Re: Banners injected in web pages at exit nodes TRHCourtney*
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Banners injected in web pages at exit nodes TRHCourtney*
- From: John Brooks <special@xxxxxxxxxxxxxxxx>
- Date: Tue, 2 Jun 2009 05:36:43 -0600
- Delivery-date: Tue, 02 Jun 2009 08:06:43 -0400
- In-reply-to: <20090602112258.C864914085B6@xxxxxxxxxxxxxx>
- References: <20090602112258.C864914085B6@xxxxxxxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
Definitely abusive. Fortunately, because of how nearby most of the IPs
are, Tor will treat them as family even if the operator neglected to,
so it doesn't pose a risk to anonymity (other than the one outlying
node, but even then it's a maximum of two), but this definitely looks
like a badexit situation.
Honestly, why does somebody run a Tor node if they keep
connection/session logs? Seems like an odd place to look for a
paycheck.
- John Brooks
On Tue, Jun 2, 2009 at 4:52 AM, Alexander Cherepanov <cherepan@xxxxxxxx> wrote:
> Hello!
>
> Just stumbled upon a banner injected in HTML at a Tor exit node.
> Nodes in question:
>
> router TRHCourtney01 94.76.246.74 443 0 9030
> router TRHCourtney02 94.76.247.136 443 0 9030
> router TRHCourtney03 94.76.247.137 443 0 9030
> router TRHCourtney04 94.76.247.138 443 0 9030
> router TRHCourtney05 94.76.247.139 443 0 9030
> router TRHCourtney06 94.76.247.140 443 0 9030
> router TRHCourtney07 94.76.247.141 443 0 9030
> router TRHCourtney08 94.76.247.142 443 0 9030
> router TRHCourtney09 94.76.247.143 443 0 9030
> router TRHCourtney10 92.48.84.113 443 0 9030
> contact Courtney TRH <courtney@xxxxxxxxxxxxx>
>
> All of them inject a piece of HTML at the end of web pages. The text under
> the banner reads:
>
> Courtney TOR/VPN & Wifi Exit Node :: Usage subject to Terms and
> Conditions/Acceptable Use Policy :: Want to advertise here? Contact
> us
>
> Check for yourself: http://www.torproject.org.TRHCourtney01.exit/ .
>
> Some more concerns. Page http://courtney.nullroute.net/ contains:
>
> WARNING: The TOR Exit Node must *not* be used for illegal means.
> Connection and session logs are kept and *will* be forwarded onto
> the police in the event of an abuse report
>
> There is no family set for these nodes in descriptors.
>
> Port 110 (POP3) accepted in exit policy but not port 995 (POP3/SSL).
>
> Just to let you know.
>
> Alexander Cherepanov
>
>
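Added example, not part of either message in this thread: a check of the subnet point made in the reply, grouping the quoted `router` lines by IPv4 /16 and counting how many of these relays could share one circuit. It assumes Tor's default path selection, which refuses to put two relays from the same /16 in one circuit (the `EnforceDistinctSubnets` option); the function names are made up for this example.

```python
import ipaddress
from collections import defaultdict

# The "router" lines quoted in the report above:
# router <nickname> <address> <ORPort> <SOCKSPort> <DirPort>
ROUTER_LINES = """\
router TRHCourtney01 94.76.246.74 443 0 9030
router TRHCourtney02 94.76.247.136 443 0 9030
router TRHCourtney03 94.76.247.137 443 0 9030
router TRHCourtney04 94.76.247.138 443 0 9030
router TRHCourtney05 94.76.247.139 443 0 9030
router TRHCourtney06 94.76.247.140 443 0 9030
router TRHCourtney07 94.76.247.141 443 0 9030
router TRHCourtney08 94.76.247.142 443 0 9030
router TRHCourtney09 94.76.247.143 443 0 9030
router TRHCourtney10 92.48.84.113 443 0 9030
"""

def parse_router_lines(text):
    """Return [(nickname, IPv4Address)]; lines that are not valid router lines are skipped."""
    relays = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "router":
            continue
        try:
            relays.append((parts[1], ipaddress.IPv4Address(parts[2])))
        except ipaddress.AddressValueError:
            continue
    return relays

def implicit_families(relays, prefix_len=16):
    """Group relays by enclosing network; each group acts as one family in path selection."""
    groups = defaultdict(list)
    for nickname, addr in relays:
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[net].append(nickname)
    return dict(groups)

def max_relays_in_one_circuit(groups, hops=3):
    """At most one relay per subnet group can be chosen, capped by circuit length."""
    return min(len(groups), hops)

if __name__ == "__main__":
    families = implicit_families(parse_router_lines(ROUTER_LINES))
    for net, nicknames in families.items():
        print(net, len(nicknames), ", ".join(nicknames))
    print("max relays from this operator in one circuit:",
          max_relays_in_one_circuit(families))
```

A missing family declaration matters most when an operator's relays span several /16 networks, since each extra network raises the number this check reports.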