpful as opposed to finding out some time later that a system
I manage is on some RBL or other block list. Not that many want to share
their intelligence gathering (especially spamtrap data), so getting alerts
can be highly valuable and quite welcome to a lot of operators.

Just because there are some systems that send out notices relentlessly
with poor rate limiting and no knowledge of Tor relays/exits does not mean
the model itself is wrong-headed. It just means some people wrote some
naive notification systems (and as Matt found, they may be poor at actual
engagement or do not provide a means to opt out). ISPs and hosting
providers can and should be notified about abuse activity and they should
be held responsible for shutting down abusive actors on their networks.
Whether or not the recipient of the abuse mitigates its effects is beside
the point.

> I grew so tired of my personal email sever constantly ending up in
> DNSRBLs for no reason (even with DKIM and SPF), that after 20 years of
> DIY email, I was forced to moved to paid provider.

I hear personal frustration rather than pointing out any problem. Keeping
an email server clear of RBLs is real work, but also not that hard if you
try (make sure you aren't renting in a cheap neighborhood where spammers
are allowed to flourish, don't run it on the same IP as a Tor node
(especially if you exit port 25), enforce good password policy, rate limit
or monitor your outgoing mail flow, etc.). I doubt anyone "forced" you...
rather, you didn't have the expertise or time and felt the tradeoff was
worth paying someone else to take on that work.

> This model is broken, its assumptions are contrary to our values

What, that abuse should never be pointed out and we "just deal with it"
and let it proliferate? Are "our values" that everyone should have
perfectly hardened systems against all possible forms of attack and ignore
all responsibility of the originating side... because anyone should be
free to do what they want with their device on the network??

Tor is of great value, but you have to see that it is in a unique position
and that the standard Tor operator's response of "it didn't originate here
and I don't know where it did, so no one can help you with this" is a
bitter pill to swallow for people who are trying to chase down abusive
actors. That's the way it is - a trade-off we have to accept for a certain
freedom and anonymity on the net, but you are conflating ill-informed and
ill-constructed notification bots acting on Tor nodes (and your
unfortunate experience trying to run a mail server?) with a good and
necessary model for use on the clearnet.

> and it
> serves to support the business interests of tech oligarchs that believe
> that the world should be run by a handful of oligarchical ISPs and email
> providers, with government-issued identity for all.

This conclusion is quite a reach.

In the Tor world, abuse talk is usually centered on education for the
reporting party that the source isn't where they think it is. That is
going to be an ongoing battle. But because everyone running a Tor node
gets to throw up their hands at the abuse reports and pass the buck does
not at all mean tracking down abuse is a poor endeavor. Of course, if
everyone fixed their DNS servers, amplification attacks would be a thing
of the past. If everyone had better security chops in general, you
wouldn't have so many easily cracked abuse sources. But the reality is
that there is a variety of experience level for operators on the net and a
lot of vulnerable systems... unfortunately, those people are going to need
help, and prodding them or blocklisting them is one of the most effective
ways to get their attention. If your clearnet service keeps ending up on
blocklists, the best conclusion is that maybe you are in the wrong line of
work rather than griping about blocklist operators.

No one should argue that certain notifying parties shouldn't make
themselves more Tor-aware or provide better engagement, rate limiting or
opt-out mechanisms. But it's hard to hear personal annoyance be leveraged
to conclude that fighting abuse is not a necessary endeavor. Abuse at any
level, be it attacks against Tor's anonymity or abuse carried out over Tor
network and sucking up relay operators' resources or the myriad of attacks
on the clearnet are a major headache for everyone. Operators who are
unaware of its existence on their systems deserve (and often desire)
notification of such.