Send tor-relays mailing list submissions to
tor-relays@xxxxxxxxxxxxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
or, via email, send a message with subject or body 'help' to
tor-relays-request@xxxxxxxxxxxxxxxxxxxx
You can reach the person managing the list at
tor-relays-owner@xxxxxxxxxxxxxxxxxxxx
When replying, please edit your Subject line so it is more specific
than "Re: Contents of tor-relays digest..."
Today's Topics:
1. Tor and Viruses (Porcelain Mouse)
2. Re: Tor and Viruses (grarpamp)
----------------------------------------------------------------------
Message: 1
Date: Tue, 12 Apr 2011 20:46:21 -0700 (PDT)
From: Porcelain Mouse <porcelain_mouse@xxxxx>
Subject: [tor-relays] Tor and Viruses
To: Tor-Relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Message-ID: <alpine.LFD.2.02.1104122018100.5770@xxxxxxxxxxxxxxxxxxxxx>
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Greetings All,
I've been running an exit for about 5 months, but had to stop due
to virus abuses. In the last two weeks, my ISP has partially blocked my
Internet access twice due to suspected virus infections. I'll spare you
the long story, but I was able to get a copy of their "evidence" and I'm
fairly certain it was connections made through my Tor relay.
1) How common is it that Tor is abused by viruses? What is the trend?
2) Is this just standard virus-kit material, these days?
I guess I was a little surprised. Obviously, this is a great idea for
hiding the infection site, so I'm sure it's being done. But still, I've
been fighting viruses for quite a while and I don't think I've read a
single virus description that mentioned Tor. I'm sure it's happening, but
I've never heard a single statistic about it, so I thought I would ask.
Also, this type of abuse is *not* mentioned on the Tor wiki's Abuse FAQ
under "What should I expect if I run an exit relay?" I read that section
carefully and was prepared for most of the things mentioned. Again, I'm
not completely shocked. I'm just saying it didn't seem likely, according
to the FAQ. It would be nice to know how likely this kind of abuse is,
and what is the trend. (And, maybe someone can add the results to the FAQ
when we have an answer.)
Thanks,
PMouse
------------------------------
Message: 2
Date: Wed, 13 Apr 2011 03:19:27 -0400
From: grarpamp <grarpamp@xxxxxxxxx>
Subject: Re: [tor-relays] Tor and Viruses
To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Message-ID: <BANLkTikwPS6JDqKMvaxxWhgq2dUoGELKKA@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8
> my ISP has partially blocked my Internet access twice
> due to suspected virus infections.
Virus is likely not the right word for things. Anyways...
There's really no reason an operator cannot run something
like bro-ids.org and sink known bad traffic in real time. Yeah,
sure, everyone will bitch at me. But it is operator fiat, and
they're not sinking specific users, so well within common
carrier exceptions on that aspect. No different than operators
who block 'torrent' ports, smtp, etc.
Speaking of smtp, one could even redirect that into their
system, despam/clamav it, and send it on its way. Better
than nothing. Especially for the legit senders.
------------------------------
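As an added illustration (not code from this thread, from Bro, or from the Tor project), the exit-side policy grarpamp sketches, in miniature: every outbound connection is classified by destination and payload only, known-bad traffic is sunk, SMTP is redirected into a filtering MTA, and nothing in the decision looks at which client or circuit produced the flow. The indicator list, request patterns and sample flows are constructed placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed placeholders standing in for a real indicator feed (the kind of
# sinkhole/C2 list one would load into an IDS such as Bro); not real IoCs.
KNOWN_BAD_HOSTS = {"c2.example.invalid", "sinkholed.example.invalid"}
# Request-line and User-Agent patterns of the kind that appear in an ISP's
# sinkhole report for an exit IP (constructed for this example).
BAD_REQUEST = re.compile(r"^GET /search\?q=\d+ HTTP/1\.[01]$")
BAD_AGENTS = {"MachBot"}
REDIRECT_PORTS = {25: "local filtering MTA"}  # despam/clamav, then forward


@dataclass(frozen=True)
class ExitFlow:
    dst_host: str
    dst_port: int
    request_line: str = ""   # first line of an HTTP request, if any
    user_agent: str = ""


def decide(flow: ExitFlow) -> tuple[str, str]:
    """Classify one outbound exit connection as allow / redirect / sink.
    Only destination and payload are consulted, never the originating
    client or circuit, so the rule applies uniformly (operator fiat)."""
    if flow.dst_host in KNOWN_BAD_HOSTS:
        return "sink", "destination on known-bad list"
    if flow.dst_port in REDIRECT_PORTS:
        return "redirect", REDIRECT_PORTS[flow.dst_port]
    if BAD_REQUEST.match(flow.request_line) or flow.user_agent in BAD_AGENTS:
        return "sink", "payload matches known bot check-in"
    return "allow", ""


def enforce(flows):
    """Apply decide() to a batch; return per-action counts and log lines
    an operator could keep as the answer to the next abuse complaint."""
    counts, log = Counter(), []
    for f in flows:
        action, why = decide(f)
        counts[action] += 1
        log.append(f"{action:8} {f.dst_host}:{f.dst_port} {why}".rstrip())
    return counts, log
```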
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
End of tor-relays Digest, Vol 3, Issue 11
*****************************************