
Re: [tor-talk] [Need quick help] 30+ mbps node taken down by host



On Wed, Jul 04, 2012 at 12:36:36AM -1000, Name Withheld wrote:

> Thank you for the response. Unfortunately, it looks like this might be  
> an impossible problem to solve, since they followed it up and said it's  
> forum spam and hack attempts, not just email spam.  Basically, my node  

So they keep changing their story. It seems they want to get rid of you.

> is pushing more traffic than most, so it's getting more abuse, faster  
> (even though this is a tiny percentage of the overall traffic).

Of what concern should be the traffic, if it's a flat-rate data
plan? If it is, you have to throttle your node down to a dull roar
(e.g. I'm currently throttling mine down to about 1.5 TByte/month).

I personally use the following Exit Policy (torrc fragment, one entry
per line; Tor evaluates entries top to bottom and the first match wins):

# Private ranges and the relay's own address. Tor already rejects all of
# these when ExitPolicyRejectPrivate is left at its default of 1, so
# listing them is belt and braces.
ExitPolicy reject 0.0.0.0/8:*
ExitPolicy reject 169.254.0.0/16:*
ExitPolicy reject 127.0.0.0/8:*
ExitPolicy reject 192.168.0.0/16:*
ExitPolicy reject 10.0.0.0/8:*
ExitPolicy reject 172.16.0.0/12:*
ExitPolicy reject put-your-node's-ip-here:*
# Encrypted services only: ssh, https, smtps (SMTP over TLS, 465),
# nntps (563), telnets/imaps/ircs/pop3s (992-995).
ExitPolicy accept *:22
ExitPolicy accept *:443
ExitPolicy accept *:465
ExitPolicy accept *:563
ExitPolicy accept *:992-995
# Everything else, including plain SMTP (25) and HTTP (80), is refused.
ExitPolicy reject *:*

which so far has generated zero complaints.

If they still complain, go total middleman. Even
middlemen throttled to 120 kBytes/s or higher are
of value to the network, especially if they're stable.

> Here's what they sent me from their upstream provider:
>
>
>
> ----------------------------------------------------------------------
> The first email came in for a hack attempt from your IP:
> Dear Sir/Madam,
> We noticed something that resembles a RIP attempt from one of your IP  
> addresses. Our system temporarily blocked the IP address. Please,  
> contact the respective user.
> In case that there is a need for UPSTREAM content download, they can  
> register and make use of our legal (xml) download interface [UPSTREAM 
> URL].
> In case that the IP is used for search engine crawling, the user can  
> inform us to whitelist the respective IP address.
>
> 52 requests during period Fri Jun 22 02:14:01 2012 - Fri Jun 22 02:15:01  
> 2012 (GMT +1)
> was denied at Fri Jun 22 02:15:01 2012 (GMT +1)
> user-agent: Mozilla/5.0 (X11; U; Linux x86_64; fr-FR) AppleWebKit/534.7  
> (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7
>
> Kind regards,
> Open UPSTREAM Team
> ----------------------------------------------------------------------
>
> ----------------------------------------------------------------------
> The second and all following emails (4 emails in total) came in for spam,
> StopForumSpam report for ASN16265 (as of
> 25 Jan 2011)
>
> IP Number XX.XX.XXX.XXX Link
>
> Last seen at 22-Jun-12 04:06:45 Fri
> IP reported 31 times (by 2 different sites) in the
> last 24 hours
> IP seen 34 times in the last month
>
> Usernames seen from this IP
> 24H 1month Username
> 1 1 Eirena
> 1 1 Sheehan
> 1 2 Rafu
> 1 1 Barnabas
> 1 1 Rowland
> 1 1 Parvati
> 2 2 Chelsia
> 1 5 Gwen
> 1 1 Rudi
> 1 1 Etienette
> 1 1 Erianthe
> 1 1 Alzena
> 1 1 Starveling
> 1 3 Althea
> 1 4 Brayden
> 1 1 Carlen
> 1 2 Armorel
> 1 3 Brennan
> 3 3 Kinga
> 1 1 Rarna
> 3 9 Richard
> 1 1 Rendor
> 1 3 Stanton
> 1 1 Enola
> 1 1 Pankhudi
> 1 1 Bhrigu
> 1 1 Astrea
> 1 3 Pebbles
> 2 3 Sage
> 1 10 Ella
> 1 1 Brodny
>
> Emails seen from this IP
> 24H 1month Username
> 4 27 e22@xxxxxxxxxxxxxxx
> 3 19 e32@xxxxxxxxxxxxxxx
> 4 22 e34@xxxxxxxxxxxxxxx
> 2 21 e27@xxxxxxxxxxxxxxx
> 2 22 e18@xxxxxxxxxxxxxxx
> 4 25 e26@xxxxxxxxxxxxxxx
> 3 18 e16@xxxxxxxxxxxxxxx
> 5 22 e20@xxxxxxxxxxxxxxx
> 3 23 e19@xxxxxxxxxxxxxxx
> 3 21 e35@xxxxxxxxxxxxxxx
> 2 22 e33@xxxxxxxxxxxxxxx
> 2 22 e25@xxxxxxxxxxxxxxx
> 2 20 e31@xxxxxxxxxxxxxxx
> 4 28 e21@xxxxxxxxxxxxxxx
> 2 21 e29@xxxxxxxxxxxxxxx
> 4 23 e28@xxxxxxxxxxxxxxx
> 4 21 e24@xxxxxxxxxxxxxxx
> 3 19 e30@xxxxxxxxxxxxxxx
> 4 26 e17@xxxxxxxxxxxxxxx
>
>
>
> Since the forum spam is all over http, I'm not sure there's anything I  
> can do without crippling it for other users.  Any ideas?
>
> Thank you again.
>
>
>
>
>
> On 7/3/2012 9:29 PM, morphium wrote:
>> Hi,
>>
>> you are right, SMTP is blocked by default. But people can i.e. access
>> hotmail.com via web interface (where your IP is then put into the mail
>> as originating IP as well) or use SMTP on secure ports (but that mostly
>> comes with authentication, I guess).
>>
>> You should ask your provider to get the mail headers of the spam, to
>> see how exactly it was done, and then maybe block i.e. exit to the
>> hotmail IPs, if it was sent via hotmail webinterface (to show them you
>> are doing something).
>>
>> Best regards!
>> morphium
>>
>> 2012/7/4 Name Withheld <survivd@xxxxxxxxx>:
>>> Hello,
>>>
>>> My VPS fast tor exit got taken down by the host today for sending spam
>>> emails. Apparently the upstream provider complained to them about it. I
>>> thought SMTP was supposed to be disabled by default in the tor config, but
>>> apparently my node was sending stuff through (even though I didn't do
>>> anything to change the default setting for that).
>>>
>>> The host is going to give me a chance to see if I can block it, but if I
>>> can't get the spam to stop, they're going to make me kill the node. I prefer
>>> not to do this kind of thing, but since it's their house, it's their rules.
>>>
>>> Can someone please tell me precisely (what file, what entry) how to
>>> configure:
>>>
>>> 1) Tor to block smtp
>>>
>>> 2) Local machine to block smtp egress
>>>
>>> 3) Any other possible way to detect/filter outgoing mail
>>>
>>> Thank you very much
>>>
>>>
>>>
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
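The exit policy posted above, checked offline. This is an added example written for this page, not code from Tor or from anyone in the thread: it reimplements Tor's first-match exit-policy evaluation for IPv4 (accept/reject entries, CIDR or `*` addresses, the `private` alias, single ports and port ranges) so an operator can see what a torrc policy will and will not exit before reloading the relay. The relay address 203.0.113.7 and the destination 198.51.100.5 are constructed documentation-range addresses standing in for the placeholder, and treating an unmatched destination as accepted is a stated simplification that stands in for Tor appending its built-in default policy (irrelevant for a policy ending in `reject *:*`).

```python
"""Check what a Tor exit policy will and will not exit.

Added example for this thread, not code from Tor or from anyone in the
thread.  It reimplements Tor's first-match exit-policy semantics for
IPv4 so a torrc policy can be tested offline.  Assumptions: the policy
below is the one posted in the thread with the placeholder relay
address replaced by the constructed TEST-NET address 203.0.113.7; a
destination matching no rule counts as accepted, which approximates
Tor appending its built-in default policy.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# IPv4 networks that tor(1) expands for the `private` keyword (and rejects
# on its own when ExitPolicyRejectPrivate is left at its default of 1).
PRIVATE_NETS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
]

# (accept?, network, low_port, high_port)
Rule = Tuple[bool, ipaddress.IPv4Network, int, int]


def parse_ports(spec: str) -> Tuple[int, int]:
    """'*' -> all ports, 'a-b' -> inclusive range, 'n' -> single port."""
    if spec == "*":
        return 1, 65535
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def parse_policy(text: str, relay_ip: Optional[str] = None) -> List[Rule]:
    """Parse torrc-style policy text into an ordered list of rules.

    Accepts an optional leading `ExitPolicy` keyword, comma-separated
    entries on one line, and `#` comments.  `relay_ip`, if given, is
    added to the `private` expansion the way ExitPolicyRejectPrivate
    adds the relay's own address.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("exitpolicy"):
            line = line[len("exitpolicy"):].strip()
        for entry in line.split(","):
            action, _, target = entry.strip().partition(" ")
            if action not in ("accept", "reject"):
                raise ValueError(f"unsupported exit policy entry: {entry!r}")
            target = target.strip()
            addr, ports = (target.rsplit(":", 1) if ":" in target
                           else (target, "*"))
            lo, hi = parse_ports(ports)
            if addr == "*":
                nets = ["0.0.0.0/0"]
            elif addr == "private":
                nets = PRIVATE_NETS + ([relay_ip] if relay_ip else [])
            else:
                nets = [addr]
            for net in nets:
                rules.append((action == "accept",
                              ipaddress.ip_network(net, strict=False), lo, hi))
    return rules


def exit_allowed(rules: List[Rule], dst_ip: str, dst_port: int) -> bool:
    """First matching rule decides, as in Tor."""
    ip = ipaddress.ip_address(dst_ip)
    for accept, net, lo, hi in rules:
        if ip in net and lo <= dst_port <= hi:
            return accept
    return True  # simplification: see module docstring


def check_ports(rules: List[Rule], dst_ip: str,
                ports: List[int]) -> Dict[int, bool]:
    """Map each port to whether traffic to dst_ip:port would exit."""
    return {p: exit_allowed(rules, dst_ip, p) for p in ports}


# The policy from the thread, placeholder replaced by a constructed address.
THREAD_POLICY = """
ExitPolicy reject 0.0.0.0/8:*
ExitPolicy reject 169.254.0.0/16:*
ExitPolicy reject 127.0.0.0/8:*
ExitPolicy reject 192.168.0.0/16:*
ExitPolicy reject 10.0.0.0/8:*
ExitPolicy reject 172.16.0.0/12:*
ExitPolicy reject 203.0.113.7:*
ExitPolicy accept *:22
ExitPolicy accept *:443
ExitPolicy accept *:465
ExitPolicy accept *:563
ExitPolicy accept *:992-995
ExitPolicy reject *:*
"""

if __name__ == "__main__":
    rules = parse_policy(THREAD_POLICY)
    # 25 (SMTP) and 80 (the forum-spam vector in the report) both fall
    # through to the final reject *:*.
    for port, ok in check_ports(rules, "198.51.100.5",
                                [22, 25, 80, 443, 465, 563, 993, 996]).items():
        print(f"port {port:>4}: {'exit' if ok else 'reject'}")
    print("relay's own address:", exit_allowed(rules, "203.0.113.7", 443))
```

Running the script shows that 25 and 80 are both refused by the posted policy, which is why it stops direct SMTP and the HTTP forum posting in the abuse report at the same time; the price is that ordinary port-80 browsing no longer exits either, which is the trade-off the thread is weighing.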