The most reasonable suggestion I heard for determining a default exit policy is the eating-our-own-dogfood metric. Is there a way to compile some statistics on the percent of running tor routers that allow a given port to exit? Canonicalizing existing practice is probably a good place to start.
I whipped up a small script last month when I got some complaints about IRC abuse. I wanted to find out how many tor exit points there were for :6667. I think I posted it at one point, but since it is a small script I'll attach it again. It only looks for accept/reject lines which match all networks (the form '[accept|reject] \*:(\d+)-?(\d+)?').
As a bit of an aside, how can exit policy defend against abuse of google groups? Seems this is all port 80 and would require digging into the application layer (I would be strongly opposed to interfering with anonymity in google searches). It seems this has probably been discussed so I should probably just go Read The Fine Archives :)
The only two sources of complaints that I've had so far have been from IRC abuse and from usenet abuse via google. The IRC networks seem to have figured out ways to deal with Tor users, although I was intending to allow IRC exit points anyway because there are many IRC networks, and some may still accept anonymous connections.
For the google problem, I've been blocking by address rather than by port. So I've blocked a large range of google addresses which contained the groups.google.com IPs. But I just checked now and it looks like groups.google.com maps into a new set of addresses than last month, so looks like I may just keep adding more of google's IP range(s) to my reject lines.
Sigh... I guess being on blacklists isn't so bad though. One thing I've noticed though is that I get a lot more worms/zombies trying to use my web server as a proxy. They must assume that because I am on a particular blacklist that my web server allows proxying. Amusing in a way, but it was causing my firewall logs to grow rapidly (which showed up as a secondary effect on my server's temperature log from extra disk IO). So it is official, tor contributes to global warming :-)
I remember hearing someone talk about asking their google friends what they were going to do about anonymous abuse, but that's the last I heard.
Valient
#!/usr/bin/perl -w
use strict;

# first (and only) argument should be a port number to look for
my $testPort = $ARGV[0] || die "Usage: tor-exitpoint <port number>\n";

# fetch tor server list from server, cache locally to be nice...
my $cache = ".tor-policies";
my $cacheExpiration = 60*60;   # refetch after one hour
if((! -f $cache) || (stat($cache))[9] + $cacheExpiration < time()) {
    print "Fetching aggregate tor policy file.\n";
    system "wget -q http://tor.noreply.org:9030/ -O - > $cache";
}

# parse rules for each server.. exit policies are first-match, so we
# report the first accept/reject line that covers the port and then
# stop looking until the next "router" line.
my $routerName;
my $routerIP;
my $findPort = 0;
open(TOR,$cache) || die "can't open cache file: $!";
while(<TOR>) {
    chomp;
    if(m#^router\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)#) {
        # found router line: "router <nickname> <ip> ..."
        $routerName = $1;
        $routerIP = $2;
        $findPort = 1;
    } elsif($findPort && m#^(reject|accept)\s+\*:(\d+|\*)-?(\d+)?# ) {
        # only "*:" (all networks) rules are considered; address-specific
        # rules like "reject 10.0.0.0/8:*" are skipped
        my $type = $1;
        my $startport = $2;
        my $endport = $3 || $2;   # single port unless a range was given
        if($startport eq "*" || ( $startport <= $testPort && $endport >= $testPort )) {
            print "$routerName ($routerIP) " . $type . "s $testPort ($_)\n";
            $findPort = 0;
        }
    }
}
close(TOR);
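Following on from the "percent of running routers that allow a given port" question and the attached script: the example below is an added illustration, not Valient's script and not code from the Tor project. It parses a constructed directory excerpt in the same "router ..." / "accept|reject addr:port" layout, evaluates each exit policy with first-match semantics, and reports how many routers would let a port exit. Unlike the perl script it can also honour address-specific rules (bare IPs or CIDR blocks) when you give it a destination address; with no destination it behaves like the script and looks only at "*:" rules. The router names and addresses are made up, and treating a policy with no matching rule as an accept is an assumption about Tor's implicit trailing accept.

```python
import ipaddress
import re

# Constructed sample in the old Tor directory layout; these relays are not real.
SAMPLE_DIRECTORY = """\
router alpha 10.0.0.1 9001 0 9030
accept *:80
accept *:443
reject *:*
router bravo 10.0.0.2 9001 0 9030
reject 0.0.0.0/8:*
reject 10.0.0.0/8:*
accept *:6660-6669
reject *:*
router charlie 10.0.0.3 9001 0 9030
reject *:6667
accept *:*
router delta 10.0.0.4 9001 0 9030
reject *:*
"""

ROUTER_RE = re.compile(r'^router\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b')
RULE_RE = re.compile(r'^(accept|reject)\s+(\S+):(\*|\d+)(?:-(\d+))?\s*$')


def parse_directory(text):
    """Return one {"name", "ip", "policy"} dict per router line.

    policy is a list of (action, address_pattern, (low_port, high_port)) kept
    in file order, because exit policies are evaluated first-match."""
    routers = []
    current = None
    for line in text.splitlines():
        m = ROUTER_RE.match(line)
        if m:
            current = {"name": m.group(1), "ip": m.group(2), "policy": []}
            routers.append(current)
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            action, addr, low, high = m.groups()
            ports = (1, 65535) if low == "*" else (int(low), int(high or low))
            current["policy"].append((action, addr, ports))
    return routers


def address_matches(pattern, dest_ip):
    """True if dest_ip falls inside pattern ('*', a bare IP, or a CIDR block)."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(dest_ip) in ipaddress.ip_network(pattern, strict=False)


def exit_allowed(policy, port, dest_ip=None):
    """Evaluate one policy for a port, optionally for a specific destination.

    dest_ip=None reproduces the posted script's view: only '*' address rules
    count.  With a real address, CIDR rules are honoured as well.  Returning
    True when nothing matches mirrors Tor's implicit accept at the end of a
    policy (assumption, see lead-in)."""
    for action, addr, (low, high) in policy:
        if not (low <= port <= high):
            continue
        if dest_ip is None:
            if addr != "*":
                continue
        elif not address_matches(addr, dest_ip):
            continue
        return action == "accept"
    return True


def exit_stats(routers, port, dest_ip=None):
    """Return (names of routers allowing the exit, percent of all routers)."""
    allowing = [r["name"] for r in routers if exit_allowed(r["policy"], port, dest_ip)]
    percent = 100.0 * len(allowing) / len(routers) if routers else 0.0
    return allowing, percent


if __name__ == "__main__":
    routers = parse_directory(SAMPLE_DIRECTORY)
    for port in (80, 6667):
        names, pct = exit_stats(routers, port)
        print(f"port {port}: {len(names)}/{len(routers)} routers allow exit "
              f"({pct:.0f}%): {names}")
```

Run against a real cached directory by replacing SAMPLE_DIRECTORY with the file contents; the dest_ip argument is what makes the difference for cases like the groups.google.com blocks above, where a router accepts the port in general but rejects it for particular address ranges.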