
[tor-relays] Bad Exit



I was wondering whether anyone could explain to me how a node gets the "Bad
Exit" flag?
The thing is this, my router:
http://torstatus.blutmagie.de/router_detail.php?FP=6c7c819f808ac125c69e1d981f350dcba44da8b5
As you can see, it has the "Bad Exit" flag even though it's not an exit
and hasn't been for months. So I suppose that's something manually
assigned? To do with POP/IMAP sniffing honeypots maybe?

Seeing that quite a lot of people use unencrypted mail protocols over
TOR, I wrote a script about a year ago to try and warn them about it:
- run ulogd and dsniff to capture logins
- try and do a login to the account to see if it succeeded, to see
  whether it's just an unsuccessful hacking attempt (dsniff doesn't tell
  me and I was too lazy to write something myself to check the response)
- if so, guess the full address. Either it's in the login or if not the
  server probably serves only one domain anyway and I use the reverse
  lookup
- Send them a mail saying, hey, either you've been doing this yourself
  and it's a bad idea, or someone stole your credentials and is
  anonymously snooping around in your mail; in any case, change your
  password.

I suppose someone is doing the reverse and has some fake accounts that
they access via TOR and then see if there are any logins that are not
theirs to flag the respective exit as a bad guy.
Still sounds like a good idea to me but obviously it doesn't work when
flagged as bad. Maybe someone can convince me otherwise or has an idea on
how to coordinate the two things? Or am I completely off track here
and the reason for the flag is something different?

cheers,
	Matthias


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays