Hey,
Yes, I do more or less the same. If the complaint is sent using some automated system, I "do nothing." If the complaint is sent by a human, I'll answer them with a template, see below. If there is a followup response to that, I'll do some more explaining, oftentimes pointing them at the block lists provided by the Tor Project.
Here's the default answer:
---
Thanks a lot for your notification. The traffic originating from the IP-address is traffic from a Tor exit-node. As I am not sure whether you are familiar with the Tor network, I would like to provide some explanation.
Tor is network software that helps users to enhance their privacy, security, and safety online. It does not host any content. Rather, it is part of a network of nodes on the Internet that simply pass packets among themselves before sending them to their destinations, just as any Internet intermediary does. The difference is that Tor tunnels the connections such that no hop can learn both the source and destination of the packets, giving users protection from nefarious snooping on network traffic. The result is that, unlike most other Internet traffic, the final IP address that the recipient receives is not the IP address of the sender.
I run a Tor node to provide privacy to people who need it most: average computer users. Tor sees use by many important segments of the population, including whistle blowers, journalists, Chinese dissidents skirting the Great Firewall and oppressive censorship, abuse victims, stalker targets, the US military, and law enforcement, just to name a few. While Tor is not designed for malicious computer users, it is true that they can use the network for malicious ends.
Of course, the Tor network may be abused by others and apparently this is what you are seeing. I am very sorry for this to happen to you. In reality however, the actual amount of abuse is quite low. This is largely because criminals and hackers have significantly better access to privacy and anonymity than do the regular users whom they prey upon. Criminals can and do build, sell, and trade far larger and more powerful networks than Tor on a daily basis.
To avoid any more traffic from this source, you could (temporarily) block the IP-address of my Tor exit node. You also have the option of blocking all exit nodes on the Tor network if you so desire. The Tor project provides a web service to fetch a list of all IP addresses of Tor exit nodes that allow exiting to a specified IP:port combination, and an official DNSRBL is also available to determine if a given IP address is actually a Tor exit server.
---
++ 04/10/17 02:44 +0000 - teor:
On 3 Oct 2017, at 22:35, tanous .c sawtous@gmail.com wrote:
Have any of you had this sort of problem? I'm having difficulty determining if this log information represents a normal exit relay occurrence or if my server has been compromised... What could I do in order to solve this?
Yes, Profihost sent me one recently that looked very similar. Fortunately, I use OutboundBindAddress, so I knew it was (very likely to be) exit traffic.
You can:
- do nothing
- respond and ask for verification that they want your exit to block their site, but explain that they need to block all Tor Exits for the traffic to stop
- add exit policy entries to block each of the mentioned IPs and ports
- block port 22 on your exit
I'll be doing nothing.
You should consider your provider's reaction, because they may want you to do something about the complaint, even if it's something ineffective.
Tim
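An added example, not part of either message: one way to triage a complaint along the lines discussed above, turning the reported destinations into `ExitPolicy reject` lines and setting aside any flow whose source is not the exit's OutboundBindAddress. The log format, the addresses (documentation ranges) and the function name `triage` are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress
import re

# Constructed complaint excerpt; 198.51.100.7 stands in for the relay's
# OutboundBindAddress. None of these are real hosts.
SAMPLE_COMPLAINT = """\
Oct  3 20:11:02 198.51.100.7:51514 -> 203.0.113.10:22 SSH login failure
Oct  3 20:11:09 198.51.100.7:51620 -> 203.0.113.10:22 SSH login failure
Oct  3 20:12:41 198.51.100.7:40022 -> 203.0.113.25:22 SSH login failure
Oct  3 20:13:00 198.51.100.8:40100 -> 203.0.113.25:22 SSH login failure
Oct  3 20:13:05 198.51.100.7:40101 -> 203.0.113.999:22 malformed entry
"""

# src_ip:src_port -> dst_ip:dst_port (assumed layout of the complaint log)
FLOW = re.compile(r"(\S+):(\d+) -> (\S+):(\d+)")


def triage(complaint, exit_addr):
    """Return (torrc ExitPolicy lines, log lines the exit does not explain)."""
    exit_ip = ipaddress.IPv4Address(exit_addr)
    rejects, unexplained = set(), []
    for line in complaint.splitlines():
        m = FLOW.search(line)
        if not m:
            continue
        src, _sport, dst, dport = m.groups()
        try:
            src_ip = ipaddress.IPv4Address(src)
            dst_ip = ipaddress.IPv4Address(dst)
        except ValueError:
            continue  # skip entries whose addresses do not parse
        port = int(dport)
        if not 1 <= port <= 65535:
            continue
        if src_ip != exit_ip:
            # Not sent from the exit's bind address: look at this separately
            # instead of assuming it was exit traffic.
            unexplained.append(line)
            continue
        rejects.add((dst_ip, port))
    # Tor applies the first matching ExitPolicy entry, so these lines belong
    # above any accept lines in torrc.
    policy = [f"ExitPolicy reject {ip}:{port}" for ip, port in sorted(rejects)]
    return policy, unexplained


if __name__ == "__main__":
    policy, unexplained = triage(SAMPLE_COMPLAINT, "198.51.100.7")
    print("\n".join(policy))
    print("needs a closer look:", unexplained)
```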