Mike Perry wrote:
> Thus spake Alexander Bernauer (alex-tor@copton.net):
>> my ISP keeps on receiving abuse reports from shadowserver.org. They claim that an IRC bot operates from the IP that belongs to my tor exit.
>> The strange thing is that my exit policy only allows web and mail ports. Furthermore, the IPs of the shadowserver honeypots have a ptr entry for *.sinkhole.shadowserver.org.
> Hrmm. Based on your snippets of mails you pasted on or-talk, it appears that a subset of the shadowserver folks are ideological zealots and crazed vigilantes. We've dealt with their flavor of lunacy before, in the form of the various "bribe me to get off my list or I will blackhole your entire netblock" DNSRBLs.
> It is quite possible that lunatics like these will just make up abuse reports and send them to ISPs that look like they might cave. It is very interesting that our higher bandwidth exits that *do* exit to IRC are not hearing from them right now.
> History has shown that the Internet as a whole usually learns to ignore nutballs. AFAIK, all of the "collateral damage" DNSRBLs are completely unused these days. Of course, that doesn't stop the nutballs from being really annoying in the short term :/.
>> So, I could block their servers either by means of the exit policy or with iptables. Which one would you prefer?
> What is their network topology like? Do they cycle through their honeypots? iptables is especially bad if you have the situation where what was once a honeypot one week turns into a legitimate server the next.
> OTOH, exit policy is bad if you end up with a ton of entries in it...
>> I additionally wanted to ask here if there is any experience with shadowserver in this regard?
>> Explaining the issue to my ISP failed. They keep on getting nervous.
> This may be an issue. If the zealots believe that they can intimidate your ISP to knock you offline, they may keep sending nonsense reports to do so, declaring victory that one more tor node bites the dust...
> Not sure what to tell you about this. If they succeed, perhaps it's just new ISP time? There are a lot of crazies out there, not just these guys..

Last year my VDS-provider received an idiotic abuse report from them. Because the employees of that ISP were idiots too, I had to change my VDS-provider. It seems to me that 'shadowserver.org' is an evil group that deliberately sends unfounded abuses against tor-nodes etc.