
Re: [tor-talk] CloudFlare

> Though I don't think I'd apply a permaban, because whatever IP is bothering you will eventually get pulled at the source before long.
The IP won't eventually be pulled if it's on rdsnet.ro. ;)

In any case, I'm not asking what you would do. I'm telling you what I do. I keep lists of IP ranges whose individual IPs will be permabanned if they fall in that range. I will continue this practice at my hobby sites where I pay for hosting even if you or someone else 'minds the approach'.  My opinion is you can implement your policy at sites you pay for and run. I implement mine at sites I pay for and run.

> Unless their profits come from spam, bribing Russian officials with cracked CC's, etc.
In fact there seem to be plenty of IPs that do not get pulled at the source as a result of hacking, cracking, scraping, trolling or other behaviors someone running a blog or forum might consider ban worthy.
Believe it or not, some anonymizing services who do not take bribes from Russian officials also do not monitor their users and appear to take absolutely no steps to prevent those who try to hack, spam, scrape or fingerprint from using their service.  Can you imagine that?!
Admittedly, the way some of these services work, a specific person scraping, hacking or spamming might have to cycle through a different IP every 10 minutes, but if they are persistent scrapers, they may very well come back on one they used before. There is no guarantee that IP will ever be pulled at the source. In fact, if someone were to complain to the ISP, the person running an exit node might defend the connections on the basis that it's just a TOR node exit, it's not him, he has no control over what goes out and basically, it's not his problem. If the ISP is TOR friendly, they may accept that and not pull the IP.
An IP that has been observed hacking, scraping, spamming and it doesn't get pulled eventually. Can you even imagine such a thing?!?!
TOR aside, I think you are being naive about what happens with particular IPs. Some companies sell cheap shared hosting; that's their business. It's a perfectly legitimate one.  One such service might have a server used by numerous accounts all associated with a particular ip, say A person on one of those accounts could load up a script that permits them to spam, scrape, hack, fingerprint, or set up an open proxy that others could use to spam, scrape, hack, fingerprint or do whatever they prefer. This person would operate a while before complaints rolled in. Then they might get kicked off and move to another company with cheap shared hosting.  Now in principle, is clean. Hurray!
Unfortunately, the company's business still provides cheap shared hosting.  If the hosting company succeeds in keeping other undesirables off, my blog will see zero traffic from that site.   But given their business model, likely as not someone who got kicked off from some other cheap hosting company will sign up and that undesirable person who gets one will load up a script and start hacking, scraping, fingerprinting or setting up an open proxy.   Since the IP is associated with a server whose intended service is to serve pages, not visit other pages, when that IP visits my blog, it's generally going to be traffic I find undesirable.  
Also some dedicated servers provide hosting to scrapers of various sorts. These include seo companies, copyright companies, reputation protection companies and all sorts of other businesses that make a living scraping. Many of those hosts will not cancel a customer account for scraping.  There really is no reason to believe that such IPs will be pulled at the source.  If one wishes to avoid incurring high costs to help these scrapers carry out their business model, one has to ban them.
 If the IP is at a colo facility, a dedicated or cheap hosting service, the most practical thing for a one person hobby blogger to do is ban that IP permanently.  As far as I can see, there is very little lost banning these IPs indefinitely. 
> For example, a year or so ago I tested an English language based predominantly North American, slightly Euro, dating site against Tor. Though they had no stated policy to be sure of it, from my tests it appeared that from English speaking exit countries, Tor worked fine. If I let Tor float or come in via say Brazil, the account would be silently deleted. This led to the belief that they utilized the 'unfathomable' policy. Again, their actual policy is unknown, I could have just been using unlucky IP's.

Brazil? Blocking IPs from Brazil may seem unfathomable to you. It's not unfathomable to me!  I've blocked the entire country of Brazil from time to time using Cloudflare's convenient system that lets me block countries. It took a while to find which of the ranges were the really bad ones; once I did, I blocked those and let the rest of Brazil in.
With respect to your issue with the dating service:  Brazil is hard to deal with, contains many dirty scraper, googlebot spoofing ranges. If TOR floats to Brazil, it's likely to hit a range I regularly ban and I wouldn't be at all surprised if some businesses ban the same range. 

> Again, their actual policy is unknown, I could have just been using unlucky IP's.
If you were a customer with a paying account and they cancelled you for reasons that were not stated in the contract, you should request a refund. If you forked over money with no contract: more fool you.  Assuming they did have a contract, when you ask for a refund, they might point to their policy and tell you which policy you violated or refund your money. That seems like a straightforward business issue that could be resolved by discussing the matter with them. 

If this was a free dating service, it seems to me you have no recourse. On the other hand, you also haven't been injured. Just find another service.  

> Further, people find dating hard enough without having their employer or landlord snooping on how many kids they want, and whoever else generally reading/storing/selling their personal bits. These sites need to respect that.

No, these sites aren't *required* to respect that. They are businesses involved in helping people find dates. They haven't represented themselves as services who will prevent your landlord or employer from snooping on you or trying to learn how many kids you want.

In the dating business, dating sites put  parties in contact. These businesses have a perfect right and  possibly a fiduciary responsibility to balance the concerns of some customers who might be concerned about their physical safety if their date turns out to be  'The Craigslist Killer',  a con artist after their money  or just married against the desire of another customer who wishes to conceal the fact they are wasting company time visiting dating sites from their employer.    

When weighing the needs, desires or rights of paying customers, or deciding what sort of service to provide, the owner and operator of a dating site also has a perfect right to balance any financial loss associated with losing customers who will only join if they can use TOR against those who won't join the service if the dating company permits potential dates to be totally anonymous and untraceable.

(FWIW: I would suggest that if you are concerned your employer's snooping might reveal your visiting a dating site using company time or resources that you refrain from visiting dating sites during company time.)

> Part of which is to fully and properly enable HTTPS on their servers and to permit their users to come from Tor.
Or maybe what they should do is block TOR entirely so they can improve the odds of tracing a customer if another one turns up sliced and diced after a date arranged on the dating service?  

The dating service is a dating service. If the features they offer don't satisfy your requirements, seek another one.  If that service isn't TOR friendly, you should certainly share that information with others who want to find a TOR friendly service. But many people won't care, and a dating business isn't required to provide that feature. (Restaurants aren't required to provide tiramisu on their dessert menus either.  If they don't, tiramisu loving diners will eat elsewhere, but so be it.)
tor-talk mailing list