[tor-talk] Are webmail providers biased against Tor?

Dave Warren davew at hireahit.com
Mon Mar 16 23:48:07 UTC 2015


On 2015-03-16 16:01, Richard Leckinger wrote:
> I think 'track record' is the relevant point. Everywhere is suspicious 
> until you have a track record of accessing google from there. Tor by 
> design is meant to prevent any track record from developing. 

The fact that you're constantly accessing Google from an otherwise 
totally clean and featureless browser itself is a fingerprint that 
Google could act upon, and "Tor exit node" could be treated as a 
"country" like any other. Even if they can't separate you from other Tor 
users, it's potentially just as significant as a fingerprint like 
"Accesses NY, NJ frequently from each of the four largest providers' 
dynamic IP ranges, and does not retain cookies"

However, the reality is that the rate of abuse from anonymous sources 
will naturally be much higher, and as a result, it does make sense to 
treat such connections with a higher level of suspicion.

A few weeks ago I ran a query against some server logs which were fed 
from SMTP, POP3, IMAP and webmail authentication attempts against a 
DNSBL (torexit.dan.me.uk, I think?) that lists Tor exit nodes. There 
were tons of unsuccessful authentication attempts coming from Tor exit 
nodes, while there were zero successful authentication requests in the 
time period studied. Many of the IPs were doing obvious dictionary 
attacks, trying many thousands of attempts (with the IP itself being 
locked out completely after just a few minutes). Based on this limited 
analysis, it would make a lot of sense to block Tor completely since I 
don't have any legitimate traffic from Tor. Various other countries 
would meet these same criteria. However, I don't like to block this 
indiscriminately.

I'm sure Google's scale means that there are a lot more legitimate 
Tor users than I have, but just the same, it's quite reasonable to treat 
Tor traffic with a higher level of suspicion -- It's not about bias 
against Tor, or against Tor users, or even a dislike of Tor, but rather, 
it's the fact that a higher percentage of abuse comes from Tor than from 
most other sources, even when you take the percentage of legitimate 
traffic into account. The fact that Tor, by its privacy-centric nature, 
makes it more difficult to use other fingerprinting techniques to sort 
out legitimate users means that good users get lumped in with the bad 
automatically.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
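
The kind of tally described in the message above, sketched as an added example that is not part of the original post and is not the author's own query. The log format, sample lines and function names are constructed assumptions; the DNSBL zone is the one the post names from memory, and the sample run uses a stand-in set instead of live DNS.

```python
import ipaddress
import re
import socket
from collections import Counter

DNSBL_ZONE = "torexit.dan.me.uk"  # zone as recalled in the post ("I think?")
# Assumed log format (constructed): "<time> <service> auth <ok|fail> user=<u> ip=<addr>"
LINE_RE = re.compile(r"^\S+ \w+ auth (?P<result>ok|fail) user=\S+ ip=(?P<ip>\S+)$")

SAMPLE_LOG = [  # constructed sample lines, documentation address ranges only
    "2015-03-01T10:00:01Z imap auth fail user=u1 ip=192.0.2.10",
    "2015-03-01T10:00:02Z imap auth fail user=u2 ip=192.0.2.10",
    "2015-03-01T10:00:03Z smtp auth fail user=admin ip=192.0.2.44",
    "2015-03-01T10:01:00Z webmail auth ok user=u3 ip=198.51.100.7",
    "2015-03-01T10:02:00Z pop3 auth fail user=u3 ip=198.51.100.7",
    "2015-03-01T10:03:00Z imap auth ok user=u4 ip=2001:db8::1",
]
SAMPLE_LISTED = {"192.0.2.10", "192.0.2.44"}  # stand-in for DNSBL answers

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """DNSBL query name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone

def dns_listed(ip):
    """Live lookup: any A record means listed; lookup errors count as not listed."""
    try:
        return bool(socket.gethostbyname(dnsbl_name(ip)))
    except socket.gaierror:
        return False

def tally(lines, is_listed=dns_listed):
    """Count ok/fail attempts split by DNSBL status; returns (counts, skipped)."""
    cache, counts, skipped = {}, Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        try:
            ip = str(ipaddress.IPv4Address(m["ip"])) if m else None
        except ValueError:
            ip = None
        if ip is None:  # unparseable line or non-IPv4 source address
            skipped += 1
            continue
        if ip not in cache:  # one lookup per distinct source IP
            cache[ip] = is_listed(ip)
        counts[("listed" if cache[ip] else "unlisted", m["result"])] += 1
    return counts, skipped

if __name__ == "__main__":
    print(tally(SAMPLE_LOG, is_listed=SAMPLE_LISTED.__contains__))
```

Calling `tally(lines)` without `is_listed` performs live DNS lookups, where a resolver timeout is indistinguishable from "not listed", so a zero in the listed/ok cell should be read against the skipped and error counts before it drives a blocking decision.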



