Re: [tor-relays] G-Core Labs and their humanoid robots

Subject: Re: [tor-relays] G-Core Labs and their humanoid robots

From: Tor Relays <torrelaysaregreat@xxxxxxxxx>

Date: Thu, 10 Jun 2021 22:50:34 +0200

Delivery-date: Fri, 11 Jun 2021 02:36:43 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=jfR5dyGoe8bGZvk09eG97NMYKxqRv56o5Bj5sJail3g=; b=JaHTtttdrEiiKq2FV6yBJMojfYP8AqGSDd71fqYA4HGl+oDcVzdnVanAIOoML7gXq0 WKiPi23M5YUt4HR4lgk0SVGHEaa48xRNXDmNydc3D/FdgNVyvZ5N/ctIF6QajjyQQ2Tg OX501yAgk3sU12aMPA2SVCJ2wvTkFmFgCk2/nISF9zm3zUdcw3+8CcbrPW5LOVLQ85Rn UjhopFKD771f10W8JyQe0HsO3LhYKuOlgEGp8IPOJvexWNzIxgFKAmLmAxjdVQA/C7tY yB7Sh/CYFM8GlsuxbMty8m4jfFH+NSAdqfhudQ9DHTqq65gbANarEJ9WSfJ7RqI5tQPz +ggg==

In-reply-to: <20210610043329.GV1232@moria.seul.org>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <CAHTJAwEXak40C11pptO+NuZJujri0b710W4ofoYSSQKA-s7V=w@mail.gmail.com> <20210610043329.GV1232@moria.seul.org>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On Tue, Jun 08, 2021 at 01:56:33PM +0200, Tor Relays wrote:
> Support agent 1:
> It was blocked because automatic monitoring system find your activity
> suspicious.
> Now, trust level of your traffic for IP has been increased however the
> traffic is still automatically monitored. If the system of automatization
> identifies your traffic as illegitimate or if we receive an infringement
> report, we'll have to disable ports once again.

Right, this is the key part of the explanation.

Typically the way these blocklists work is that they run "honey services"
somewhere secret on the internet, often on ports like 80 that are
different from the ones they will apply the blocklist to. And if anybody
connects to their secret honey IP address on port 80, they call them a
likely spammer and refuse to allow emails/etc to their other services
from that address.

And Tor exits are particularly susceptible to getting put on these kind
of blocklists, because all it takes is one person trying to connect to the
honey address, and bam the exit relay's IP address gets on the blocklist.

And the "cross-protocol" nature of the blocking, where they see you do
one protocol and then block you from doing a different protocol, also
does not match well with Tor's notion of exit policies.

I guess that the scale of jerks on the internet is huge compared to what
they imagine is the scale of non-jerks on Tor, and so they have little
incentive to change the design of their honeypot systems. :(

--Roger

This would explain it when the relay in question would be an exit relay, but it is an ordinary relay.

Maybe it impacts your own trust level when you frequently connect to IPs with a bad reputation (e.g. exits).

Or they analyzed too much traffic they don't understand so they mark it "suspicious" and when the trust level falls under some threshold their first line of defense is blocking the SMTP ports and check back later.

Or a silent hack and the server indeed sent emails.

IP address spoofing.

A bug in Tor that allows exiting when it shouldn't.

When they don't provide any information it's only speculation and as a customer you can't do anything but watch and keep up the security level.

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays