Re: tor block list

[Valient Gough <vgough@xxxxxxxxx>]

Brian Bruns wrote:
> > > If you are blocking TOR nodes primarily for IRC users, then you
> > > should be aware the TOR nodes are individually configurable as to
> > > which destinations they allow.  Some TOR nodes don't allow *any*
> > > outgoing traffic -- they only act as middlemen between other TOR
> > > nodes.
> > >
> > >      
> Yes, I am aware of the ability to restrict what traffic the nodes
> allow.
>
> We actually have more then just IRC users using this right now - we've
> got a prototype setup with a Usenet server, as well several web hosts
> restricting certain web pages/sites with the list (for things like
> whois lookups, SSL transactions), which is why it lists all nodes and
> not just some (each list we load into our servers uses up resources,
> so we try to limit our lists as specifically as we can).
>  
Then still you gain nothing by blocking tor nodes which do not allow any 
outgoing connections.  There should be no technical reason to block 
hosts with no exitpoints.   That should be easy to fix, and it doesn't 
require separate lists.

> Its up to the users themselves to figure out how to properly use the
> list.  However, I will personally yell at any individual who uses this
> list for SMTP blocking, since it is bound to cause false positives.
>  
I'd say it is guaranteed to cause false positives the way it is now.  
100% false positives for SMTP as of a couple hours ago when I last 
checked -- there were a total of 0 tor nodes that allowed exit to SMTP 
ports.

> On the flip side, anyone who runs this kind of service on a server
> that does other things like SMTP, needs to honestly reevaluate this
> choice, as it is guaranteed to cause problems with the other services
> once abuse starts spewing from the node.
>  
This kind of service..  Sounds like an evil group.  Maybe we could call 
them 'red commie bastard' servers for greater effect.  Tor and SMTP are 
entirely separate, even if they come from the same IP address.

On the flip side of that flip side, I don't envy your job, because 
services which provide blocking lists are tasked with a job of not 
producing false positives, just like my spam filter.  Sure, it would be 
easier if you never had to fine-tune blocking -- you could do like a 
certain company and block all of Europe..  But just like my spam filter, 
false positives tend to upset customers, and I know that if my spam 
filter starts dropping mail from my friends, I do something about it, 
including finding something better.
> I have nothing against TOR
> itself - its a nifty idea, but its already started causing me stress
> from dealing with the abuse on irc.
>  
I had a talk with someone from one of the IRC servers recently because 
they were getting unwanted traffic from my tor server as an endpoint.  
The person reporting the problem had suggested that I block IRC ports or 
else my server would get blocked by his network.  But the way I see it 
is that there are hundreds of IRC networks, and blocking access to all 
IRC ports would be dumbing down the connection options to whatever the 
least tolerant network wanted.  I'd rather see my node blocked by IRC 
networks that don't want anonymous traffic, because I expect that there 
will be some that do allow it!

So, I have nothing against some networks blocking IRC connections from 
tor nodes with IRC exitpoints, like mine.  But if my server's other 
connections are wrongfully blocked, then I'll try to educate the users 
on finding better solutions.  That's why I think it is in both of our 
interests to have your lists used for the right purpose. 

regards,
Valient