Re: [tor-talk] [Need quick help] 30+ mbps node taken down by host

Thank you for the response. Unfortunately, it looks like this might be an impossible problem to solve, since they followed it up and said it's forum spam and hack attempts, not just email spam. Basically, my node is pushing more traffic than most, so it's getting more abuse, faster (even though this is a tiny percentage of the overall traffic).

Here's what they sent me from their upstream provider:

The first email came in for a hack attempt from your IP:
Dear Sir/Madam,
We noticed something that resembles a RIP attempt from one of your IP addresses. Our system temporarily blocked the IP address. Please, contact the respective user. In case that there is a need for UPSTREAM content download, they can register and make use of our legal (xml) download interface [UPSTREAM URL]. In case that the IP is used for search engine crawling, the user can inform us to whitelist the respective IP address.

52 requests during period Fri Jun 22 02:14:01 2012 - Fri Jun 22 02:15:01 2012 (GMT +1)
was denied at Fri Jun 22 02:15:01 2012 (GMT +1)
user-agent: Mozilla/5.0 (X11; U; Linux x86_64; fr-FR) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7

Kind regards,

The second and all following emails (4 emails in total) came in for spam,
StopForumSpam report for ASN16265 (as of 25 Jan 2011)

IP Number XX.XX.XXX.XXX Link

Last seen at 22-Jun-12 04:06:45 Fri
IP reported 31 times (by 2 different sites) in the last 24 hours
IP seen 34 times in the last month

Usernames seen from this IP
24H 1month Username
1 1 Eirena
1 1 Sheehan
1 2 Rafu
1 1 Barnabas
1 1 Rowland
1 1 Parvati
2 2 Chelsia
1 5 Gwen
1 1 Rudi
1 1 Etienette
1 1 Erianthe
1 1 Alzena
1 1 Starveling
1 3 Althea
1 4 Brayden
1 1 Carlen
1 2 Armorel
1 3 Brennan
3 3 Kinga
1 1 Rarna
3 9 Richard
1 1 Rendor
1 3 Stanton
1 1 Enola
1 1 Pankhudi
1 1 Bhrigu
1 1 Astrea
1 3 Pebbles
2 3 Sage
1 10 Ella
1 1 Brodny

Emails seen from this IP
24H 1month Username
4 27 e22@xxxxxxxxxxxxxxx
3 19 e32@xxxxxxxxxxxxxxx
4 22 e34@xxxxxxxxxxxxxxx
2 21 e27@xxxxxxxxxxxxxxx
2 22 e18@xxxxxxxxxxxxxxx
4 25 e26@xxxxxxxxxxxxxxx
3 18 e16@xxxxxxxxxxxxxxx
5 22 e20@xxxxxxxxxxxxxxx
3 23 e19@xxxxxxxxxxxxxxx
3 21 e35@xxxxxxxxxxxxxxx
2 22 e33@xxxxxxxxxxxxxxx
2 22 e25@xxxxxxxxxxxxxxx
2 20 e31@xxxxxxxxxxxxxxx
4 28 e21@xxxxxxxxxxxxxxx
2 21 e29@xxxxxxxxxxxxxxx
4 23 e28@xxxxxxxxxxxxxxx
4 21 e24@xxxxxxxxxxxxxxx
3 19 e30@xxxxxxxxxxxxxxx
4 26 e17@xxxxxxxxxxxxxxx

Since the forum spam is all over http, I'm not sure there's anything I can do without crippling it for other users. Any ideas?

Thank you again.

On 7/3/2012 9:29 PM, morphium wrote:

You are right, SMTP is blocked by default. But people can i.e. access
hotmail.com via web interface (where your IP is then put into the mail
as originating IP as well) or use SMTP on secure ports (but that mostly
comes with authentication, I guess).

You should ask your provider to get the mail headers of the spam, to
see how exactly it was done, and then maybe block i.e. exit to the
hotmail IPs, if it was sent via hotmail webinterface (to show them you
are doing something).

Best regards!

2012/7/4 Name Withheld <survivd@xxxxxxxxx>:

My VPS fast tor exit got taken down by the host today for sending spam
emails. Apparently the upstream provider complained to them about it. I
thought SMTP was supposed to be disabled by default in the tor config, but
apparently my node was sending stuff through (even though I didn't do
anything to change the default setting for that).

The host is going to give me a chance to see if I can block it, but if I
can't get the spam to stop, they're going to make me kill the node. I prefer
not to do this kind of thing, but since it's their house, it's their rules.

Can someone please tell me precisely (what file, what entry) how to

1) Tor to block smtp

2) Local machine to block smtp egress

3) Any other possible way to detect/filter outgoing mail

Thank you very much
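Added example, not from this thread or from the Tor project: a small Python model of how Tor evaluates ExitPolicy lines, illustrating the two points the replies above make: the built-in default policy rejects port 25 but leaves webmail (80/443) and the submission ports (465/587) open, and tightening means adding `reject` lines ahead of the default. The torrc fragment is constructed; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges standing in for whatever destination an abuse report names. The rule list is an assumption about the relay's configuration, not a statement about any real provider, and the host-level egress filter (question 2) is a separate firewall matter not modelled here.

```python
import ipaddress

# Tor's built-in default exit policy, which Tor appends after any ExitPolicy
# lines from torrc. Port 25 is rejected out of the box; webmail (80/443) and
# the mail submission ports (465/587) are not.
TOR_DEFAULT_EXIT_POLICY = """
reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563,
reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699,
reject *:6881-6999, accept *:*
"""

# Constructed torrc fragment for a tightened relay (assumption, not real config).
# 192.0.2.0/24 is an RFC 5737 documentation range used as a placeholder for a
# destination named in an abuse report; it is not a real provider's address space.
TIGHTENED_TORRC = """
ExitPolicy reject *:25               # SMTP
ExitPolicy reject *:465              # SMTPS
ExitPolicy reject *:587              # submission
ExitPolicy reject 192.0.2.0/24:*     # placeholder destination from the report
ExitPolicy accept *:*
"""


def parse_policy(text):
    """Turn ExitPolicy text into an ordered list of (accept, network, lo_port, hi_port).

    Handles the torrc form ("ExitPolicy reject *:25, reject *:119") and bare
    policy lines; '#' starts a comment. IPv4 patterns only (assumption).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("ExitPolicy"):
            line = line[len("ExitPolicy"):]
        for entry in line.split(","):
            entry = entry.strip()
            if not entry:
                continue
            action, pattern = entry.split(None, 1)
            if action not in ("accept", "reject"):
                raise ValueError(f"bad exit policy action: {entry!r}")
            addr_s, port_s = pattern.rsplit(":", 1)
            net = (ipaddress.ip_network("0.0.0.0/0") if addr_s == "*"
                   else ipaddress.ip_network(addr_s, strict=False))
            if port_s == "*":
                lo, hi = 1, 65535
            elif "-" in port_s:
                lo, hi = (int(p) for p in port_s.split("-", 1))
            else:
                lo = hi = int(port_s)
            rules.append((action == "accept", net, lo, hi))
    return rules


def effective_policy(torrc_text=""):
    """What the relay enforces: the operator's lines first, then Tor's default."""
    return parse_policy(torrc_text) + parse_policy(TOR_DEFAULT_EXIT_POLICY)


def exit_allowed(rules, ip, port):
    """First matching rule wins, which is how Tor evaluates exit policies."""
    addr = ipaddress.ip_address(ip)
    for accept, net, lo, hi in rules:
        if addr in net and lo <= port <= hi:
            return accept
    # No rule matched. This cannot happen once the default policy is appended,
    # because it ends with "accept *:*"; kept so bare rule lists behave sanely.
    return True


def audit(rules, destinations):
    """Map each (ip, port) destination to whether exit traffic may reach it."""
    return {(ip, port): exit_allowed(rules, ip, port) for ip, port in destinations}


if __name__ == "__main__":
    # Constructed probe destinations (documentation addresses).
    probes = [("198.51.100.10", 25), ("198.51.100.10", 587),
              ("198.51.100.10", 443), ("192.0.2.7", 443)]
    print("default policy :", audit(effective_policy(), probes))
    print("tightened      :", audit(effective_policy(TIGHTENED_TORRC), probes))
    # Ordering pitfall: an accept-all line placed first makes every later reject dead.
    print("misordered     :", audit(parse_policy("accept *:*, reject *:25"), probes))
```

On a real relay the `ExitPolicy` lines go into torrc and Tor is reloaded; this script only models the evaluation and does not talk to a running Tor. The run shows the trade-off the thread is circling: rejecting 465/587 costs legitimate authenticated-submission users, and webmail over 443 cannot be told apart from any other HTTPS traffic, so the only policy-level lever against it is rejecting the provider's address range, which is what the placeholder `reject 192.0.2.0/24:*` line stands for.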

