Re: [tor-relays] Speed of my relay not correct on global list

2014-07-19 Thread Matthew Harrold
> I run a small relay, alias "Empire64" (I tried an exit once, but my IP
> was then banned at several places, so back to only a relay) on Win Xp.

PSA: XP is out of date, and no longer supported by Microsoft. Please
update; if you can't afford MS licensing, please consider a Linux OS.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Speed of my relay not correct on global list

2014-07-19 Thread Scott Bennett
Matthew Harrold  wrote:

> > I run a small relay, alias "Empire64" (I tried an exit once, but my IP
> > was then banned at several places, so back to only a relay) on Win Xp.
>
> PSA: XP is out of date, and no longer supported by Microsoft. Please
> update; if you can't afford MS licensing, please consider a Linux OS.

 Ahem.  I think that should be amended to say, "...please consider
a currently supported OS", which would include the BSDs (e.g., DragonflyBSD,
FreeBSD, OS X, NetBSD, OpenBSD, primarily) and Solaris at the least, as
well as LINUX.


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at sdf.org   *or*   bennett at freeshell.org   *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**


Re: [tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen

2014-07-19 Thread Thomas White
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Speaking from experience of operating 25 servers doing 4Gbps, I can
quite safely say that if your host has been supportive of Tor, I would
simply respond with the normal boilerplate regardless of what the
complaint is or who made it. I've received threats from countless
organisations, companies, police and have clashed with Interpol in the
past, they are yet to bring a single charge against me in the UK
(albeit I have had some servers seized). I am the exception of Tor
operators too, not the rule so if they can't charge me I very much
doubt they could charge somebody operating just a single server. The
point is that you should be very open that you operate a Tor node,
ensure you promptly respond to abuse complaints and if your provider
doesn't seem to be fully convinced by you or are threatening to close
your service then it could do with some additional explanation. Heck
if you need it just let me know who to contact and I'll do it for you!

Running Tor isn't illegal, you are protected by various safe-harbour
provisions and ultimately if they blacklist you there is little you
can do. Half of my IPs are on a lot of "blacklists", and I've found
removing them is useful in the short term perhaps but many are
automated and so just waste your time. In the long run we need
education more than anything and in fact I am actually writing up a
letter at the moment to encourage some blacklists to check if the IP
is a tor exit node and to prevent their systems spamming operators
with abuse complaints. (This section I'll follow up with on this
mailing list with next week)

My ISP has a policy that as long as the complaints aren't from
Spamhaus, they aren't too bothered as long as I reply to the abuse
complaints which I do. You should ask your ISP outright what the
policy is on these situations. But as far as Spamhaus goes I've not
received a single complaint from them out of thousands I have received
in the past year.

If you want to talk privately, just reply to me off the mailing list
and I'll be happy to do whatever I can.

Regards,
- -T

On 18/07/2014 10:08, Ch'Gans wrote:
> Hi there,
> 
> I'm here to look for advice or comments on how to handle abuse
> reports when you run a TOR relay exit on a "server for the mass". 
> I'm running the TOR exit node
> 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner network
> (50E/month, this is my contribution to the TOR project). So far I
> have had to deal with a few "easy" abuse reports (ssh scan, forum insults,
> spam, ...); I think I performed pretty well so far (thanks to
> Hetzner's cooperation?)
> 
> But today I just received this botnet related one. I do take this
> report seriously, I know that malware is more and more using the
> TOR network as an anonymous cover, I don't like malware, I don't
> like malicious botnets and I don't like spammers. Still I end up
> being identified as one of them.
> 
> I knew from day one that it was a risky business to run an exit
> TOR node, but I want to stand up and fight. If only I can convince
> people of my right doing.
> 
> First of all I am quite surprised that cert-bund.de (the
> complainant) didn't notice that I am a TOR exit node, so my first
> question (for people familiar with these guys) is: - How legit are
> these guys? Do they run for the German government? Are they simply
> trying to scare the shit out of me by citing europol.europa.eu, and
> us-cert.gov? (see redacted forwarded message below, my own opinion
> is "Yes") Then - Do they simply spam hosting companies each time they
> have a probe sensing something somewhere (I know it's vague, but I
> can use that as a "this complainant is a spammer" kind of
> argument)
> 
> Any other thoughts/remarks/comment on that matter?
> 
> Regards, Chris
> 
> Thought of the day: Nowadays it looks like server administrators
> tend to send an abuse report each time they receive an illegal ping
> request! Testimony of the day: Last time I received an "SSH scan"
> abuse report, I sent back my SSH honeypot logs, which contain more
> than 5k login attempts per day.
> 
> 
>  Original Message  [..] - attachment - Dear
> Sir or Madam
> 
> "Gameover Zeus" is malicious software which is primarily used by 
> cybercriminals to carry out online banking fraud and to spy out 
> login credentials for online services on infected PCs. It can also 
> be used to install further malicious software (including 
> blackmailing trojans such as "CryptoLocker" ransomware) on PCs or
> to carry out DDoS attacks.
> 
> In a joint international campaign since the end of May 2014, law
> enforcement agencies, with the support of private sector partners, 
> have taken action against the "Gameover Zeus" botnet [1].
> 
> As part of this campaign, it has now been possible to identify the 
> IP addresses of systems infected with "Gameover Zeus" [2].
> 
> We are sending you a list of infected systems in your net area.
> 
> Would you please examine the situation th

Re: [tor-relays] Speed of my relay not correct on global list

2014-07-19 Thread no.thing_to-hide
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello Sylvain!

I can only tell that I deal with a similar question.

But at 1st: Please upgrade to an actual Linux or BSD, in your own
interest. WinXP is out of date since 4/2014, and the IP of your
computer with an outdated OS is published on multiple lists of
anonymizing relays. There can't be a better invitation to crackers.
Coming from Windows, a user-friendly Linux like Mint or Ubuntu might
be a good choice for you (or does anyone here know a /userfriendly/
BSD ? :-) ). The whole OS including the Firewall is pre-configured,
there is not much work left.

The bandwidth: I also run a small internal relay, Ueberwachungsstaat (=
surveillance society) in Austria. I found 4 to 5 different numbers for
the average bandwidth:

- -

_Empire64_

I Tor Network Map, Vidalia

Empire64 (Online)
Location: Canada
IP Address: 70.81.135.152
Bandwidth: 9.00 KB/s
Uptime: 11 hours 38 mins 53 secs
Last Updated: 2014-07-19 02:27:25 GMT

II Message Log, Vidalia

- --> on your relay

III Atlas (1)

81.9 kBps

IV Onionoo (2)

80.0 kBps (advertised)

V Blutmagie (3)

3.3 kBps


_Ueberwachungsstaat_

I Tor Network Map, Vidalia

Ueberwachungsstaat (Online)
Location: Austria
IP Address: 194.96.5.19
Bandwidth: 12.00 KB/s
Uptime: 20 hours 59 mins 23 secs
Last Updated: 2014-07-18 17:07:34 GMT

II Message Log, Vidalia

Jul 19 09:04:34.476 [Notice] Heartbeat: Tor's uptime is 14:01 hours,
with 2 circuits open. I've sent 657.26 MB and received 790.30 MB.

=> Upload 13.3 kBps, Download 16.0 kBps

III Atlas (4)

92.7 kBps

IV Onionoo (5)

92.5 kBps (Advertised)

V Blutmagie (6)

1.3 kBps

- -

So the kBps from Blutmagie seem to be too low and Atlas and Onionoo too
high. Perhaps the count logic there is different.
The most reliable numbers should be the ones calculated from the
message log, assuming that Tor counts the bits correctly. Also the
number from the Network Map fits well.

What works in my experience, when your relay does not do anything at
all: Turn it off for one or two days and start it again with changed
port numbers. Sometimes my relay forwards only 10 to 20 MB a day, and
in that case I try to fix it the prescribed way. Most times it works,
sometimes not.

I operate it at a simple DSL line of Austrian ISP A1, 8192 kBps D, 768
kBps U. The bandwidth limit is 200 (400) kBps.

Why only 6.7 % of the bandwidth limit is used: I just don't know.

Best regards, and: Stay wiretapped!

Anton


1) https://atlas.torproject.org/#details/E1DFC86060848E0FDCC7B0F072FA9EBAC639DA66
2) https://onionoo.torproject.org/details?search=empire64
3) https://torstatus.blutmagie.de/router_detail.php?FP=e1dfc86060848e0fdcc7b0f072fa9ebac639da66
4) https://atlas.torproject.org/#details/4B46A52249A529324B030970E2B39AAEA7A4A79B
5) https://onionoo.torproject.org/details?search=Ueberwachungsstaat
6) https://torstatus.blutmagie.de/router_detail.php?FP=4b46a52249a529324b030970e2b39aaea7a4a79b


- -- 
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC



On 19/07/14 05:15, B00ze/Empire wrote:
> Good day.
> 
> I hope this is the correct mailing list for this.
> 
> I run a small relay, alias "Empire64" (I tried an exit once, but my
> IP was then banned at several places, so back to only a relay) on
> Win Xp. It is very small (bandwidth 80k, burst 160k) but it used to
> be smaller (64k). Back when it was 64k, I still had a lot of
> traffic, and in Vidalia's "View the network" list of relays, I was
> listed as a 64k node. Now that I have increased bandwidth and would
> like to increase it more depending on how much traffic this
> creates, I see that no one uses my relay, I have practically no
> traffic. I think this is because in the "View the network" list, I
> am listed as a 10k node! I know that Tor has changed since I ran
> the relay at 64k. If I understand correctly, the Tor network now
> TESTS for bandwidth before accepting the declared bandwidth in the
> torRC file. Well obviously, this testing is not working for me. I 
> have "attached" a screenshot of one of the rare times when I do
> have traffic - as you can see, my node DOES run @ 80k. But, see the
> other "attached" pic, I am showing in the list as a 10k node. Also,
> the Atlas shows me as UNNAMED, I don't understand why, I am the
> only one with that alias...
> 
> Tor80k screenshot:  (it needs
> javascript) Tor10k screenshot: 
> 
> Can you guys help me with this? I'd like to contribute to the
> network but it's not working for me now, and besides, the more
> traffic goes through me, the better it hides my own traffic; I want
> more :-)
> 
> My uptime (from the Atlas): 22 days 3 hours 23 minutes and 16
> seconds Fingerprint: E1DFC86060848E0FDCC7B0F072FA9EBAC639DA66 
> Platform: Tor 0.2.4.21 on Windows XP (updated to 2.4.22 just now)
> 
> Thank you. Best Regards,
> 
-BEG
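The arithmetic Anton does by hand above (heartbeat totals over the uptime, then the share of the configured limit, then a comparison with what the directory services advertise) as an added worked example in Python. This is not code from the thread or from the Tor project. It assumes, as Anton's 13.3 / 16.0 kBps figures do, that Tor's heartbeat totals use binary prefixes (1 MB = 1024 kB), and that the uptime may carry a day count before the hours:minutes part; the Onionoo-style record is constructed here and uses Onionoo's advertised_bandwidth field (bytes per second); the 10 % threshold in flag_underused is an arbitrary illustrative choice.

```python
"""Derive a relay's average throughput from Tor's heartbeat line and compare
it with the configured limit and the advertised bandwidth."""
import json
import re

# The heartbeat line quoted in the message above (Ueberwachungsstaat).
HEARTBEAT_LINE = (
    "Jul 19 09:04:34.476 [Notice] Heartbeat: Tor's uptime is 14:01 hours, "
    "with 2 circuits open. I've sent 657.26 MB and received 790.30 MB."
)

# Assumption: Tor's heartbeat totals use binary prefixes (1 MB = 1024 kB);
# this is the conversion that reproduces the 13.3 / 16.0 kBps in the message.
UNIT_BYTES = {"B": 1, "kB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}

# Assumed layout: an optional "N days" count may precede the hours:minutes part.
HEARTBEAT_RE = re.compile(
    r"Heartbeat: Tor's uptime is (?:(?P<days>\d+) days?,? )?"
    r"(?P<hours>\d+):(?P<minutes>\d+) hours, with (?P<circuits>\d+) circuits? open\. "
    r"I've sent (?P<sent>[\d.]+) (?P<sent_unit>[kMGT]?B) and received "
    r"(?P<recv>[\d.]+) (?P<recv_unit>[kMGT]?B)\."
)


def parse_heartbeat(line):
    """Return (uptime_seconds, sent_bytes, received_bytes), or None if the
    line is not a heartbeat line."""
    m = HEARTBEAT_RE.search(line)
    if m is None:
        return None
    days = int(m.group("days") or 0)
    uptime = days * 86400 + int(m.group("hours")) * 3600 + int(m.group("minutes")) * 60
    sent = float(m.group("sent")) * UNIT_BYTES[m.group("sent_unit")]
    recv = float(m.group("recv")) * UNIT_BYTES[m.group("recv_unit")]
    return uptime, sent, recv


def average_rates_kbps(line):
    """Average (upload, download) in kB/s over the whole uptime."""
    parsed = parse_heartbeat(line)
    if parsed is None:
        raise ValueError("not a heartbeat line")
    uptime, sent, recv = parsed
    if uptime == 0:
        raise ValueError("uptime is zero, no rate can be derived yet")
    return sent / 1024 / uptime, recv / 1024 / uptime


def utilisation_percent(rate_kbps, limit_kbps):
    """Share of the configured bandwidth limit (torrc BandwidthRate) in use."""
    return 100.0 * rate_kbps / limit_kbps


def flag_underused(rate_kbps, limit_kbps, threshold_percent=10.0):
    """True when the relay moves less than threshold_percent of its limit;
    the default threshold is an arbitrary choice for illustration."""
    return utilisation_percent(rate_kbps, limit_kbps) < threshold_percent


# Constructed Onionoo-style details record; advertised_bandwidth is in bytes
# per second, as in Onionoo's details documents.
ONIONOO_RECORD = json.dumps({
    "nickname": "Ueberwachungsstaat",
    "fingerprint": "4B46A52249A529324B030970E2B39AAEA7A4A79B",
    "advertised_bandwidth": 94720,  # constructed value: 92.5 kB/s * 1024
})


def advertised_kbps(record_json):
    """Advertised bandwidth from an Onionoo-style record, in kB/s."""
    return json.loads(record_json)["advertised_bandwidth"] / 1024


if __name__ == "__main__":
    up, down = average_rates_kbps(HEARTBEAT_LINE)
    print(f"average upload {up:.1f} kB/s, download {down:.1f} kB/s")
    print(f"{utilisation_percent(up, 200):.1f} % of the 200 kB/s limit used, "
          f"underused: {flag_underused(up, 200)}")
    print(f"advertised {advertised_kbps(ONIONOO_RECORD):.1f} kB/s")
```

The heartbeat average is the number to trust when the figures disagree: it is measured by the relay itself over its whole uptime, whereas the advertised bandwidth is a capacity estimate and says nothing about how much traffic clients actually send through the relay.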

Re: [tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen

2014-07-19 Thread Michael Rasmussen

The real issue here is somewhere there is a Game Over Zeus
infected client that is web browsing through the Tor network.

We have no way of alerting that host to their compromised status.
At least and unless entry nodes have a means for detecting infected
clients. Which I believe is not the case.

Antivirus software is poor at detecting this type of trojan.
It is a difficult problem we would do well to give thought to.



On Sat, Jul 19, 2014 at 11:32:38AM +0100, Thomas White wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Speaking from experience of operating 25 servers doing 4Gbps, I can
> quite safely say that if your host has been supportive of Tor, I would
> simply respond with the normal boilerplate regardless of what the
> complaint is or who made it. I've received threats from countless
> organisations, companies, police and have clashed with Interpol in the
> past, they are yet to bring a single charge against me in the UK
> (albeit I have had some servers seized). I am the exception of Tor
> operators too, not the rule so if they can't charge me I very much
> doubt they could charge somebody operating just a single server. The
> point is that you should be very open that you operate a Tor node,
> ensure you promptly respond to abuse complaints and if your provider
> doesn't seem to be fully convinced by you or are threatening to close
> your service then it could do with some additional explanation. Heck
> if you need it just let me know who to contact and I'll do it for you!
> 
> Running Tor isn't illegal, you are protected by various safe-harbour
> provisions and ultimately if they blacklist you there is little you
> can do. Half of my IPs are on a lot of "blacklists", and I've found
> removing them is useful in the short term perhaps but many are
> automated and so just waste your time. In the long run we need
> education more than anything and in fact I am actually writing up a
> letter at the moment to encourage some blacklists to check if the IP
> is a tor exit node and to prevent their systems spamming operators
> with abuse complaints. (This section I'll follow up with on this
> mailing list with next week)
> 
> My ISP has a policy that as long as the complaints aren't from
> Spamhaus, they aren't too bothered as long as I reply to the abuse
> complaints which I do. You should ask your ISP outright what the
> policy is on these situations. But as far as Spamhaus goes I've not
> received a single complaint from them out of thousands I have received
> in the past year.
> 
> If you want to talk privately, just reply to me off the mailing list
> and I'll be happy to do whatever I can.
> 
> Regards,
> - -T
> 
> On 18/07/2014 10:08, Ch'Gans wrote:
> > Hi there,
> > 
> > I'm here to look for advice or comments on how to handle abuse
> > reports when you run a TOR relay exit on a "server for the mass". 
> > I'm running the TOR exit node
> > 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner network
> > (50E/month, this is my contribution to the TOR project). So far I
> > have had to deal with a few "easy" abuse reports (ssh scan, forum insults,
> > spam, ...); I think I performed pretty well so far (thanks to
> > Hetzner's cooperation?)
> > 
> > But today I just received this botnet related one. I do take this
> > report seriously, I know that malware is more and more using the
> > TOR network as an anonymous cover, I don't like malware, I don't
> > like malicious botnets and I don't like spammers. Still I end up
> > being identified as one of them.
> > 
> > I knew from day one that it was a risky business to run an exit
> > TOR node, but I want to stand up and fight. If only I can convince
> > people of my right doing.
> > 
> > First of all I am quite surprised that cert-bund.de (the
> > complainant) didn't notice that I am a TOR exit node, so my first
> > question (for people familiar with these guys) is: - How legit are
> > these guys? Do they run for the German government? Are they simply
> > trying to scare the shit out of me by citing europol.europa.eu, and
> > us-cert.gov? (see redacted forwarded message below, my own opinion
> > is "Yes") Then - Do they simply spam hosting companies each time they
> > have a probe sensing something somewhere (I know it's vague, but I
> > can use that as a "this complainant is a spammer" kind of
> > argument)
> > 
> > Any other thoughts/remarks/comment on that matter?
> > 
> > Regards, Chris
> > 
> > Thought of the day: Nowadays it looks like server administrators
> > tend to send an abuse report each time they receive an illegal ping
> > request! Testimony of the day: Last time I received an "SSH scan"
> > abuse report, I sent back my SSH honeypot logs, which contain more
> > than 5k login attempts per day.
> > 
> > 
> >  Original Message  [..] - attachment - Dear
> > Sir or Madam
> > 
> > "Gameover Zeus" is malicious software which is primarily used by 
> > cybercriminals to carry out online banking fraud and to spy out 
> > 

Re: [tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen

2014-07-19 Thread Zack Weinberg
On Sat, Jul 19, 2014 at 12:32 PM, Thomas White  wrote:
> Speaking from experience of operating 25 servers doing 4Gbps, I can
> quite safely say that if your host has been supportive of Tor, I would
> simply respond with the normal boilerplate regardless of what the
> complaint is or who made it.

I have found that if the complaint is of this type - that is, "this
machine appears to be [infected with $MALWARE | running an unsafely
obsolete version of $OPERATING_SYSTEM | part of $BOTNET]" - it is
useful to augment the normal boilerplate along the lines of

| Scanners that aim to detect misconfigured, vulnerable, or infected
| computers will, from time to time, pick up Tor exits as false
| positives, whenever they happen to be emitting traffic that
| originates from such computers. By design, we have no way to pass
| your report along to the true source of the traffic. We can assure
| you that the actual computer at [EXIT'S IP ADDRESS] is not infected
| with any malware and is kept up to date with security fixes.
| However, you should expect it to continue to appear in your scans as
| a false positive.

zw
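Thomas's wish that blacklists check whether an IP is a Tor exit before sending complaints, and Zack's "false positive" boilerplate, both come down to the same lookup on the reporting side. As an added example (not code from the thread, from TorDNSEL or from the Tor project), here is a Python script an abuse desk or sinkhole operator could run over report lines against a snapshot of Tor's exit list, so that reported IPs which are known exits get the Tor-exit notice instead of an infection complaint. The exit-list snippet is constructed and follows the layout of the exit-addresses file TorDNSEL publishes (ExitNode / Published / LastStatus / ExitAddress lines); the first fingerprint is the one Chris gives in the thread, the second fingerprint, the addresses and the report lines are constructed placeholders.

```python
"""Separate abuse reports aimed at Tor exits from reports about real hosts."""
import ipaddress

# Constructed snapshot in the layout of TorDNSEL's exit-addresses file: one
# ExitNode record per relay, each with one or more ExitAddress lines
# (address plus the time it was last seen exiting).
EXIT_LIST = """\
ExitNode 18B6EBAF10814335242ECA5705A04AAD29774078
Published 2014-07-19 08:31:14
LastStatus 2014-07-19 09:02:31
ExitAddress 203.0.113.45 2014-07-19 09:03:10
ExitNode 0000000000000000000000000000000000000001
Published 2014-07-19 07:58:02
LastStatus 2014-07-19 09:02:31
ExitAddress 198.51.100.7 2014-07-19 09:04:55
ExitAddress 198.51.100.8 2014-07-19 08:12:00
"""

# Constructed report lines in the shape a sinkhole notification might take:
# <source ip> <timestamp> <malware family>.
REPORT_LINES = [
    "203.0.113.45 2014-07-18T22:14:03Z GameoverZeus",
    "192.0.2.10 2014-07-18T22:15:41Z GameoverZeus",
    "198.51.100.8 2014-07-18T23:01:12Z GameoverZeus",
]


def parse_exit_list(text):
    """Map each exit address to the fingerprint of the relay using it."""
    exits = {}
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint is not None:
            exits[ipaddress.ip_address(parts[1])] = fingerprint
    return exits


def is_tor_exit(ip_str, exits):
    """Fingerprint of the exit relay behind ip_str, or None if it is not a
    known exit (or not a valid address)."""
    try:
        return exits.get(ipaddress.ip_address(ip_str))
    except ValueError:
        return None


def classify_reports(report_lines, exits):
    """Return [(ip, family, fingerprint_or_None)] for each report line.

    A fingerprint means the reported IP is a Tor exit: the infected machine
    is somewhere behind the Tor network and the exit operator cannot identify
    it, so an infection complaint to that operator cannot reach the real host.
    """
    out = []
    for line in report_lines:
        ip_str, _timestamp, family = line.split()
        out.append((ip_str, family, is_tor_exit(ip_str, exits)))
    return out


def tor_exit_reports(report_lines, exits):
    """IPs that should receive the Tor-exit notice instead of a complaint."""
    return [ip for ip, _family, fp in classify_reports(report_lines, exits) if fp]


if __name__ == "__main__":
    known_exits = parse_exit_list(EXIT_LIST)
    for ip, family, fp in classify_reports(REPORT_LINES, known_exits):
        kind = f"Tor exit {fp}" if fp else "direct host"
        print(f"{ip:15} {family:14} {kind}")
```

Exit addresses change, so the snapshot has to be refreshed regularly, and the check only says that the IP was an exit around the time of the report; it says nothing about which client's traffic left through it, which is exactly the point of Zack's boilerplate.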


Re: [tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen

2014-07-19 Thread Ch'Gans

On 20/07/14 05:58, Zack Weinberg wrote:

> On Sat, Jul 19, 2014 at 12:32 PM, Thomas White  wrote:
> 
> > Speaking from experience of operating 25 servers doing 4Gbps, I can
> > quite safely say that if your host has been supportive of Tor, I would
> > simply respond with the normal boilerplate regardless of what the
> > complaint is or who made it.
> 
> I have found that if the complaint is of this type - that is, "this
> machine appears to be [infected with $MALWARE | running an unsafely
> obsolete version of $OPERATING_SYSTEM | part of $BOTNET]" - it is
> useful to augment the normal boilerplate along the lines of
> 
> | Scanners that aim to detect misconfigured, vulnerable, or infected
> | computers will, from time to time, pick up Tor exits as false
> | positives, whenever they happen to be emitting traffic that
> | originates from such computers. By design, we have no way to pass
> | your report along to the true source of the traffic. We can assure
> | you that the actual computer at [EXIT'S IP ADDRESS] is not infected
> | with any malware and is kept up to date with security fixes.
> | However, you should expect it to continue to appear in your scans as
> | a false positive.


Thanks Zack for this example of an explanation, I think I will re-use it in
my answer.


Thanks again!
Chris



> zw



--
QtCreator/qmakeparser.cpp:42
// Parser ///
#define fL1S(s) QString::fromLatin1(s)
namespace { // MSVC2010 doesn't seem to know the semantics of "static" ...


Re: [tor-relays] Fwd: [Abuse[...]] GameoverZeus-Infektionen

2014-07-19 Thread Ch'Gans

On 19/07/14 22:32, Thomas White wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Speaking from experience of operating 25 servers doing 4Gbps, I can
> quite safely say that if your host has been supportive of Tor, I would
> simply respond with the normal boilerplate regardless of what the
> complaint is or who made it. I've received threats from countless
> organisations, companies, police and have clashed with Interpol in the
> past, they are yet to bring a single charge against me in the UK
> (albeit I have had some servers seized). I am the exception of Tor
> operators too, not the rule so if they can't charge me I very much
> doubt they could charge somebody operating just a single server. The
> point is that you should be very open that you operate a Tor node,
> ensure you promptly respond to abuse complaints and if your provider
> doesn't seem to be fully convinced by you or are threatening to close
> your service then it could do with some additional explanation. Heck
> if you need it just let me know who to contact and I'll do it for you!


Thanks for proposing your help, I think I'm OK for now.
It is true that I have not been very "honest" with my hosting company,
I didn't tell them that I am running an exit TOR node, I simply stated
so far that I provide "service to people", and that sometimes this
service gets abused by bad apples.
But I think this time I will tell them, and try to come up with convincing
arguments (your email and others' are helpful to me)


Actually, I'm not the only TOR exit node on the Hetzner AS:
https://metrics.torproject.org/bubbles.html#as-exits-only
Hetzner is on the right of the biggest AS bubble (i3d BV)
And from https://metrics.torproject.org/bubbles.html#as, Hetzner is the 
biggest bubble!


Thx,
Chris



> Running Tor isn't illegal, you are protected by various safe-harbour
> provisions and ultimately if they blacklist you there is little you
> can do. Half of my IPs are on a lot of "blacklists", and I've found
> removing them is useful in the short term perhaps but many are
> automated and so just waste your time. In the long run we need
> education more than anything and in fact I am actually writing up a
> letter at the moment to encourage some blacklists to check if the IP
> is a tor exit node and to prevent their systems spamming operators
> with abuse complaints. (This section I'll follow up with on this
> mailing list with next week)
> 
> My ISP has a policy that as long as the complaints aren't from
> Spamhaus, they aren't too bothered as long as I reply to the abuse
> complaints which I do. You should ask your ISP outright what the
> policy is on these situations. But as far as Spamhaus goes I've not
> received a single complaint from them out of thousands I have received
> in the past year.
> 
> If you want to talk privately, just reply to me off the mailing list
> and I'll be happy to do whatever I can.
> 
> Regards,
> - -T
> 
> On 18/07/2014 10:08, Ch'Gans wrote:
> 
> > Hi there,
> > 
> > I'm here to look for advice or comments on how to handle abuse
> > reports when you run a TOR relay exit on a "server for the mass".
> > I'm running the TOR exit node
> > 18B6EBAF10814335242ECA5705A04AAD29774078 on Hetzner network
> > (50E/month, this is my contribution to the TOR project). So far I
> > have had to deal with a few "easy" abuse reports (ssh scan, forum insults,
> > spam, ...); I think I performed pretty well so far (thanks to
> > Hetzner's cooperation?)
> > 
> > But today I just received this botnet related one. I do take this
> > report seriously, I know that malware is more and more using the
> > TOR network as an anonymous cover, I don't like malware, I don't
> > like malicious botnets and I don't like spammers. Still I end up
> > being identified as one of them.
> > 
> > I knew from day one that it was a risky business to run an exit
> > TOR node, but I want to stand up and fight. If only I can convince
> > people of my right doing.
> > 
> > First of all I am quite surprised that cert-bund.de (the
> > complainant) didn't notice that I am a TOR exit node, so my first
> > question (for people familiar with these guys) is: - How legit are
> > these guys? Do they run for the German government? Are they simply
> > trying to scare the shit out of me by citing europol.europa.eu, and
> > us-cert.gov? (see redacted forwarded message below, my own opinion
> > is "Yes") Then - Do they simply spam hosting companies each time they
> > have a probe sensing something somewhere (I know it's vague, but I
> > can use that as a "this complainant is a spammer" kind of
> > argument)
> > 
> > Any other thoughts/remarks/comment on that matter?
> > 
> > Regards, Chris
> > 
> > Thought of the day: Nowadays it looks like server administrators
> > tend to send an abuse report each time they receive an illegal ping
> > request! Testimony of the day: Last time I received an "SSH scan"
> > abuse report, I sent back my SSH honeypot logs, which contain more
> > than 5k login attempts per day.
> > 
> > 
> >  Original Message  [..] - attachment - Dear
> > Sir or Madam
> > 
> > "Gameover Zeus" is malicious software which is primarily used by
> > cybercriminals to carry out online banking fraud and to spy out
> > login credentials