[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-relays] abuse reports from shadowserver.org
Mike Perry wrote:
> Thus spake Alexander Bernauer (alex-tor@xxxxxxxxxx):
>
>> my ISP keeps on receiving abuse reports from shadowserver.org. They
>> claim that an IRC bot operates from the IP that belongs to my tor exit.
>>
>> The strange thing is that my exit policy only allows web and mail ports.
>> Furthermore, the IPs of the shadowserver honeypots have a ptr entry for
>> *.sinkhole.shadowserver.org.
>
> Hrmm. Based on your snippets of mails you pasted on or-talk, it
> appears that a subset of the shadowserver folks are ideological
> zealots and crazed vigilantes. We've dealt with their flavor of lunacy
> before, in the form of the various "bribe me to get off my list or I
> will blackhole your entire netblock" DNSRBLs.
>
> It is quite possible that lunatics like these will just make up abuse
> reports and send them to ISPs that look like they might cave. It is
> very interesting that our higher bandwidth exits that *do* exit to IRC
> are not hearing from them right now.
>
> History has shown that the Internet as a whole usually learns to
> ignore nutballs. AFAIK, all of the "collateral damage" DNSRBLs are
> completely unused these days. Of course, that doesn't stop the
> nutballs from being really annoying in the short term :/.
>
>> So, I could block their servers either by means of the exit policy or
>> with iptables. Which one would you prefer?
>
> What is their network topology like? Do they cycle through their
> honeypots? iptables is especially bad if you have the situation where
> what was once a honeypot one week turns into a legitimate server the
> next.
>
> OTOH, exit policy is bad if you end up with a ton of entries in it...
>
>> I additionally wanted to ask here if there is any experience with
>> shadowserver in this regard?
>>
>> Explaining the issue to my ISP failed. They keep on getting nervous.
>
> This may be an issue. If the zealots believe that they can intimidate
> your ISP to knock you offline, they may keep sending nonsense reports
> to do so, declaring victory that one more tor node bites the dust...
>
> Not sure what to tell you about this. If they succeed, perhaps it's
> just new ISP time? There are a lot of crazies out there, not just
> these guys..
>
>
>
>
Last year my VDS-provider received an idiotical abuse report from them.
Because the emloyees of that ISP were idiots too I was to change my
vds-provider.
It seems to me, that 'shadowserver.org' is an evil group that
deliberately send unfounded abuses against tor-nodes and etc.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays