ExitPolicy abuse

Michael Laccetti michael at s2g-limited.com
Wed Feb 9 02:42:21 UTC 2005


Quick note:  sounds like DHS is hooked up with SORBS, since they recently listed
ALL Tor servers as hacked by some unknown trojan.  Good god, what the hell is
wrong with people these days?

I understand the frustration.  One of the clients that we host recently sent out
an e-mail to a big list of people.  How he got the list is beyond me; I cannot
tell whether they were his actual clients, or just a random smattering of people.
Regardless, he sent this e-mail out.  The mail left through Bell (Canada)
Nexxia's network, and went here and there.  How did I find out about this?
Well, I got an e-mail from SpamCop.  They sent me a link to some report.  The
report itself made NO sense whatsoever, it had dates stretching back to November
2004, when the e-mail was sent on January 22nd 2005.  I added some info, and
went about life.  Then, last week, the datacenter calls me and says that I have
to remove a website that was spreading itself via spam, and that I had one day
to remove it before my account was shut down.  I talked to the rep, let them
know that I knew about it, and that the issue had been addressed.  I also
pointed two other things out:  one, the mail originated from Bell, and two, that
the mailserver for that domain wasn't even hosted with them.  The rep decided
that the issue had been addressed, and so I closed the book on it.  Till I woke
up this morning, and found that I couldn't connect to that specific server.
Couldn't SSH, couldn't do anything.  Asked for a reboot, and went back to my
morning routine.  Got an e-mail back roughly 30 minutes later telling me that
until the DNS for the 'spam' domain pointed elsewhere, that my server would
remain offline.  I called support and tried to explain exactly what was going
on, but the rep decided to actually yell at me.  (Wow, now that's service!)  I
finally capitulated, and changed the DNS while on the phone with the tech.
Lucky that we didn't put our eggs all in one basket.  The rep said that the
server would be brought back up, and that everything was taken care of.  Two and
a half hours later, still no go.  So, back on the phone I go.  Talk to a
different rep, jump through the same hoops, and ask when it'll be back up.  "The
abuse department has it, they'll take care of it."  (Some searching later on
showed that the tech support people and data center are in different places.)
Another 30 minutes, and it was finally back up.

All of this was from SpamCop.  Based on one e-mail.  No huge distribution.  Not
offering viagra, or anything that usual spam offers, but a legitimate product.
So much crap, all from an automated system that seems to have the shotgun
approach: fire enough pellets, and you'll hit something.  Crazy.

-----Original Message-----
From: owner-or-talk at freehaven.net [mailto:owner-or-talk at freehaven.net] On Behalf
Of Christopher Heschong
Sent: February 8, 2005 20:13
To: or-talk at seul.org
Subject: ExitPolicy abuse [u]

Over the last 2 days, my server has been cited twice for "abuse of AUP"
by my ISP.  The first was a report from SpamCop that prompted them to shut down
my access port!

Besides the fact that shutting down someone based on a single report from the
notoriously inaccurate SpamCop is silly, I did some investigation.  The spam
reported was actually posted through Google Groups via their HTTP interface to
the Usenet network.  This is a possible spam propagation vector your server
runners may want to take note of.

Here's one of the messages from google groups:

http://groups-beta.google.com/group/alt.make.money.fast/msg/c6b998ea193e2fa2?dmode=source

(strangely, it isn't really an advertisement... but definitely not
kosher)  Google should be able to track the spam itself back to the poster, but
that doesn't keep you from getting on Stalinist spam blacklists.  (see Ed
Felten's experience at http://www.freedom-to-tinker.com/archives/000014.html )

The second notice was from "The National Communications System (NCS), an agency
of the US Department of Homeland Security (DHS)" informing my network provider
that I had a virus or trojan.  The only details they provided was this: "Bots -
unknown."  Again, this is somewhat ridiculous, but for those who buy space on
other peoples networks, it can be a serious concern if they get notes from DHS
claiming you're spreading viruses.

All of this has a pretty chilling effect, knowing that anyone with a grudge can
report you to SpamCop and without any real validation your network provider will
have no problems dropping you (although they did send an e-mail to my backup
e-mail address telling me I had 1 hour to "respond" before disconnection).  Or
worse, that the government can imply that suspicious network activity coming
from your server is grounds to have your access yanked.

Unfortunately, I'm not rich enough to own my own network infrastructure these
days.  Since the first "spam" allegation got me shut down for over 12 hours
(mostly due to poor customer service at my network
provider) I've had to make the painful (to me) decision to change my ExitPolicy
to reject *:* and thought some others here might be interested.

I hope that others running tor servers who have the ability to combat this sort
of network muzzling will do so.  Exit nodes are where the tor rubber meets the
road, imho, and network AUP bullying is totally shameful (please conveniently
ignore the fact that I caved at the first sign of problems... :)  Anonymous
access to network resources is a vital tool for liberty, so those who can push
back on this sort of abuse (and by abuse I mean being beaten up with an AUP
stick), please push a little harder for us little guys.

--
/chris/


-- 
---------------------[ Ciphire Signature ]----------------------
From: michael at s2g-limited.com signed email body (4630 characters)
Date: on 09 February 2005 at 02:42:18 UTC
To:   or-talk at freehaven.net
----------------------------------------------------------------
: Ciphire has secured this email against identity theft.
: Free download at www.ciphire.com. The garbled lines
: below are the sender's verifiable digital signature.
----------------------------------------------------------------
00fAAAAAEAAACKeAlCFhIAAPIBAAIAAgACACCF2JwL8FSZ12JHjaqi4keWch0Su1
tLYkwGHFe6dbl/JgEAMU5HZi3bbCGzHuBROgacg8f7vXlTdFsqED3Fgplg8g8lS6
daE2Wg9bMZb94RdNT3dRzuCqZZtLjX+TbfgaLBFw==
------------------[ End Ciphire Signed Message ]----------------
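Added example (not from either poster, and not Tor's own code): a small evaluator for the torrc ExitPolicy syntax Chris refers to, so the effect of "reject *:*" versus an exit-everything-but-a-few-ports policy can be checked offline.  Rules are first-match-wins, "accept|reject ADDR[/MASK]:PORT", with "*" allowed for the address or the port and "LOW-HIGH" for a port range.  Only IPv4 is handled, and where no rule matches this toy rejects; real Tor falls through to its built-in default policy.  The "DEFAULT_LIKE" policy below is a constructed approximation of the 2005-era default and the addresses are documentation-range examples, not real hosts.

```python
"""Toy evaluator for Tor-style ExitPolicy lines (added example, not Tor's code).

Supports the subset of torrc syntax discussed in the thread:
  accept|reject ADDR[/MASK]:PORT   with ADDR or PORT == "*", or PORT == "LO-HI"
Rules may be separated by commas or newlines.  First match wins.
Simplification (assumption): if nothing matches we reject; real Tor would
append its built-in default policy instead.  IPv4 only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed approximation of the exit policy Tor shipped with at the time
# (mail, news and a few file-sharing ports rejected, everything else allowed).
DEFAULT_LIKE = (
    "reject *:25, reject *:119, reject *:135-139, reject *:445, "
    "reject *:1214, reject *:4661-4666, reject *:6346-6429, "
    "reject *:6699, reject *:6881-6999, accept *:*"
)
# The policy Chris switched to: a middle node that exits nothing.
MUZZLED = "reject *:*"


@dataclass
class Rule:
    action: str                                   # "accept" or "reject"
    network: Optional[ipaddress.IPv4Network]      # None means "*"
    ports: Tuple[int, int]                        # inclusive range


def parse_policy(text: str) -> List[Rule]:
    """Parse comma/newline separated ExitPolicy rules into Rule objects."""
    rules: List[Rule] = []
    for chunk in text.replace("\n", ",").split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        action, pattern = chunk.split(None, 1)
        action = action.lower()
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action in rule {chunk!r}")
        if ":" not in pattern:
            raise ValueError(f"rule {chunk!r} lacks a port (IPv4 only here)")
        addr, port = pattern.rsplit(":", 1)
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            ports = (1, 65535)
        elif "-" in port:
            lo, hi = port.split("-", 1)
            ports = (int(lo), int(hi))
        else:
            ports = (int(port), int(port))
        rules.append(Rule(action, network, ports))
    return rules


def decide(rules: List[Rule], address: str, port: int) -> str:
    """Return "accept" or "reject" for a destination, first matching rule wins."""
    ip = ipaddress.ip_address(address)
    for rule in rules:
        if rule.network is not None and ip not in rule.network:
            continue
        if not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        return rule.action
    return "reject"  # toy default; see module docstring


def classify(policy_text: str, address: str, port: int) -> str:
    """Convenience wrapper: parse a policy string and decide one destination."""
    return decide(parse_policy(policy_text), address, port)


if __name__ == "__main__":
    # Web traffic (the Google Groups posting path in the thread) still exits
    # under the default-like policy; only the muzzled policy stops it.
    for name, policy in (("default-like", DEFAULT_LIKE), ("muzzled", MUZZLED)):
        for dst_port in (25, 80, 119, 443):
            print(f"{name:13s} 198.51.100.7:{dst_port:<5d} -> "
                  f"{classify(policy, '198.51.100.7', dst_port)}")
```

Note the practical point this makes visible: the default-style policy already refuses port 25, yet the abuse report in the thread came from HTTP posting, which is an accepted port, so port-based trimming alone would not have prevented it.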