[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Analyzing TOR-exitnodes for anomalies



Ive got this strange behavior also now several times when using tor. Always there is a redirect with "landing.domainsponsor.com" wich have the registrar Oversee.net .

A self-description of that company:
"Oversee.net is a technology-driven media company that delivers innovative advertising solutions in the search (information.com), display advertising (revenue.net), and lead generation (low.com) and (degrees.com) segments. Oversee.net is also emerging as the pioneer of next-generation consumer properties. "


I looks like they have found strange ways for advertising.

The exitnodes wich connect to domainsponsor.com are always locate in US (all US nodes I have seen are located in texas or US without a more exact description). One Time the exit node was located in DK.

Ive got "url not found" messages with every DE and UK nodes I have tried.

hmm. I think this is a problem with some dns-server on second/third level wich make a link to that domainsponsor.com when they are asked for a not registered url. Is it possible?


much fun Bernd



Am 06.10.2006 um 21:06 schrieb Claude LaFrenière:

Hi  *Robert Hogan*   :

On Friday 06 October 2006 19:21, Robert Hogan wrote:
Hmmm... I had this problem with Whistlemother exit node and this site:
http://www.iamaphex.net with the same
"frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com "blah blah blah"
filter ... =SUSPECTED+UNDESIRABLE+BOT"

i have the same experience using whistlersmother for the same site.

And I have the same experience with practically every other exit node I try
for this site. So whistlersmother is not the problem...

Hmmm...

Personnaly I don't believed that Whistlemother (or any other nodes)
are responsible for this... It looks like web server filter or DNS server
filter...


But now how to explain the same behaviour with
a web site like  http://www.iamaphex.net
and
a web site like hotmail.com ???

They don't share the same web hosting service...

Is this a new "filter" for Web sites or Web Hosting ?

An other question:
How this "filter" spot a Tor exit like Whistlemother?

I guess it's based on the IP address of this exit node.
(Or the browser referer sent to the web site... ??? )

Since no exit nodes have a control on what is doing by Tor users, Is it
possible that some bad guys had used Tor for "unacceptable" things and
put the Whistlemother Ip address into a "black list" of this hypothetical
"filter" ???


One way to check this is to compare exit nodes with a fixed IP address
with the exit nodes with a dynamic Ip address and if this make a
difference.

If an exit node with a dynamic IP address is not spoted as a bad IP in the
hypothetical "bad list fliter", therefore the filter is based on IP address


Many test must be done before to prove this.
...

If the behaviour of Fixed Ip address exit nodes
and
the behaviour of Dynamics Ip address exit nodes
are the same
therefore
a) the hypothetical filter is not based on Ip address
b) there is no such filter but somethings else...

??? [not sure ...]  :-\

( !!! Hmmm.. I to revised my formal logic manuals a little bit .. ;-) )

It's hard to find enough data about this problem because there's no way to
easily reproduce it.


:)

--
Claude LaFrenière