Dr Gerard Bulger wrote:
> I ran an exit node, but gave up after too many abuse reports that annoyed my ISP. So I turned all exit ports off, and reports stopped as a result. After months and many terabytes of data I get an abuse complaint that my tor IP has been used for espionage.
> “NCSC have been made aware of a report and associated malicious indicators released by the United States Government relating to malicious cyber activity. A copy of the report and indicators can be found at the following link:- https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicio...
> Details within this report indicate network assets which may have been compromised or associated with malicious activity. We have identified the following IP address from this report as x.x.x.x As a minimum, it is recommended that you check systems and any available logs concerned with the above addresses for indications of malicious activity”
> There are no other details as to HOW my tor relay is being used. The espionage seems to rely on the stupidity of recipients on receiving emails asking for passwords. I am not sure HOW an ISP or relay service can stop that. Or is it that my relay was being used to transfer the data?
Like Rana, I also wondered if perhaps this traces back to when you ran an exit node. I haven't taken the time (and probably don't have the skill) to analyze what is in that report, but others have. You might find Security Week's write-up helpful:
http://www.securityweek.com/us-attributes-election-hacks-russian-threat-grou...
In particular:
While some industry experts applauded the GRIZZLY STEPPE indicators provided by the U.S. Government, some experts urged caution for those quickly integrating them into their cyber defense measures.
"Be careful using the DHS/FBI GRIZZLY STEPPE indicators. Many are VPS, TOR relays, proxies, etc. which will generate lots of false positives," Robert M. Lee, founder and CEO of Dragos Security and a former member of the intelligence community, tweeted.
I suspect you are among the "lots of false positives".
> I assume my IP was found by way of a DNS leak which I need to look into. There is nothing else I can do as a relay to stop this or is there?
If this happened when you ran an exit node then you don't need to look for a DNS leak (I don't see how that would pertain to a relay, anyway) and you wouldn't need to worry about stopping it (you already have by not being an exit).
Of course, it is possible your node was actually compromised but I think Occam's razor argues against that.
Jim
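As an added example (not code from this thread, from the Tor project, or from the US-CERT report), here is the triage a relay operator or analyst can run on such an indicator list to separate Lee's "lots of false positives" from hits worth investigating: each indicator's sighting window is compared against the relay's own exit-policy history, so a hit that falls inside a period when the node was an exit is marked as probable anonymous-user traffic, while a hit on a non-exit period or on an unknown address is routed to a host review. INDICATOR_CSV and RELAY_HISTORY are constructed stand-ins (RFC 5737 documentation addresses) for the published feed and for the operator's own torrc change log or archived consensus data.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample feed in the shape of a typical IoC CSV (not the real
# GRIZZLY STEPPE list). Addresses are RFC 5737 documentation ranges.
INDICATOR_CSV = """ip,first_seen,last_seen,note
198.51.100.10,2016-03-01,2016-06-30,phishing sender
198.51.100.10,2016-09-01,2016-09-10,phishing sender
203.0.113.5,2016-08-15,2016-11-20,command and control
192.0.2.77,2016-10-02,2016-10-02,scanning source
"""

# Verdict labels returned by classify()
EXIT_IN_WINDOW = "exit relay during sighting window: likely a Tor user's traffic, probable false positive"
RELAY_NOT_EXIT = "relay but not an exit in window: Tor only sent this host's traffic to other relays, review the host"
NOT_A_RELAY = "not a known relay of ours: investigate normally"


@dataclass
class RelayRecord:
    """One relay and the period (if any) during which it allowed exit traffic."""
    ip: str
    nickname: str
    exit_from: Optional[date]   # None if the relay never allowed exit traffic
    exit_until: Optional[date]  # None if exit traffic is still allowed (or never was)


# Constructed relay history (assumption: you would build this from your own
# torrc change history or from archived consensus / Onionoo data).
RELAY_HISTORY = [
    RelayRecord("198.51.100.10", "formerexit", date(2016, 1, 1), date(2016, 7, 15)),
    RelayRecord("203.0.113.5", "middleonly", None, None),
]


def parse_indicators(text: str) -> list:
    """Parse the IoC CSV into dicts with real date objects for the sighting window."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ip": row["ip"].strip(),
            "first_seen": date.fromisoformat(row["first_seen"]),
            "last_seen": date.fromisoformat(row["last_seen"]),
            "note": row["note"],
        })
    return rows


def overlaps(a_start: date, a_end: date, b_start: date, b_end: date) -> bool:
    """True if the closed intervals [a_start, a_end] and [b_start, b_end] intersect."""
    return a_start <= b_end and b_start <= a_end


def classify(indicators: list, relays: list) -> list:
    """Return (ip, first_seen, verdict) for each indicator, in feed order."""
    by_ip = {r.ip: r for r in relays}
    verdicts = []
    for ind in indicators:
        relay = by_ip.get(ind["ip"])
        if relay is None:
            verdict = NOT_A_RELAY
        elif relay.exit_from is not None and overlaps(
            ind["first_seen"], ind["last_seen"],
            relay.exit_from, relay.exit_until or date.max,
        ):
            verdict = EXIT_IN_WINDOW
        else:
            verdict = RELAY_NOT_EXIT
        verdicts.append((ind["ip"], ind["first_seen"], verdict))
    return verdicts


def triage_feed(text: str = INDICATOR_CSV, relays: list = RELAY_HISTORY) -> list:
    """Convenience wrapper: parse the feed and classify it against relay history."""
    return classify(parse_indicators(text), relays)


if __name__ == "__main__":
    for ip, first_seen, verdict in triage_feed():
        print(f"{ip:15} {first_seen}  {verdict}")
```

The time-aware comparison is the point: the same address gets a different verdict for a sighting dated after the exit policy was changed to reject everything, which is exactly the distinction an abuse desk reply needs to make.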