[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Analyzing TOR-exitnodes for anomalies
Ive got this strange behavior also now several times when using tor.
Always there is a redirect with "landing.domainsponsor.com" wich have
the registrar Oversee.net .
A self-description of that company:
"Oversee.net is a technology-driven media company that delivers
innovative advertising solutions in the search (information.com),
display advertising (revenue.net), and lead generation (low.com) and
(degrees.com) segments. Oversee.net is also emerging as the pioneer
of next-generation consumer properties. "
I looks like they have found strange ways for advertising.
The exitnodes wich connect to domainsponsor.com are always locate in
US (all US nodes I have seen are located in texas or US without a
more exact description). One Time the exit node was located in DK.
Ive got "url not found" messages with every DE and UK nodes I have
hmm. I think this is a problem with some dns-server on second/third
level wich make a link to that domainsponsor.com when they are asked
for a not registered url. Is it possible?
Am 06.10.2006 um 21:06 schrieb Claude LaFrenière:
Hi *Robert Hogan* :
On Friday 06 October 2006 19:21, Robert Hogan wrote:
Hmmm... I had this problem with Whistlemother exit node and this
http://www.iamaphex.net with the same
"frame.aspx?u=http%3a%2f%2flanding.domainsponsor.com "blah blah
filter ... =SUSPECTED+UNDESIRABLE+BOT"
i have the same experience using whistlersmother for the same site.
And I have the same experience with practically every other exit
node I try
for this site. So whistlersmother is not the problem...
Personnaly I don't believed that Whistlemother (or any other nodes)
are responsible for this... It looks like web server filter or DNS
But now how to explain the same behaviour with
a web site like http://www.iamaphex.net
a web site like hotmail.com ???
They don't share the same web hosting service...
Is this a new "filter" for Web sites or Web Hosting ?
An other question:
How this "filter" spot a Tor exit like Whistlemother?
I guess it's based on the IP address of this exit node.
(Or the browser referer sent to the web site... ??? )
Since no exit nodes have a control on what is doing by Tor users,
possible that some bad guys had used Tor for "unacceptable" things and
put the Whistlemother Ip address into a "black list" of this
One way to check this is to compare exit nodes with a fixed IP address
with the exit nodes with a dynamic Ip address and if this make a
If an exit node with a dynamic IP address is not spoted as a bad IP
hypothetical "bad list fliter", therefore the filter is based on IP
Many test must be done before to prove this.
If the behaviour of Fixed Ip address exit nodes
the behaviour of Dynamics Ip address exit nodes
are the same
a) the hypothetical filter is not based on Ip address
b) there is no such filter but somethings else...
??? [not sure ...] :-\
( !!! Hmmm.. I to revised my formal logic manuals a little
bit .. ;-) )
It's hard to find enough data about this problem because there's no
easily reproduce it.