
Re: [tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen



On 19/07/14 22:32, Thomas White wrote:

Speaking from experience of operating 25 servers doing 4Gbps, I can
quite safely say that if your host has been supportive of Tor, I would
simply respond with the normal boilerplate regardless of what the
complaint is or who made it. I've received threats from countless
organisations, companies, police and have clashed with Interpol in the
past, they are yet to bring a single charge against me in the UK
(albeit I have had some servers seized). I am the exception of Tor
operators too, not the rule so if they can't charge me I very much
doubt they could charge somebody operating just a single server. The
point is that you should be very open that you operate a Tor node,
ensure you promptly respond to abuse complaints and if your provider
doesn't seem to be fully convinced by you or are threatening to close
your service then it could do with some additional explanation. Heck
if you need it just let me know who to contact and I'll do it for you!

Thanks for proposing your help, I think I'm OK for now.
It is true that I have not been very "honest" with my hosting company: I didn't tell them that I am running an exit TOR node, I simply stated so far that I provide "service to people", and that sometimes this service gets abused by bad apples. But I think this time I will tell them, and try to come up with convincing arguments (your email and others' are helpful to me).

Actually, I'm not the only TOR exit not on the Hetzner AS:
https://metrics.torproject.org/bubbles.html#as-exits-only
Hetzner is on the right of the biggest AS bubble (i3d BV)
And from https://metrics.torproject.org/bubbles.html#as, Hetzner is the biggest bubble!

Thx,
Chris


Running Tor isn't illegal, you are protected by various safe-harbour
provisions and ultimately if they blacklist you there is little you
can do. Half of my IPs are on a lot of "blacklists", and I've found
removing them is useful in the short term perhaps but many are
automated and so just waste your time. In the long run we need
education more than anything and in fact I am actually writing up a
letter at the moment to encourage some blacklists to check if the IP
is a tor exit node and to prevent their systems spamming operators
with abuse complaints. (I'll follow up on this section on this
mailing list next week.)

My ISP has a policy that as long as the complaints aren't from
Spamhaus, they aren't too bothered as long as I reply to the abuse
complaints which I do. You should ask your ISP outright what the
policy is on these situations. But as far as Spamhaus goes I've not
received a single complaint from them out of thousands I have received
in the past year.

If you want to talk privately, just reply to me off the mailing list
and I'll be happy to do whatever I can.

Regards,
- -T

On 18/07/2014 10:08, Ch'Gans wrote:
Hi there,

I'm here to look for advice or comments on how to handle abuse
reports when you run a TOR relay exit on a "server for the mass".
I'm running the TOR exit node
18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner network
(50E/month, this is my contribution to the TOR project). So far I
had to deal with a few "easy" abuse reports (ssh scan, forum insults,
spams, ...), I think I performed pretty well so far (thanks to
Hetzner cooperation?)

But today I just received this botnet related one. I do take this
report seriously, I know that malware is more and more using the
TOR network as an anonymous cover, I don't like malware, I don't
like malicious botnets and I don't like spammers. Still I end up
being identified as one of them.

I knew from day one that it was a risky business to run an exit
TOR node, but I want to stand up and fight. If only I can convince
people of my right doing.

First of all I am quite surprised that cert-bund.de (the
complainant) didn't notice that I am a TOR exit node, so my first
questions (for people familiar with these guys) are:

- How legit are these guys? Do they run for the German government?
Are they simply trying to scare the shit out of me by citing
europol.europa.eu and us-cert.gov? (see redacted forwarded message
below, my own opinion is "Yes")
- Do they simply spam hosting companies each time they have a probe
sensing something somewhere? (I know it's vague, but I can use that
as a "this complainant is a spammer" kind of argument)

Any other thoughts/remarks/comment on that matter?

Regards, Chris

Thought of the day: Nowadays it looks like server administrators
tend to send an abuse report each time they receive an illegal ping
request! Testimony of the day: Last time I received an "SSH scan"
abuse report, I sent back my SSH honeypot logs, which contain more
than 5k login attempts per day.


-------- Original Message --------
[..]
----- attachment -----

Dear Sir or Madam

"Gameover Zeus" is malicious software which is primarily used by
cybercriminals to carry out online banking fraud and to spy out
login credentials for online services on infected PCs. It can also
be used to install further malicious software (including
blackmailing trojans such as "CryptoLocker" ransomware) on PCs or
to carry out DDoS attacks.

In a joint international campaign since the end of May 2014, law
enforcement agencies, with the support of private sector partners,
have taken action against the "Gameover Zeus" botnet [1].

As part of this campaign, it has now been possible to identify the
IP addresses of systems infected with "Gameover Zeus" [2].

We are sending you a list of infected systems in your net area.

Would you please examine the situation thoroughly and take
appropriate measures to cleanse the systems.

Sources:

[1] Europol: International action against 'Gameover Zeus' botnet
and 'CryptoLocker' ransomware
<https://www.europol.europa.eu/content/international-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware>

[2] ShadowServer: Gameover Zeus & Cryptolocker
<http://blog.shadowserver.org/2014/06/08/gameover-zeus-cryptolocker/>

[3] US-CERT: GameOver Zeus P2P Malware
<https://www.us-cert.gov/ncas/alerts/TA14-150A>

A list of infected systems in your net area: [...]

Kind regards, Team CERT-Bund



_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


--
QtCreator/qmakeparser.cpp:42
////////// Parser ///////////
#define fL1S(s) QString::fromLatin1(s)
namespace { // MSVC2010 doesn't seem to know the semantics of "static" ...
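As an added example (not code from anyone in this thread), here is the kind of check Thomas suggests blacklists and abuse desks should do, turned into a small triage helper for an exit operator: given the IP and timestamp from an abuse report, look the IP up in a Tor exit list in the TorDNSEL exit-addresses format (ExitNode / Published / LastStatus / ExitAddress lines, as served by check.torproject.org) and decide whether the standard "this is a Tor exit" boilerplate applies. The sample list is constructed (the first fingerprint is the relay named in this thread, the second is a placeholder, addresses are RFC 5737 documentation ranges) and the 24-hour matching window is an assumption.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample in the TorDNSEL exit-list format (check.torproject.org).
# First fingerprint: the relay from this thread; second: a placeholder.
SAMPLE_EXIT_LIST = """\
ExitNode 18B6EBAF10814335242ECA5705A04AAD29774078
Published 2014-07-18 08:00:00
LastStatus 2014-07-18 09:00:00
ExitAddress 192.0.2.10 2014-07-18 08:30:00
ExitNode 0000000000000000000000000000000000000000
Published 2014-07-17 20:00:00
LastStatus 2014-07-17 21:00:00
ExitAddress 198.51.100.7 2014-07-17 20:15:00
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_exit_list(text):
    """Return (ip, last_seen, fingerprint) tuples, one per ExitAddress line."""
    entries, fingerprint = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]          # applies to following ExitAddress lines
        elif parts[0] == "ExitAddress" and fingerprint:
            seen = datetime.strptime(parts[2] + " " + parts[3], TIME_FMT)
            entries.append((ip_address(parts[1]), seen, fingerprint))
    return entries


def find_exit(ip, when, entries, window=timedelta(hours=24)):
    """Fingerprint of the exit seen on `ip` within `window` of `when`, else None.
    `when` is the report time as 'YYYY-MM-DD HH:MM:SS' (UTC assumed). The window
    is an assumption: exit addresses are sampled, so exact-time matching would
    miss genuine exits."""
    ip, when = ip_address(ip), datetime.strptime(when, TIME_FMT)
    for entry_ip, seen, fingerprint in entries:
        if entry_ip == ip and abs(seen - when) <= window:
            return fingerprint
    return None


def triage(report_ip, report_time, entries):
    """'tor-exit': answer with the exit-node boilerplate and the fingerprint;
    'investigate': not a known exit at that time, the report needs a real look."""
    return "tor-exit" if find_exit(report_ip, report_time, entries) else "investigate"
```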