On 2/20/20 3:02 AM, Benoit Panizzon via mailop wrote:
> Hi

Hi,

> The Spamtrap / HoneyPot in question not only listens to port 25 but also listens on port 465 (smtps) and 587 (submission).

Okay.

It sounds like your spam trap / honey pot is designed to detect IPs that are perpetrating abusive behavior. And that the ToR exit nodes happen to be perpetrating said abusive behavior.

> If an attacker is doing some dictionary attack on this to check for valid passwords (every authentication attempt is accepted) or attempts to relay spam mails (every relay attempt is answered with 200 OK) he is being blacklisted and an ARF report is sent to the abuse contact of the submitting IP range.

I don't see any problem with that. That's how you have chosen to run your spam trap / honey pot. That's your choice.

> This is what causes those reports, not emails received on port 25.

I don't care what the behavior is. If you have designed your spam trap / honey pot to react to a specific behavior and someone is triggering the trap, then so be it.

> But I guess, just silently blacklisting Tor exit nodes and not sending an ARF report to the ISP could be an option to solve that issue.

That's your call. But I feel like it's akin to a thief asking you to disable your security system and / or not call the police. Why do you want to honor a request from an apparent bad actor who is asking you to ignore their bad actions?

I feel like this is a good use for a company policy, whatever it may be. As a company, make a policy, and configure systems in accordance with that policy. You can re-visit the policy at any point in the future. But in the meantime, things should remain configured as mandated by the policy.

I don't think that your policy (current behavior representative thereof) would quite likely not have any adverse impact on legitimate use of ToR. Meaning that anybody using ToR for white hat purposes to reach their business / university email servers will quite likely not be connecting to your spam trap / honey pot. As such, I don't feel like your policy does anything negative to the ToR community or Internet at large.

This really seems like whining on the part of ToR Exit Node operators.



--
Grant. . . .
unix || die
