Hello fellow Tor-Exit operators,
today I got the following Abuse message:
//Start
[ SpamCop V5.0.0 ] This message is brief for your comfort. Please use links below for details.
Email from 5.199.130.188 / Tue, 19 Mar 2019 12:20:30 +0000
https://www.spamcop.net/w3m?i=.....(removed)
5.199.130.188 is open proxy, see: https://www.spamcop.net/mky-proxies.html
[ Offending message ]
Return-Path: admin@abc.gr
X-Original-To: bingobongo69@cd.ru
Delivered-To: bingobongo69@cd.ru
Received: from 31.184.255.247 (unknown [5.199.130.188]) by relay (Postfix) with ESMTPSA id 7cqntswbr6frkskj for bingobongo69@cd.ru; Tue, 19 Mar 2019 12:20:30 +0000
Message-ID: EAAACECBFAFDDACFCAEABBBEC@abc.gr
From: admin@abc.gr
To: bingobongo69@cd.ru
Subject: smtp:>>smtp.efg.es,587,test@efg.es,123456>>
Date: Tue, 19 Mar 2019 13:20:18 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1251";
Content-Transfer-Encoding: 7bit
smtp:>>smtp.efg.es,587,test@efg.es,123456>>
veblcshgtpwfdonxkebdghrwf pboqjycmmdslmliomafclayaheiuft uybveafdbnsuydqvbgyukf zsszifpadkpaufibjosuk
//End
I wasn't sure what to remove from the abuse message, so I removed all the domains to protect the owners of these hosts/addresses; I hope I didn't miss any.
My question: what did I miss in the exit policy? I have used the following in the torrc. Maybe I did not miss anything at all. Thanks for helping me to understand how the spammer could use the exit for spamming.
I assume that with the reduced exit policy spammers should not be able to use the exit.
// torrc
# Reduced Exit policy according to: https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
ExitPolicy accept *:20-21 # FTP
ExitPolicy accept *:22 # SSH
ExitPolicy accept *:23 # Telnet
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79 # finger
ExitPolicy accept *:80-81 # HTTP
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:143 # IMAP
ExitPolicy accept *:194 # IRC
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:389 # LDAP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464 # kpasswd
ExitPolicy accept *:465 # URD for SSM (more often: an alternative SUBMISSION port, see 587)
ExitPolicy accept *:531 # IRC/AIM
ExitPolicy accept *:543-544 # Kerberos
ExitPolicy accept *:554 # RTSP
ExitPolicy accept *:563 # NNTP over SSL
ExitPolicy accept *:587 # SUBMISSION (authenticated clients [MUA's like Thunderbird] send mail over STARTTLS SMTP here)
ExitPolicy accept *:636 # LDAP over SSL
ExitPolicy accept *:706 # SILC
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:853 # DNS over TLS
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904 # VMware
ExitPolicy accept *:981 # Remote HTTPS management for firewall
ExitPolicy accept *:989-990 # FTP over SSL
ExitPolicy accept *:991 # Netnews Administration System
ExitPolicy accept *:992 # TELNETS
ExitPolicy accept *:993 # IMAP over SSL
ExitPolicy accept *:994 # IRCS
ExitPolicy accept *:995 # POP3 over SSL
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1500 # VLSI License Manager
ExitPolicy accept *:1533 # Sametime
ExitPolicy accept *:1677 # GroupWise
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1755 # RTSP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:2082 # Infowave Mobility Server
ExitPolicy accept *:2083 # Secure Radius Service (radsec)
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128 # SQUID
ExitPolicy accept *:3389 # MS WBT
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:4643 # Virtuozzo
ExitPolicy accept *:5050 # MMCC
ExitPolicy accept *:5190 # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228 # Android Market
ExitPolicy accept *:5900 # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679 # IRC SSL
ExitPolicy accept *:6697 # IRC SSL
ExitPolicy accept *:8000 # iRDMI
ExitPolicy accept *:8008 # HTTP alternate
ExitPolicy accept *:8074 # Gadu-Gadu
ExitPolicy accept *:8080 # HTTP Proxies
ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port
ExitPolicy accept *:64738 # Mumble
ExitPolicy reject *:*
Regards yl
Someone likely abused a webmail provider. Respond to them that SMTP isn’t available from your exit and they’ll have to contact the email service provider directly.
Cordially, Nathaniel Suchy
On Apr 2, 2019, at 5:04 PM, ylms tor@yl.ms wrote:
> My question: what did I miss in the exit policy? I have used the following in the torrc. Maybe I did not miss anything at all. Thanks for helping me to understand how the spammer could use the exit for spamming.
Emails and spam can be sent via, for example:
- webmail (frequently port 80/443)
- 465/587
(not just port 25)
* ylms:
smtp:>>smtp.efg.es,587,test@efg.es,123456>> [...] ExitPolicy accept *:587
You allow TCP port 587 (submission). That should not be a problem unless the targeted server fails to enforce authentication for all email submitted via this port. If that is the case, it is a configuration error on the destination server.
-Ralph
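A quick way for an operator to see which of the mail-related ports named in this thread (25, 80/443 for webmail, 465, 587) a torrc exit policy lets through, which is what Ralph's point about 587 comes down to. This is an added example, not code from the thread or from Tor: it evaluates only the wildcard-host form of ExitPolicy lines with Tor's first-match semantics, and the POLICY text is a constructed subset of the torrc quoted above.

```python
import re

# Constructed subset of the reduced exit policy quoted earlier in the thread.
POLICY = """
# Reduced Exit policy (subset)
ExitPolicy accept *:80-81 # HTTP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:465 # URD for SSM (alternative SUBMISSION port)
ExitPolicy accept *:587 # SUBMISSION
ExitPolicy reject *:*
"""

# Only "ExitPolicy <accept|reject> *:<port|lo-hi|*>" is handled here;
# address-specific rules (CIDR, accept6/reject6) are rejected at parse time.
RULE_RE = re.compile(r"^ExitPolicy\s+(accept|reject)\s+\*:([0-9]+(?:-[0-9]+)?|\*)$")

MAIL_PORTS = {25: "SMTP relay", 80: "HTTP (webmail)", 443: "HTTPS (webmail)",
              465: "SMTPS", 587: "submission"}


def parse_policy(text):
    """Return [(action, lo, hi)] in torrc order; comments and other directives are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comment
        if not line.startswith("ExitPolicy"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ExitPolicy form: {line!r}")
        action, ports = m.groups()
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append((action, lo, hi))
    return rules


def decide(rules, port):
    """First matching rule wins, as Tor evaluates policies; None if nothing matched."""
    for action, lo, hi in rules:
        if lo <= port <= hi:
            return action
    return None


def mail_exposure(text):
    """Map each mail-related port to the action the policy takes for it."""
    rules = parse_policy(text)
    return {port: decide(rules, port) for port in MAIL_PORTS}
```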
Hello all, I bundle the reply to all three helpful replies in this email.
Basically the replies confirm my assumptions; I was wondering if there is a single misconfiguration on my end or if the problem is a little more complex. I will watch the abuse complaints, and if there are more about spam I will see what I can do.
This abuse ticket was part of a bundle of complaints (many abuse complaints), most of them SSH brute-force and WordPress "hacking" attempts. So I replied with my standard reply as I always do; it is generic and explains that the server is a Tor exit, and I offer to block their IP in the email. Not sure what my provider does with that reply, but I never hear back from anyone.
Thanks again for the help.
Regards yl
Replies, just for reference:
1.
On 4/2/19 11:24 PM, Ralph Seichter wrote:
> * ylms:
smtp:>>smtp.efg.es,587,test@efg.es,123456>> [...] ExitPolicy accept *:587
You allow TCP port 587 (submission). That should not be a problem unless the targeted server fails to enforce authentication for all email submitted via this port. If that is the case, it is a configuration error on the destination server.
-Ralph
2.
On 4/2/19 11:19 PM, nusenu wrote:
> My question: what did I miss in the exit policy? I have used the following in the torrc. Maybe I did not miss anything at all. Thanks for helping me to understand how the spammer could use the exit for spamming.
Emails and spam can be sent via, for example:
- webmail (frequently port 80/443)
- 465/587
(not just port 25)
3.
On 4/2/19 11:08 PM, Nathaniel Suchy wrote:
> Someone likely abused a webmail provider. Respond to them that SMTP isn't available from your exit and they'll have to contact the email service provider directly.
Cordially, Nathaniel Suchy
On 4/2/19 11:04 PM, ylms wrote:
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays