Re: tor block list
Brian Bruns wrote:
Then still you gain nothing by blocking tor nodes which do not allow any
outgoing connections. There should be no technical reason to block
hosts with no exitpoints. That should be easy to fix, and it doesn't
require separate lists.
If you are blocking TOR nodes primarily for IRC users, then you
should be aware the TOR nodes are individually configurable as to
which destinations they allow. Some TOR nodes don't allow *any*
outgoing traffic -- they only act as middlemen between other TOR
Yes, I am aware of the ability to restrict what traffic the nodes
We actually have more than just IRC users using this right now - we've
got a prototype setup with a Usenet server, as well as several web hosts
restricting certain web pages/sites with the list (for things like
whois lookups, SSL transactions), which is why it lists all nodes and
not just some (each list we load into our servers uses up resources,
so we try to limit our lists as specifically as we can).
It's up to the users themselves to figure out how to properly use the
I'd say it is guaranteed to cause false positives the way it is now.
100% false positives for SMTP as of a couple hours ago when I last
checked -- there were a total of 0 tor nodes that allowed exit to SMTP
list. However, I will personally yell at any individual who uses this
list for SMTP blocking, since it is bound to cause false positives.
On the flip side, anyone who runs this kind of service on a server
This kind of service.. Sounds like an evil group. Maybe we could call
them 'red commie bastard' servers for greater effect. Tor and SMTP are
entirely separate, even if they come from the same IP address.
that does other things like SMTP, needs to honestly reevaluate this
choice, as it is guaranteed to cause problems with the other services
once abuse starts spewing from the node.
On the flip side of that flip side, I don't envy your job, because
services which provide blocking lists are tasked with a job of not
producing false positives, just like my spam filter. Sure, it would be
easier if you never had to fine-tune blocking -- you could do like a
certain company and block all of Europe.. But just like my spam filter,
false positives tend to upset customers, and I know that if my spam
filter starts dropping mail from my friends, I do something about it,
including finding something better.
I have nothing against TOR
I had a talk with someone from one of the IRC servers recently because
they were getting unwanted traffic from my tor server as an endpoint.
The person reporting the problem had suggested that I block IRC ports or
else my server would get blocked by his network. But the way I see it
is that there are hundreds of IRC networks, and blocking access to all
IRC ports would be dumbing down the connection options to whatever the
least tolerant network wanted. I'd rather see my node blocked by IRC
networks that don't want anonymous traffic, because I expect that there
will be some that do allow it!
itself - it's a nifty idea, but it's already started causing me stress
from dealing with the abuse on irc.
So, I have nothing against some networks blocking IRC connections from
tor nodes with IRC exitpoints, like mine. But if my server's other
connections are wrongfully blocked, then I'll try to educate the users
on finding better solutions. That's why I think it is in both of our
interests to have your lists used for the right purpose.
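
The point argued in this thread, that a block list for a service should contain only relays whose exit policy can reach that service, as an added example (not code from either poster or from the Tor project). The relay addresses and policies are constructed samples, and the rule syntax assumed is `accept|reject ADDR[/MASK]:PORT[-PORT]` for IPv4 only.

```python
import ipaddress

# Constructed sample data: relay address -> exit policy lines (documentation IP ranges).
RELAYS = {
    "192.0.2.10": ["reject *:*"],                                       # middleman only
    "192.0.2.20": ["reject *:25", "accept *:6660-6667", "reject *:*"],  # IRC exit
    "192.0.2.30": ["reject 203.0.113.0/24:*", "accept *:80",
                   "accept *:443", "reject *:*"],                       # web exit
}

def parse_rule(line):
    """Parse one policy line into (allow, network_or_None, low_port, high_port)."""
    action, _, pattern = line.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError("unknown policy action: %r" % line)
    addr, _, ports = pattern.strip().rpartition(":")
    # "*" means any address; strict=False tolerates host bits set under the mask.
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        low, high = 1, 65535
    else:
        first, _, last = ports.partition("-")
        low, high = int(first), int(last or first)
    return action == "accept", net, low, high

def allows_exit(policy, dest_ip, port):
    """First matching rule wins. Assumption: a policy with no matching rule accepts."""
    ip = ipaddress.ip_address(dest_ip)
    for line in policy:
        allow, net, low, high = parse_rule(line)
        if (net is None or ip in net) and low <= port <= high:
            return allow
    return True

def blocklist_for(relays, dest_ip, port):
    """Relays that can actually deliver traffic to dest_ip:port, and no others."""
    return sorted(addr for addr, policy in relays.items()
                  if allows_exit(policy, dest_ip, port))

if __name__ == "__main__":
    service_ip = "203.0.113.5"  # constructed address of the server being protected
    for name, port in (("IRC", 6667), ("SMTP", 25), ("HTTP", 80)):
        print(name, blocklist_for(RELAYS, service_ip, port))
```

With this sample data the SMTP list is empty and the middleman relay appears in no list, so a mail server consulting it would not reject anything on Tor grounds.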