[tor-talk] [Need quick help] 30+ mbps node taken down by host

Name Withheld survivd at gmail.com
Wed Jul 4 10:36:36 UTC 2012


Thank you for the response. Unfortunately, it looks like this might be 
an impossible problem to solve, since they followed it up and said it's 
forum spam and hack attempts, not just email spam.  Basically, my node 
is pushing more traffic than most, so it's getting more abuse, faster 
(even though this is a tiny percentage of the overall traffic).

Here's what they sent me from their upstream provider:



----------------------------------------------------------------------
The first email came in for a hack attempt from your IP:
Dear Sir/Madam,
We noticed something that resembles a RIP attempt from one of your IP 
addresses. Our system temporarily blocked the IP address. Please, 
contact the respective user.
In case that there is a need for UPSTREAM content download, they can 
register and make use of our legal (xml) download interface [UPSTREAM URL].
In case that the IP is used for search engine crawling, the user can 
inform us to whitelist the respective IP address.

52 requests during period Fri Jun 22 02:14:01 2012 - Fri Jun 22 02:15:01 
2012 (GMT +1)
was denied at Fri Jun 22 02:15:01 2012 (GMT +1)
user-agent: Mozilla/5.0 (X11; U; Linux x86_64; fr-FR) AppleWebKit/534.7 
(KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7

Kind regards,
Open UPSTREAM Team
----------------------------------------------------------------------

----------------------------------------------------------------------
The second and all following emails (4 emails in total) came in for spam,
StopForumSpam report for ASN16265 (as of 25 Jan 2011)

IP Number XX.XX.XXX.XXX

Last seen at 22-Jun-12 04:06:45 Fri
IP reported 31 times (by 2 different sites) in the
last 24 hours
IP seen 34 times in the last month

Usernames seen from this IP

Emails seen from this IP



Since the forum spam is all over http, I'm not sure there's anything I 
can do without crippling it for other users.  Any ideas?

Thank you again.





On 7/3/2012 9:29 PM, morphium wrote:
> Hi,
>
> you are right, SMTP is blocked by default. But people can i.e. access
> hotmail.com via webinterface (where your IP is then put into the mail
> as originating IP as well) or use SMTP on secure ports (but that mostly
> comes with authentication, I guess).
>
> You should ask your provider to get the mail headers of the spam, to
> see how exactly it was done, and then maybe block i.e. exit to the
> hotmail IPs, if it was sent via hotmail webinterface (to show them you
> are doing something).
>
> Best regards!
> morphium
>
> 2012/7/4 Name Withheld <survivd at gmail.com>:
>> Hello,
>>
>> My VPS fast tor exit got taken down by the host today for sending spam
>> emails. Apparently the upstream provider complained to them about it. I
>> thought SMTP was supposed to be disabled by default in the tor config, but
>> apparently my node was sending stuff through (even though I didn't do
>> anything to change the default setting for that).
>>
>> The host is going to give me a chance to see if I can block it, but if I
>> can't get the spam to stop, they're going to make me kill the node. I prefer
>> not to do this kind of thing, but since it's their house, it's their rules.
>>
>> Can someone please tell me precisely (what file, what entry) how to
>> configure:
>>
>> 1) Tor to block smtp
>>
>> 2) Local machine to block smtp egress
>>
>> 3) Any other possible way to detect/filter outgoing mail
>>
>> Thank you very much
>>
>
>
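
To make the exit-policy behaviour discussed in this thread concrete (the first matching ExitPolicy entry wins, and Tor appends its own default policy, which already rejects port 25 but not 80, 465 or 587), here is an added example that is not code from the thread or from Tor itself: it parses the ExitPolicy lines of a torrc and evaluates a destination against them. The default-policy string is assumed to match the default documented at the time, and the torrc fragments and addresses are constructed.

```python
import ipaddress

# Tor's own default exit policy, assumed here to match the default documented
# at the time: port 25 is rejected, but 80, 465 and 587 are not.
DEFAULT_EXIT_POLICY = (
    "reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, "
    "reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699, "
    "reject *:6881-6999, accept *:*"
)

def parse_exit_policy(torrc_text):
    """Turn the ExitPolicy lines of a torrc into ordered (action, net, lo, hi) rules.

    Handles '*' and IPv4 CIDR hosts only (not the 'private' alias); Tor's default
    policy is appended after the operator's own entries, as Tor itself does.
    """
    entries = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.lower().startswith("exitpolicy "):
            entries += [e.strip() for e in line.split(None, 1)[1].split(",")]
    entries += [e.strip() for e in DEFAULT_EXIT_POLICY.split(",")]
    rules = []
    for entry in entries:
        action, target = entry.split()
        host, ports = target.rsplit(":", 1)
        net = "*" if host == "*" else ipaddress.ip_network(host, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-"))
        else:
            lo = hi = int(ports)
        rules.append((action.lower(), net, lo, hi))
    return rules

def exit_allows(rules, dest_ip, dest_port):
    """First matching rule wins, which is how Tor evaluates an exit policy."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, lo, hi in rules:
        if net != "*" and ip not in net:
            continue
        if lo <= dest_port <= hi:
            return action == "accept"
    return False  # not reached in practice: the default policy ends in accept *:*

# Constructed torrc fragments: nothing set (the poster's case) versus a tightened policy
TORRC_DEFAULT = "# no ExitPolicy lines, so only Tor's default applies\n"
TORRC_TIGHT = "ExitPolicy reject *:465, reject *:587\nExitPolicy reject 203.0.113.0/24:*\n"
```

Running it against the poster's (empty) policy shows why SMTP on port 25 was never the channel while submission ports and HTTP remain open; the tightened fragment closes 465/587 and a constructed webmail range, but port 80 stays open, which is the limit the poster runs into.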


