https://globe.torproject.org/#/relay/9DCF76179FCF47224D235ECD4A6165FED22ECE7...
So, I am running an exit node. My provider sent me an email: "This IP is infected with, or is NATting for a machine infected with s_downloaderbot-mxb". Any idea what I can do about this problem?
Now I can see my IP in my server's exit policy ...
After my "delist action" it is clean ..
http://www.senderbase.org/lookup/ip/?search_string=37.157.192.208
Do I just need to wait? And are all outgoing packets from my server still dropped?
Thanks ..
This *will* happen again. You need to have a conversation with your provider and convince them to ignore reports of this form for your exit node, or else you need to get a new provider. I would open the conversation with something like this:
| This machine is a Tor exit node, which, as part of its normal operation,
| proxies traffic for other hosts on the Internet. By design, it is impossible
| for me to identify those other hosts or communicate with their operators.
| It is one of those other hosts that was infected with s_downloaderbot-mxb.
|
| Because Tor users are very diverse, I can't guarantee that this will never
| happen again. You should expect ongoing false positives for this machine
| on all checks for malware infection, outdated operating system, etc.
|
| I have the ability to disable proxying to specific IP address ranges and
| specific TCP ports, but this should be considered a last resort tactic. It
| does not actually prevent anyone from using Tor to send spam or whatever;
| the traffic will just move to some other exit node. I also have the ability to
| limit the total bandwidth consumed by Tor.
|
| I'm happy to work with you to minimize the impact of this service on your
| network. I hope you will consider allowing it to remain in operation, as it
| is extremely valuable for people who need to conceal their official
| identities online, especially in countries where access to the Internet
| is restricted. For more information please see
| https://www.torproject.org/about/overview.html#overview
zw
Thanks for the answer. But the main question was not about the provider (it is TOR friendly). I was surprised that my IP is stored in the exit policy as "reject". I was afraid that all traffic was dropped, but now it seems all is OK. (The IP is still in the exit policy, but the chart is showing traffic.)
Thanks cmar
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Mon, Mar 30, 2015 at 11:45 AM, Cmar433 cmar433@yandex.com wrote:
Thanks for the answer. But the main question was not about the provider (it is TOR friendly). I was surprised that my IP is stored in the exit policy as "reject".
Oh! I'm sorry, I did not understand what you were asking at first.
The only way your exit node's own IP address could be in the exit policy is if someone put it there. Maybe you did that and you don't remember doing it? If you didn't do it, then you might indeed have had your node broken into, and you should consider rebuilding it from scratch.
(I can make a case for forbidding exit-to-self, particularly if the exit node runs any other services. But running other services on an exit node is a bad idea in the first place.)
zw
On Mon, Mar 30, 2015 at 12:23:21PM -0400, Zack Weinberg wrote:
The only way your exit node's own IP address could be in the exit policy is if someone put it there. Maybe you did that and you don't remember doing it? If you didn't do it, then you might indeed have had your node broken into, and you should consider rebuilding it from scratch.
(I can make a case for forbidding exit-to-self, particularly if the exit node runs any other services. But running other services on an exit node is a bad idea in the first place.)
No, this is fine and normal. Tor relays automatically add themselves to their exit policy by default.
See the ExitPolicyRejectPrivate option in the man page.
https://lists.torproject.org/pipermail/tor-announce/2008-January/000033.html
--Roger
My torrc does not contain my IP address as an exit policy, but I can see it in Globe. I read somewhere that TOR reads some blacklists and implements these blacklists in the exit policy, like central management, because I (my IP address) was in the blacklist ... But I cannot find where now. Maybe I was wrong.
No other services are running on my relays (I am running 3: 2 in the Czech Republic and 1 in Kazakhstan).
Hopefully I won't be adding too much confusion into the conversation...
When you see reject 37.157.192.208:*, it means not to accept anything sourced from your IP. For example, if you were to run a Tor client on your server that's running the relay, you would not be able to exit the Tor network from your server... But why would you, right?
This appears to be standard, as all of my relays did the same thing automagically. Nothing to worry about.
(I could be wrong.)
Oh, and if you're running 3 relays, use the MyFamily field! :)
Matt Speak Freely
On 30.03.2015 at 15:04, Cmar433 wrote:
Now I can see my IP in my server's exit policy ...
Well, you probably added that in the beginning. "reject 37.157.192.208:*" will cause your exit relay to reject any connections to the IP 37.157.192.208, which is the IP Tor is running on. That means someone on a Tor connection can't access your IP from your exit node.
This has nothing to do with the complaint you received. Anyone using Tor and happening to exit via your Tor relay will look as if he is using the IP 37.157.192.208. So if there is a machine infected with a virus or bot, it will look as if your server "37.157.192.208" is infected with that malicious software. You cannot change that if you run an exit node.
All you can do is politely inform anyone complaining; Zack's message is actually pretty well written. It is normal to receive such complaints, but you might want to check with your hoster about ignoring some of them; they usually understand what Tor is and also understand that the complaints are not caused by you.
yl
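An added example, not part of any message in this thread: a minimal first-match evaluator for IPv4 exit policy lines, showing that `reject 37.157.192.208:*` only matches connections whose destination is the relay's own address, while other destinations fall through to later rules. The policy text is constructed for illustration (the private ranges and the thread's IP, followed by a made-up operator tail), and `parse_rule`, `parse_policy` and `decide` are hypothetical helper names.

```python
import ipaddress

# Constructed sample policy: private-range rejects and the relay's own
# address (the IP from this thread) first, then a made-up operator tail.
SAMPLE_POLICY = """\
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject 37.157.192.208:*
reject *:25
accept *:*
"""

def parse_rule(line):
    """Split 'accept|reject ADDR[/MASK]:PORTSPEC' into (action, network, lo, hi)."""
    action, pattern = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action: {action!r}")
    # IPv4 only (assumption): the last ':' separates address from port spec.
    addr, _, ports = pattern.rpartition(":")
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    else:
        first, _, last = ports.partition("-")
        lo = int(first)
        hi = int(last) if last else lo
    return action, network, lo, hi

def parse_policy(text):
    """Parse one rule per non-empty line, preserving order."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]

def decide(policy, dest_ip, dest_port):
    """Return (action, rule_index) of the first rule matching the DESTINATION."""
    ip = ipaddress.ip_address(dest_ip)
    for index, (action, network, lo, hi) in enumerate(policy):
        if (network is None or ip in network) and lo <= dest_port <= hi:
            return action, index
    return None, None  # no rule matched

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for dest in [("37.157.192.208", 80), ("93.184.216.34", 443), ("93.184.216.34", 25)]:
        print(dest, decide(policy, *dest))
```
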