[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] [Need quick help] 30+ mbps node taken down by host



From: Name Withheld <survivd@xxxxxxxxx>

To: tor-talk@xxxxxxxxxxxxxxxxxxxx 
>Sent: Wednesday, July 4, 2012 12:36 PM
>Subject: Re: [tor-talk] [Need quick help] 30+ mbps node taken down by host
> 
>Thank you for the response. Unfortunately, it looks like this might be 
>an impossible problem to solve, since they followed it up and said it's 
>forum spam and hack attempts, not just email spam.  Basically, my node 
>is pushing more traffic than most, so it's getting more abuse, faster 
>(even though this is a tiny percentage of the overall traffic).
>
>Here's what they sent me from their upstream provider:
>
>
>
>----------------------------------------------------------------------
>The first email came in for a hack attempt from your IP:
>Dear Sir/Madam,
>We noticed something that resembles a RIP attempt from one of your IP 
>addresses. Our system temporarily blocked the IP address. Please, 
>contact the respective user.
>In case that there is a need for UPSTREAM content download, they can 
>register and make use of our legal (xml) download interface ]UPSTREAM URL].
>In case that the IP is used for search engine crawling, the user can 
>inform us to whitelist the respective IP addresss.
>
>52 requests during period Fri Jun 22 02:14:01 2012 - Fri Jun 22 02:15:01 
>2012 (GMT +1)
>was denied at Fri Jun 22 02:15:01 2012 (GMT +1)
>user-agent: Mozilla/5.0 (X11; U; Linux x86_64; fr-FR) AppleWebKit/534.7 
>(KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7
>
>Kind regards,
>Open UPSTREAM Team
>----------------------------------------------------------------------
>
>----------------------------------------------------------------------
>The second and all following emails (4 emails in total) came in for spam,
>StopForumSpam report for ASN16265 (as of
>25 Jan 2011)
>
>IP Number XX.XX.XXX.XXX Link
>
>Last seen at 22-Jun-12 04:06:45 Fri
>IP reported 31 times (by 2 different sites) in the
>last 24 hours
>IP seen 34 times in the last month
>
>Usernames seen from this IP
>24H 1month Username
>1 1 Eirena
>1 1 Sheehan
>1 2 Rafu
>1 1 Barnabas
>1 1 Rowland
>1 1 Parvati
>2 2 Chelsia
>1 5 Gwen
>1 1 Rudi
>1 1 Etienette
>1 1 Erianthe
>1 1 Alzena
>1 1 Starveling
>1 3 Althea
>1 4 Brayden
>1 1 Carlen
>1 2 Armorel
>1 3 Brennan
>3 3 Kinga
>1 1 Rarna
>3 9 Richard
>1 1 Rendor
>1 3 Stanton
>1 1 Enola
>1 1 Pankhudi
>1 1 Bhrigu
>1 1 Astrea
>1 3 Pebbles
>2 3 Sage
>1 10 Ella
>1 1 Brodny
>
>Emails seen from this IP
>24H 1month Username
>4 27 e22@xxxxxxxxxxxxxxx
>3 19 e32@xxxxxxxxxxxxxxx
>4 22 e34@xxxxxxxxxxxxxxx
>2 21 e27@xxxxxxxxxxxxxxx
>2 22 e18@xxxxxxxxxxxxxxx
>4 25 e26@xxxxxxxxxxxxxxx
>3 18 e16@xxxxxxxxxxxxxxx
>5 22 e20@xxxxxxxxxxxxxxx
>3 23 e19@xxxxxxxxxxxxxxx
>3 21 e35@xxxxxxxxxxxxxxx
>2 22 e33@xxxxxxxxxxxxxxx
>2 22 e25@xxxxxxxxxxxxxxx
>2 20 e31@xxxxxxxxxxxxxxx
>4 28 e21@xxxxxxxxxxxxxxx
>2 21 e29@xxxxxxxxxxxxxxx
>4 23 e28@xxxxxxxxxxxxxxx
>4 21 e24@xxxxxxxxxxxxxxx
>3 19 e30@xxxxxxxxxxxxxxx
>4 26 e17@xxxxxxxxxxxxxxx
>
>
>
>Since the forum spam is all over http, I'm not sure there's anything I 
>can do without crippling it for other users.  Any ideas?
>
>Thank you again.
>
>
>
>
>
>On 7/3/2012 9:29 PM, morphium wrote:
>> Hi,
>>
>> you are right, SMTP is blocked by default. But people can i.e. access
>> hotmail.com via webinterface (where your IP is then put into the mail
>> as originating IP aswell) or use SMTP on secure ports (but that mostly
>> comes with authentication, I guess).
>>
>> You should ask your provider to get the mail headers of the spam, to
>> see how exactly it was done, and then maybe block i.e. exit to the
>> hotmail IPs, if it was sent via hotmail webinterface (to show them you
>> are doing something).
>>
>> Best regards!
>> morphium
>>
>> 2012/7/4 Name Withheld <survivd@xxxxxxxxx>:
>>> Hello,
>>>
>>> My VPS fast tor exit got taken down by the host today for sending spam
>>> emails. Apparently the upstream provider complained to them about it. I
>>> thought SMTP was supposed to be disabled by default in the tor config, but
>>> apparently my node was sending stuff through (even though I didn't do
>>> anything to change the default setting for that).
>>>
>>> The host is going to give me a chance to see if I can block it, but if I
>>> can't get the spam to stop, they're going to make me kill the node. I prefer
>>> not to do this kind of thing, but since it's their house, it's their rules.
>>>
>>> Can someone please tell me precisely (what file, what entry) how to
>>> configure:
>>>
>>> 1) Tor to block smtp
>>>
>>> 2) Local machine to block smtp egress
>>>
>>> 3) Any other possible way to detect/filter outgoing mail Thank you very much
>>>
>>>
>>>
>>> _______________________________________________
>>> tor-talk mailing list
>>> tor-talk@xxxxxxxxxxxxxxxxxxxx
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
>>
>
>_______________________________________________
>tor-talk mailing list
>tor-talk@xxxxxxxxxxxxxxxxxxxx
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
>
>

This is likely a recurring problem. See this tor-talk thread:

https://lists.torproject.org/pipermail/tor-talk/2011-September/021446.html

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk