[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] LeaseWeb disconnects Tor exit node for forum "spam"



I just thought I would notify the list that leaseweb is not a safe place to
host a Tor exit node.

Occasionally I would get a complaint from leaseweb but it would be marked
as priority "normal" (basically meaning its informational only and you
don't have to reply to it) but recently they are now null routing the
server.

My node was running for about 8 months without any real problems.
Now it seems leaseweb has subscribed to lists from stop forum spam and
project honeypot and is not accepting Tor as an explanation.

I thought I was safe from complaints by only allowing http/https ports so
no p2p so I am curious if any other exit node operators had to deal with
this problem with forum spam.

This was a surprise to be treated like this by leaseweb which I am a large
customer with many servers and I have heard only good things about how they
stand up for their customers and don't respond to DMCA's and such.

Does anyone have any ideas how to prevent this or a better strategy for
responding to these type of complaints?

Also does anyone know if forum spam is really illegal under dutch law?
I was almost going to hire a lawyer since they pissed me off and it seems
quite clear that there is nothing in their contract that prohibits this but
I do not want to make an issue of it and have them cancel my entire service
since my business is based around leaseweb servers and there is no real
alternative at their price/bandwidth level.

I have included my full exchange with them below.

Eric.

> On 13/02/2012 08:21, LeaseWeb - Security - Feeds wrote:
>> Eric,
>>
>> If you have a server with us, you’ll have to prevent it from generating
>> abuse, if you don’t the IP gets nullrouted it’s as simple as that. We
>> have many other customers that operate anonymous VPN services and none
>> of them had any problem blocking abuse generated by X-Rumer with the
>> information provided by Stopforumspam so there is no reason why you
>> would not be able to do so.
>> Regarding the definition of spam, Dutch law states that spam is any
>> form of unwanted electronic communication such as but not limited to e-
>> mail, sms, forum posts and faxes. This law is enforced by OPTA, the
>> Dutch telecom agency. The acceptable use policy forbids unlawful
>> activities. Violating the Dutch anti-spam law with forum spam qualifies
>> as such. The IP will be unblocked once you are ready to implement a
>> solution.
>>
>> Kind Regards,
>>
>> Rob Kruit CISSP
>> Senior Security Engineer
>>
>> LeaseWeb B.V.
>> P.O. Box 93054
>> 1090BB Amsterdam
>> The Netherlands
>> Tel: +31 20 3162880
>> Fax: +31 20 3162890
>> Skype: lsw.sec.rob.kruit
>> E-Mail: r.kruit@xxxxxxxxxxxx
>> PGP KeyID: 1FC92F92
>> http://www.leaseweb.com
>>
>> On Sat Feb 11 09:16:29 2012, beyondhosting.com wrote:
>>> That agreement still defines spam as email.
>>> Dutch and European law also defines spam as email and there is no law
>>> against forum "spam", and stopforumspam.com are not a law enforcement
>>> agency.
>>>
>>> I do not understand why you are being difficult about this.
>>> No actual person has made a complaint, If a person made a complaint,
>>> I can block access to his site from my Tor node.
>>> Stopforumspam.com purposely hides the details of the complainant making
>>> it impossible to respond to it or block access.
>>>
>>> Your complaint has not listed any URL that I can block, so there is
>>> nothing I can do about it.
>>> Also that Tor connections last only 10 minutes, so the activity you are
>>> referring to is long finished and cannot be undone.
>>> So nothing can be done to prevent this, also websites that do not wish
>>> to receive Tor traffic are free to block Tor without any assistance
from me.
>>> As a Tor node operator I am acting as an ISP and have no liability for
>>> the actions of my users, and leaseweb has no liability either.
>>> Anonymity is not a crime and Tor is legal in The Netherlands.
>>>
>>> You have the ability to close this complaint and restore my server so
>>> please do so, since no laws have been broken.
>>>
>>> I have almost 100 servers and pay your company over €11,000 per month
and
>>> your reaction to this has put doubt in my mind that you are a company I
>>> can rely on for the continuation of my business, it seems you don't care
>>> about standing up for the rights of your customers, or about following
>>> the wording of your own contract.
>>>
>>> Thanks,
>>> Eric.
>>>
>>> On 09/02/2012 12:07, LeaseWeb - Security - Feeds wrote:
>>>> Master agreement: section 2.1 and 2.2
>>>> Again, as the IP has been assigned to you, you are responsible to
>>>> prevent any abuse originating from that IP. Running TOR, a VPN service
>>>> or any other network relay service does not exclude you from that
>>>> responsibility. If you are unable to take appropriate measures, then I
>>>> suggest you'll remove the TOR exit node from that system.
>>>>
>>>> Kind Regards,
>>>>
>>>> Rob Kruit CISSP
>>>> Senior Security Engineer
>>>>
>>>> LeaseWeb B.V.
>>>> P.O. Box 93054
>>>> 1090BB Amsterdam
>>>> The Netherlands
>>>> Tel: +31 20 3162880
>>>> Fax: +31 20 3162890
>>>> Skype: lsw.sec.rob.kruit
>>>> E-Mail: r.kruit@xxxxxxxxxxxx
>>>> PGP KeyID: 1FC92F92
>>>> http://www.leaseweb.com
>>>>
>>>> On Thu Feb 09 10:59:08 2012, beyondhosting.com wrote:
>>>>> Please note that I am a large leaseweb customer paying over €11,000
per month.
>>>>>
>>>>> I refer to the definition of "spam" in your contract.
>>>>>
http://www.leaseweb.nl/uploads/legal/20111115_NL_General_Conditions_v2011-1_11.pdf
>>>>>
>>>>> "Spam means unsolicited broadcast e-mail or unsolicited commercial
>>>>> email that is sent to addresses that do not affirmatively and
>>>>> verifiably request such e-mail from that specific sender, including
>>>>> but
>>>>> not limited to advertising, surveys, information pieces, third party
>>>>> spamming, website addresses, sales, and auctions"
>>>>>
>>>>> Please unblock my server or point me to exactly what specific
>>>>> condition
>>>>> of the service you claim I have violated.
>>>>>
>>>>> It seems you just shut off my server because of some automated report
>>>>> and no actual person sent you any complaint.
>>>>>
>>>>> What solution do you propose?
>>>>> I have no way to identify which traffic might be forum spam, and there
>>>>> is no law requiring me to do, the content is not hosted on the server,
>>>>> I
>>>>> am only acting as a network relay which have no liability.
>>>>>
>>>>> Thanks,
>>>>> Eric.
>>>>>
>>>>> On 09/02/2012 09:43, LeaseWeb - Security - Feeds wrote:
>>>>>> Dear Customer,
>>>>>>
>>>>>> The IP has been nullrouted as no action has been taken. Running a TOR
>>>>>> node cannot be seen as an excuse for generating abuse. Forum spam is
>>>>>> generated by the Xrumer application
http://en.wikipedia.org/wiki/XRumer
>>>>>> As you can see, these activities are in fact spamming and thus
illegal.
>>>>>> The Stopforumspam reports are accurate and this form of abuse needs
to
>>>>>> be prevented. Since the IP is assigned to you, implementing a working
>>>>>> solution to prevent this kind of activity is your responsibility.
>>>>>> Kind Regards,
>>>>>>
>>>>>> Rob Kruit CISSP
>>>>>> Senior Security Engineer
>>>>>>
>>>>>> LeaseWeb B.V.
>>>>>> P.O. Box 93054
>>>>>> 1090BB Amsterdam
>>>>>> The Netherlands
>>>>>> Tel: +31 20 3162880
>>>>>> Fax: +31 20 3162890
>>>>>> Skype: lsw.sec.rob.kruit
>>>>>> E-Mail: r.kruit@xxxxxxxxxxxx
>>>>>> PGP KeyID: 1FC92F92
>>>>>> http://www.leaseweb.com
>>>>>>
>>>>>> On Thu Feb 09 09:45:03 2012, beyondhosting.com wrote:
>>>>>>> PLEASE STOP SENDING THESE COMPLAINTS EVERY DAY!!!!
>>>>>>> REMOVE THIS IP FROM YOUR REPORTS
>>>>>>>
>>>>>>> This IP address is a Tor exit node (kind of an open proxy).
>>>>>>> Only HTTP traffic is allowed and email port 25 is blocked.
>>>>>>> Your abuse complain mistakenly report this as spam, it is not spam,
it
>>>>>>> is a HTTP request only.
>>>>>>>
>>>>>>> If you want a site blocked from being accessed through the proxy, I
>>>>>>> need
>>>>>>> to know the domain name or IP to block access to which you have not
>>>>>>> provided.
>>>>>>>
>>>>>>> There is nothing illegal about this activity and the IP is not
listed
>>>>>>> in any spam blacklists.
>>>>>>>
>>>>>>> Web sites can choose to block the IP address of my server (or all
TOR
>>>>>>> nodes) if they do not want to receive this traffic.
>>>>>>>
>>>>>>> The IP address in question is a Tor exit node.
>>>>>>> https://www.torproject.org/overview.html
>>>>>>>
>>>>>>> There is little we can do to trace this matter further. As can be
seen
>>>>>>> from the overview page, the Tor network is designed to make tracing
of
>>>>>>> users impossible. The Tor network is run by some 2500 volunteers who
>>>>>>> use the free software provided by the Tor Project to run Tor
routers.
>>>>>>> Client connections are routed through multiple relays, and are
>>>>>>> multiplexed together on the connections between relays. The system
>>>>>>> does not record logs of client connections or previous hops.
>>>>>>>
>>>>>>> This is because the Tor network is a censorship resistance, privacy,
>>>>>>> and anonymity system used by whistle blowers, journalists, Chinese
>>>>>>> dissidents skirting the Great Firewall, abuse victims, stalker
>>>>>>> targets, the US military, and law enforcement, just to name a few.
>>>>>>> See https://www.torproject.org/about/torusers.html.en for more info.
>>>>>>> Unfortunately, some people misuse the network. However, compared to
>>>>>>> the rate of legitimate use (the IP range in question processes
nearly
>>>>>>> a gigabit of traffic per second), abuse complaints are rare.
>>>>>>> https://www.torproject.org/docs/faq-abuse.html.en
>>>>>>>
>>>>>>> On 09/02/2012 08:02, LeaseWeb Security Response Team (LSRT) wrote:
>>>>>>>> ABUSE TYPE: SPAM
>>>>>>>> URGENCY: VERY HIGH (4hours notice)
>>>>>>>> IP: 85.17.97.19
>>>>>>>>
>>>>>>>> Dear customer,
>>>>>>>>
>>>>>>>> We received a complaint regarding an IP assigned to you. Please
see the complaint at the bottom of this e-mail. We urge you to take
appropriate action to prevent future complaints.
>>>>>>>> PLEASE NOTIFY US WITHIN 4 HOURS WITH TAKEN ACTiONS. FAILURE TO DO
SO WILL RESULT IN AN IP BLOCK OF THE MENTIONED IP.
>>>>>>>> LeaseWeb Security Response Team (LSRT)
>>>>>>>>
>>>>>>>> ***** ADDITIONAL INFORMATION BY LSRT *****
>>>>>>>>
>>>>>>>> ******************************************
>>>>>>>>
>>>>>>>> ******************************************
>>>>>>>>     ORIGINAL COMPLAINT BELOW
>>>>>>>> ******************************************
>>>>>>>>
>>>>>>>> StopForumSpam report for LEASEWEB ASN16265 (as of
>>>>>>>> 25 Jan 2011)
>>>>>>>>
>>>>>>>> IP Number 85.17.97.19  rnds
>>>>>>>> tor-exit-node.beyondhosting.com
>>>>>>>> Link
>>>>>>>> http://www.stopforumspam.com/ipcheck/85.17.97.19
>>>>>>>> Last seen at 08-Feb-12 22:02:12 Wed
>>>>>>>> IP reported 2 times (by 2 different sites) in the
>>>>>>>> last 24 hours
>>>>>>>> IP seen 13 times in the last month
>>>>>>>>
>>>>>>>> Usernames seen from this IP
>>>>>>>> 24H    1month    Username
>>>>>>>> 1    1    Ann Martin
>>>>>>>> 1    1    maznikn
>>>>>>>>
>>>>>>>> Emails seen from this IP
>>>>>>>> 24H    1month    Username
>>>>>>>> 1    1    Ann_Martin.1981@xxxxxxxxx
>>>>>>>> 1    1    aiandjsklsbf@xxxxxxxxxxxxxx
>>>>>>>>
>>>>>>>> Evidence seen from this IP (last 24 hours only)
>>>>>>>> , StopForumSpam report for LEASEWEB ASN16265 (as of
>>>>>>>> 25 Jan 2011)
>>>>>>>>
>>>>>>>> IP Number 85.17.97.19  rnds
>>>>>>>> tor-exit-node.beyondhosting.com
>>>>>>>> Link
>>>>>>>> http://www.stopforumspam.com/ipcheck/85.17.97.19
>>>>>>>> Last seen at 08-Feb-12 22:02:12 Wed
>>>>>>>> IP reported 2 times (by 2 different sites) in the
>>>>>>>> last 24 hours
>>>>>>>> IP seen 13 times in the last month
>>>>>>>>
>>>>>>>> Usernames seen from this IP
>>>>>>>> 24H    1month    Username
>>>>>>>> 1    1    Ann Martin
>>>>>>>> 1    1    maznikn
>>>>>>>>
>>>>>>>> Emails seen from this IP
>>>>>>>> 24H    1month    Username
>>>>>>>> 1    1    Ann_Martin.1981@xxxxxxxxx
>>>>>>>> 1    1    aiandjsklsbf@xxxxxxxxxxxxxx
>>>>>>>>
>>>>>>>> Evidence seen from this IP (last 24 hours only)
>>>>>>>> ,
>>>>>>>>
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk