Hello, I received an abuse email today from my hoster (several emails from webiron bundled into one email), typical automated abuse emails, not much information.
However, they request that, if the origin IP is a Tor exit, the full /24 subnet be blocked. As they also state, they will not provide the full IP of their customer and request blocking the exit to the /24.
Any thoughts on this? I don't like to block the whole /24 just because one idiot using one of the IPs is using some snake oil service like webiron; the collateral damage is too big in my eyes. All other IPs in the same range will be blocked as well.
Why should I even care about blocking such IPs given by webiron? In my opinion the blocking is useless from my side, and in the worst case the users of webiron will block my exit node IP. Would it be better for the Tor network if I blocked the IPs? Are there any bad consequences for the Tor network if I don't?
Let me know your thoughts. The service's URL is https://www.webiron.com, no need to go there, I didn't because such services are just useless. Better use fail2ban or something similar.
Greetings, yl
Hello yl,
I also got some reports from WebIron. I have also given some thought to blocking Tor from reaching some parts of the internet and whether it's against the ethics of Tor. I think that blocking the destination for two weeks with a reject rule satisfies the "victim" and your hoster, and thus helps prevent the exit node from being shut down. For me, this is the best solution for this situation.
I also ask my hoster for the mail address of the abuse reporter and write a little statement on why he got attacked, what Tor is and why I am running a relay. Mostly the abuse reports from WebIron are about WordPress login brute-force attacks. I then try to explain how the "victim" can prevent such attacks by setting up allow/deny rules in their webserver software and a pre-set basic authentication. I mostly get positive responses.
~Josef
On 21 Oct 2015, at 07:41, Josef Stautner hello@veloc1ty.de wrote:
I also ask my hoster for the mail address of the abuse reporter and write a little statement on why he got attacked, what Tor is and why I am running a relay. Mostly the abuse reports from WebIron are about WordPress login brute-force attacks. I then try to explain how the "victim" can prevent such attacks by setting up allow/deny rules in their webserver software and a pre-set basic authentication. I mostly get positive responses.
Josef,
Would you mind putting the statement on the wiki or posting it to this list?
It might help other exit operators to respond to these kind of abuse reports.
Tim
Hi,
2015-10-21 22:23 GMT+02:00 teor teor2345@gmail.com:
Would you mind putting the statement on the wiki or posting it to this list?
It might help other exit operators to respond to these kind of abuse reports.
+1. Can somebody point me to this?
I have just received a notification from my ISP that they will suspend my service in 72 hours if I do not act on a complaint that is a webiron automated report.
I have already replied with the standard answer (this was my first action since at the beginning my ISP mentioned a generic complaint; now they have forwarded the webiron mail). I would like some indications for a more dedicated answer.
Blocking IP ranges is out of the question, of course.
Thank you,
Cristian
Hi Cristian,
sorry, I marked that message as "Todo" but forgot :-)
My reply to my provider is:
-----------------------------------------------------
Hello Martin,
I've blocked the whole /24 (originally the target IP range is inside a /16, but that would be too much) to prevent further traffic. I will remove the block in roughly one or two months.
Can you please provide me the e-mail address so I can apologize and explain the situation to the reporter?
Thanks,
Josef
-----------------------------------------------------
If I were you I would not mind blocking the destination for a short time.
~Josef
2015-11-16 12:46 GMT+01:00 Josef 'veloc1ty' Stautner hello@veloc1ty.de:
sorry, I marked that message as "Todo" but forgot :-)
Thank you. This is very helpful!
Hello Martin,
I've blocked the whole /24 (originally the target IP range is inside a /16, but that would be too much) to prevent further traffic. I will remove the block in roughly one or two months.
Can you please provide me the e-mail address so I can apologize and explain the situation to the reporter?
Ok, so you did block a range for a limited period. I will need to learn how to do that.
I will try to use this episode to push again with my ISP for SWIP reassignment (which they do offer, but at a cost).
Ciao,
Cristian
On 16 Nov 2015, at 22:58, Cristian Consonni kikkocristian@gmail.com wrote:
Ok, so you did block a range for a limited period. I will need to learn how to do that.
Try: ExitPolicy reject4 1.2.3.4/24:*
There's an extensive description of ExitPolicy in the tor man page.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
Maybe something to add because I ran into a mistake:
ExitPolicy is a first-match scenario. The reject rules for abuse reports and the like have to come first, then your accept rules, and then a reject *:*.
For example, my current policy is:
ExitPolicy reject 5.133.182.0/24 # WebIron report
ExitPolicy reject 80.14.2.87/16 # [Ticket ID: 960950]
ExitPolicy reject 37.247.48.0/21 # #214673
ExitPolicy reject 62.67.194.130 # [Ticket ID: 869382]
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:80 # HTTP
ExitPolicy accept *:8080 # HTTP
ExitPolicy accept *:443 # HTTPS
ExitPolicy reject *:*
~Josef
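The first-match behaviour Josef describes is easy to get wrong and hard to notice, because a misplaced reject still loads without error; it simply never fires for the ports an earlier accept already covers. The following is an added example for this thread, not code from tor or from any poster: it parses ExitPolicy lines (IPv4 and `*` only), decides accept/reject for a destination the way tor does, flags rules that can never change a decision, and, for the time-limited blocks Josef and Cristian talk about, lists rules whose `until YYYY-MM-DD` comment (a convention assumed here, not a tor feature) has passed. The torrc fragments inside are constructed; the first reproduces the ordering mistake.

```python
"""Evaluate a torrc ExitPolicy the way tor does: the first matching rule wins.

Added example for this thread, not code from tor or from any poster. Covers IPv4
targets and '*' only (IPv6 entries such as [::1]:80 are out of scope). The
"until YYYY-MM-DD" expiry comment is a convention assumed here, not a tor feature.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

HEAD_RE = re.compile(r"^ExitPolicy\s+(.+)$")                # the torrc option itself
POLICY_RE = re.compile(r"^(accept|reject)[46]?\s+(\S+)$")   # one policy: action target
UNTIL_RE = re.compile(r"until\s+(\d{4}-\d{2}-\d{2})")       # assumed expiry convention


@dataclass
class Rule:
    action: str                               # "accept" or "reject"
    network: Optional[ipaddress.IPv4Network]  # None means "*" (any address)
    ports: Optional[Tuple[int, int]]          # None means "*" (any port)
    comment: str                              # text after '#', used for expiry dates
    line: str                                 # normalised rule text, for reporting


def _parse_target(spec: str):
    """'1.2.3.4/24:*' -> (network, (lo, hi)). A bare ADDR means all ports, as in tor.
    strict=False masks host bits, so '80.14.2.87/16' becomes 80.14.0.0/16."""
    addr, _, port = spec.partition(":")
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port in ("", "*"):
        ports = None
    elif "-" in port:
        lo, hi = port.split("-", 1)
        ports = (int(lo), int(hi))
    else:
        ports = (int(port), int(port))
    return network, ports


def parse_policy(torrc_text: str) -> List[Rule]:
    rules = []
    for raw in torrc_text.splitlines():
        body, _, comment = raw.partition("#")
        head = HEAD_RE.match(body.strip())
        if not head:
            continue                           # blank lines and other torrc options
        for item in head.group(1).split(","):  # one line may hold several policies
            m = POLICY_RE.match(item.strip())
            if not m:
                raise ValueError(f"unparsable ExitPolicy entry: {raw!r}")
            network, ports = _parse_target(m.group(2))
            rules.append(Rule(m.group(1), network, ports, comment.strip(),
                              f"ExitPolicy {item.strip()}"))
    return rules


def matches(rule: Rule, ip: ipaddress.IPv4Address, port: int) -> bool:
    if rule.network is not None and ip not in rule.network:
        return False
    return rule.ports is None or rule.ports[0] <= port <= rule.ports[1]


def decide(rules: List[Rule], ip: str, port: int) -> Tuple[str, str]:
    """First match wins. If nothing matches, tor falls through to its built-in
    default policy; that case is reported as 'default' rather than guessed."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if matches(rule, addr, port):
            return rule.action, rule.line
    return "default", "(no rule matched)"


def ineffective_rules(rules: List[Rule]) -> List[Rule]:
    """Rules whose removal changes no decision over a probe set built from the policy
    itself (every rule's network address and port bounds, plus an unrelated address
    and two unrelated ports). Not a completeness proof, but it catches a reject that
    sits below a broader accept and therefore never fires for the accepted ports."""
    probe_ips = {str(r.network.network_address) for r in rules if r.network} | {"198.51.100.1"}
    probe_ports = {p for r in rules if r.ports for p in r.ports} | {1, 65535}
    dead = []
    for i, rule in enumerate(rules):
        without = rules[:i] + rules[i + 1:]
        if all(decide(rules, ip, p)[0] == decide(without, ip, p)[0]
               for ip in probe_ips for p in probe_ports):
            dead.append(rule)
    return dead


def expired_rules(rules: List[Rule], today: str) -> List[Rule]:
    """Time-limited blocks: rules whose comment says 'until YYYY-MM-DD' before today."""
    cutoff = date.fromisoformat(today)
    return [r for r in rules
            if (m := UNTIL_RE.search(r.comment)) and date.fromisoformat(m.group(1)) < cutoff]


# Constructed torrc fragments. WRONG_ORDER reproduces the mistake from the thread:
# the abuse reject sits below 'accept *:80', so HTTP to the blocked range is still
# accepted and the reject never changes any decision.
WRONG_ORDER = """
ExitPolicy accept *:53                # DNS
ExitPolicy accept *:80                # HTTP
ExitPolicy reject 5.133.182.0/24:*    # WebIron report, until 2015-12-16
ExitPolicy reject *:*
"""

RIGHT_ORDER = """
ExitPolicy reject 5.133.182.0/24:*    # WebIron report, until 2015-12-16
ExitPolicy reject 62.67.194.130       # hoster ticket; no port means all ports
ExitPolicy accept *:53                # DNS
ExitPolicy accept *:80                # HTTP
ExitPolicy reject *:*
"""
```

Run `ineffective_rules(parse_policy(open("/etc/tor/torrc").read()))` after every edit to an exit policy, and `expired_rules(...)` from a cron job; for WRONG_ORDER the former returns the WebIron reject, for RIGHT_ORDER it returns nothing. Remember that tor only re-reads the torrc on SIGHUP, so removing an expired line is not enough on its own.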
My hosting provider also got these requests. Their terms of service require that I answer something to acknowledge I got that.
I just answer "ok, I'll handle it" and that's it.
The reverse lookup of my nodes points to a hostname that shows the Tor text. The host name is tor4thepeople1.torexitnode.net, so I'm quite sure they know that. I don't do anything beyond that and agree with AMuse that they can easily handle that without bugging the operators.
2015-11-16 13:21 GMT+01:00 Eran Sandler eran@sandler.co.il:
My hosting provider also got these requests. Their terms of service require that I answer something to acknowledge I got that.
I just answer "ok, I'll handle it" and that's it.
The reverse lookup of my nodes points to a hostname that shows the Tor text. The host name is tor4thepeople1.torexitnode.net so I'm quite sure they know that.
Same here.
I don't do anything beyond that and agree with AMuse that they can easily handle that without bugging the operators.
I understand this and it would also be my first line of reaction. However, I am a new exit node operator (my node has been active as an exit for only 5 and a half now) and I have to understand how my ISP reacts to this kind of thing.
For instance, after the report (which clearly says "Automated Message" on top of it, btw) they have sent me an email *and* called me on the phone (I just spoke with their customer tech support; they keep reminding me that everything that happens on that machine is my responsibility). They told me that they offer SWIP reassignment at an additional cost and only if I buy dedicated servers and a dedicated IP. I will speak with their commercial help desk to understand the costs.
For the moment I will keep a low profile and I will block the mentioned IP range for a month. Then let's see if I can talk to my ISP and get the SWIP reassignment.
C
I'm currently in the middle of a somewhat heated e-mail debate with their vice-president. Pasting the e-mails below would be indelicate, but their position is that the Tor network is responsible for the abuse it generates and should take measures to prevent/block malicious traffic. They also state that according to their measurements, 99% of the traffic coming out of Tor is hostile, and they're going to release a report on the matter soon.
On my side, I've been arguing that 99% of bad traffic absolutely doesn't imply 99% of bad users, since brute-force attacks generate a massive amount of requests (i.e. that 99% of bad traffic may be generated by 1% of the users for all we know) - and therefore I'm unwilling to punish all of them because of an unruly few. Besides, blocking whole /24 subnets seems overkill to me, and they have yet to prove that they have the authority to speak for all the IPs they are requesting.
I suggested that site owners who wish to block Tor traffic do so using the DNSRBL, to which they replied that "hundreds of millions of site owners who barely know how to do e-mail" shouldn't be asked to configure their servers - or indeed do anything to protect themselves because that's victim blaming. They add that "what we have coming next in tackling abuses will make your heads spin :)" and conclude that I'm an arrogant bastard (mildly paraphrasing here).
So as far as I'm concerned, I'll just discard anything I receive from them in the future. I've told my hosting provider that their automated e-mails should be disregarded, and they are okay with that.
-- JusticeRage
The Tor directory of exit nodes is readily available for ISPs and website operators to apply in their filters. I don't see why putting the onus on tens of thousands of exit operators to exit-block THEIR addresses is in any way reasonable.
I agree. I just bin these, or send the standard "abuse" response template, which includes a snippet about using a DNSBL.
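JusticeRage's DNSRBL suggestion and the "snippet about using a DNSBL" in the standard response are the site-owner side of this argument, so here is what that lookup actually looks like. This is an added example, not code from the thread or from the Tor Project. It assumes the TorDNSEL zone `dnsel.torproject.org`, queried as `<reversed client IPv4>.dnsel.torproject.org`, with an A record of `127.0.0.2` meaning "Tor exit" and NXDOMAIN meaning "not listed"; name construction and answer handling are pure functions that run offline, and only `is_tor_exit()` talks to a resolver. The `access_decision()` policy (challenge Tor exits instead of blocking them, fail open on resolver errors) is one reasonable choice, not the only one.

```python
"""Ask the Tor Project's DNS exit list whether a client address is a Tor exit.

Added example, not code from the thread or from the Tor Project. Assumptions:
the TorDNSEL zone is dnsel.torproject.org, the query name is the client's IPv4
address with its octets reversed under that zone, 127.0.0.2 means "Tor exit"
and NXDOMAIN means "not listed".
"""
import ipaddress
import logging
import socket
from typing import Callable, List, Optional

DNSEL_ZONE = "dnsel.torproject.org"   # assumed zone, see module docstring
EXIT_ANSWER = "127.0.0.2"              # assumed positive answer
_NXDOMAIN = {getattr(socket, "EAI_NONAME", -2), getattr(socket, "EAI_NODATA", -5)}
# Addresses that cannot be Tor exits and must never be sent to an external DNS zone.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

log = logging.getLogger("tordnsel")


def should_query(client_ip: str) -> bool:
    """Skip internal addresses: the query would leak topology and can only say 'no'."""
    addr = ipaddress.ip_address(client_ip)
    return addr.version == 4 and not any(addr in net for net in _INTERNAL)


def dnsel_query_name(client_ip: str, zone: str = DNSEL_ZONE) -> str:
    """203.0.113.9 -> 9.113.0.203.dnsel.torproject.org"""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("this lookup covers IPv4 clients only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret_answer(addresses: List[str]) -> bool:
    """True only for the documented positive answer; any other A record counts as
    'not listed', so a wildcarded or hijacked zone cannot flag every visitor as Tor."""
    return EXIT_ANSWER in addresses


def is_tor_exit(client_ip: str, zone: str = DNSEL_ZONE) -> Optional[bool]:
    """Live lookup. True/False on a definite answer, None when the resolver failed,
    so an outage stays visible to the caller instead of turning into a guess."""
    try:
        _, _, addresses = socket.gethostbyname_ex(dnsel_query_name(client_ip, zone))
    except socket.gaierror as exc:
        return False if exc.errno in _NXDOMAIN else None
    return interpret_answer(addresses)


def access_decision(client_ip: str,
                    lookup: Callable[[str], Optional[bool]] = is_tor_exit) -> str:
    """Example policy for a login endpoint: Tor exits get an extra challenge
    (captcha, second factor) rather than a blanket block, everyone else is allowed,
    and a resolver failure fails open with a log line so a DNS outage cannot lock
    out every visitor. 'lookup' is injectable so the policy is testable offline."""
    if not should_query(client_ip):
        return "allow"
    result = lookup(client_ip)
    if result is None:
        log.warning("TorDNSEL lookup failed for %s; allowing without challenge", client_ip)
        return "allow"
    return "challenge" if result else "allow"
```

Cache the answers (the exit list changes on the order of hours, not seconds) and make the lookup asynchronous or bounded by a short timeout before putting it in a request path; a blocking DNS call per login attempt is itself a denial-of-service vector.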
++ 20/10/15 13:57 -0700 - AMuse:
The Tor directory of exit nodes is readily available for ISPs and website operators to apply in their filters. I don't see why putting the onus on tens of thousands of exit operators to exit-block THEIR addresses is in any way reasonable.
I do agree with the gist of your message. However, I wish you could say there are 'tens of thousands of exit operators'. :)
Dear yl,
just a few words from the abuse helpdesk of a larger tor-exit-node...
TL;DR: we ignore those requests. they don't even reach a human.
While we do handle most genuine/honest/helpful and especially all non-automated abuse reports very diligently, pointless nagging services like webiron are automatically rejected before they reach our abuse inbox. It seems that we are not the only ones who deem their mass mailings spam, as evident from the Spamhaus listing below:
Oct 20 03:34:54 mail smtpd: NOQUEUE: reject: RCPT from abuse-reporting.webiron.com[23.91.17.162]: 554 5.7.1 Service unavailable; Client host [23.91.17.162] blocked using sbl.spamhaus.org; http://www.spamhaus.org/sbl/query/SBLCSS; from=###@abuse-reporting.webiron.com to=<abuse@###> proto=ESMTP helo=<abuse-reporting.webiron.com>
Oct 20 03:34:54 mail smtpd: disconnect from abuse-reporting.webiron.com[23.91.17.162]
Oct 20 19:49:51 mail postfix/smtpd: NOQUEUE: reject: RCPT from unknown[23.239.20.29]: 554 5.7.1 ###@abuse-reporting.webiron.com: Sender address rejected: Access denied; from=###@abuse-reporting.webiron.com to=<abuse@###> proto=ESMTP helo=<abuse-reporting.webiron.com>
We had similar problems with report@redsnitch.net and most notably with clean-mx.de, which seems to be a confused single individual (Mr. Recher) sending out not very helpful mass mailings. Repeated contact attempts by mail and on his apparently 24/7 reachable mobile number (included in every one of his mails) did not convince him to stop. If you also get these and are annoyed by them, try giving him a call; he seems to like feedback and was ok with getting a call at an odd time.
Also on our inbound deny list is a regex match for /^(.*)fail2ban(.*)$/, due to a rather recent phenomenon. Some people out there apparently are of the opinion that it is a reasonable choice to use the ugly crutch that is "fail2ban" instead of deprecating password-based authentication for ssh. To make things worse, these days this ill-conceived piece of software includes an option to advertise itself to other people. Automatically. Via mail. *sigh*
Cheers
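An abuse desk that rejects automated reporters at the SMTP layer, as above, still wants to know who is being bounced and why, so that a genuine reporter caught by a DNSBL does not vanish unnoticed. The following is an added example, not code from the thread: a parser for Postfix `NOQUEUE: reject: RCPT from` lines that buckets rejections by sender domain and by cause (which DNSBL fired, or which access table refused the sender). The sample lines are constructed after the excerpt posted above, with the `###` redactions replaced by `reports@` and `abuse@example.net` placeholders so they parse; the regex follows the standard Postfix smtpd reject format.

```python
"""Parse Postfix smtpd rejections and summarise who is being bounced and why.

Added example for the log excerpt above, not code from the thread. SAMPLE_LOG is
constructed after the posted lines, with redacted addresses replaced by placeholders.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:postfix/)?smtpd(?:\[\d+\])?: NOQUEUE: reject: RCPT from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<esc>\d\.\d\.\d) "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
DNSBL_RE = re.compile(r"blocked using (\S+?)[;,\s]")   # 'blocked using sbl.spamhaus.org;'


def parse_reject(line: str) -> Optional[Dict[str, str]]:
    """One smtpd reject line -> named fields, or None for anything else (connects,
    disconnects, accepted mail) so the caller can count what it skipped."""
    m = REJECT_RE.match(line)
    return m.groupdict() if m else None


def classify(reason: str) -> str:
    """Collapse the free-text reason into a small set of buckets."""
    m = DNSBL_RE.search(reason)
    if m:
        return "dnsbl:" + m.group(1)
    if "Sender address rejected" in reason:
        return "sender-access"
    if "Recipient address rejected" in reason:
        return "recipient-access"
    return "other"


def summarize(lines: List[str]) -> dict:
    parsed = []
    skipped = 0
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            skipped += 1
        else:
            parsed.append(rec)
    by_domain = Counter(r["sender"].rpartition("@")[2] for r in parsed)
    by_reason = Counter(classify(r["reason"]) for r in parsed)
    return {"rejects": len(parsed), "skipped": skipped,
            "by_sender_domain": dict(by_domain), "by_reason": dict(by_reason)}


# Constructed sample, modelled on the excerpt posted above; '###' redactions are
# replaced by reports@ and abuse@example.net so the lines parse.
SAMPLE_LOG = [
    "Oct 20 03:34:54 mail smtpd: NOQUEUE: reject: RCPT from abuse-reporting.webiron.com[23.91.17.162]: "
    "554 5.7.1 Service unavailable; Client host [23.91.17.162] blocked using sbl.spamhaus.org; "
    "http://www.spamhaus.org/sbl/query/SBLCSS; from=<reports@abuse-reporting.webiron.com> "
    "to=<abuse@example.net> proto=ESMTP helo=<abuse-reporting.webiron.com>",
    "Oct 20 03:34:54 mail smtpd: disconnect from abuse-reporting.webiron.com[23.91.17.162]",
    "Oct 20 19:49:51 mail postfix/smtpd: NOQUEUE: reject: RCPT from unknown[23.239.20.29]: "
    "554 5.7.1 <reports@abuse-reporting.webiron.com>: Sender address rejected: Access denied; "
    "from=<reports@abuse-reporting.webiron.com> to=<abuse@example.net> proto=ESMTP "
    "helo=<abuse-reporting.webiron.com>",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it `/var/log/mail.log` (or `journalctl -u postfix`) once a day and look at `by_sender_domain`: a domain you do not recognise showing up under a `dnsbl:` bucket is worth a manual look before you conclude it was just another mass mailer.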
Some people out there apparently are of the opinion that it is a reasonable choice to use the ugly crutch that is "fail2ban" instead of deprecating password based authentication for ssh.
You're technically correct (the best kind) but I wanted to point out that Fail2Ban is a really useful tool for a lot of login protocols which are NOT SSH and which are still subject to frequent brute-force attempts. HTTP BASIC and IMAP(s) both come to mind as something I configure fail2ban to watch for me, neither of which have a strong key-based auth system to configure and disable passwords.
Still, configuring fail2ban to email people is really stupid. So I'll give you that with no argument.