I recently had a dedicated server free up and decided to set it up as a Tor relay. It has 100Mbps unmetered traffic, so I thought it would be a good contribution. Right now I have it set up as a middle node, but I am considering possibly converting it to an exit node. Both my server and I are based in the US. I asked my hosting company about the possibility of running a Tor exit node and they said that they do not have a policy against it, but that if they get a lot of complaints they might set up an ACL on specific ports. So I really would like to reduce the probability of getting any complaints. I have heard about the reduced exit policy. What is people's experience running with that policy? Is there a further reduced set that might be better, in the sense of avoiding complaints, and still remain useful as an exit node? Should I just leave it as a middle node? Thanks in advance for any feedback.
Regards, George
On Jun 2, 2011, at 1:22 PM, George Gemelos wrote:
I recently had a dedicated server free up and decided to set it up as a Tor relay. It has 100Mbps unmetered traffic, so I thought it would be a good contribution. Right now I have it set up as a middle node, but I am considering possibly converting it to an exit node. Both my server and I are based in the US. I asked my hosting company about the possibility of running a Tor exit node and they said that they do not have a policy against it, but that if they get a lot of complaints they might set up an ACL on specific ports. So I really would like to reduce the probability of getting any complaints.
If it is at all possible, by far the best solution is to have abuse complaints bypass your ISP and come directly to you. To that end, it's worth asking your ISP if SWIP or RDNS services are available, and if it would be possible to set up a filter to forward all abuse complaints to you so that you might deal with them personally (See 1, 3, 4, and 5 of [1]). Personally I've had success with two ISPs by assuming the pretext of saving them the time and effort of dealing with each (unwarranted) complaint themselves.
I have heard about the reduced exit policy. What is people's experience running with that policy? Is there a further reduced set that might be better, in the sense of avoiding complaints, and still remain useful as an exit node? Should I just leave it as a middle node? Thanks in advance for any feedback.
Most people on this list seem to have a lot of success with the "standard" reduced exit policy (6 of [1]). Generally even ISPs who are hostile to Tor will give you several warnings before shutting down service, so if reasoning with them doesn't work, you always have the option of dropping down to a middle node later on down the line.
Cheers,
~Justin Aplin
On 02/06/11 21:16, Justin Aplin wrote:
Most people on this list seem to have a lot of success with the "standard" reduced exit policy (6 of [1]). Generally even ISPs who are hostile to Tor will give you several warnings before shutting down service, so if reasoning with them doesn't work, you always have the option of dropping down to a middle node later on down the line.
I run a TOR node in OVH (France). They shut down my server several times because it was "hacked" in the sense of "we don't think a server should make outgoing port 443 connections". After a lot of complaints and arguments, and a dozen shutdowns, I restricted my node to NON-EXIT, and filter my 443 outgoing at FW level, because even connecting to port 443 of other TOR nodes was considered "you have a compromised machine".
Unsatisfying. But at least I provide 50Mbps to TOR mesh, 24x7, as an internal relay node. Could be worse, I guess.
--
Jesus Cea Avion - jcea@jcea.es - http://www.jcea.es/ - jabber / xmpp:jcea@jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz
I run a TOR node in OVH (France). They shut down my server several times because it was "hacked" in the sense of "we don't think a server should make outgoing port 443 connections".
nice provider you've picked hahaha :P
googlebot is hacked too! constantly connecting to port 80 and 443 :P
On 06/03/2011 02:45 PM, Jesus Cea wrote:
I run a TOR node in OVH (France). They shut down my server several times because it was "hacked" in the sense of "we don't think a server should make outgoing port 443 connections". After a lot of complaints and arguments, and a dozen shutdowns, I restricted my node to NON-EXIT, and filter my 443 outgoing at FW level, because even connecting to port 443 of other TOR nodes was considered "you have a compromised machine".
I suppose most of the circuit attempts through your relay will break, because 7 out of the 10 fastest relays have their ORPort set to 443 (in total ~30% of relays have their ORPort set to 443).
Your relay won't be able to publish its descriptor to all directory authorities. It would be nice to add detection for such firewalled relays to the scanner.
You might be interested in this (long-term) feature request: https://trac.torproject.org/projects/tor/ticket/3028
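The "7 out of the 10 fastest" and "~30% of relays" figures above come from the network-status consensus, and anyone running an outbound port filter can recompute them for the current consensus. The following is an added example, not code from this thread or from Tor: it reads the "r" (router status) and "w" (bandwidth weight) lines of a consensus and reports how much of the network, by relay count and by consensus weight, sits behind a blocked ORPort. The five relays, their nicknames and weights are a constructed sample in consensus syntax, not real entries.

```python
"""Estimate how much of a Tor consensus a relay that cannot reach TCP/443
would be unable to extend circuits to.

Added example, not code from the thread or from Tor. It reads the "r"
(router status) and "w" (bandwidth weight) lines of a network-status
consensus; the sample at the bottom is constructed.
"""
import re
from dataclasses import dataclass

# "r nickname identity digest date time address ORPort DirPort"
R_LINE = re.compile(r"^r (\S+) \S+ \S+ \S+ \S+ (\S+) (\d+) (\d+)$")
W_LINE = re.compile(r"^w Bandwidth=(\d+)")


@dataclass
class Relay:
    nickname: str
    address: str
    orport: int
    bandwidth: int = 0  # consensus weight; stays 0 if no "w" line follows


def parse_consensus(text):
    """Return one Relay per router status entry, with its consensus weight."""
    relays = []
    for line in text.splitlines():
        m = R_LINE.match(line)
        if m:
            relays.append(Relay(m.group(1), m.group(2), int(m.group(3))))
            continue
        m = W_LINE.match(line)
        if m and relays:
            relays[-1].bandwidth = int(m.group(1))
    return relays


def unreachable_share(relays, blocked_ports):
    """Fraction of relays, and of total consensus weight, whose ORPort is
    behind an outbound port filter. Weight matters more than count: clients
    pick relays in proportion to bandwidth, so a few fast relays on port 443
    account for most of the circuits that would break."""
    blocked = [r for r in relays if r.orport in blocked_ports]
    total_bw = sum(r.bandwidth for r in relays) or 1
    return len(blocked) / len(relays), sum(r.bandwidth for r in blocked) / total_bw


def fastest_blocked(relays, blocked_ports, n=10):
    """How many of the n heaviest relays sit on a blocked ORPort
    (the "7 out of the 10 fastest" style figure)."""
    fastest = sorted(relays, key=lambda r: r.bandwidth, reverse=True)[:n]
    return sum(1 for r in fastest if r.orport in blocked_ports)


# Constructed sample: five hypothetical relays in consensus format. Identity
# and digest fields are placeholders; addresses are RFC 5737 documentation
# ranges. A real consensus carries thousands of entries.
SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2011-06-03 10:00:00 192.0.2.10 443 80
s Fast Guard Running Stable Valid
w Bandwidth=50000
p reject 1-65535
r bravo AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2011-06-03 10:05:00 192.0.2.20 9001 9030
s Fast Running Valid
w Bandwidth=20000
p accept 80,443
r charlie AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2011-06-03 09:50:00 198.51.100.5 443 9030
s Fast Guard Running Stable Valid
w Bandwidth=40000
p reject 1-65535
r delta AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2011-06-03 09:40:00 198.51.100.9 9001 0
s Running Valid
w Bandwidth=10000
p reject 1-65535
r echo AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2011-06-03 09:30:00 203.0.113.7 8080 0
s Running Valid
w Bandwidth=5000
p reject 1-65535
"""

if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    by_count, by_weight = unreachable_share(relays, {443})
    print(f"{len(relays)} relays; {by_count:.0%} by count, {by_weight:.0%} by weight on ORPort 443")
    print(f"{fastest_blocked(relays, {443}, n=3)} of the 3 fastest relays use ORPort 443")
```

On the constructed sample two of five relays (40%) use ORPort 443, but they carry 72% of the weight, which is the shape of the problem tagnaq describes: the filter does not just lose a third of the relays, it loses the ones clients are most likely to choose.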
On 03/06/11 15:13, tagnaq wrote:
I suppose most of the circuit attempts through your relay will break, because 7 out of the 10 fastest relays have their ORPort set to 443 (in total ~30% of relays have their ORPort set to 443).
I guess TOR should listen on several different ports. Same for the directory authorities.
I am tunneling 50-70Mbps 24x7, so I hope I am helping somebody :)
Just now:
""" ... 650 BW 5246020 5284011 650 BW 5239734 5342017 650 BW 5242553 5294075 650 BW 5244540 5207474 650 BW 5241169 5278475 650 BW 5245447 5242702 650 BW 5241356 5136825 650 BW 5246852 4989203 650 BW 5237821 5260716 650 BW 5243314 5000966 650 BW 5243635 5497194 650 BW 5243761 5207223 650 BW 5241754 5360268 650 BW 5244234 5257080 ... """
On 06/03/2011 03:30 PM, Jesus Cea wrote:
I guess TOR should listen to several different ports.
Yes, design work related to IPv6 support will bring multiple ORPort support if I recall correctly, but this won't prevent circuits from failing in firewalled scenarios, because your Tor process doesn't know that outbound traffic going to port 443 is filtered, and a client using your node doesn't know that you are not able to connect to relays running on ORPort 443.
On 03/06/11 15:44, tagnaq wrote:
Yes, design work related to IPv6 support will bring multiple ORPort support if I recall correctly, but this won't prevent circuits from failing in firewalled scenarios, because your Tor process doesn't know that outbound traffic going to port 443 is filtered, and a client using your node doesn't know that you are not able to connect to relays running on ORPort 443.
I guess tor.conf could have a directive such as "never connect to this port". I know my situation is a bit particular, I fully realize.
Anyway, I am tunneling quite a bit of traffic, so I hope I am being useful, even if not useful to everybody. With your comments I am afraid that I could be punishing the network, because people trying to go through me could be unable to create some circuits in a silent way, bringing connection delays and a general sense of unreliability.
I accept suggestions.
On 06/03/2011 03:55 PM, Jesus Cea wrote:
I guess tor.conf could have a directive such as "never connect to this port". I know my situation is a bit particular, I fully realize.
That is what feature request #3028 is all about, but this information must be published in the descriptor, because it is the client who selects all 3 hops and their order, and the client needs to be aware of these restrictions when selecting relays. I suppose a feature like #3028 would only be used by very few relays and at the same time introduce larger descriptors and more complexity, so the improvement is currently probably not worth the effort.
Anyway, I am tunneling quite a bit of traffic, so I hope I am being useful, even if not useful to everybody. With your comments I am afraid that I could be punishing the network, because people trying to go through me could be unable to create some circuits in a silent way, bringing connection delays and a general sense of unreliability.
I accept suggestions.
I think it depends on how many circuits you are actually breaking. If one out of 1000 circuits through your relay is failing because you filter 443 while relaying 50Mbit/s I would find it acceptable, but I fear it is far more. Do you have any stats? (I'm not sure how to gather them.) Mike's opinion would also be very valuable on such topics.
On 03/06/11 16:13, tagnaq wrote:
If one out of 1000 circuits through your relay is failing because you filter 443 while relaying 50Mbit/s I would find it acceptable, but I fear it is far more. Do you have any stats? (I'm not sure how to gather them.) Mike's opinion would also be very valuable on such topics.
If somebody can tell me where to look...
Thus spake Jesus Cea (jcea@jcea.es):
On 03/06/11 16:13, tagnaq wrote:
If one out of 1000 circuits through your relay is failing because you filter 443 while relaying 50Mbit/s I would find it acceptable, but I fear it is far more. Do you have any stats? (I'm not sure how to gather them.) Mike's opinion would also be very valuable on such topics.
If somebody can tell me where to look...
You likely need to tailor your iptables rules to also log when you reject these connections: http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-...
(Paste your current 443-blocking firewall rules to the list if you need some help creating log lines for them.)
Note, this is not a great metric, because each circuit attempt will cause a connection attempt, but if a connection already exists, it will be re-used. So it is hard to use this to get a baseline of the percentage of circuits your node tends to fail from clients...
On the flip side, it will still be an interesting thing to measure, because Tor relay TLS connections are actually bi-directional, meaning that if a relay successfully connects *to* you, you will use that connection for circuits destined for that relay as opposed to trying to make a new connection. With time, you may actually end up connected to most/all of the 443 relays anyway. It would be interesting to see if you are actually blocking any connection attempts at all after being up for a long time. You should end up connected to most/all relays at some point.
P.S. Not sure what your rules are, but you should really be using the REJECT target, not the DROP target, for satisfying your crazy ISP's policy. DROP will force clients to wait to register a timeout for their circuit, whereas a REJECT will cause them to get a fail reason back. The REJECT is thus way better for performance of clients: http://www.readmespot.com/question/f/157375/iptables--reject-vs-drop
P.P.S. Your ISP is really crazy. Have you thought about giving them a link to a torstatus directory of Tor IPs so they can feed it to their stupid IDS to whitelist for purposes of outgoing connections? We can probably induce torstatus to produce a csv of this IP set if it would help.
On Sat, 4 Jun 2011 01:31:10 -0700 Mike Perry mikeperry@fscked.org wrote:
Thus spake Jesus Cea (jcea@jcea.es):
On 03/06/11 16:13, tagnaq wrote:
If one out of 1000 circuits through your relay is failing because you filter 443 while relaying 50Mbit/s I would find it acceptable, but I fear it is far more. Do you have any stats? (I'm not sure how to gather them.) Mike's opinion would also be very valuable on such topics.
If somebody can tell me where to look...
You likely need to tailor your iptables rules to also log when you reject these connections: http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-...
This is a *very* dangerous thing for *any* relay to do. Does iptables have support for ‘counters’?
P.P.S. Your ISP is really crazy.
I think ‘evil’ is more appropriate here -- on the other hand, ‘sufficiently advanced cluelessness is indistinguishable from malice’.
Have you thought about giving them a
link to a torstatus directory of Tor IPs so they can feed it to their stupid IDS to whitelist for purposes of outgoing connections? We can probably induce torstatus to produce a csv of this IP set if it would help.
If, as Moritz Bartl said, his ISP's current Terms of Service for new customers explicitly prohibit Tor, they are likely to respond to this by making up an excuse to turn off his server completely.
Robert Ransom
If somebody can tell me where to look...
You likely need to tailor your iptables rules to also log when you reject these connections: http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-...
This is a *very* dangerous thing for *any* relay to do. Does iptables have support for ‘counters’?
Yes, I first thought about a simple rule counting outgoing TCP SYN packets, but I didn't suggest it because I thought there are better ways via the control port, and as Mike said, if you already have a connection to relay foo, new circuits using relay foo won't result in new connection attempts.
You can count outgoing connection attempts to port 443 from tor like this:
iptables -I OUTPUT -m owner --uid-owner yourtorUID -p tcp --syn --dport 443
The counter can be inspected by looking at the iptables -vL output.
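Reading the counter by eye answers "how many", but tagnaq's earlier question was really "what fraction of connection attempts", and a counter without logging avoids the hazard Robert raises. The script below is an added example, not from the thread: it parses the output of `iptables -vnxL OUTPUT` (exact counters) and forms that ratio. It assumes two target-less counting rules ahead of the REJECT rule, tagnaq's `--dport 443` rule plus a second one without `--dport` that counts every outbound SYN from the tor user; that second rule is an assumption added here for the baseline. The listing embedded in the script is a constructed sample of what iptables prints, with a made-up UID of 105, not real firewall output.

```python
"""Turn iptables counters into "what fraction of tor's outbound connection
attempts hit the port-443 filter".

Added example, not from the thread. It assumes two counting rules (no
target, so they only count) in front of the REJECT rule:

    iptables -I OUTPUT -m owner --uid-owner <tor uid> -p tcp --syn
    iptables -I OUTPUT -m owner --uid-owner <tor uid> -p tcp --syn --dport 443

The first (all outbound SYNs from the tor user) is added here as a baseline.
SAMPLE_LISTING is a constructed 'iptables -vnxL OUTPUT' listing.
"""
import re

# Every rule line starts with exact packet and byte counters (-x), then the
# optional target and the match description. A rule with no target has an
# empty target column, so split with a regex rather than by column index.
RULE_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.*)$")
DPORT = re.compile(r"\bdpt:(\d+)\b")
TARGETS = ("ACCEPT", "DROP", "REJECT", "LOG", "RETURN")


def parse_rules(listing):
    """Return (packets, bytes, description) for each rule line; the chain
    header and the column header carry no leading counters and are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rules


def syn_attempt_ratio(listing, uid, port=443):
    """Return (attempts_to_port, all_attempts, ratio) for SYNs sent by uid.
    The counting rules are recognised by the owner match and by the way
    iptables renders --syn; the one without a dpt: match is the baseline."""
    owner = f"owner UID match {uid}"
    syn = "flags:0x17/0x02"  # --syn: SYN set, FIN/RST/ACK clear
    to_port = total = None
    for pkts, _bytes, desc in parse_rules(listing):
        if owner not in desc or syn not in desc:
            continue
        if desc.split()[0] in TARGETS:
            continue  # an enforcing rule, not a counter
        m = DPORT.search(desc)
        if m and int(m.group(1)) == port:
            to_port = pkts
        elif not m:
            total = pkts
    if to_port is None or total is None:
        raise ValueError("counting rules for this uid not found in listing")
    return to_port, total, (to_port / total if total else 0.0)


# Constructed sample listing (tor running as UID 105): baseline counter,
# port-443 counter, then the REJECT rule that actually enforces the filter.
SAMPLE_LISTING = """\
Chain OUTPUT (policy ACCEPT 9184421 packets, 6120932855 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  482913  28974780            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 105 tcp flags:0x17/0x02
     211     12660            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 105 tcp dpt:443 flags:0x17/0x02
     211     12660 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 flags:0x17/0x02 reject-with tcp-reset
"""

if __name__ == "__main__":
    hit, every, ratio = syn_attempt_ratio(SAMPLE_LISTING, 105)
    print(f"{hit} of {every} outbound SYNs from tor went to port 443 ({ratio:.4%})")
```

The sample's enforcing rule uses `REJECT --reject-with tcp-reset`, which is Mike's point above about REJECT over DROP: the peer sees a RST at once instead of waiting out a timeout. Because an already-open TLS connection is reused for later circuits, the ratio undercounts circuits affected, as Mike also notes; it is a floor, not the exact failure rate.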
On 06/03/2011 03:55 PM, Jesus Cea wrote:
With your comments I am afraid that I could be punishing the network, because people trying to go through me could be unable to create some circuits in a silent way, bringing connection delays and a general sense of unreliability.
I accept suggestions.
Do you use arm [1] on your relay? You could have a quick look if you have outbound connections to the top 10 443 relays.
[1] http://www.atagar.com/arm/
On 06/03/2011 02:45 PM, Jesus Cea wrote:
I run a TOR node in OVH (France). They shut down my server several times because it was "hacked" in the sense of "we don't think a server should make outgoing port 443 connections". After a lot of complaints and arguments, and a dozen shutdowns, I restricted my node to NON-EXIT, and filter my 443 outgoing at FW level, because even connecting to port 443 of other TOR nodes was considered "you have a compromised machine".
Do you have a specific reason to stay with OVH, or why did you choose this ISP? Is it particularly cheap, or what positive arguments are there to stay with this ISP?
On 03/06/11 16:49, tagnaq wrote:
Do you have a specific reason to stay with OVH, or why did you choose this ISP? Is it particularly cheap, or what positive arguments are there to stay with this ISP?
Cheap, and I have been there for years.
New contracts have a traffic limit after which your port speed is decreased to 10Mbps, but I have an old contract with 100Mbps and no traffic limit, so I am a bit reluctant to move away. I actually move 100Mbps, 24x7. I know this machine is going to die eventually, or that OVH is going to push a new contract on me someday. But not yet.
On 03.06.2011 16:49, tagnaq wrote:
On 06/03/2011 02:45 PM, Jesus Cea wrote:
I run a TOR node in OVH (France).
Do you have a specific reason to stay with OVH, or why did you choose this ISP? Is it particularly cheap, or what positive arguments are there to stay with this ISP?
OVH has cheap deals for unmetered servers. They explicitly prohibit Tor in their AUP.
ah le french :P
zhey probably forgot to firewall that hadopi shit out :P
193.105.197.0/24#FARM08#RIPE-CBLK
193.107.240.0/22#FARM08#RIPE-CBLK
195.191.244.0/23#FARM08#RIPE-CBLK3
91.189.104.0/21#FARM04#91-RIPE
109.201.155.0/26#SECUREST_LTD#109-RIPE
77.247.176.0/27#SECUREST_LTD#77-RIPE
77.247.176.192/26#SECUREST_LTD#77-RIPE
77.247.177.0/25#SECUREST_LTD#77-RIPE
77.247.177.128/25#SECUREST_LTD#77-RIPE
77.247.179.0/27#SECUREST_LTD#77-RIPE
77.247.179.192/26#SECUREST_LTD#77-RIPE
77.247.181.128/28#SECUREST_LTD#77-RIPE
77.247.182.128/28#SECUREST_LTD#77-RIPE
77.247.183.128/28#SECUREST_LTD#77-RIPE
77.247.183.192/26#SECUREST_LTD#77-RIPE
85.159.232.80/28#SECUREST_LTD#85-RIPE
85.159.236.240/28#SECUREST_LTD#85-RIPE
82.138.70.128/26#TRIDENT-MEDIAGUARD-NET-1#82-RIPE
82.138.74.0/25#TRIDENT-MEDIAGUARD-NET-2#82-RIPE
Securest being a zionist run contractor of TMG, so just block them too.
if you need the entire list of MAFIAA idiots, just contact me off list :P
[1] https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment
On Thu, Jun 02, 2011 at 05:22:13PM +0000, George Gemelos wrote:
Is there a further reduced set that might be better, in the sense of avoiding complaints, and still remain useful as an exit node?
You could get your toes wet by "accept *:80, accept *:443, reject *:*". That would let people browse the web through you, which is very useful, while somewhat reducing the variety of abuse complaints you might get.
Then if it goes well for a while, you could open up a few more ports.
Also, if later your ISP decides that it's getting too much mail and asks you to quit it, you can tell them about the time you allowed only web browsing and they didn't mind -- then you have something to fall back to that isn't just being a non-exit.
--Roger
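Roger's "accept *:80, accept *:443, reject *:*" reads naturally, but the thing to internalise about Tor exit policies is that rules are evaluated in order, the first match decides, and anything no rule matches is rejected. The class below is an added example, not tor's own policy code, that evaluates a policy string written in torrc's comma-separated ExitPolicy form against a destination address and port. It handles IPv4 addresses, CIDR networks, single ports, port ranges and the `*` wildcard; the bracketed IPv6 form and ExitPolicyRejectPrivate are deliberately left out. The addresses used in the usage section are RFC 5737 documentation ranges.

```python
"""Evaluate a Tor ExitPolicy the way the relay does: rules are checked in
order, the first whose address and port patterns match decides, and a
destination no rule matches is rejected (tor appends "reject *:*" itself).

Added example, not tor's own code. IPv4 only; no bracketed IPv6 form and
no ExitPolicyRejectPrivate handling.
"""
import ipaddress


class ExitPolicy:
    def __init__(self, policy_text):
        # torrc accepts the rules comma-separated on one ExitPolicy line
        self.rules = [self._parse_rule(r) for r in policy_text.split(",") if r.strip()]

    @staticmethod
    def _parse_rule(rule):
        """'accept 192.0.2.0/24:80-81' -> (True, network, 80, 81)."""
        action, pattern = rule.split()
        if action not in ("accept", "reject"):
            raise ValueError(f"bad action in rule: {rule!r}")
        addr, ports = pattern.rsplit(":", 1)
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            low, high = 1, 65535
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-", 1))
        else:
            low = high = int(ports)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range in rule: {rule!r}")
        return action == "accept", network, low, high

    def allows(self, address, port):
        """True if a stream to address:port would be permitted to exit."""
        ip = ipaddress.ip_address(address)
        for accept, network, low, high in self.rules:
            if (network is None or ip in network) and low <= port <= high:
                return accept
        return False  # implicit trailing reject *:*

    def summary(self, ports=(22, 25, 80, 443, 8080)):
        """Verdict per common port for an ordinary public address; handy for
        eyeballing what a policy really exposes before publishing it."""
        return {p: self.allows("198.51.100.1", p) for p in ports}


if __name__ == "__main__":
    web_only = ExitPolicy("accept *:80, accept *:443, reject *:*")
    print("web-only:", web_only.summary())
    # A reject placed ahead of an accept wins for the network it names.
    mixed = ExitPolicy("reject 192.0.2.0/24:*, accept *:80-81, reject *:*")
    print("192.0.2.5:80 ->", mixed.allows("192.0.2.5", 80))
    print("198.51.100.1:81 ->", mixed.allows("198.51.100.1", 81))
```

The ordering rule is the one that bites in practice: a `reject` for a specific network has to come before the broad `accept *:80`, or it never fires. The same evaluator can be pointed at the exit policy a relay publishes to check that what went into torrc is what the network will see.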
-----Original Message----- From: tor-relays-bounces@lists.torproject.org [mailto:tor-relays- bounces@lists.torproject.org] On Behalf Of Roger Dingledine Sent: Thursday, June 02, 2011 2:47 PM To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] Exit policy question
On Thu, Jun 02, 2011 at 05:22:13PM +0000, George Gemelos wrote:
Is there a further reduced set that might be better, in the sense of avoiding complaints, and still remain useful as an exit node?
You could get your toes wet by "accept *:80, accept *:443, reject *:*". That would let people browse the web through you, which is very useful, while somewhat reducing the variety of abuse complaints you might get.
Then if it goes well for a while, you could open up a few more ports.
Also, if later your ISP decides that it's getting too much mail and asks you to quit it, you can tell them about the time you allowed only web browsing and they didn't mind -- then you have something to fall back to that isn't just being a non-exit.
--Roger
I was actually thinking of just allowing 80 and 443. My only concern was that I was not sure how useful an exit node with just 80 and 443 would be.
Thus spake George Gemelos (gmg@gemelos.com):
On Thu, Jun 02, 2011 at 05:22:13PM +0000, George Gemelos wrote:
Is there a further reduced set that might be better, in the sense of avoiding complaints, and still remain useful as an exit node?
You could get your toes wet by "accept *:80, accept *:443, reject *:*". That would let people browse the web through you, which is very useful, while somewhat reducing the variety of abuse complaints you might get.
Then if it goes well for a while, you could open up a few more ports.
Also, if later your ISP decides that it's getting too much mail and asks you to quit it, you can tell them about the time you allowed only web browsing and they didn't mind -- then you have something to fall back to that isn't just being a non-exit.
I was actually thinking of just allowing 80 and 443. My only concern was that I was not sure how useful an exit node with just 80 and 443 would be.
For the current consensus, according to the extra-info documents parsed by: https://gitweb.torproject.org/torflow.git/blob_plain/HEAD:/NetworkScanners/s... nodes running the default policy have a port bytecount breakdown like:
Default exit blutmagie4 read 604.3M:      80: 68.6%   other: 25.8%   443: 3.1%   51413: 0.6%   55315: 0.5%   59776: 0.3%
Default exit blutmagie4 wrote 96.2M:      other: 81.4%   80: 12.1%   443: 3.4%   51413: 1.5%   44596: 1.4%   4000: 0.1%
Default exit rainbowwarrior read 736.8M:  other: 70.2%   80: 24.6%   443: 1.1%   51413: 1.1%   6881: 1.0%   35691: 0.5%
Default exit rainbowwarrior wrote 277.0M: other: 92.1%   51413: 1.9%   80: 1.8%   6881: 1.4%   33526: 1.0%   4662: 1.0%
Default exit politkovskaja read 520.5M:   other: 72.6%   80: 23.6%   443: 1.0%   51413: 0.9%   6881: 0.7%   54909: 0.4%
Default exit politkovskaja wrote 192.4M:  other: 92.0%   4662: 1.7%   80: 1.6%   6881: 1.4%   51413: 1.3%   6995: 0.6%
Whereas nodes running the reduced exit policy have a port bytecount breakdown like:
Misc Exit raidz read 327.3M:    80: 92.0%   443: 4.6%   8333: 1.4%   8080: 0.7%   563: 0.4%   81: 0.4%
Misc Exit raidz wrote 11.6M:    80: 65.4%   443: 21.5%   8333: 10.5%   other: 2.3%   8080: 0.2%   563: 0.1%
Misc Exit zeller read 315.4M:   80: 94.6%   443: 4.4%   8080: 0.3%   81: 0.2%   8000: 0.2%   other: 0.1%
Misc Exit zeller wrote 11.2M:   80: 71.6%   443: 22.4%   21: 4.5%   other: 0.9%   8000: 0.3%   8333: 0.2%
Misc Exit Amunet2 read 182.1M:  80: 93.4%   443: 5.4%   8080: 0.6%   other: 0.2%   81: 0.2%   995: 0.1%
Misc Exit Amunet2 wrote 6.3M:   80: 71.6%   443: 26.5%   other: 1.1%   22: 0.6%   8080: 0.1%   995: 0.0%
So if you've already committed to the reduced exit policy, 95%+ of the traffic will be 80+443.
P.S. Odd that the blutmagie nodes all appear to be reading quite a lot of port 80 data when compared to other default exits. Perhaps some scrapers have hardcoded them as their favorite exits?
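Mike's breakdown is derived from the exit statistics relays publish in their extra-info descriptors, and an operator can produce the same table for their own relay. The script below is an added example, not torflow's code: it parses the `exit-kibibytes-written` and `exit-kibibytes-read` lines (KiB per destination port over the stats interval, with an `other` bucket), ranks the ports the way the listing above does, and answers the question George asked, namely what share of an exit's bytes is port 80 plus 443. The extra-info excerpt inside the script is constructed for a hypothetical relay named `webonly`; its numbers are made up to resemble the "Misc Exit" rows and are not measurements.

```python
"""Reproduce the per-port byte breakdown quoted above from a relay's own
extra-info descriptor.

Added example, not torflow's code. It reads the "exit-kibibytes-written" /
"exit-kibibytes-read" lines, whose values are KiB per destination port
(plus an "other" bucket) for the stats interval. The excerpt at the bottom
is constructed, not a real descriptor.
"""
import re

EXIT_LINE = re.compile(r"^exit-kibibytes-(written|read) (\S+)$")


def parse_exit_stats(extra_info):
    """Return {"written": {port: kib, ...}, "read": {...}}. Ports stay as
    strings so the "other" bucket lives alongside the numeric ones."""
    stats = {}
    for line in extra_info.splitlines():
        m = EXIT_LINE.match(line)
        if not m:
            continue
        direction, body = m.groups()
        stats[direction] = {p: int(k) for p, k in (item.split("=") for item in body.split(","))}
    return stats


def breakdown(counts, top=6):
    """(total KiB, [(port, percent), ...]) for the heaviest ports, largest first."""
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:top]
    return total, [(port, 100.0 * kib / total) for port, kib in ranked]


def share(counts, ports):
    """Percent of bytes on the given ports: the "how much is 80+443" question."""
    total = sum(counts.values())
    return 100.0 * sum(k for p, k in counts.items() if p in ports) / total


def report(nickname, stats):
    """One line per direction in the style of the listing above (M = MiB)."""
    lines = []
    for direction in ("read", "written"):
        total, top = breakdown(stats[direction])
        ports = "  ".join(f"{p}: {pct:.1f}%" for p, pct in top)
        lines.append(f"Exit {nickname} {direction} {total / 1024:.1f}M  {ports}")
    return "\n".join(lines)


# Constructed extra-info excerpt for a hypothetical relay on a web-only
# policy; the fingerprint is a placeholder and the byte counts are invented.
SAMPLE_EXTRA_INFO = """\
extra-info webonly 0123456789ABCDEF0123456789ABCDEF01234567
published 2011-06-03 12:00:00
exit-stats-end 2011-06-03 00:00:00 (86400 s)
exit-kibibytes-written 80=8192,443=2048,8333=1024,other=256
exit-kibibytes-read 80=286720,443=15360,8080=2048,81=1024,other=512
exit-streams-opened 80=40000,443=6000,8080=300,81=100,8333=50,other=200
"""

if __name__ == "__main__":
    stats = parse_exit_stats(SAMPLE_EXTRA_INFO)
    print(report("webonly", stats))
    for direction in ("read", "written"):
        print(f"{direction}: {share(stats[direction], {'80', '443'}):.1f}% on 80+443")
```

Note the asymmetry the real rows above also show: bytes read (served to clients) are overwhelmingly port 80, while bytes written (requests going out) spread across more ports, so quote both directions when arguing with an ISP about what an exit actually carries.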
On Thu, Jun 02, 2011 at 05:47:17PM -0400, Roger Dingledine wrote:
On Thu, Jun 02, 2011 at 05:22:13PM +0000, George Gemelos wrote:
Is there a further reduced set that might be better, in the sense of avoiding complaints, and still remain useful as an exit node?
You could get your toes wet by "accept *:80, accept *:443, reject *:*". That would let people browse the web through you, which is very useful, while somewhat reducing the variety of abuse complaints you might get.
Then if it goes well for a while, you could open up a few more ports.
Also, if later your ISP decides that it's getting too much mail and asks you to quit it, you can tell them about the time you allowed only web browsing and they didn't mind -- then you have something to fall back to that isn't just being a non-exit.
Note that *:80, *:443 will still get a trickle of spam complaints, since some webmail hosts (Yahoo in particular) include a "Received: from $IP via HTTP" or equivalent, in their outbound email. Depending on the ISP, that may be enough for them to shut down your exit node.
If you can get reverse DNS and SWIP for your exit node, you'll reduce (though not eliminate) the load on your ISP's abuse address. Please do respond to complaints submitted to your whois abuse address; it's to nobody's benefit for Tor to be associated exclusively with malefactors in the minds of spamfighters.
-andy
Actually, over all those years, I've only seen a spam complaint using one of those free webmailers from Tor once...
Compared to the fucktons of complaints about the MAFIAA seeding their own crap over Tor and then complaining about it on the other end to look important, that's nothing :P
Plus, who still cares about SMTP anyway? It's pretty much dead: 300 spam mails per day and just 1 or 2 real emails a week; anything important is handled over Skype and other transports which have "friends lists" nowadays. If they don't fix their protocol to have friends lists, they have no right to complain. We're gonna completely shut down SMTP soon enough; it's old, dusty, not peer-to-peer (hardly any open relays left), insecure (no pre-approved senders/friends list), slow (greylisting), unreliable (Spamhaus idiots), and pretty much dead (number of real emails per week vs. the number of junk per hour ;).
Even more dead than those other pieces of crap from the past, FTP and Gopher :P
Anyway, an access list which allows HTTP and HTTPS but not to Hotmail/Gmail/the rest of that crap would not be too hard to make.
On Fri, Jun 03, 2011 at 12:27:08PM +0000, Sven Olaf Kamphuis wrote:
plus, who still cares about smtp anyway, its pretty much dead, 300 spam
If you think SMTP is dead, you're way out of touch with reality.
mails per day and just 1 or 2 real emails a week, anything important is
If you receive 300 spams/day, and your volume is not 50000 emails/day, there's something wrong with your spam filter.
handled over skype and other transports which have "friends lists"
Skype? That thing that's blocked on corporate networks, and the kind of company that autoinstalls malware despite explicit user's wishes? The kind of company just purchased by Microsoft, which forebodes plenty of great things in the future?
nowadays. if they don't fix their protocol to have friends lists, they have no right to complain.. we're gonna completely shut down smtp soon
Who is this 'we' kemosabe?
enough, its old, dusty, not peer 2 peer (hardly any open relays
It *WORKS*. And is an integral part of corporate communications.
left),insecure (no pre-approved senders/friends list) slow (graylisting),
Insecure? Never heard about StartTLS or PGP/S/MIME?
unreliable (spamhaus idiots), and pretty much, dead (number of real emails per week vs the number of junk per hour ;).
even more dead than that other piece of crap from the past, ftp and
Ftp is dead, too? Nobody told me.
In fact, the ftp and mail servers are the first things people yell about when they go down.
What are you going to tell us next? That nobody uses telephones, and there are no fax machines? Really? You sure?
gopher :P
anyway, an access lists which allows http and https but -not- to hotmail/gmail/rest of that crap would not be too hard to make.
P.S. As someone who bitches about email, notice you're using email, and you top-posted and failed to trim the message.
On Fri, 3 Jun 2011, Eugen Leitl wrote:
On Fri, Jun 03, 2011 at 12:27:08PM +0000, Sven Olaf Kamphuis wrote:
plus, who still cares about smtp anyway, its pretty much dead, 300 spam
If you think SMTP is dead, you're way out of touch with reality.
mails per day and just 1 or 2 real emails a week, anything important is
If you receive 300 spams/day, and your volume is not 50000 emails/day, there's something wrong with your spam filter.
No, there is something wrong with a protocol that requires "spam filters" in the first place.
handled over skype and other transports which have "friends lists"
Skype? That thing that's blocked on corporate networks, and the kind of company that autoinstalls malware despite explicit user's wishes? The kind of company just purchased by Microsoft, which forebodes plenty of great things in the future?
Whatever; Jabber, MSN, etc. all have friends lists and none of them have problems like SMTP.
nowadays. if they don't fix their protocol to have friends lists, they have no right to complain.. we're gonna completely shut down smtp soon
Who is this 'we' kemosabe?
The Republic CyberBunker / CB3ROB (AS34109/51787); I can't speak for the rest of the internet, but we conclude the same with our customers... SMTP-based email has been brought back to the bare necessity and will disappear soon enough.
enough, it's old, dusty, not peer 2 peer (hardly any open relays
It *WORKS*. And is an integral part of corporate communications.
no, it does not "work", for all the reasons described here, the people that tried to stop spam, only introduced more severe problems in the process.
left), insecure (no pre-approved senders/friends list), slow (graylisting),
Insecure? Never heard about StartTLS or PGP/S/MIME?
yeah sure, like ssl is a good idea... root exploit anyone, master keys with an enemy of the european people (america), etc.
no thanks :P
pgp, sure, but if we're gonna take -that- much trouble, might as well replace the whole protocol :P
unreliable (spamhaus idiots), and pretty much, dead (number of real emails per week vs the number of junk per hour ;).
even more dead than that other piece of crap from the past, ftp and
Ftp is dead, too? Nobody told me.
run some statistics on the number of people that install ftpd on servers would ya... it's all ssh file transfer nowadays, and http for public file transfer, google doesn't even index ftp (altavista did ;)
In fact, ftp and mail server is the first thing that people yell about when it goes down.
the reason why this happens is because there is a bunch of popups on their screen that stay there even if the pop3 server was unreachable for a minute or so.. doesn't make it a 'more popular protocol' than skype. just means that they notice any downtime, however small it may have been, even if it's a week ago :P
What are you going to tell us next? That nobody uses telephones, and there are no fax machines? Really? You sure?
do you still have a fax machine working and connected?
telephones? yeah sure but not on every desk anymore..
gopher :P
anyway, an access list which allows http and https but -not- to hotmail/gmail/rest of that crap would not be too hard to make.
P.S. As someone who bitches about email, notice you're using email, and you top-posted and failed to trim the message.
i'll post wherever the fuck i want, tyvm :P
and i'm aware that i'm using email, which doesn't necessarily mean that it's still a "live" protocol (it just means that you are abusing it for what newsgroups were intended for, and meanwhile newsgroups are being abused for what http/ftp were intended for (warez ;)
all mailservers except for a few have been removed, mx records have gone, before the end of 2011, bye bye smtp. old crap :P
--
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Fri, Jun 03, 2011 at 04:01:45PM +0000, Sven Olaf Kamphuis wrote:
no, there is something wrong with a protocol that requires "Spam filters" in the first place.
Any mature system requires a way to deal with abuse. Email has been dealing with abuse for nigh on 30 years now. It has gotten quite good at it in the process. Many more modern systems are mostly in babes-in-the-woods mode, until it hits them, out of the blue. Abuse? Nobody could have expected *that*!
handled over skype and other transports which have "friends lists"
Skype? That thing that's blocked on corporate networks, and the kind of company that autoinstalls malware despite explicit user's wishes? The kind of company just purchased by Microsoft, which forebodes plenty of great things in the future?
whatever, jabber, msn, etc all have friends lists and none of them have
I don't know what a friends list is. I presume you mean contacts.
problems like smtp.
If it allows anonymous communication, it has to deal with exactly the same problems as email. If you don't have that need, whitelisting/blacklisting, especially with digital signatures etc., is straightforward enough.
nowadays. if they don't fix their protocol to have friends lists, they have no right to complain.. we're gonna completely shut down smtp soon
Who is this 'we' kemosabe?
the republic cyberbunker / cb3rob (as34109/51787), can't speak for the rest of the internet but we conclude the same with our customers... smtp based email has been brought back to the bare necessity and will disappear soon enough.
If it works for you and you get to hand-pick your customers, sure. Few people are so lucky.
enough, its old, dusty, not peer 2 peer (hardly any open relays
It *WORKS*. And is an integral part of corporate communications.
no, it does not "work", for all the reasons described here, the people that tried to stop spam, only introduced more severe problems in the process.
Any system allowing anonymous communication has to deal with abuse, and false positives. There is no free lunch, unfortunately.
Insecure? Never heard about StartTLS or PGP/S/MIME?
yeah sure, like ssl is a good idea... root exploit anyone, master keys with an enemy of the european people (america), etc.
I don't see the problem in practice. E.g. a major pharma customer audited us, asked for mandatory StartTLS, supplied CA/cert information out of band, problem solved. It's all security theater anyway, so insisting on Thawte doesn't offer you anything else than warm fuzzies. Nothing wrong with that, especially if paying customers insist on warm fuzzies. Hooray to warm fuzzies. Keeps the butter on your bread.
no thanks :P
pgp, sure, but if we're gonna take -that- much trouble, might as well replace the whole protocol :P
But people routinely run e.g. server-side PGP encryption as corporate policy. Of course the protocol is braindead. But it works, and StartTLS and application layer encryption do offer an additional layer of defense.
Ftp is dead, too? Nobody told me.
run some statistics on the number of people that install ftpd on servers would ya... it's all ssh file transfer nowadays, and http for public file transfer, google doesn't even index ftp (altavista did ;)
Most of our customers haven't even heard of sftp/scp. Wait, most of our developers haven't heard of sftp/scp. I'm still surprised they've heard of sockets. And TCP/IP, what do you mean by IPv4? And networks are *always* octet-aligned, blessed their little hearts.
In fact, ftp and mail server is the first thing that people yell about when it goes down.
the reason why this happens is because there is a bunch of popups on their screen that stay there even if the pop3 server was unreachable for
No, the typical reason is the server is silently broken, and they realize it is because no mail is coming in. I'm not kidding, email is almost as business-critical for most companies as telephone (no VoIP, strictly POTS) is.
a minute or so.. doesn't make it a 'more popular protocol' than skype.
As another anecdote, nobody on our networks uses Skype (because they couldn't). Not a single of our customers uses Skype (they do use WebEx, with POTS conferencing).
just means that they notice any downtime, however small it may have been, even if its a week ago :P
What are you going to tell us next? That nobody uses telephones, and there are no fax machines? Really? You sure?
do you still have a fax machine working and connected?
Absolutely. I use it routinely, so do many other people. My in-laws and wife's business is 95% dead tree facsimile.
telephones? yeah sure but not on every desk anymore..
Most assuredly telephones. People insist on having functions I don't even want to understand. Yet they use these. Most curious.
P.S. As someone who bitches about email, notice you're using email, and you top-posted and failed to trim the message.
i'll post wherever the fuck i want, tyvm :P
Just pointing out you're abusing a poor old protocol unnecessarily ;p
and i'm aware that i'm using email, which doesn't necessarily mean that it's still a "live" protocol (it just means that you are abusing it for what newsgroups were intended for, and meanwhile newsgroups are being abused for what http/ftp were intended for (warez ;)
Usenet does fine, last time I looked (about a decade ago, admittedly). In fact, I hear S/N has improved quite a bit since most people forgot it still exists. IRC does fine. Many old, strange things are still alive.
all mailservers except for a few have been removed, mx records have gone, before the end of 2011, bye bye smtp. old crap :P
Works for you, great. I try something like that, first I lose my job (is that a downside? waitaminute...), then the company goes out of business.
On Fri, 3 Jun 2011 16:01:45 +0000 (UTC) Sven Olaf Kamphuis sven@cb3rob.net allegedly wrote:
P.S. As someone who bitches about email, notice you're using email, and you top-posted and failed to trim the message.
i'll post wherever the fuck i want, tyvm :P
I think you may have mis-interpreted the meaning of "top-posting". And the rest of your rant suggests that may not be all you don't understand.
And try to stay polite. It helps.
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt
---------------------------------------------------------------------
On Sat, Jun 4, 2011 at 11:24 AM, mick mbm@rlogin.net wrote:
I think you may have mis-interpreted the meaning of "top-posting". And the rest of your rant suggests that may not be all you don't understand.
He did, maybe he's not familiar with mailing lists, so here is info about top-posting: http://idallen.com/topposting.html
Also, to everyone who complains about top posting, stop using mutt and get an email client with conversation threading, it is much more comfortable.
To the OP, the amount of complaints you will have also depends on your ISP. Go to torstatus and copy the emails of everyone with your ISP. (copy the emails of people in your country, and then check who has the same ISP with whois). Select only the ones that are exit nodes. Send them an email asking for advice, and if they had any trouble with the ISP before.
Read your ISP's acceptable use policy and check if it says something about Tor or proxy servers. If not, maybe it isn't a bad idea to contact them and get confirmation that it is OK to run an exit node. Remember to put the Tor exit notice on the IP address on port 80, this one: https://gitweb.torproject.org/tor.git?a=blob_plain;hb=HEAD;f=contrib/tor-exi...
On Sat, Jun 04, 2011 at 12:57:15PM -0300, Javier Bassi wrote:
Also, to everyone who complains about top posting, stop using mutt and
Mutt does threading fine, thanks.
get an email client with conversation threading, is much more comfortable.
Threading doesn't help with trimming and local reply context. As long as MUAs don't pass the Turing test that's each poster's work, I'm afraid.
OVH is a cheap French hoster, something like Hetzner, only technically less competent. Hetzner does seem to tolerate Tor exits now, at least several are listed on http://proxy.org/tor.shtml
[offtopic] On Sat, Jun 4, 2011 at 1:12 PM, Eugen Leitl eugen@leitl.org wrote:
Threading doesn't help with trimming and local reply context. As long as MUAs don't pass the Turing test that's each poster's work, I'm afraid.
I know, but the reason why people prefer bottom-posting is because top-posting forces the reader to work, who has to go down in the same email to see what the last email was. (Also the bandwidth, but that was in the 90s.) If you use an email client with threading, of course it will not trim your message, but you will not care if someone top-posts or bottom-posts because you will never lose the conversation thread. That's why it is common for Gmail people not to know what top-posting and bottom-posting are. Gmail even hides the old text when someone top-posted. That's why their threading style has solved the top-bottom controversy (at least for its users). (Yes, they have all my emails and insist on having my non-existent cellphone number. I would go away if I found an email client that is as comfortable as the Gmail web interface. But I didn't find one. I'm trapped =P) [/offtopic]
On Sat, Jun 4, 2011 at 11:24 AM, mick mbm@rlogin.net wrote:
I think you may have mis-interpreted the meaning of "top-posting". And the rest of your rant suggests that may not be all you don't understand.
He did, maybe he's not familiar with mailing lists, so here is info about top-posting: http://idallen.com/topposting.html
Also, to everyone who complains about top posting, stop using mutt and get an email client with conversation threading, it is much more comfortable.
To the OP, the amount of complaints you will have also depends on your ISP. Go to torstatus and copy the emails of everyone with your ISP. (copy the emails of people in your country, and then check who has the same ISP with whois). Select only the ones that are exit nodes. Send them an email asking for advice, and if they had any trouble with the ISP before.
Read your ISP's acceptable use policy and check if it says something about Tor or proxy servers. If not, maybe it isn't a bad idea to contact them and get confirmation that it is OK to run an exit node. Remember to put the Tor exit notice on the IP address on port 80, this one: https://gitweb.torproject.org/tor.git?a=blob_plain;hb=HEAD;f=contrib/tor-exit-notice.html
Thanks for the advice. For now, I decided to set up an exit for port 80 and 443 only. I will probably leave it like this for a while and see how it goes. If all goes well I will switch over to the reduced exit policy. Thanks for all the advice.
mick, My IP address resolves to "tor-proxy" and I have the Tor webpage set up on port 80. I have also spoken with my hosting company and they said that they did not have a policy against Tor. They told me that if they receive a lot of complaints, they might set up an ACL on specific ports. Their official response was therefore to give it a try and see how it goes. I guess worst case I can switch back to a middle node. They are a small company with great customer service, so I think they will try to be accommodating. I did check for them on the network status page looking for relays which resolved to their domain, not the best method, and only found two other nodes, both middle.
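A worked illustration of the first-match ExitPolicy semantics behind the web-only (80/443) policy George settled on, added here as an example; it is not code from the thread or from Tor itself. The torrc fragment and the test addresses (TEST-NET and RFC 1918 ranges) are constructed, and the rule grammar follows the torrc ExitPolicy syntax (`accept|reject ADDR[/MASK]:PORT`, with `*` for any address or port and `lo-hi` for a port range); IPv4 rules only, `accept6`/`reject6` are not handled.

```python
"""Evaluate a Tor-style ExitPolicy: rules are tried top to bottom and the
first one matching the destination address and port decides.

Added example, not code from the tor-relays thread or from Tor.  IPv4
rules only; accept6/reject6 are out of scope here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed torrc fragment: the web-only policy discussed in the thread.
WEB_ONLY_TORRC = """
# Exit only to the two web ports, reject everything else.
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
"""

# With ExitPolicyRejectPrivate (Tor's default) exits to these ranges are
# refused before the operator's own rules are consulted.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


@dataclass(frozen=True)
class Rule:
    accept: bool
    net: Optional[ipaddress.IPv4Network]  # None stands for '*'
    lo: int
    hi: int

    def matches(self, ip: ipaddress.IPv4Address, port: int) -> bool:
        if self.net is not None and ip not in self.net:
            return False
        return self.lo <= port <= self.hi


def parse_rule(text: str) -> Rule:
    """Parse one rule such as 'accept *:80', 'reject 198.51.100.0/24:*'
    or 'accept *:6660-6669'."""
    verb, _, target = text.strip().partition(" ")
    if verb not in ("accept", "reject"):
        raise ValueError(f"unknown verb in rule: {text!r}")
    addr, _, ports = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return Rule(verb == "accept", net, lo, hi)


def parse_torrc_policy(torrc_text: str) -> List[Rule]:
    """Collect ExitPolicy lines from a torrc; Tor also allows several
    comma-separated rules on one ExitPolicy line."""
    rules: List[Rule] = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key != "ExitPolicy":
            continue
        rules.extend(parse_rule(r) for r in value.split(","))
    return rules


def exit_allowed(rules: List[Rule], ip: str, port: int,
                 reject_private: bool = True) -> bool:
    """Return True if a stream to ip:port would be allowed to exit."""
    addr = ipaddress.ip_address(ip)
    if reject_private and any(addr in net for net in PRIVATE_NETS):
        return False
    for rule in rules:
        if rule.matches(addr, port):
            return rule.accept
    # Nothing matched: Tor appends its default policy, which ends in
    # 'reject *:*', so an unmatched destination is rejected.
    return False


if __name__ == "__main__":
    policy = parse_torrc_policy(WEB_ONLY_TORRC)
    for port in (80, 443, 25, 6667):
        print(f"203.0.113.5:{port} -> {exit_allowed(policy, '203.0.113.5', port)}")
```

Tor evaluates ExitPolicy lines in order and appends its own default policy, which ends in `reject *:*`; the evaluator treats an unmatched destination the same way, so a policy that forgets the final reject still behaves as the thread expects. For the exit notice mentioned earlier in the thread, Tor's `DirPortFrontPage` option serves an HTML file on the DirPort, which is how the notice can be published on port 80 without running a separate web server.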
mick, My IP address resolves to "tor-proxy"
having non-existent reverse dns entries causes a lot of services that do PTR->A record matching to slow down or refuse service.
you might want to add some domain name (and not use the domain of your isp for that ;) :P
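The PTR->A matching Sven describes, implemented as an added example (not code from the thread) so an operator can verify a relay's own address before enabling exits: look up the PTR for the IP, resolve that name forward again, and confirm the original IP is among the answers. The answer table, addresses and host names below are constructed placeholders, and `system_resolver` is the hypothetical live variant that uses the OS resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a relay address.

Added example, not code from the tor-relays thread.  Services that do
PTR->A matching resolve the PTR for a connecting IP, resolve that name
forward, and slow down or refuse service when the IP is not among the
forward answers.  The resolver is injectable so the logic runs offline
against a constructed table; pass system_resolver for a live check.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Answer = Tuple[Optional[str], List[str]]  # (ptr_name or None, forward IPs)


@dataclass
class RdnsResult:
    ip: str
    ptr_name: Optional[str]   # None when there is no PTR record at all
    forward_ips: List[str]    # A/AAAA answers for ptr_name
    confirmed: bool           # True only when ip is among forward_ips

    def describe(self) -> str:
        if self.ptr_name is None:
            return f"{self.ip}: no PTR record (FCrDNS-checking services may delay or refuse)"
        if self.confirmed:
            return f"{self.ip}: PTR {self.ptr_name} resolves back to {self.ip}: OK"
        return (f"{self.ip}: PTR {self.ptr_name} does not resolve back "
                f"(forward answers: {self.forward_ips or 'none'})")


def system_resolver(ip: str) -> Answer:
    """Live lookups through the OS resolver (hypothetical helper, needs network)."""
    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None, []
    try:
        forward = sorted({info[4][0] for info in socket.getaddrinfo(ptr, None)})
    except socket.gaierror:
        forward = []
    return ptr, forward


def check_fcrdns(ip: str, resolver: Callable[[str], Answer] = system_resolver) -> RdnsResult:
    """Run the PTR -> forward -> compare sequence for one address."""
    ptr, forward = resolver(ip)
    return RdnsResult(ip, ptr, forward, ptr is not None and ip in forward)


# Constructed answer table for offline use (TEST-NET addresses and
# placeholder names; not real DNS data).
FAKE_DNS: Dict[str, Answer] = {
    "203.0.113.10": ("tor-proxy.example.org", ["203.0.113.10"]),  # consistent
    "203.0.113.11": ("tor-proxy.example.org", ["203.0.113.10"]),  # PTR exists, forward disagrees
    "203.0.113.12": (None, []),                                    # no PTR at all
}


def fake_resolver(ip: str) -> Answer:
    return FAKE_DNS.get(ip, (None, []))


def audit(ips: List[str], resolver: Callable[[str], Answer] = fake_resolver) -> List[RdnsResult]:
    """Check several addresses and return one result per address."""
    return [check_fcrdns(ip, resolver) for ip in ips]


if __name__ == "__main__":
    for result in audit(list(FAKE_DNS)):
        print(result.describe())
```

Only the first entry passes: the second has a PTR whose forward lookup points at a different address, which FCrDNS-checking services treat the same as a missing record, and the third has no PTR, the situation the thread warns about. The forward lookup deliberately collects every A/AAAA answer, since a name that round-robins over several addresses is still confirmed as long as the connecting IP is one of them.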
-----Original Message-----
From: tor-relays-bounces@lists.torproject.org [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Sven Olaf Kamphuis
Sent: Saturday, June 04, 2011 4:59 PM
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Exit policy question
mick, My IP address resolves to "tor-proxy"
having non-existent reverse dns entries causes a lot of services that do PTR->A record matching to slow down or refuse service.
you might want to add some domain name (and not use the domain of your isp for that ;) :P
-- Greetings,
Sven Olaf Kamphuis,
The IP address resolves to a FQDN, tor-proxy.xxx.com, which is my own domain.
btw, when we say "secure" we don't refer to "encryption" but rather to keeping undesired elements from communicating with us :P
"secure" in terms of what you mean is accomplished by physical port/wire security, or encrypting the entire layer-2 stuff thoroughly, with something -custom- (not american-run ssl junk ;)