[tor-talk] Are webmail providers biased against Tor?

[blobby at openmailbox.org]

On 2015-03-16 11:33, Sukhbir Singh wrote:
>> I have noticed that when I try to login to my Gmail or Hotmail 
>> accounts with
>> Tor, I invariably get asked to validate myself (e.g. receive an SMS). 
>> This
>> is understandably due my IP being in a different country from the 
>> "usual"
>> IPs that I use to sign in.
>> 
>> However, I have experimented with StrictExitNodes. I am in New York 
>> and have
>> used a number of New York exit nodes. I still get asked to verify.
>> 
>> I am wondering if Tor developers or experienced users know (for a 
>> fact)
>> whether or not this is "normal" or whether using an exit node 
>> automatically
>> makes Gmail and Hotmail think that a "hacker" is attempting to access 
>> the
>> accounts.
>> 
>> This is not a case of a website e.g. Craigslist blocking Tor. It is 
>> whether
>> the use of an exit node IP automatically engenders scrutiny from 
>> whatever
>> security algorithms certain webmail providers use.
> 
> Mike Hearn from Google addressed this issue on the tor-talk mailing 
> list
> in October 2012, where he said this:
> 
> "Access to Google accounts via Tor (or any anonymizing proxy service) 
> is
> not allowed unless you have established a track record of using those
> services beforehand."
> 
> (https://lists.torproject.org/pipermail/tor-talk/2012-October/025923.html)
> 
> This was in response to several TorBirdy users complaining that they
> couldn't access their Gmail accounts over Tor. As someone who used to
> have a Gmail account and used TorBirdy over it, there were occasional
> periods where I couldn't access my account over IMAP and had to log in
> through the web interface and unlock it by entering a CAPTCHA.
> 
> This was still better than what some other users who used Tor over 
> Gmail
> reported -- in some cases, Gmail would force them to provide a phone
> number where Google would call or send a SMS before you could use your
> account. The surprising part here was that Gmail wanted _any_ phone
> number in _any_ country and not a number previously associated with 
> your
> account.  I am unsure how this helps them and what is the purpose 
> behind
> asking users to register with a phone. If one were to assume that they
> wanted to know the location of the user, then why would they allow the
> user to enter the number of any country?  (A friend confirmed this
> recently and had to enter a phone number to unlock the account. Gmail
> refused to allow access until a phone number was entered, where they
> could call or send a text.)
> 
> So yes, it seems like Gmail doesn't favour users using Tor.
> 
> --
> 

I see. Thanks for that helpful link.

Of course, if you are in NY and you go on holiday to Nepal and login, 
then Gmail will ask for validation since you have a totally different 
IP.

The question I was wondering about was whether a Tor exit node is 
considered suspicious even if in the same city as the user (in other 
words the user hasn't gone on holiday as in the example above).

The impression seems to be that Tor is ipso facto suspicious to Gmail 
irrespective of the exit node's location, whereas "abnormal" IPs (e.g. 
those from Nepal) are only suspicious if they originate from outside the 
usual geographical location of the user.