blocking google groups [was Re: ExitPolicy abuse]

Valient Gough vgough at pobox.com
Wed Feb 9 09:43:49 UTC 2005


I also got a report recently from someone about UUNet abuse through 
Google.  Apparently they had reported it to Google, but never got an 
answer (not surprising, in my experience Google is very slow to respond 
to mail, if they ever respond).  I think the problem lies with Google - 
they are acting as a proxy from HTTP -> UUNet and not filtering spam 
along the way.

So until Google fixes the problem, I've rejected access to Google's 
network.  I don't know how many ways groups.google.com may be accessed, 
but my first stab is to block 216.239.37.0/24, which contains the 3 
servers listed right now in DNS.

Perhaps over time we're going to have to build up a list of networks 
that are wide open for abuse, like Google Groups, which we may want to 
block in a default exit policy.

regards,
Valient


SK wrote:
>Strangely I had exactly the same two reports against my Tor server
>
>1- 2005-01-26 19:35:04 unknown, bots
>2 - Google Groups posting via their HTTP interface (eg. on Sun, 6 Feb
>2005 11:43:32 +0000 (UTC))
>
>After the 1st incident was reported to me, I changed the exit policy
>to block IRC because I reasoned that the bot could be an IRC-based one.
>Changing the exit policy to allow only 80, 443 and 22 I thought I would
>be fine, until the second report came in.
>
>SURFNet, which owns the network that my Univ uses (Tor runs on my Univ
>machine), is well known to react pretty hard to abuse reports. "Thanks"
>to their forwarding of the report to Univ's CERT, I had to shut down my
>Tor server (rather abruptly) on Sunday.
>
>As of now, I am deciding whether to restart the server with a reject
>*:* or not to run any server at all, since I do not know how much of a
>benefit anyone will have with a Tor server with such a strict exit
>policy :(
>
>Any suggestions?
>
>SK
>
>On Tue, 8 Feb 2005 20:12:44 -0500, Christopher Heschong <chris at wiw.org> wrote:
>  
>>Besides the fact that shutting down someone based on a single report
>>from the notoriously inaccurate SpamCop is silly, I did some
>>investigation.  The spam reported was actually posted through Google
>>Groups via their HTTP interface to the Usenet network.  This is a
>>possible spam propagation vector you server runners may want to take
>>note of.
>>
>>Here's one of the messages from google groups:
>>
>>http://groups-beta.google.com/group/alt.make.money.fast/msg/c6b998ea193e2fa2?dmode=source
>>
>>    
>
>(..........)
>
>  
>>Unfortunately, I'm not rich enough to own my own network infrastructure
>>these days.  Since the first "spam" allegation got me shut down for
>>over 12 hours (mostly due to poor customer service at my network
>>provider) I've had to make the painful (to me) decision to change my
>>ExitPolicy to reject *:* and thought some others here might be
>>interested.
>>
>>I hope that others running tor servers who have the ability to combat
>>this sort of network muzzling will do so.  Exit nodes are where the tor
>>rubber meets the road, imho, and network AUP bullying is totally
>>shameful (please conveniently ignore the fact that I caved at the first
>>sign of problems... :)  Anonymous access to network resources is a
>>vital tool for liberty, so those who can push back on this sort of
>>abuse (and by abuse I mean being beaten up with an AUP stick), please
>>push a little harder for us little guys.
>>    
>
>  
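
An added example, not part of the original thread and not Tor's own code: a small Python model of first-match exit policy evaluation. It shows that the 216.239.37.0/24 reject described above only takes effect when it is listed before the port accepts, and that hosts outside that /24 stay reachable on port 80. The probe addresses are constructed samples and the function names are hypothetical.

```python
import ipaddress

# Rule strings use torrc ExitPolicy syntax: "accept|reject ADDR[/MASK]:PORT".
# Valient's /24 block combined with SK's "only 80, 443 and 22" policy.
BLOCK_FIRST = ["reject 216.239.37.0/24:*", "accept *:22", "accept *:80",
               "accept *:443", "reject *:*"]
# Same rules, but the network reject is listed after the port accepts.
BLOCK_LATE = ["accept *:22", "accept *:80", "accept *:443",
              "reject 216.239.37.0/24:*", "reject *:*"]


def parse_policy(lines):
    """Parse rule strings into (action, network-or-None, port range) tuples."""
    rules = []
    for line in lines:
        action, pattern = line.split()
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action: {action}")
        addr, _, port = pattern.rpartition(":")  # IPv4 only in this sketch
        net = None if addr == "*" else ipaddress.ip_network(addr)
        if port == "*":
            ports = range(1, 65536)
        else:
            lo, _, hi = port.partition("-")
            ports = range(int(lo), int(hi or lo) + 1)
        rules.append((action, net, ports))
    return rules


def exit_allowed(rules, ip, port):
    """Return True if the first rule matching ip:port is an accept."""
    target = ipaddress.ip_address(ip)
    for action, net, ports in rules:
        if (net is None or target in net) and port in ports:
            return action == "accept"
    return False  # not reached here: both sample policies end in "reject *:*"


if __name__ == "__main__":
    inside, outside = "216.239.37.10", "216.239.38.10"  # constructed probes
    for name, lines in (("block first", BLOCK_FIRST), ("block late", BLOCK_LATE)):
        rules = parse_policy(lines)
        print(name, {ip: exit_allowed(rules, ip, 80) for ip in (inside, outside)})
```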


