Kees Goossens wrote on 19/10/14 13:24:
Part 1: Abuse over HTTP.
Within one week of being an exit, my provider forwarded the following abuse notification to me (XXXX is the abused Russian website, ZZZZ is me):
====
Greetings,
XXXX abuse team would like to inform you that we have had mass bruteforce attempts to the Joomla / WordPress control panel on our shared-hosting server XXXX from your network, from IP address ZZZZ
During the last 30 minutes we recorded 333 attempts like this:
XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:49 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:51 +0400] "POST /administrator/index.php HTTP/1.1" 200 11646 "-" "-"
XXXX - [14/Oct/2014:14:17:54 +0400] "POST /administrator/index.php HTTP/1.1" 499 0 "-" "-"
====
Lesson (for me at least): since HTTP was used, even a very reduced exit policy does not make one immune to abuse problems. At this point I reverted back to being a non-exit relay, as I have no interest in having to deal with this.
Hi Kees,
Sounds familiar. This same company (valuehost.ru?) sends me about 20 abuse reports a day. At first I replied with explanations of what Tor is, explaining why it's hard to do anything against this kind of abuse. Later I started sending the same replies but with a note "Please reply if you have read this message." - no replies. Their message mentions a contact address so I started cc'ing that address - still no reply. After replying for two months and never getting any replies, I stopped replying.
IANAL but you can probably just ignore those.
Abuse reports are very common but there's usually not much you can do other than write a message back explaining why there's not much you can do. Make sure your server provider knows that you run an exit relay!
Tom