Hello fellow relay runners,
This morning OVH decided to kill 7 of my relays due to spamming, and block all access to all services. I ran the Reduced Exit policy for all of my relays.
Due to heightened concerns about this affecting other unrelated services I have with OVH, I had to shut down the other 3 relays. They may eventually re-appear as middle-relays.
This has cost me hundreds of dollars, as I foolishly decided to prepay on an annual basis. None of the servers were older than 2 months. Some were only a few weeks old.
The Abuse department's rationale is as follows: "Your account was suspended because 100% of your IPs are blacklisted on multiple lists for Spam and other malicious activities. This case is closed and this decision is final."
----------------------------------------------------------------------
When I first contacted OVH regarding running Tor relays, this was the response that I received from them, which does not mesh with what just happened.
"Good morning Matt,
I'm very glad to hear from you. It is very flattering to hear that you are very satisfied by our service at OVH!
We do take our network speed and hardware performance very seriously here. We are proud of our infrastructure that we have built over the years.
I do understand your concerns about setting up a Tor relay on one of our VPS. In a simple form, yes you can.
We do let our customers use our VPS as Tor relays. We have no problem in letting you do this.
However, you are allowed to use Tor but it will be at your own risk.
Rest assured that, in case of an abuse, we will not terminate your account without notice. In fact we may not even terminate your VPS. You will receive a warning from our Abuse department giving you a choice to resolve the abuse case.
Like you said, we are in a world where free speech is constantly under attack and we are committed to help as much as possible to protect this fundamental right that we all have. We will absolutely not in any case share our customers information or data to authorities without a warrant.
For any other questions or concerns, feel free to contact us at any time. We are available 24/7.
Good luck with that privacy project of yours and keep on supporting the cause of free speech!
Thank you for contacting OVH and have a wonderful day!
Colin K. Customer Advocate"
----------------------------------------------------------------------
Not that it matters anymore, but each relay was dedicated to one of the victims of the Charlie Hebdo attack. https://atlas.torproject.org/#search/4charlie
----------------------------------------------------------------------
Eventually I will get back at this... But for now, my money is gone, and all my hard work is lost.
----------------------------------------------------------------------
So... I know I'm new. And it's possible this has happened (many times) before, but... You've been warned.
Speak Freely
Hello Speak Freely,
that's not nice to hear.
Quote: "Rest assured that, in case of an abuse, we will not terminate your account without notice. In fact we may not even terminate your VPS. You will receive a warning from our Abuse department giving you a choice to resolve the abuse case"
Has OVH contacted you before because of an abuse complaint?
~Josef
OVH says no to Tor exits openly doesn't it?
Hi man,
I will try to explain to you how things went in the wrong direction for you. OVH doesn't lie, but they don't have the best support that you can find around. Anyway. In the last 15-25 days a lot of attacks were made on French ISPs, and the attacker used the Tor IP list to do one part of his sick idea. One of my nodes "in my home" was infected as well. As Linux devs need some time to patch the packages that make us vulnerable, we are just attack objects to them. In my case they used an exim4 security issue, and as this sh.. comes preinstalled with the server ISO I didn't even look at it.
You are a victim of the same thing, I guess. Classic server-side infection from some botnet. A better question is what you can do to protect your servers in the future.
1. Allow logging in to your server from one country or IP; for that I use geoip: http://www.axllent.org/docs/view/ssh-geoip/
2. Add simple 2 min settings to fail2ban: https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fai... (these settings can be used on Debian as well etc.)
3. Remove ssh password logins from your servers, use only keys
4. Set up a honeypot on your server and play their game (10-15 job): http://linuxdrops.com/how-to-set-up-a-honeypot-using-smart-and-simple-artill...
In the future I will write an Ansible playbook for this, or some bash or python script to do this on every server I use for Tor nodes.
I have run one exit node since 2014 with OVH cloud (runabove), and thanks to all the security measures I took (using some firewall settings as well) I don't have issues with them, and they respect that I take care of my servers' security.
Try the same and you will see. Block port 25 as well.
On 26 February 2015 at 02:35, I beatthebastards@inbox.com wrote:
OVH says no to Tor exits openly doesn't it?
On 26.02.2015 at 03:42, ZEROF wrote:
- Setup honey-pot on your server and play their game (10-15 job): http://linuxdrops.com/how-to-set-up-a-honeypot-using-smart-and-simple-artill...
Sounds like a good strategy.
What I don't like is the _permanent_ ban of IP addresses. Being a co-maintainer of a wiki, a mailing list and a forum, all reasonably popular, I've learned that IP addresses are no longer a reliable way to identify users. Also that malicious people have no shortage of addresses. They have plenty of them, enough to choose another one for each attack even if you don't ban the former one.
Running a strategy of banning permanently all IPs with malicious tries inevitably leads to also locking out many legitimate users. Before too long you've banned half the Internet and your server fortress is of no use anymore.
As such I started to ban only for short periods of time. A week, or a month. Works just as fine as permanent bans against attacks and legitimate users have to just wait a few days worst case to pick up services again.
Markus
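The trade-off described above, permanent bans piling up and catching legitimate users versus bans of about a week, can be seen by replaying the same login failures through both policies. This is an added example, not code from the poster or from any ban tool; the `BanTable` class, thresholds, addresses and timings are constructed assumptions.

```python
"""Permanent versus time-limited IP bans on one constructed event stream.

Added illustration of the strategy described above; all addresses and
timings are constructed sample data.
"""
from collections import defaultdict, deque

DAY = 86400
SHARED_IP = "203.0.113.50"   # constructed: an address later reused by a real user


class BanTable:
    """Ban an address after max_failures failures inside find_seconds."""

    def __init__(self, max_failures=5, find_seconds=600, ban_seconds=None):
        self.max_failures = max_failures
        self.find_seconds = find_seconds
        self.ban_seconds = ban_seconds          # None means the ban never expires
        self.failures = defaultdict(deque)      # ip -> recent failure times
        self.banned_until = {}                  # ip -> expiry time, or None

    def is_banned(self, ip, now):
        if ip not in self.banned_until:
            return False
        expiry = self.banned_until[ip]
        if expiry is not None and now >= expiry:
            del self.banned_until[ip]           # ban served, address released
            return False
        return True

    def record_failure(self, ip, now):
        if self.is_banned(ip, now):
            return
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.find_seconds:
            recent.popleft()                    # forget failures outside the window
        if len(recent) >= self.max_failures:
            permanent = self.ban_seconds is None
            self.banned_until[ip] = None if permanent else now + self.ban_seconds
            recent.clear()

    def active_bans(self, now):
        return sum(1 for ip in list(self.banned_until) if self.is_banned(ip, now))


def constructed_failures(days=60):
    """One fresh attacking address per day, plus one burst from SHARED_IP on day 2."""
    events = []
    for day in range(days):
        ip = f"198.51.100.{day}"
        events += [(day * DAY + i * 10, ip) for i in range(5)]
    events += [(2 * DAY + 3600 + i * 10, SHARED_IP) for i in range(5)]
    return sorted(events)


def simulate(ban_seconds, days=60, user_login_day=40):
    """Replay the failures; report table size at the end and whether a
    legitimate user arriving from SHARED_IP on user_login_day is refused."""
    table = BanTable(ban_seconds=ban_seconds)
    login_time = user_login_day * DAY
    user_locked_out = None
    for when, ip in constructed_failures(days):
        if user_locked_out is None and when >= login_time:
            user_locked_out = table.is_banned(SHARED_IP, login_time)
        table.record_failure(ip, when)
    return {"active_bans": table.active_bans(days * DAY),
            "user_locked_out": user_locked_out}


if __name__ == "__main__":
    print("permanent:", simulate(None))
    print("7-day ban:", simulate(7 * DAY))
```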
Hi ZEROF,
I had fail2ban, harden (which includes tiger, tripwire, logcheck, plus MANY others), all the fancy log checkers, rkhunter and clamav, unattended-upgrades, and had all logs emailed to me on a daily basis. It was tedious to go through, but I was trying to do my due diligence.
I disabled root login, changed ssh port (security through obscurity - damn right, but I kept it in the privileged range.)
-------------------
Each password was a minimum of 32 characters, alphanumeric plus symbols. No two passwords were alike, or remotely similar. (No, I didn't use keys :@)
I checked "how secure is my password", and this is the result: It would take a desktop PC about 21 quattuordecillion years to crack your password
I had to look quattuordecillion up, as my spell checker doesn't know what it means. In the US, it means 1, followed by 45 zeros. (In the UK it is 10^84, but I believe the website is American so I'm sticking with ^45)
---------------
I disabled as many services as I could reasonably tolerate. I removed world rights to as much as I could think. I did everything I could think of to make each VPS effectively useless except for running a Tor relay.
My firewall matched my Reduced Exit Policy, plus my "secret" ssh port.
----
I never thought about the honey-pot... That's a good one.
Speak Freely
So, you made a POST request to an online "passwordchecker" and they now probably have your password.
On 02/26/2015 04:24 PM, Speak Freely wrote:
Hi ZEROF,
I had fail2ban, harden (which includes tiger, tripwire, logcheck, plus MANY others), all the fancy log checkers, rkhunter and clamav, unattended-upgrades, and had all logs emailed to me on a daily basis. It was tedious to go through, but I was trying to do my due diligence.
I disabled root login, changed ssh port (security through obscurity - damn right, but I kept it in the privileged range.)
Each password was a minimum of 32 characters, alphanumeric plus symbols. No two passwords were alike, or remotely similar. (No, I didn't use keys :@)
I checked "how secure is my password", and this is the result: It would take a desktop PC about 21 quattuordecillion years to crack your password
I had to look quattuordecillion up, as my spell checker doesn't know what it means. In the US, it means 1, followed by 45 zeros. (In the UK it is 10^84, but I believe the website is American so I'm sticking with ^45)
I disabled as many services as I could reasonably tolerate. I removed world rights to as much as I could think. I did everything I could think of to make each VPS effectively useless except for running a Tor relay.
My firewall matched my Reduced Exit Policy, plus my "secret" ssh port.
I never thought about the honey-pot... That's a good one.
Speak Freely
justaguy,
Seriously, who cares?
The relays are gone. I just checked the passwords now. If you'd like, I will email you all the passwords - as it doesn't matter. They have no value as they are protecting nothing.
Oh no, I checked the password strength of a dead relay... the heavens will fall as the ether's protective shield collapses against the weight of my egregious stupidity...
Speak Freely
As a due note, anything above say 16 characters offers only theoretical protection really and making it too difficult to remember (ie making you write it down or store it elsewhere) can decrease the security.
Also, too much "hardening" can be a bad thing. Me and my partner in running our services (s7r) take care not to go overboard on security and matters. Get the ssh to disable root, allow for a specific non-generic user only, use pub-key authentication, non-standard ports and basic hardening on things like webservers and you're golden. We have never had real problems with this simple approach and if we have ever suspected a breach we would simply reinstall the whole system.
Regarding OVH: I have a very good relationship with OVH and have a partner agreement in place with them at the moment (my company launches in the coming weeks). Generally the agreement I have is that they will host whatever is legal - nothing more nothing less, so I am quite surprised at this hair trigger sensitivity. I'll bring the matter up with them if that's ok with you, and see if I can get the senior support people to look into it since they generally have much more power than retail support staff. Of course still proceed with the chargeback even if you are happy for me to do this, but for what it's worth extracting a definitive statement from them regarding Tor can't hurt.
T
On 26/02/2015 15:41, Speak Freely wrote:
justaguy,
Seriously, who cares?
The relays are gone. I just checked the passwords now. If you'd like, I will email you all the passwords - as it doesn't matter. They have no value as they are protecting nothing.
Oh no, I checked the password strength of a dead relay... the heavens will fall as the ether's protective shield collapses against the weight of my egregious stupidity...
Speak Freely
-- Activist, anarchist and a bit of a dreamer. Keybase: https://keybase.io/thomaswhite
PGP Keys: https://www.thecthulhu.com/pgp-keys/ Current Fingerprint: E771 BE69 4696 F742 DB94 AA8C 5C2A 8C5A 0CCA 4983 Key-ID: 0CCA4983 Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0 Key-ID: EF1009F0
Twitter: @CthulhuSec XMPP: thecthulhu at jabber.ccc.de XMPP-OTR: 4321B19F A9A3462C FE64BAC7 294C8A7E A53CC966
Hi Thomas,
Please feel free to look into this. From everything I've been able to find, trivial events for each server triggered the entire account to be shut down. It would be a real shame if you fot gucked like me.
My original goal, before all of this, was to get a partner agreement with them as well. I was hoping to setup a small niche company with custom images prepackaged for immediate use. Their website stated I needed to have 12 services with them before, and I was up to 11. All I had to do was buy one more and wait another month or so before I was going to initiate contact with ovh.biz
https://www.ovh.biz/ca/en/ "Conditions of access:
You must have been an OVH customer for at least three months and have a portfolio of more than a dozen relevant products."
But, well, I can't continue with them.
Speak Freely
mostly good stuff here, I'd merely suggest you use denyhosts with ssh and keep it on standard 22 with only pubkey access enabled. Serves perfectly well and ssh brute force attempts will get blocked fairly swiftly. fail2ban can also do ssh. -Jason
I'm not a big fan of adding more complexity to "improve" security.
With fail2ban [1] you run the risk of, for example, someone bruteforcing your ssh from every exit node they can find, then your relay blocking those exits, meaning there are certain circuits that you're stopping clients from making. Instead of fail2ban I recommend using a non-standard port for SSH to defeat the majority of bruteforce attempts; this will stop pretty much all the bad ssh traffic you're seeing. Most of it is botnets and they're not very smart and won't waste time; they're looking for the low-hanging fruit (I don't have to outrun the bear, just you).
rkhunter has had a few vulns [2][3] that allowed privesc (let's use predictable filenames in /tmp!) and we all know that signature based detection is terrible anyway.
clamav has a track record [4] that should make you instantly just throw it on the fire too! If you think the data might be evil *don't* try and use your home-rolled parser to try and do in-depth analysis of it automatically!
Keep it simple: have a restricted inbound port policy and, if you can, use a hardened kernel with grsec/pax and apparmor (or your preferred MAC) profiles to help compartment and reduce the pivot room for any potential exploit if it is successful.
Also, use key auth and deny password logins for your ssh, if possible. I'd recommend that you don't use DSA or ECDSA though; if you're on a modern openssh then ed25519 is fine, otherwise use the tried-and-true RSA.
[1] - http://www.osvdb.org/search/search?search%5Bvuln_title%5D=fail2ban&searc...
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1270
[3] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4982
[4] - http://www.osvdb.org/search/search?search%5Bvuln_title%5D=clamav&search%...
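The SSH advice given in this thread (no root login, one specific non-generic user, public-key authentication with password logins denied, ed25519 or RSA keys rather than DSA or ECDSA) can be checked mechanically. This is an added example, not code from any poster or project; the list of generic account names, the finding labels and the sample inputs are constructed assumptions.

```python
"""Audit sshd_config text and authorized_keys text against the thread's advice.

Added illustration; the generic-account list and sample inputs are constructed.
"""
import shlex

# Assumption: account names treated as "generic" for the AllowUsers check.
GENERIC_USERS = {"root", "admin", "user", "test", "ubuntu", "debian"}
DISCOURAGED_KEY_TYPES = ("ssh-dss", "ecdsa-sha2-")      # DSA and ECDSA
KNOWN_KEY_TYPES = DISCOURAGED_KEY_TYPES + ("ssh-ed25519", "ssh-rsa")


def global_settings(config_text):
    """Parse the global section of sshd_config (everything before a Match block).

    Keywords are case-insensitive and sshd uses the first value it reads for a
    keyword, so later duplicates are ignored. AllowUsers lines are collected.
    """
    settings, allow_users = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        keyword = keyword.lower()
        if keyword == "match":
            break                       # conditional blocks are out of scope here
        if keyword == "allowusers":
            allow_users.extend(args)
        elif keyword not in settings and args:
            settings[keyword] = args[0].lower()
    return settings, allow_users


def audit_sshd_config(config_text):
    """Return a list of finding labels; an empty list means all checks passed."""
    settings, allow_users = global_settings(config_text)
    findings = []
    if settings.get("permitrootlogin") != "no":
        findings.append("root-login-not-disabled")
    if settings.get("passwordauthentication") != "no":
        findings.append("password-login-not-disabled")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("pubkey-auth-disabled")
    if not allow_users:
        findings.append("no-allowusers")
    for pattern in allow_users:
        name = pattern.split("@", 1)[0].lower()
        if name in GENERIC_USERS or "*" in name or "?" in name:
            findings.append(f"generic-allowusers:{pattern}")
    return findings


def key_types(authorized_keys_text):
    """Return the key type of each entry, skipping any leading options field."""
    types = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)      # keeps command="a b" as one token
        except ValueError:                  # unbalanced quote in a comment field
            tokens = line.split()
        types.append(next((t for t in tokens if t.startswith(KNOWN_KEY_TYPES)),
                          "unknown"))
    return types


def audit_keys(authorized_keys_text):
    return [f"discouraged-key-type:{t}" for t in key_types(authorized_keys_text)
            if t.startswith(DISCOURAGED_KEY_TYPES)]


# Constructed sample inputs (key material is placeholder text, not real keys).
WEAK_CONFIG = """\
Port 922
PermitRootLogin yes
AllowUsers admin
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Port 922
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers relayop
# a later duplicate does not override the first value
PasswordAuthentication yes
"""
SAMPLE_KEYS = """\
ssh-ed25519 AAAAC3placeholder relayop@laptop
command="/usr/bin/true",no-pty ssh-dss AAAAB3placeholder old-backup-key
ecdsa-sha2-nistp256 AAAAE2placeholder relayop's phone
ssh-rsa AAAAB3placeholder relayop@desktop
"""

if __name__ == "__main__":
    print(audit_sshd_config(WEAK_CONFIG))
    print(audit_sshd_config(HARDENED_CONFIG))
    print(audit_keys(SAMPLE_KEYS))
```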
On 02/25/2015 07:35 PM, Speak Freely wrote:
"Your account was suspended
Does this really mean, that your money is lost already ? Often ISPs just plugged off a server from the network till "you solved the problem"
"your IPs are blacklisted on multiple lists for Spam and other malicious activities.
I bet, that your exit relays were used for massive port scan activities.
He said that he ran a reduced exit policy relay. Is portscanning even possible there?
On 25.02.2015 at 19:51, Toralf Förster wrote:
On 02/25/2015 07:35 PM, Speak Freely wrote:
"Your account was suspended
Does this really mean, that your money is lost already ? Often ISPs just plugged off a server from the network till "you solved the problem"
"your IPs are blacklisted on multiple lists for Spam and other malicious activities.
I bet, that your exit relays were used for massive port scan activities.
On 02/25/2015 07:53 PM, Josef Stautner wrote:
Is portscanning even possible there?
Should I better have used "service discovering" or "address range scanning"?
I do observe at my exit relay since December last year, that a few times per hour between 500 and 5000 different IP addresses are "contacted" over port 22, 80 or 443 per second over a certain time frame. (which BTW yielded into "being contacted by ISP" here too)
On Wed, Feb 25, 2015 at 1:53 PM, Josef Stautner hello@veloc1ty.de wrote:
He said that he ran a reduced exit policy relay. Is portscanning even possible there?
Yes. The CMU Tor exit started with the reduced exit policy, and we wound up additionally removing access to ports 22 and 23 (that is, ssh and telnet) due to continual portscanning attempts. And I mean *continual* - multiple scans an hour, 24x7x365 if we'd let it go on.
Campus IT has also noticed a couple of attempts to scan port 3389 (Windows RDP) but that happens much less often.
zw
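The pattern reported in the two messages above (hundreds to thousands of distinct destination addresses contacted per second on port 22, 80 or 443, and continual scans on ports 22 and 23) can be flagged from connection metadata alone. This is an added example, not code from any poster or from the Tor Project; the record format, the threshold and the sample records are constructed assumptions.

```python
"""Flag scan-like fan-out in an exit relay's outbound connection metadata.

Added illustration. Input records are (unix_second, dst_ip, dst_port) tuples,
a hypothetical format; only per-second distinct-destination counts are kept.
"""
from collections import defaultdict

# Assumption: 500 distinct destinations per second on one port is treated as
# scan-like, matching the lower bound reported in the thread.
FANOUT_THRESHOLD = 500


def fanout_per_second(records):
    """Return {(second, port): number of distinct destination IPs}."""
    seen = defaultdict(set)
    for second, dst_ip, dst_port in records:
        seen[(second, dst_port)].add(dst_ip)
    return {key: len(ips) for key, ips in seen.items()}


def scan_bursts(records, threshold=FANOUT_THRESHOLD):
    """Group consecutive over-threshold seconds into bursts, per port.

    Returns dicts ordered by (port, start) with the burst's port, first and
    last second (inclusive) and the peak distinct-destination count.
    """
    hot = defaultdict(list)
    for (second, port), count in fanout_per_second(records).items():
        if count >= threshold:
            hot[port].append((second, count))
    bursts = []
    for port in sorted(hot):
        current = None
        for second, count in sorted(hot[port]):
            if current is not None and second == current["end"] + 1:
                current["end"] = second
                current["peak"] = max(current["peak"], count)
            else:
                current = {"port": port, "start": second, "end": second, "peak": count}
                bursts.append(current)
    return bursts


def ports_to_review(bursts):
    """Ports with at least one burst: candidates for an ExitPolicy reject line."""
    return sorted({burst["port"] for burst in bursts})


def constructed_records():
    """Constructed sample: ordinary traffic plus a 3-second sweep on port 22."""
    records = []
    # Ordinary browsing: a handful of destinations on 443 and one on 80.
    for second in range(1000, 1010):
        for host in range(20):
            records.append((second, f"198.51.100.{host}", 443))
        records.append((second, "203.0.113.7", 80))
    # Sweep: 600 distinct addresses per second on port 22 for three seconds.
    for second in (1003, 1004, 1005):
        for i in range(600):
            records.append((second, f"10.{second % 256}.{i // 256}.{i % 256}", 22))
    # Many connections to ONE ssh host are not fan-out and must not alert.
    for _ in range(2000):
        records.append((1008, "192.0.2.10", 22))
    return records


if __name__ == "__main__":
    found = scan_bursts(constructed_records())
    for burst in found:
        print(burst)
    print("ports to review:", ports_to_review(found))
```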
Oh yes, my money is gone already. They have no interest in talking to me anymore, as the decision was final. The Abuse department won't talk to the Support department, and the abuse department won't talk to me.
I'd be more inclined to think these spam assassin fellas/"evil doer finders" just parsed the exit-node files and decided WHOOPIDY-DO I did my job! Over-zealous punks trying to get their lists larger than their competitor.
OVH appears to have based these accusations on what other websites have said about my IP addresses, and not a single actual complaint against the relays I run.
But I could be wrong.
Either way... It's unfortunate.
OVH has never contacted me for anything, except to notify me of connections to the manager.
For clarification from their email to me where they showed positive feelings toward Tor, here is my original email to them about me running those relays.
The first paragraph butters them up, and the second last paragraph attempts to show that I wanted to run clean, safe relays.
-------------------------------------------------------------
"Greetings,
I'm a current customer with two VPS servers with you, so far you've been awesome! I've never met anyone who has heard of you, and that is beyond shocking. Your prices are better than almost everyone, your service is superior, and I'm pretty sure your claims regarding hardware performance are the closest I've ever experienced to truth.
Alright now to the fun stuff.
Section 1)
I have read online that you are accommodating to users setting up Tor *middle* relays on VPS accounts, and as such I recently set one up.
However, that wasn't necessarily the brightest decision on my part. Can you confirm that you let customers run Tor *middle* relays? These are the non-exiting relays.
Given the recent activities around the world, I'd like to set several more relays up. If you do let customers install Tor, can they be installed on VPS Classic accounts?
Here is a description of the Tor platform, (https://www.torproject.org/eff/tor-dmca-response.html.en) ... Tor is network software that helps users to enhance their privacy, security, and safety online. It does not host any content. Rather, it is part of a network of nodes on the Internet that simply pass packets among themselves before sending them to their destinations, just as any Internet intermediary does. The difference is that Tor tunnels the connections such that no hop can learn both the source and destination of the packets, giving users protection from nefarious snooping on network traffic. The result is that, unlike most other Internet traffic, the final IP address that the recipient receives is not the IP address of the sender. Tor protects users against hazards such as harassment, spam, and identity theft. Initial development of Tor, including deployment of a public-use Tor network, was a project of the U.S. Naval Research Laboratory, with funding from ONR and DARPA. (For more on Tor, see https://www.torproject.org/.) I hope, as an organization committed to protecting the privacy of its customers, you'll agree that this is a valuable technology. ...
Section 2)
I've read online nothing but ambiguity regarding exit relays. My current understanding is that if we run them, we risk the account being terminated. Would you terminate the single VPS server, or my entire account with all of my VPSs?
If this somewhat murky situation is the case, would you be willing to assist me with minor activities in locking down the server? If I run exit relays, I want to use rather extreme exit policies, locking out most ports, and only allowing certain traffic through. I don't want to create a conduit for illicit downloading of videos, software, games, etc. And child pornography. Surely there has to be something your SysAdmins can do to help stop that. Blacklists, I suspect. So locking out that type of traffic is important both for my sensibilities, your network, and our legal safety.
I'm more than willing, and interested in discussing this further with you. In a world where free speech is under attack, we need to protect those that speak up.
Let me know.
Kind regards,
Matt"
-------------------------------------------------------------
I tried... I tried to be as helpful as possible in explaining what Tor is and does, and I tried to start a positive dialog and relationship with them. The numerous telephone conversations I've had with them were always quite positive and friendly. I was always assured they would contact me first, let me deal with the complaint, etc...
But I've come to realize this wasn't because of any complaint. Some "john" at OVH saw my IP addresses on a set of lists, most likely siphoned from the publicly available exit-relay lists, and decided I must be doing something bad.
Because they're no longer talking, most of this is all a guessing game.
How can you have any pudding if you don't eat your meat? How can you get your t-shirt if you don't run your relay? Sorry, but that made me smile. :)
Speak Freely
On February 25, 2015 8:21:32 PM Speak Freely when2plus2is5@riseup.net wrote:
Hi,
Oh yes, my money is gone already. They have no interest in talking to me anymore, as the decision was final. The Abuse department won't talk to the Support department, and the abuse department won't talk to me.
That's really sad. Spam abuse reports are hitting me pretty much every day @ Online SAS (online.net, France). I fill out their abuse formular every time "This is an Tor Exit Node with a reduced Exit policy". It's a 72 hour deadline. Works fine, they never shut down anything.
Every country and every ISP seems to be a completely different game :-(
I'd be more inclined to think these spam assassin fellas/"evil doer finders" just parsed the exit-node files and decide WHOOPIDY-DO I did my job! Over-zealous punks trying to get their lists larger than their competitor.
OVH appears to have based these accusations on what other websites have said about my IP addresses, and not a single actual complaint against the relays I run.
But I could be wrong.
Either way... It's unfortunate.
OVH has never contacted me for anything, except to notify me of connections to the manager.
For clarification from their email to me where they showed positive feelings toward Tor, here is my original email to them about me running those relays.
The first paragraph butters them up, and the second last paragraph attempts to show that I wanted to run clean, safe relays.
"Greetings,
I'm a current customer with two VPS servers with you, so far you've been awesome! I've never met anyone who has heard of you, that that is beyond shocking. Your prices are better than almost everyone, your service is superior, and I'm pretty sure your claims regarding hardware performance are the closest I've ever experienced to truth.
Alright now to the fun stuff.
Section 1)
I have read online that you are accommodating to users setting up Tor *middle* relays on VPS accounts, and as such I recently set one up.
However, that wasn't necessarily the brightest decision on my part. Can you confirm that you let customers run Tor *middle* relays? These are the none-exiting relays.
Given the recent activities around the world, I'd like to set several more relays up. If you do let customers install Tor, can they be installed on VPS Classic accounts?
Here is a description of the Tor platform, (https://www.torproject.org/eff/tor-dmca-response.html.en) ... Tor is network software that helps users to enhance their privacy, security, and safety online. It does not host any content. Rather, it is part of a network of nodes on the Internet that simply pass packets among themselves before sending them to their destinations, just as any Internet intermediary does. The difference is that Tor tunnels the connections such that no hop can learn both the source and destination of the packets, giving users protection from nefarious snooping on network traffic. The result is that, unlike most other Internet traffic, the final IP address that the recipient receives is not the IP address of the sender. Tor protects users against hazards such as harassment, spam, and identity theft. Initial development of Tor, including deployment of a public-use Tor network, was a project of the U.S. Naval Research Laboratory, with funding from ONR and DARPA. (For more on Tor, see https://www.torproject.org/.) I hope, as an organization committed to protecting the privacy of its customers, you'll agree that this is a valuable technology. ...
Section 2)
I've read online nothing but ambiguity regarding exit relays. My current understanding is that if we run them, we risk the account being terminated. Would you terminate the single VPS server, or my entire account with all of my VPSs?
If this somewhat murky situation is the case, would you be willing to assist me with minor activities in locking down the server? If I run exit relays, I want to use rather extreme exit policies, locking out most ports, and only allowing certain traffic through. I don't want to create a conduit for illicit downloading of videos, software, games, etc. And child pornography. Surely there has to be something your SysAdmins can do to help stop that. Blacklists, I suspect. So locking out that type of traffic is important both for my sensibilities, your network, and our legal safety.
I'm more than willing, and interested in discussing this further with you. In a world where free speech is under attack, we need to protect those that speak up.
Let me know.
Kind regards,
Matt"
I tried... I tried to be as helpful as possible in explaining what Tor is and does, and I tried to start a positive dialog and relationship with them. The numerous telephone conversations I've had with them were always quite positive and friendly. I was always assured they would contact me first, let me deal with the complaint, etc...
But I've come to realize this wasn't because of any complaint. Some "john" at OVH saw my IP addresses on a set of lists, most likely siphoned from the publicly available exit-relay lists, and decided I must be doing something bad.
Because they're no longer talking, most of this is all a guessing game.
How can you have any pudding if you don't eat your meat? How can you get your t-shirt if you don't run your relay? Sorry, but that made me smile. :)
Speak Freely
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 2015-02-25 14:20, Speak Freely wrote:
Oh yes, my money is gone already. They have no interest in talking to me anymore, as the decision was final. The Abuse department won't talk to the Support department, and the abuse department won't talk to me.
The idea of initiating a chargeback is great. I did this a couple of times myself when a vendor was everything but honest. If that's what you're going to do, I'd definitely like to hear what OVH's excuse was for not following their own policy, as they have to explain and prove to the bank why the charge is valid. Hopefully you'll get your money back.
I'd be more inclined to think these spam assassin fellas/"evil doer finders" just parsed the exit-node files and decided WHOOPIDY-DO I did my job! Over-zealous punks trying to get their lists larger than their competitor.
OVH appears to have based these accusations on what other websites have said about my IP addresses, and not a single actual complaint against the relays I run.
I haven't thought about it that way. I run a mail server myself, and fighting spam is a daunting task. To avoid the situation of automagically reporting spamming IPs to SBL providers, I'd like to implement a solution that'll do both reporting and whitelisting (I have neither). Is someone familiar with, or does someone already have in place (or need; I'll try to write one myself), a script/config module for SpamAssassin or a Postfix milter that will do the following two tasks? One would be a periodic download of a public list of Tor exit relays. The second would involve "spammy email" management. If an email passes through all filters and is deemed spam/malware/ebola, it should be dropped, yet if it was received from an exit relay (an IP on the list downloaded in step 1), it wouldn't do anything in terms of reporting anywhere. Otherwise, forward for spam analysis.
I'm also thinking about a second possible solution, but I'm not sure if it's possible. On the host that's an exit relay, one would also install some kind of Postfix (or other MTA) and reroute unencrypted Tor exit traffic directed to ports 25 and 587 to localhost's MTA for virus/spam scanning, and then either forward or drop it. Rerouting is doable in moments using iptables. I'm not sure what effect that would have on the Tor network and security, though.
Zefir
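A sketch of the two tasks described in the message above, added here as an example and not code from any list member: it parses an exit list in the `ExitNode`/`ExitAddress` layout of the Tor Project's published exit list and decides whether a spam verdict should be reported. The sample list, the addresses and the disposition names are constructed for illustration; downloading the list and wiring the result into a milter or SpamAssassin are left out.

```python
import ipaddress

# Constructed sample in the "exit-addresses" layout (fingerprints and
# addresses are made up; the IPs come from documentation ranges).
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2015-02-25 09:10:11
LastStatus 2015-02-25 10:02:45
ExitAddress 192.0.2.10 2015-02-25 10:05:12
ExitNode 0000000000000000000000000000000000000002
Published 2015-02-25 08:00:00
LastStatus 2015-02-25 10:02:45
ExitAddress 198.51.100.7 2015-02-25 10:06:30
ExitAddress not-an-ip 2015-02-25 10:06:31
"""

def parse_exit_addresses(text):
    """Return the set of exit IPs; skip blank, unknown or malformed lines."""
    exits = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "ExitAddress":
            try:
                exits.add(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # one bad line must not poison the whole list
    return exits

def disposition(client_ip, is_spam, exits):
    """Decide what to do with one message (hypothetical policy names).

    deliver         - the filters did not flag the message
    drop            - spam, discarded, reported nowhere
    drop_and_report - spam, discarded and forwarded for spam analysis
    """
    if not is_spam:
        return "deliver"
    if not exits:
        # Empty list (failed download, bad parse): without it every exit
        # would be reported, so withhold reports until the list is back.
        return "drop"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "drop"  # no valid address to report
    # Dual-stack listeners may log IPv4 peers as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return "drop" if ip in exits else "drop_and_report"
```

Refresh the parsed set on a timer and keep the previous copy when a download fails, so a short outage does not turn every exit back into a reportable source.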
Hello,
Sorry to hear this. I want to set up a big node at Voxility, which is a good provider to host Tor exits, maybe more of us can pool together financial resources and make a big cluster. I have some offers from them if interested.
On 2/25/2015 8:35 PM, Speak Freely wrote:
Hello fellow relay runners,
This morning OVH decided to kill 7 of my relays due to spamming, and block all access to all services. I ran the Reduced Exit policy for all of my relays.
Due to heightened concerns about this affecting other unrelated services I have with OVH, I had to shut down the other 3 relays. They may eventually re-appear as middle-relays.
This has cost me hundreds of dollars, as I foolishly decided to prepay on an annual basis. None of the servers were older than 2 months. Some were only a few weeks old.
The Abuse department's rationale is as follows: "Your account was suspended because 100% of your IPs are blacklisted on multiple lists for Spam and other malicious activities. This case is closed and this decision is final."
When I first contacted OVH regarding running Tor relays, this was the response that I received from them, which does not mesh with what just happened.
"Good morning Matt,
I'm very glad to hear from you. It is very flattering to hear that you are very satisfied by our service at OVH!
We do take our network speed and hardware performance very seriously here. We are proud of our infrastructure that we have built over the years.
I do understand your concerns about setting up a Tor relay on one of our VPS. In a simple form, yes you can.
We do let our customers use our VPS as Tor relays. We have no problem in letting you do this.
However, you are allowed to use Tor but it will be at your own risk.
Rest assured that, in case of an abuse, we will not terminate your account without notice. In fact we may not even terminate your VPS. You will receive a warning from our Abuse department giving you a choice to resolve the abuse case.
Like you said, we are in a world where free speech is constantly under attack and we are committed to help as much as possible to protect this fundamental right that we all have. We will absolutely not in any case share our customers information or data to authorities without a warrant.
For any other questions or concerns, feel free to contact us at any time. We are available 24/7.
Good luck with that privacy project of yours and keep on supporting the cause of free speech!
Thank you for contacting OVH and have a wonderful day!
Colin K. Customer Advocate"
Not that it matters anymore, but each relay was dedicated to one of the victims of the Charlie Hebdo attack. https://atlas.torproject.org/#search/4charlie
Eventually I will get back at this... But for now, my money is gone, and all my hard work is lost.
So... I know I'm new. And it's possible this has happened (many times) before, but... You've been warned.
Speak Freely
If you paid with a credit card, give them a choice: they can either refund your money or you will initiate a chargeback. Either way you get your money back, but with the chargeback you will probably get all of your money back instead of a prorated refund, they have to pay a fee, and may have their merchant account terminated if they get enough of them.
-Pascal
On 2/25/2015 12:35 PM, Speak Freely wrote:
This has cost me hundreds of dollars, as I foolishly decided to prepay on an annual basis. None of the servers were older than 2 months. Some were only a few weeks old.
This++
On 02/25/2015 01:34 PM, jason@icetor.is wrote:
This++
Indeed!
And if you used PayPal, they may also help.
I'm having a similar situation. Linode issued a ToS violation because my linode on which I run a relay was a source of spam.
Very strange because I had reject *.* (no exit) set in my torrc.
Anyway I've had to give up and shut down FiatLux. Kind of a bummer, I really enjoyed contributing to Tor.
-Chris
On Wed, Feb 25, 2015 at 4:07 PM, Chris Patti cpatti@gmail.com wrote:
I'm having a similar situation. Linode issued a ToS violation because my linode on which I run a relay was a source of spam.
Very strange because I had reject *.* (no exit) set in my torrc.
I have operated a non-exit relay on Linode for almost two years now with no trouble whatsoever. I'd wonder whether your vhost got hacked in some fashion, such that it *was* sending spam, but Tor had nothing to do with it. If that's what happened, you could probably turn your relay back on after confirming with their support that you'd found and fixed the problem. (Regenerate the relay's identity key, too.)
(I would not attempt to run an exit relay on Linode, and I have made a point of not running *anything else* (except key-only SSH) on my vhost that is a relay, to limit attack surface.)
zw
On Wed, Feb 25, 2015 at 1:35 PM, Speak Freely when2plus2is5@riseup.net wrote:
Hello fellow relay runners,
This morning OVH decided to kill 7 of my relays due to spamming, and block all access to all services. I ran the Reduced Exit policy for all of my relays.
I run one relay with OVH and one with DigitalOcean. Both relays are non-exit. I also have another VPS with OVH unrelated to Tor. This makes me uneasy because I, too, paid one year in advance. DigitalOcean seemed more welcoming of Tor when I contacted them about it. Both have policies that do not prohibit Tor. If they shut down a non-exit node, I would contact my credit card company if they don't offer a refund.
On 2015-02-25 11:35, Speak Freely wrote:
The Abuse department's rationale is as follows: "Your account was suspended because 100% of your IPs are blacklisted on multiple lists for Spam and other malicious activities. This case is closed and this decision is final."
Speaking as an abuse desk lead investigator who has had unfortunate experiences reporting issues to OVH, I can assure you that OVH's abuse department is institutionally incompetent. While they have some good staff, their system is set up to break those staff members and their outcomes in almost all ways possible.
What you're encountering is apparently part of their data feed quality problem. Reading between their words, they're mistakenly using a list of Tor nodes (perhaps they bought a cheapo mislabeled list) in place of a competently maintained list of spam sources and malicious actors.
On the flip side of data quality, what also occurs from and by OVH is massive email spam runs from their pet spammers like netmessage.com and oxemis.net. One competent list which tracks ovh.net spammers contains over 20,000 spam source IPs where spam was sent from French-speaking "high volume email deployers" to trap addresses. The list is huge because ovh.net seems to quickly give these spammers new IP ranges as the previous ones are firewalled for cause.
Oddly for a provider that claims to want to stop spam, to the point they use that as an excuse to shut your servers, ovh.net doesn't do anything to disconnect the *actual* spammers they host, or even slow them down.
I thus recommend you do a chargeback. Get your money back, on the grounds that ovh.net first lied to you to close the sale, and now they're probably lying to you about the real reason they're disconnecting. I think they've been dealing in very bad faith with you, and you shouldn't have to pay for that.
Richard
After much research, I've found some interesting tidbits.
Out of the 88 blacklists mxtoolbox reports against,
6/7 relays reported 3 problems
- 1) Efnet blocks Tor exits and reported. No exceptions.
- 2) CBL detected a single trojan/malware/spam, etc, and reported
- 3) Spamhaus ZEN detected CBL's detection, and reported

1 of the 7 relays also had two hits from Mailspike
- 1) Mailspike Z found a distributed spam wave, and reported
- 2) Mailspike BL aggregates other Mailspike lists, and reported
Essentially, all 7 of my relays were taken down because of trivial issues, all but 1 being single instances of reported problems from a single source.
Both CBL and Mailspike offer de-listing services that are easy to use, and straightforward.
I spoke with MasterCard yesterday, and they've mailed off the paperwork I need to fill out to do the charge-back. I won't get into the specifics, but they were encouraging.
I will also be moving my unrelated business dealings away from OVH as soon as possible.
Speak Freely
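The point in the message above that a ZEN hit can simply be CBL's listing seen a second time, as an added example that is not part of the original post: it builds the DNSBL query names for a relay address and collapses the raw hits into the data sets that actually produced them. The zone names are those in use around the time of this thread, the addresses and the canned resolver answers in any test run are constructed, and the default resolver treats every lookup failure (timeouts included) as "not listed".

```python
import ipaddress
import socket

# Zone names as used around the time of this thread; check each operator's
# current documentation before relying on them.
CBL = "cbl.abuseat.org"
ZEN = "zen.spamhaus.org"

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def underlying_source(zone, answer):
    """Map one DNSBL answer to the data set that produced it."""
    if answer.startswith("127.255.255."):
        # Spamhaus error codes (for example a refused public resolver):
        # these are not listings and must not be counted as hits.
        return None
    last = int(answer.rsplit(".", 1)[1])
    if zone == CBL:
        return "CBL"
    if zone == ZEN:
        if 4 <= last <= 7:
            return "CBL"           # ZEN's XBL component carries CBL data
        if last in (10, 11):
            return "Spamhaus PBL"  # address-space policy, not an abuse report
        return "Spamhaus SBL"      # 127.0.0.2, 127.0.0.3, 127.0.0.9
    return zone

def check(ip, resolver=system_resolver, zones=(CBL, ZEN)):
    """Return (raw_hits, independent_sources) for one relay address."""
    hits, sources = [], set()
    for zone in zones:
        for answer in resolver(dnsbl_name(ip, zone)):
            source = underlying_source(zone, answer)
            if source is not None:
                hits.append((zone, answer))
                sources.add(source)
    return hits, sources
```

Two raw hits with a single entry in the returned source set means one de-listing request, to the originating list, clears both.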
This is unfortunate but we will not be deterred.
I would also go chargeback if notice you now give them does not result in satisfied action by close Sunday. You paid for a year based on some assurance, and did not receive.
Now in the future... Your plan was long and two part, partly confusing.
It must be made explicitly clear to hosters that you wish to run exit relay, include links to tor website, etc. Always try one month pay for a while first, then maybe the next levels after that succeeds for many months. You can still try to get the lower price from first day by saying that you will stay for those longer months so long as you don't get cutoff in the first month to months. ALL TOS allow them to cut you off for any reason. So if you want to survive as a special tor consideration, you cannot take word of some sales droid in email. You have to contact officer of the company and get written agreement if you want something special above TOS. You need to consider SWIP and making clear the handling methods and scenarios with them.
Otherwise, skip all that and play fast and dirty month to month host game, just don't disrespect them/tor in the process.
Tor!