Hi,

On Mon 17/Feb/2020 10:35:45 +0100 Benoit Panizzon via mailop wrote:
>
> We operate Spamtraps which feed the SWINOG Anti-Spam Blacklist.
>
> A feedback loop is sent to the abuse-c of the IP Address from which
> email or attacks to spamtraps was detected.
>
> Occasionally, spam or more often, log-in attempts and dictionary
> attacks on the submission ports of the spamtraps are detected from TOR
> exit nodes. So a feedback is sent to the abuse-c.

It must be login attempts, since port 25 is not available to Tor users.

> Now I got into discussion with the operator of several TOR exit
> nodes. He claims that his ISP threatened to disconnect his TOR servers
> because they were subject to a couple of abuse complaints from our
> spamtraps.
>
> As he has no way to block the abusers on the TOR network, without
> completely blocking any ports involved in email abuse which would
> render using email sending over TOR unusable if all TOR exit node
> operators would block those ports.

For port 25, that's already the case:

    What about spammers?

    First of all, the default Tor exit policy rejects all outgoing port 25
    (SMTP) traffic. So sending spam mail through Tor isn't going to work by
    default. It's possible that some relay operators will enable port 25 on
    their particular exit node, in which case that computer will allow
    outgoing mails; but that individual could just set up an open mail relay
    too, independent of Tor. In short, Tor isn't useful for spamming,
    because nearly all Tor relays refuse to deliver the mail.
    https://2019.www.torproject.org/docs/faq-abuse.html.en#WhatAboutSpammers

For port 587, I too send abuse reports on authentication failures. Only once I happened to get a reply from a Tor operator. Their web site has a curious faq entry:

    Emerald Onion Repeat Infringer Termination Policy

    Emerald Onion does not have subscribers or account holders and cannot
    identify the IP addresses of individuals who send communications over
    the Tor network. Nonetheless, it is our policy to terminate the use of
    Emerald Onion by repeat infringers in appropriate circumstances.
    https://emeraldonion.org/faq/

Don't ask me how they identify repeat infringers, I have no idea. However, I get hundreds of bad login attempts, and tens of auto-reply follow-ups every day. Only one was from Tor, so it seems that they somehow can manage.

I heard about Tor users who access imap and submission accounts via Tor just because their University blocks those ports and Tor was the easiest workaround they found. Hence, it's not that it is inconvenient to use Tor. Perhaps, since most of those desperate dictionary attacks seem to come from Owned hosts, low abuse rates are due to Tor operators detecting/avoiding intrusions better than others...?

Best
Ale
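
Added example, not part of the original message or of any list member's tooling: one way a trap operator could measure how many failed submission logins come from Tor exits before deciding where to send feedback. The Postfix-style log lines, the `postfix/submission` syslog name, the addresses and the exit set are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (documentation address ranges), not from the thread.
# TOR_EXITS stands in for a snapshot of a published Tor exit-node list.
TOR_EXITS = {"192.0.2.10", "2001:db8::1"}
SAMPLE_LOG = """\
Feb 17 10:01:02 trap postfix/submission/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 17 10:02:11 trap postfix/submission/smtpd[2107]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 17 10:02:15 trap postfix/submission/smtpd[2107]: warning: host.example.net[198.51.100.7]: SASL CRAM-MD5 authentication failed:
Feb 17 10:03:40 trap postfix/submission/smtpd[2110]: warning: unknown[2001:DB8::1]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 17 10:04:00 trap postfix/smtpd[2111]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 17 10:04:30 trap postfix/submission/smtpd[2112]: connect from unknown[203.0.113.9]
"""
# Assumption: the submission service logs under the name postfix/submission.
FAILED = re.compile(r"postfix/submission/smtpd\[\d+\]: warning: [^\[\s]+"
                    r"\[([0-9A-Fa-f:.]+)\]: SASL \S+ authentication failed")

def failed_logins(log_text):
    """Count failed SASL logins on the submission service per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # port 25 traffic, connects, successes
        try:
            # Normalise so "2001:DB8::1" and "2001:db8::1" are one source.
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # bracketed text was not a valid address
    return counts

def triage(log_text, exits):
    """Split the per-source counts into Tor exits and everything else."""
    exits = {str(ipaddress.ip_address(e)) for e in exits}
    report = {"tor": {}, "other": {}}
    for ip, n in failed_logins(log_text).items():
        report["tor" if ip in exits else "other"][ip] = n
    return report

def tor_share(report):
    tor = sum(report["tor"].values())
    total = tor + sum(report["other"].values())
    return tor / total if total else 0.0

if __name__ == "__main__":
    r = triage(SAMPLE_LOG, TOR_EXITS)
    print(r, f"tor share: {tor_share(r):.0%}")
```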