
Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata



Wouldn't it be interesting if we could set up some kind of central "Tor Abuse Center" where all the complaints go, and all the relay operators can help respond to them. I suppose it would be pretty chaotic though...


On Oct 4, 2016 11:18 AM, "pa011" <pa011@xxxxxx> wrote:
Yes, it's ISP - plus 10 times more fire-power, both Markus and me,
which is 10 times more work, sadly :-(


On 04.10.2016 at 18:12, Markus Koch wrote:
> Short answer: ISP
>
> I got 2 abuse mails (1 false positive) from Hostwinds in 4 months and
> I get weekly mass reports from DigitalOcean.
> And the thing that pisses me off is: It's all bots or tax spam or other
> stuff I got weeks/months ago. Different day, same shitty abuse mail.
>
> Markus
>
>
> 2016-10-04 18:03 GMT+02:00 Tristan <supersluether@xxxxxxxxx>:
>> I don't know what I'm doing differently, because I only got 2 complaints in
>> the last 2 months, and that was for SSH and SQL stuff.
>>
>>
>> On Oct 4, 2016 11:01 AM, "pa011" <pa011@xxxxxx> wrote:
>>>
>>> Me too Markus -could fill a folder with that tax issue :-((
>>> Costing a lot of time to answer and restrict the IPs
>>>
>>> Plus my ISP moaning with good reason: "It's not just about you, but you're
>>> giving a bad reputation to one /21 and one /22 subnet. That's ~ 3000 IPs
>>> which are potentially endangered to be marked as source of malicious content
>>> / blacklisted / whatever ... so you see, this is quite critical for us."
>>>
>>> On 04.10.2016 at 17:48, Markus Koch wrote:
>>>> same shit here:
>>>>
>>>> Dear User,
>>>> We are contacting you because of unusual activity coming from your IP
>>>> address towards the IT infrastructure of the European Commission.
>>>> In specific, since 03/10/2016, IP addresses 95.85.45.159 &
>>>> 104.236.225.19 of Digital Ocean, located in the Netherlands (NL) and
>>>> the USA respectively, have submitted a significantly large number of
>>>> invalid VAT number requests as compared to the total number of
>>>> requests (89,59% & 89,96% respectively) towards VAT numbers from a
>>>> multiple of EU member States (MS) through the VIES on the Web service
>>>> (http://ec.europa.eu/taxation_customs/vies/). For more information on
>>>> Invalid VAT number requests please refer to FAQ, questions 7, 11, 12,
>>>> 13 and 20 of the VIES on the WEB site
>>>> (http://ec.europa.eu/taxation_customs/vies/faq.html).
>>>> The scope of our team is to monitor on a daily basis the performance
>>>> of the VIES-on-the-Web (VoW) service in order to ensure its
>>>> performance in accordance with the standards agreed upon between EU's
>>>> Directorate General for Taxation and Customs Union (DG TAXUD) and the
>>>> EU Member States.
>>>> Our objective is to secure constant and uninterrupted availability and
>>>> flow of traffic (requests for VAT validation) at all times.
>>>> Under this framework, our team intervenes whenever there is out of the
>>>> ordinary, unusual and potentially suspicious use of the system that
>>>> violates the rules of use as they are stated in the Specific
>>>> disclaimer for this service, which is available at the VoW site
>>>> (http://ec.europa.eu/taxation_customs/vies/disclaimer.html).
>>>> Consequently, in order to allow flawless use of the service, we were
>>>> obliged to block the access to VIES on the Web for the IP address
>>>> 88.198.110.130.
>>>> Following our action, we would like to know if you are aware of this
>>>> situation. Furthermore, your cooperation and contribution is necessary
>>>> in order to determine the reason for this occurrence.
>>>> Please inform us if this behaviour is normal and if such, how often it
>>>> should occur; we would then take action to unblock the traffic coming
>>>> from the corresponding IP address assuming you will agree to follow a
>>>> set ITSM VIES/Web Team
>>>> "ITSM2 is a contracted support partner for the IT Service Management
>>>> of the European Commission.
>>>> This e-mail is a reply to your message sent to the
>>>> TAXUD-VIESWEB@xxxxxxxxxxxx e-mail.
>>>> Answers provided by the contactor are on behalf and according to
>>>> policy guidelines of DG TAXUD, but not binding for the European
>>>> Commission."
>>>>
>>>> I am so done with it, I added
>>>>
>>>> ExitPolicy reject 147.67.136.103 # TAX SPAM
>>>> ExitPolicy reject 147.67.136.21  # TAX SPAM
>>>> ExitPolicy reject 147.67.119.103  # TAX SPAM
>>>> ExitPolicy reject 147.67.119.3  # TAX SPAM
>>>> ExitPolicy reject 147.67.136.3  # TAX SPAM
>>>> ExitPolicy reject 147.67.119.21  # TAX SPAM
>>>>
>>>> That's going on for months now and by all means, this is not free speech
>>>> ...
>>>>
>>>> Markus.
>>>>
>>>>
>>>>
>>>> 2016-10-04 17:42 GMT+02:00 pa011 <pa011@xxxxxx>:
>>>>> On 04.10.2016 at 16:48, krishna e bera wrote:
>>>>>> On 04/10/16 08:48 AM, pa011 wrote:
>>>>>>> One of my main ISPs is going mad with the number of abuses he gets
>>>>>>> from my Exits (currently most on port 80).
>>>>>>> He asks me to install "Intrusion Prevention System Software" or
>>>>>>> shut down the servers.
>>>>>>
>>>>>> You can first ask him for a copy of the complaints in order to
>>>>>> understand what sort of alleged abuses are taking place.  Are the
>>>>>> complaints about spam or scraping or web server exploits or something
>>>>>> else?
>>>>>
>>>>> I do get a copy of every complaint - they are unfortunately:
>>>>>
>>>>> - HTTP browser intrusion -
>>>>> /var/log/apache2/other_vhosts_access.log:soldierx.com:80 xxx.xxx.xxx.xxx - -
>>>>> [30/Sep/2016:11:14:34 -0400] "HEAD / HTTP/1.0" 302 192 "-" "Mozilla/5.0
>>>>> (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12)
>>>>> Gecko/20080201Firefox/2.0.0.12"
>>>>>
>>>>> - invalid VAT number requests
>>>>>
>>>>> - recorded connection attempt(s) from your hosts to our honeypots
>>>>>
>>>>> - Issue: Source has attempted the following botnet activity: Semalt
>>>>> Referrer Spam Tor Exit Bot
>>>>>
>>>>> - botnet drone|Description: Ramnit botnet victim connection to sinkhole
>>>>> details,
>>>>>
>>>>> - attackers used the method/service: *imap*
>>>>>
>>>>>> You can change your exit policy to reduce likelihood of complaints:
>>>>>> https://blog.torproject.org/blog/tips-running-exit-node
>>>>>
>>>>> I know, but I hardly like to block port 80
>>>>>
>>>>>>> As far as I understand, implementing such software does not go
>>>>>>> together with Tor - am I right?
>>>>>>
>>>>>> If your exit nodes tamper with traffic in any way they will be labelled
>>>>>> as Bad Exit. (Tor tries to be net neutral.)
>>>>>> https://trac.torproject.org/projects/tor/wiki/doc/badRelays
>>>>>>
>>>>>>
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
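Tor evaluates ExitPolicy lines in order, first match wins, with its documented default policy appended after the operator's own lines. This added example (not code from Tor or from anyone in the thread) parses a torrc fragment constructed from the six reject lines quoted above and checks which destinations the exit would still serve, so an operator can confirm that per-address rejects leave port 80 open for every other address.

```python
import ipaddress

# Tor's documented default ExitPolicy, appended after the operator's lines.
DEFAULT_POLICY = (
    "reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, "
    "reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699, "
    "reject *:6881-6999, accept *:*")

# Constructed torrc fragment: the six reject lines posted in the thread plus
# one unrelated directive, to show that only ExitPolicy lines are considered.
SAMPLE_TORRC = """ORPort 9001
ExitPolicy reject 147.67.136.103 # TAX SPAM
ExitPolicy reject 147.67.136.21  # TAX SPAM
ExitPolicy reject 147.67.119.103  # TAX SPAM
ExitPolicy reject 147.67.119.3  # TAX SPAM
ExitPolicy reject 147.67.136.3  # TAX SPAM
ExitPolicy reject 147.67.119.21  # TAX SPAM
""".splitlines()

def parse_rule(text):
    """'reject 147.67.136.103' -> ('reject', IPv4Network, (lo_port, hi_port))."""
    action, target = text.strip().split(None, 1)
    if action not in ("accept", "reject"):
        raise ValueError("bad ExitPolicy action: %r" % action)
    addr, sep, ports = target.rpartition(":")
    if not sep:                        # no ':' in Tor means every port
        addr, ports = target, "*"
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    lo, _, hi = ("1-65535" if ports == "*" else ports).partition("-")
    return action, net, (int(lo), int(hi or lo))

def parse_policy(torrc_lines):
    """Collect the ExitPolicy rules of a torrc, in order, then Tor's defaults."""
    rules = []
    for line in torrc_lines:
        key, _, value = line.strip().partition(" ")
        if key == "ExitPolicy":
            value = value.split("#", 1)[0]          # drop the trailing comment
            rules += [parse_rule(r) for r in value.split(",") if r.strip()]
    rules += [parse_rule(r) for r in DEFAULT_POLICY.split(",")]
    return rules

def allows_exit(rules, dest_ip, dest_port):
    """First matching rule decides, exactly as Tor evaluates an exit policy."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, (lo, hi) in rules:
        if ip in net and lo <= dest_port <= hi:
            return action == "accept"
    return False                                    # e.g. port 0 matches nothing
```

IPv4 rules only; Tor's `[addr]:port` IPv6 syntax is not handled here.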