Re: Connections to botnet masters

K.N.(tor-admin@xxxxxxxxxxxxxxxxxxxxxxxxx)@Mon, Aug 27, 2007 at 02:42:04PM +0200:
> Hi
> this exit-node problem you may have with Google and some DNSBL (SORBS
> and others?) too. Your exit node contacts several IRC channels. That is
> why your node is listed as "trojan hacked".
> Some time ago we had a thread about SORBS and many exit nodes were
> listed in this DNSBL with the attribute "trojan hacked". Conclusion of
> the thread was: "They have no glue!"
> Google sometimes does not work with several exit nodes and gives you the
> message "You may have a virus or malware, please clean your computer!"
> (or something like that).
> I have changed the exit policy of my node and now it is no longer
> listed in SORBS and works fine with Google. Maybe this is not a good
> solution. Any other suggestions?

I've butted heads with SORBS a few times in the past (something about
running Tor on a mail server...) and have come up with this:

* Block outgoing IRC traffic.  This sucks, but allowing it will get you
  listed time and time again.  My blocking rules for that are below.

* If you get listed, use the webpage unblock form.  Then go onto the IRC
  server and talk to someone.  Don't wait for them to do it, they might
  not.  Preferably, keep talking to people until you get someone who can
  unlist you.

* When you get unlisted, immediately send notes to anyone who blocked your
  email telling them to fix their shit.  Seriously.  postmaster@(each
  domain) gets a form letter from me.

IRC blocking rules:
ExitPolicy reject *:6660-6670 # IRC
ExitPolicy reject *:7000-7001 # IRC
ExitPolicy reject *:7026 # IRC
ExitPolicy reject *:7777 # IRC
ExitPolicy reject *:8000 # IRC
ExitPolicy reject *:9999 # IRC

I'm sure that this doesn't cover everything, and that there is collateral
damage from this block, but it seems to work for me.

Good luck!

Bill Weiss
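
An added example, not part of the message above: a small Python checker that parses the six ExitPolicy lines from the post and reports, using Tor's first-match-wins rule order, which destination ports they reject. It handles only the `*` address pattern used in the post; a result of None means no listed rule matched, so the decision falls to whatever rules follow in torrc or to Tor's default exit policy. The probe ports in the demo are constructed samples.

```python
import re

# The six rules from the post above, copied verbatim.
TORRC = """\
ExitPolicy reject *:6660-6670 # IRC
ExitPolicy reject *:7000-7001 # IRC
ExitPolicy reject *:7026 # IRC
ExitPolicy reject *:7777 # IRC
ExitPolicy reject *:8000 # IRC
ExitPolicy reject *:9999 # IRC
"""

RULE = re.compile(r"^ExitPolicy\s+(accept|reject)\s+\*:(\*|\d+(?:-\d+)?)\s*(?:#.*)?$")

def parse_policy(text):
    """Return [(action, low_port, high_port)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        action, ports = m.groups()
        if ports == "*":
            low, high = 1, 65535
        else:
            first, _, last = ports.partition("-")
            low, high = int(first), int(last or first)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {line!r}")
        rules.append((action, low, high))
    return rules

def decide(rules, port):
    """First matching rule wins; None means no listed rule matched."""
    for action, low, high in rules:
        if low <= port <= high:
            return action
    return None

def rejected_ports(rules):
    return [p for p in range(1, 65536) if decide(rules, p) == "reject"]

if __name__ == "__main__":
    rules = parse_policy(TORRC)
    for port in (6667, 6697, 7000, 8000, 443):  # constructed sample ports
        print(port, decide(rules, port) or "no match (later rules / default policy)")
```

Running it shows that 6697, the port commonly used for IRC over TLS, is not matched by these rules, and that 8000 is rejected regardless of what service is actually behind it.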
