Analyzing TOR-exitnodes for anomalies

bagelcat bagelcat at galgata.net
Fri Oct 6 19:34:23 UTC 2006


I've got this strange behavior also now several times when using Tor.
Always there is a redirect with "landing.domainsponsor.com", which has
the registrar Oversee.net.

A self-description of that company:
"Oversee.net is a technology-driven media company that delivers  
innovative advertising solutions in the search (information.com),  
display advertising (revenue.net), and lead generation (low.com) and  
(degrees.com) segments. Oversee.net is also emerging as the pioneer  
of next-generation consumer properties. "

It looks like they have found strange ways of advertising.

The exit nodes which connect to domainsponsor.com are always located in
the US (all US nodes I have seen are located in Texas or US without a
more exact description). One time the exit node was located in DK.

I've got "url not found" messages with every DE and UK node I have
tried.

Hmm. I think this is a problem with some DNS server on the second/third
level which makes a link to that domainsponsor.com when it is asked
for an unregistered URL. Is it possible?


much fun
Bernd



On 06.10.2006 at 21:06, Claude LaFrenière wrote:

> Hi  *Robert Hogan*   :
>
>> On Friday 06 October 2006 19:21, Robert Hogan wrote:
>>>> Hmmm... I had this problem with Whistlemother exit node and this  
>>>> site:
>>>> http://www.iamaphex.net with the same
>>>> "frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com "blah blah  
>>>> blah"
>>>> filter ... =SUSPECTED+UNDESIRABLE+BOT"
>>>
>>> i have the same experience using whistlersmother for the same site.
>>
>> And I have the same experience with practically every other exit  
>> node I try
>> for this site. So whistlersmother is not the problem...
>
> Hmmm...
>
> Personally I don't believe that Whistlemother (or any other nodes)
> are responsible for this...  It looks like a web server filter or DNS
> server filter...
>
> But now how to explain the same behaviour with
> a web site like  http://www.iamaphex.net
> and
> a web site like hotmail.com ???
>
> They don't share the same web hosting service...
>
> Is this a new "filter" for Web sites or Web Hosting ?
>
> Another question:
> How does this "filter" spot a Tor exit like Whistlemother?
>
> I guess it's based on the IP address of this exit node.
> (Or the browser referer sent to the web site... ??? )
>
> Since no exit nodes have control over what is done by Tor users, is it
> possible that some bad guys had used Tor for "unacceptable" things and
> put the Whistlemother IP address into a "black list" of this
> hypothetical "filter" ???
>
> One way to check this is to compare exit nodes with a fixed IP address
> with the exit nodes with a dynamic IP address and see if this makes a
> difference.
>
> If an exit node with a dynamic IP address is not spotted as a bad IP in the
> hypothetical "bad list filter", therefore the filter is based on IP address
>
> Many tests must be done to prove this.
> ...
>
> If the behaviour of fixed IP address exit nodes
> and
> the behaviour of dynamic IP address exit nodes
> are the same
> therefore
> a) the hypothetical filter is not based on IP address
> b) there is no such filter but something else...
>
> ??? [not sure ...]  :-\
>
> ( !!! Hmmm.. I have to revise my formal logic manuals a little bit .. ;-)  )
>
> It's hard to find enough data about this problem because there's no way to
> easily reproduce it.
>
> :)
>
> -- 
> Claude LaFrenière
>
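
An added example, not part of the original posts: one way to test the DNS hypothesis raised above is to resolve hostnames assumed to be unregistered through each exit and record which exits get an address back instead of NXDOMAIN. The exit nicknames, canary names and addresses below are constructed sample data (documentation ranges), not measurements.

```python
from collections import defaultdict

# Constructed observations, not real measurements. Each record is
# (exit nickname, country, canary hostname, A records seen through that exit).
# The canary names are assumed to be unregistered, so an honest resolver
# answers NXDOMAIN, recorded here as an empty list.
OBSERVATIONS = [
    ("exitA", "US", "qz7f3k-canary.example", ["192.0.2.10"]),
    ("exitA", "US", "p0x9vv-canary.example", ["192.0.2.10"]),
    ("exitB", "DE", "qz7f3k-canary.example", []),
    ("exitB", "DE", "p0x9vv-canary.example", []),
    ("exitC", "DK", "qz7f3k-canary.example", ["192.0.2.10"]),
    ("exitC", "DK", "p0x9vv-canary.example", []),
    ("exitD", "US", "qz7f3k-canary.example", ["198.51.100.7"]),
    ("exitD", "US", "p0x9vv-canary.example", ["198.51.100.8"]),
]

def classify_exits(observations):
    """Map each exit to 'clean', 'rewrites-nxdomain' or 'mixed'."""
    answered = defaultdict(list)
    for nick, _country, _name, addrs in observations:
        answered[nick].append(bool(addrs))
    verdicts = {}
    for nick, hits in answered.items():
        if all(hits):
            verdicts[nick] = "rewrites-nxdomain"
        elif any(hits):
            verdicts[nick] = "mixed"  # e.g. the exit uses several upstream resolvers
        else:
            verdicts[nick] = "clean"
    return verdicts

def landing_addresses(observations, min_names=2):
    """Addresses returned for several unrelated canaries, with the exits that saw them."""
    names, exits = defaultdict(set), defaultdict(set)
    for nick, _country, name, addrs in observations:
        for addr in addrs:
            names[addr].add(name)
            exits[addr].add(nick)
    return {a: sorted(exits[a]) for a in names if len(names[a]) >= min_names}

def rewriting_by_country(observations):
    """Per country: (exits that rewrote at least one canary, exits tested)."""
    verdicts = classify_exits(observations)
    country_of = {nick: country for nick, country, _n, _a in observations}
    totals = defaultdict(lambda: [0, 0])
    for nick, country in country_of.items():
        totals[country][1] += 1
        totals[country][0] += verdicts[nick] != "clean"
    return {c: tuple(t) for c, t in totals.items()}
```

An address that comes back for several unrelated canary names points at the resolver behind the exit rather than at the destination site, which separates the DNS explanation from an IP-based filter on the web server.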


