Re: [tor-relays] suspicious exit?

2014-06-07 Thread Michael Wolf
On 6/6/2014 7:39 PM, JB wrote:
> I just set up my relay node today, and am keeping a hawkish(ish) eye on
> traffic, and noticed a flurry of activity from SSH port (22) at
> 5.104.224.5 - which is listed as an exit.

That exit node uses port 22 as its ORPort (where other relays send Tor
traffic).  There is nothing suspicious about this.  You can verify this
info here:

https://globe.torproject.org/#/relay/30D983762D3993AD8F17EB5DCD522A5D6AAE8C59

> But it's also listed on http://cbl.abuseat.org/lookup.cgi?ip=5.104.224.5
> as infected (or NATting for a computer that is infected) with the
> Conficker botnet.

Exits are going to show up in all sorts of lists, because a small group
of bad people abuse Tor.  Exit nodes get blamed because the victims
think the traffic actually originates at the exit.

> I've black-holed it in the meantime, but am wondering if I'm being
> overly cautious...

Yes :)  Please don't block other tor nodes.  Tor can communicate to/from
any port the admin has configured.

-- Mike
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
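
The check Michael Wolf describes can also be done offline against a network-status consensus document. This is an added example, not part of the thread or of Tor's own code: it parses `r`/`s` entries and classifies a firewall-log endpoint. The fingerprint and address are the ones quoted above; the nicknames, digests, timestamps, DirPorts, flags and the second relay are constructed.

```python
import base64

# Fingerprint taken from the Globe link in the thread.
THREAD_FP = "30D983762D3993AD8F17EB5DCD522A5D6AAE8C59"

def b64_identity(fp_hex):
    """Encode a hex fingerprint as consensus 'r' lines do: base64, padding dropped."""
    return base64.b64encode(bytes.fromhex(fp_hex)).decode().rstrip("=")

# Constructed sample in consensus layout:
# r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
DIGEST = "A" * 27  # placeholder descriptor digest
SAMPLE_CONSENSUS = "\n".join([
    "r ExampleExit %s %s 2014-06-06 12:00:00 5.104.224.5 22 0"
    % (b64_identity(THREAD_FP), DIGEST),
    "s Exit Fast Running Valid",
    "r ExampleMiddle %s %s 2014-06-06 12:00:00 192.0.2.10 9001 9030"
    % (b64_identity("00" * 19 + "01"), DIGEST),
    "s Fast Running Valid",
])

def parse_relays(consensus_text):
    """Map (ip, orport) -> nickname, hex fingerprint and flags."""
    relays, current = {}, None
    for line in consensus_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            ident = parts[2]
            raw = base64.b64decode(ident + "=" * (-len(ident) % 4))
            current = {"nickname": parts[1],
                       "fingerprint": raw.hex().upper(),
                       "flags": []}
            relays[(parts[6], int(parts[7]))] = current
        elif parts[0] == "s" and current is not None:
            current["flags"] = parts[1:]  # flags belong to the preceding 'r' entry
    return relays

def classify(relays, remote_ip, remote_port):
    """Say whether a logged remote endpoint is a relay's ORPort."""
    relay = relays.get((remote_ip, remote_port))
    if relay:
        return "relay ORPort (%s, %s)" % (relay["nickname"], relay["fingerprint"])
    if any(ip == remote_ip for ip, _ in relays):
        return "relay IP, but not its ORPort"
    return "not a known relay"
```

Traffic to a listed ORPort is ordinary relay-to-relay traffic whatever the port number; only the last two results would be worth a closer look.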


[tor-relays] Unblocking blacklisted exits [was: suspicious]

2014-06-07 Thread grarpamp
> But it's also listed on http://cbl.abuseat.org/lookup.cgi?ip=5.104.224.5 as

If you find exits on blacklists, you could try to
contact the operator via their descriptor contact,
exit HTTP banner, etc. so that they can try to have
it removed. Usually a few clicks on an assertion
of ownership/cleanliness and an email ack is
all that's needed for removal. Since ownership
of IPs is always in flux from perspective of BLs
such that any 'real' owner could always do it too,
absent exit contact info, many users could
probably submit removal for them without issues.

There's a project covering this on the wiki:
https://trac.torproject.org/projects/tor/wiki/org/projects/DontBlockMe