Re: [tor-relays] 7 relays gone because of spammers

2015-03-03 Thread Zefir

On 2015-02-25 14:20, Speak Freely wrote:

> Oh yes, my money is gone already. They have no interest in talking to me
> anymore, as the decision was final. The Abuse department won't talk to
> the Support department, and the abuse department won't talk to me.

The idea of initiating a chargeback is great. I did this a couple of times
myself when the vendor was everything but honest. If that's what you're going
to do, I'd definitely like to hear what OVH's excuse was for not following
their own policy, as they have to explain and prove to the bank why the charge
is valid.

Hopefully you'll get your money back.

> I'd be more inclined to think these spam assassin fellas/evil doer
> finders just parsed the exit-node files and decide WHOOPIDY-DO I did my
> job! Over-zealous punks trying to get their lists larger than their
> competitor.
>
> OVH appears to have based these accusations on what other websites have
> said about my IP addresses, and not a single actual complaint against
> the relays I run.

I haven't thought about it that way. I run a mail server myself, and fighting
spam is a daunting task. To avoid the situation of automagically reporting a
spamming IP to SBL providers, I'd like to implement a solution that does both
reporting and whitelisting (I have neither). Is anyone familiar with, or does
anyone already have in place (or need; I'll try to write one myself), a script
or config module for SpamAssassin or a Postfix milter that does the following
two tasks? The first would be a periodic download of a public list of Tor exit
relays. The second would involve spammy email management: if an email passes
through all filters and is deemed spam/malware/ebola, it should be dropped,
yet if it is received from an exit relay (an IP on the list downloaded in
step 1) nothing would be reported anywhere. Otherwise, forward it for spam
analysis.

I'm also thinking about a second possible solution, but I'm not sure if it's
possible. On the host that's an exit relay, one would also have installed some
kind of Postfix (or other MTA), and unencrypted Tor exit traffic directed to
ports 25 and 587 would be rerouted to localhost's MTA for virus/spam scanning
and then either forwarded or dropped. Rerouting is doable in moments using
iptables. I'm not sure what effect that would have on the Tor network and
security though.

Zefir

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
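The two-step filter Zefir describes (periodic download of the public exit list, then drop spam but suppress blocklist reporting when the connecting IP is a Tor exit), as an added example in Python that is not code from the thread or from any of the tools named in it. EXIT_LIST_URL is the real bulk exit list served by check.torproject.org; the cache path, the "ip verdict message-id" log format and all sample data are constructed for this example.

```python
# Added example (not from the thread): Zefir's two-step filter as a small
# Python module. Step 1 parses a downloaded Tor exit list; step 2 decides,
# per message, whether spam is dropped and whether the source IP is reported.
# EXIT_LIST_URL is the real bulk list from check.torproject.org; the cache
# path, the log format and the sample data below are constructed.
import ipaddress
import urllib.request
from typing import Dict, List, Set, Tuple

EXIT_LIST_URL = "https://check.torproject.org/exit-addresses"
EXIT_LIST_PATH = "/var/cache/tor-exits.txt"  # hypothetical cron-maintained cache


def parse_exit_list(text: str) -> Set[str]:
    """Extract exit IPs from either list format: one IP per line, or the
    'ExitNode / Published / LastStatus / ExitAddress <ip> <date>' records."""
    exits: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "ExitAddress" and len(fields) >= 2:
            candidate = fields[1]
        elif len(fields) == 1:
            candidate = fields[0]
        else:
            continue  # ExitNode/Published/LastStatus lines carry no address
        try:
            exits.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # a malformed entry must never become a whitelist entry
    return exits


def fetch_exit_list(url: str = EXIT_LIST_URL, timeout: float = 30.0) -> Set[str]:
    """Step 1: periodic download of the public exit list (needs network)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_exit_list(resp.read().decode("utf-8", "replace"))


def decide(client_ip: str, verdict: str, exits: Set[str]) -> Tuple[str, bool]:
    """Step 2: returns (action, report). Spam/malware is dropped regardless of
    origin; reporting to blocklist providers is suppressed when the connecting
    IP is a Tor exit, because the relay operator is not the sender."""
    if verdict == "clean":
        return ("deliver", False)
    ip = str(ipaddress.ip_address(client_ip))  # normalises and rejects junk
    return ("drop", ip not in exits)


def process(log_lines: List[str], exits: Set[str]) -> List[Dict[str, object]]:
    """Apply decide() to '<client_ip> <verdict> <message_id>' lines (a
    constructed format, not a real milter log)."""
    results: List[Dict[str, object]] = []
    for line in log_lines:
        client_ip, verdict, msg_id = line.split()
        action, report = decide(client_ip, verdict, exits)
        results.append({"id": msg_id, "ip": client_ip, "action": action,
                        "report": report})
    return results


# Constructed sample of the exit list; the fingerprint and the addresses
# (documentation ranges) are made up, not real relays.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000000
Published 2015-02-25 10:00:00
LastStatus 2015-02-25 11:00:00
ExitAddress 192.0.2.10 2015-02-25 11:00:00
203.0.113.7
not-an-ip
"""

# Constructed filter verdicts: <client_ip> <verdict> <message id>
SAMPLE_LOG = [
    "192.0.2.10 spam msg1",    # spam via a Tor exit: drop, do not report
    "198.51.100.4 spam msg2",  # spam from a non-exit: drop and report
    "203.0.113.7 clean msg3",  # clean mail via an exit: deliver as usual
]

if __name__ == "__main__":
    for r in process(SAMPLE_LOG, parse_exit_list(SAMPLE_EXIT_LIST)):
        print(r)
```

The decision keys only on the connecting IP; the spam verdict itself still comes from whatever filter runs in front of it. One check worth making before acting on such a listing at all: the Reduced Exit Policy does not allow port 25, so a relay running it cannot have been the source of direct SMTP spam.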


Re: [tor-relays] 7 relays gone because of spammers

2015-02-27 Thread cacahuatl

I'm not a big fan of adding more complexity to improve security.

With fail2ban [1] you run the risk of, for example, someone
bruteforcing your ssh from every exit node they can find, then your
relay blocking those exits, meaning there are certain circuits that
you're stopping clients from making.
Instead of fail2ban I recommend using a non-standard port for SSH to
defeat the majority of bruteforce attempts. This will stop pretty much
all the bad ssh traffic you're seeing; most of it is botnets, and
they're not very smart and won't waste time, they're looking for the
low-hanging fruit (I don't have to outrun the bear, just you).

rkhunter has had a few vulns [2][3] that allowed privesc (let's use
predictable filenames in /tmp!) and we all know that signature based
detection is terrible anyway.

clamav has a track record [4] that should make you instantly just
throw it on the fire too! If you think the data might be evil *don't*
try and use your home-rolled parser to try and do in-depth analysis of
it automatically!

Keep it simple, have a restricted inbound port policy, and if you can, use
a hardened kernel with grsec/pax and apparmor (or your preferred MAC)
profiles to help compartmentalise and reduce the pivot room for any
potential exploit if it is successful.

Also, use key auth and deny password logins for your ssh, if possible.
I'd recommend that you don't use DSA or ECDSA though; if you're on a
modern openssh then ed25519 is fine, otherwise use the tried-and-true RSA.

[1] - http://www.osvdb.org/search/search?search[vuln_title]=fail2ban&search[text_type]=titles&search[refid]=&search[referencetypes]=&kthx=search
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1270
[3] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4982
[4] - http://www.osvdb.org/search/search?search[vuln_title]=clamav&search[text_type]=titles&search[refid]=&search[referencetypes]=&kthx=search

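A way to check an sshd_config against the advice in the post above (key auth only, no password logins, no root login, a non-default port, ed25519 or RSA host keys rather than DSA or ECDSA), as an added Python example that is not code from the thread. The two configs are constructed samples; the ChallengeResponseAuthentication check goes one step beyond the post, because with PAM that setting can still accept a password after PasswordAuthentication has been turned off.

```python
# Added example (not from the thread): audit an sshd_config against the
# SSH advice in cacahuatl's post. Both sample configs are constructed.
from typing import Dict, List

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",  # older releases; newer ones default to prohibit-password
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map lowercased keyword -> values in file order. sshd uses the first
    occurrence of most keywords, but HostKey accumulates, so every value is
    kept. Anything after a Match block is conditional and is skipped here."""
    cfg: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        cfg.setdefault(keyword, []).append(value)
    return cfg


def first(cfg: Dict[str, List[str]], keyword: str) -> str:
    """Effective value: the first occurrence, or the OpenSSH default."""
    return cfg.get(keyword, [DEFAULTS.get(keyword, "")])[0].lower()


def audit(text: str) -> List[str]:
    """Return findings; an empty list means the config follows the advice."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    if first(cfg, "port") == "22":
        findings.append("SSH listens on the default port 22")
    if first(cfg, "permitrootlogin") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin permits root login with a password")
    if first(cfg, "passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not disabled")
    if first(cfg, "challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is not disabled (PAM may still accept passwords)")
    if first(cfg, "pubkeyauthentication") == "no":
        findings.append("PubkeyAuthentication is disabled")
    host_keys = cfg.get("hostkey", [])
    if not host_keys:
        findings.append("no HostKey lines: sshd loads its built-in default key set, check which keys exist in /etc/ssh")
    for path in host_keys:
        if "dsa" in path.lower():  # matches ssh_host_dsa_key and ssh_host_ecdsa_key
            findings.append(f"host key uses DSA or ECDSA: {path}")
    return findings


# Constructed sample: the kind of config the post argues against.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
"""

# Constructed sample: the same host following the post's advice.
HARDENED_SSHD_CONFIG = """\
Port 2222                        # non-standard port, as the post suggests
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit(text) or "no findings")
```

The parser deliberately stops at the first Match block: directives inside it apply only to matching users or hosts, and an auditor that folded them into the global view would report the wrong effective settings.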


Re: [tor-relays] 7 relays gone because of spammers

2015-02-26 Thread Speak Freely
Hi ZEROF,

I had fail2ban, harden (which includes tiger, tripwire, logcheck, plus
MANY others), all the fancy log checkers, rkhunter and clamav,
unattended-upgrades, and had all logs emailed to me on a daily basis. It
was tedious to go through, but I was trying to do my due diligence.

I disabled root login, changed ssh port (security through obscurity -
damn right, but I kept it in the privileged range.)
---
Each password was a minimum of 32 characters, alphanumeric plus symbols.
No two passwords were alike, or remotely similar.
(No, I didn't use keys :@)

I checked how secure is my password, and this is the result:
It would take a desktop PC about
21 quattuordecillion years
to crack your password

I had to look quattuordecillion up, as my spell checker doesn't know
what it means. In the US, it means 1 followed by 45 zeros.
(In the UK it is 10^84, but I believe the website is American so I'm
sticking with ^45)
---
I disabled as many services as I could reasonably tolerate. I removed
world rights to as much as I could think. I did everything I could think
of to make each VPS effectively useless except for running a Tor relay.

My firewall matched my Reduced Exit Policy, plus my secret ssh port.


I never thought about the honey-pot... That's a good one.


Speak Freely


Re: [tor-relays] 7 relays gone because of spammers

2015-02-26 Thread Speak Freely
After much research, I've found some interesting tidbits.

Out of the 88 blacklists mxtoolbox reports against,

6/7 relays reported 3 problems
- 1) Efnet blocks Tor exits and reported. No exceptions.
- 2) CBL detected a single trojan/malware/spam, etc, and reported
- 3) Spamhaus ZEN detected CBL's detection, and reported

1 of the 7 relays also had two hits from Mailspike
- 1) Mailspike Z found a distributed spam wave, and reported
- 2) Mailspike BL aggregates other Mailspike lists, and reported


Essentially, all 7 of my relays were taken down because of trivial
issues, all but 1 being single instances of reported problems from a
single source.

Both CBL and Mailspike offer de-listing services that are easy to use
and straightforward.


I spoke with MasterCard yesterday, and they've mailed off the paperwork
I need to fill out to do the charge-back. I won't get into the
specifics, but they were encouraging.

I will also be moving my unrelated business dealings away from OVH as
soon as possible.


Speak Freely
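A way for a relay operator to run the same kind of check mxtoolbox ran in the post above against the lists it names (Spamhaus ZEN, CBL, Mailspike), so a listing is noticed before the hosting provider acts on it. This is an added Python example, not code from the thread or from any of those lists. The zone names are, to my knowledge, the lists' public DNSBL zones (verify against each list's own documentation); the ZEN return-code meanings follow Spamhaus's documentation. The DNS lookup is injected so the sample runs offline against a constructed answer table.

```python
# Added example (not from the thread): check an IP against the DNS blocklists
# named in Speak Freely's post. The resolver is injected; FAKE_DNS below is a
# constructed answer table so the example runs offline.
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]  # name -> A record, or None for NXDOMAIN

# Public DNSBL zones of the lists the post mentions (verify against each
# list's documentation before relying on them).
ZONES: List[str] = [
    "zen.spamhaus.org",   # Spamhaus ZEN (aggregates SBL, XBL/CBL data, PBL)
    "cbl.abuseat.org",    # CBL
    "bl.mailspike.net",   # Mailspike BL
    "z.mailspike.net",    # Mailspike Z
]

# Spamhaus ZEN encodes the sub-list in the last octet of the answer.
ZEN_CODES = {
    2: "SBL", 3: "SBL CSS",
    4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
    10: "PBL", 11: "PBL",
}


def query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the octets and append the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises on IPv6 or junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(zone: str, answer: Optional[str]) -> Optional[str]:
    """Turn an A-record answer into a readable listing, or None if not listed.
    Answers outside 127.0.0.0/8 are treated as bogus (a resolver that
    wildcards NXDOMAIN, for instance) rather than as a listing."""
    if answer is None:
        return None
    a = ipaddress.IPv4Address(answer)
    if a not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    if zone == "zen.spamhaus.org":
        return "listed: " + ZEN_CODES.get(int(a) & 0xFF, f"unknown code {answer}")
    return f"listed: {answer}"


def check_ip(ip: str, resolve: Resolver, zones: List[str] = ZONES) -> Dict[str, Optional[str]]:
    """Query every zone for one IP; values are None when not listed."""
    return {zone: interpret(zone, resolve(query_name(ip, zone))) for zone in zones}


def resolve_with_socket(name: str) -> Optional[str]:
    """Real resolver for live use (needs network access)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed answer table standing in for DNS: 192.0.2.10 is "listed" on ZEN
# via the XBL feed and on CBL itself; 198.51.100.4 is clean everywhere.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "10.2.0.192.cbl.abuseat.org": "127.0.0.2",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.4"):
        print(ip, check_ip(ip, fake_resolve))
```

For live use pass resolve_with_socket instead of fake_resolve. The check is cheap enough to run from cron for each relay address; the thread's point that a single CBL hit fans out into a ZEN hit is visible in the fake table, where one detection shows up on two zones.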


Re: [tor-relays] 7 relays gone because of spammers

2015-02-26 Thread justaguy
So, you made a POST request to an online password checker and they now
probably have your password.



-- 
https://justaguy.pw
PGP fingerprint: 8516 5FFC 011A 6465 D042 6AC1 D719 1F41 B7CE EDFF
The Net treats censorship as a defect and routes around it. ~John Gilmore, 1993






Re: [tor-relays] 7 relays gone because of spammers

2015-02-26 Thread Markus Hitter
On 26.02.2015 at 03:42, ZEROF wrote:
> 4. Setup honey-pot on your server and play their game (10-15 job):
> http://linuxdrops.com/how-to-set-up-a-honeypot-using-smart-and-simple-artillery-debian-6-0/

Sounds like a good strategy.

What I don't like is the _permanent_ ban of IP addresses. Being a co-maintainer
of a wiki, a mailing list and a forum, all reasonably popular, I've learned
that IP addresses are no longer a reliable way to identify users, and also that
malicious people have no shortage of addresses. They have plenty of them,
enough to choose another one for each attack even if you don't ban the former
one.

Running a strategy of permanently banning all IPs with malicious tries
inevitably leads to also locking out many legitimate users. Before too long
you've banned half the Internet and your server fortress is of no use anymore.

As such I started to ban only for short periods of time: a week, or a month.
It works just as well as permanent bans against attacks, and legitimate users
have to wait just a few days, worst case, to pick up services again.


Markus

-- 
- - - - - - - - - - - - - - - - - - -
Dipl. Ing. (FH) Markus Hitter
http://www.jump-ing.de/


Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread Sebastian Urbach

On February 25, 2015 8:21:32 PM Speak Freely when2plus2...@riseup.net wrote:

Hi,


> Oh yes, my money is gone already. They have no interest in talking to me
> anymore, as the decision was final. The Abuse department won't talk to
> the Support department, and the abuse department won't talk to me.


That's really sad. Spam abuse reports are hitting me pretty much every day @
Online SAS (online.net, France). I fill out their abuse form every time:
"This is a Tor Exit Node with a reduced Exit policy." It's a 72 hour
deadline. Works fine, they never shut down anything.


Every country and every ISP seems to be a completely different game :-(




Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread Toralf Förster
On 02/25/2015 07:35 PM, Speak Freely wrote:
> Your account was suspended
Does this really mean that your money is lost already?
Often ISPs just unplug a server from the network till you've solved the
problem.

> your IPs are blacklisted on multiples lists for Spam and other malicious
> activities.
I bet that your exit relays were used for massive port scan activities.

-- 
Toralf
pgp key: 7B1A 07F4 EC82 0F90 D4C2  8936 872A E508 0076 E94E



Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread s7r

Hello,

Sorry to hear this.
I want to setup a big node at Voxility, which is a good provider to
host Tor exits, maybe more of us can pool together financial resources
and make a big cluster. I have some offers from them if interested.

On 2/25/2015 8:35 PM, Speak Freely wrote:
> Hello fellow relay runners,
>
> This morning OVH decided to kill 7 of my relays due to spamming,
> and block all access to all services. I ran the Reduced Exit policy
> for all of my relays.
>
> Due to heightened concerns about this affecting other unrelated
> services I have with OVH, I had to shut down the other 3 relays.
> They may eventually re-appear as middle-relays.
>
> This has cost me hundreds of dollars, as I foolishly decided to
> prepay on an annual basis. None of the servers were older than 2
> months. Some were only a few weeks old.
>
> The Abuse department's rationale is as follows: "Your account was
> suspended because 100% of your IPs are blacklisted on multiples
> lists for Spam and other malicious activities. This case is closed
> and this decision is final."
>
> --
>
> When I first contacted OVH regarding running Tor relays, this was the
> response that I received from them, which does not mesh with what
> just happened.
>
> Good morning Matt,
>
> I'm very glad to hear from you. It is very flattering to hear that
> you are very satisfied by our service at OVH!
>
> We do take our network speed and hardware performance very
> seriously here. We are proud of our infrastructure that we have
> built over the years.
>
> I do understand your concerns about setting up a Tor relay on one
> of our VPS. In a simple form, yes you can.
>
> We do let our customers use our VPS as Tor relays. We have no
> problem in letting you do this.
>
> However, you are allowed to use Tor but it will be at your own
> risk.
>
> Rest assured that, in case of an abuse, we will not terminate your
> account without notice. In fact we may not even terminate your VPS.
> You will receive a warning from our Abuse department giving you a
> choice to resolve the abuse case.
>
> Like you said, we are in a world where free speech is constantly
> under attack and we are committed to help as much as possible to
> protect this fundamental right that we all have. We will absolutely
> not in any case share our customers' information or data with
> authorities without a warrant.
>
> For any other questions or concerns, feel free to contact us at
> any time. We are available 24/7.
>
> Good luck with that privacy project of yours and keep on supporting
> the cause of free speech!
>
> Thank you for contacting OVH and have a wonderful day!
>
> Colin K.
> Customer Advocate
>
> --
>
> Not that it matters anymore, but each relay was dedicated to one
> of the victims of the Charlie Hebdo attack.
> https://atlas.torproject.org/#search/4charlie
>
> --
>
> Eventually I will get back at this... But for now, my money is
> gone, and all my hard work is lost.
>
> --
>
> So... I know I'm new. And it's possible this has happened (many
> times) before, but... You've been warned.
>
>
> Speak Freely
 


Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread Josef Stautner
He said that he ran a reduced exit policy relay.
Is portscanning even possible there?



Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread Josef Stautner
Hello Speak Freely,

that's not nice to hear.

Quote:
"Rest assured that, in case of an abuse, we will not terminate your
account without notice. In fact we may not even terminate your VPS. You
will receive a warning from our Abuse department giving you a choice to
resolve the abuse case."

Has OVH contacted you before because of an abuse complaint?

~Josef




Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread Speak Freely
Oh yes, my money is gone already. They have no interest in talking to me
anymore, as the decision was final. The Abuse department won't talk to
the Support department, and the abuse department won't talk to me.


I'd be more inclined to think these spam assassin fellas/evil doer
finders just parsed the exit-node files and decide WHOOPIDY-DO I did my
job! Over-zealous punks trying to get their lists larger than their
competitor.

OVH appears to have based these accusations on what other websites have
said about my IP addresses, and not a single actual complaint against
the relays I run.

But I could be wrong.

Either way... It's unfortunate.


OVH has never contacted me for anything, except to notify me of
connections to the manager.

For clarification from their email to me where they showed positive
feelings toward Tor, here is my original email to them about me running
those relays.

The first paragraph butters them up, and the second last paragraph
attempts to show that I wanted to run clean, safe relays.
-
Greetings,

I'm a current customer with two VPS servers with you, so far you've been
awesome! I've never met anyone who has heard of you, and that is beyond
shocking. Your prices are better than almost everyone's, your service is
superior, and I'm pretty sure your claims regarding hardware performance
are the closest I've ever experienced to truth.

Alright now to the fun stuff.

Section 1)

I have read online that you are accommodating to users setting up Tor
*middle* relays on VPS accounts, and as such I recently set one up.

However, that wasn't necessarily the brightest decision on my part. Can
you confirm that you let customers run Tor *middle* relays? These are
the non-exiting relays.

Given the recent activities around the world, I'd like to set several
more relays up. If you do let customers install Tor, can they be
installed on VPS Classic accounts?

Here is a description of the Tor platform,
(https://www.torproject.org/eff/tor-dmca-response.html.en)
...
Tor is network software that helps users to enhance their privacy,
security, and safety online. It does not host any content. Rather, it is
part of a network of nodes on the Internet that simply pass packets
among themselves before sending them to their destinations, just as any
Internet intermediary does. The difference is that Tor tunnels the
connections such that no hop can learn both the source and destination
of the packets, giving users protection from nefarious snooping on
network traffic. The result is that, unlike most other Internet traffic,
the final IP address that the recipient receives is not the IP address
of the sender. Tor protects users against hazards such as harassment,
spam, and identity theft. Initial development of Tor, including
deployment of a public-use Tor network, was a project of the U.S. Naval
Research Laboratory, with funding from ONR and DARPA. (For more on Tor,
see https://www.torproject.org/.) I hope, as an organization committed
to protecting the privacy of its customers, you'll agree that this is a
valuable technology.
...

Section 2)

I've read online nothing but ambiguity regarding exit relays. My current
understanding is that if we run them, we risk the account being
terminated. Would you terminate the single VPS server, or my entire
account with all of my VPSs?

If this somewhat murky situation is the case, would you be willing to
assist me with minor activities in locking down the server? If I run
exit relays, I want to use rather extreme exit policies, locking out
most ports, and only allowing certain traffic through. I don't want to
create a conduit for illicit downloading of videos, software, games,
etc. And child pornography. Surely there has to be something your
SysAdmins can do to help stop that. Blacklists, I suspect. So locking
out that type of traffic is important both for my sensibilities, your
network, and our legal safety.


I'm more than willing, and interested, in discussing this further with
you. In a world where free speech is under attack, we need to protect
those that speak up.

Let me know.



Kind regards,

Matt
-

I tried... I tried to be as helpful as possible in explaining what Tor
is and does, and I tried to start a positive dialog and relationship
with them. The numerous telephone conversations I've had with them were
always quite positive and friendly. I was always assured they would
contact me first, let me deal with the complaint, etc...

But I've come to realize this wasn't because of any complaint. Some
john at OVH saw my IP addresses on a set of lists, most likely
siphoned from the publicly available exit-relay lists, and decided I
must be doing something bad.

Because they're no longer talking, most of this is all a guessing game.


How can you have any pudding if you don't eat your meat?
How can you get your t-shirt if you don't run your relay?

Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread jason
This++

On 02/25/2015 07:32 PM, Pascal wrote:
> If you paid with a credit card, give them a choice: they can either
> refund your money or you will initiate a chargeback.  Either way you get
> your money back, but with the chargeback you will probably get all of
> your money back instead of a prorated refund, they have to pay a fee,
> and may have their merchant account terminated if they get enough of them.
>
> -Pascal
>
>
> On 2/25/2015 12:35 PM, Speak Freely wrote:
>> This has cost me hundreds of dollars, as I foolishly decided to prepay
>> on an annual basis. None of the servers were older than 2 months. Some
>> were only a few weeks old.
 ___
 tor-relays mailing list
 tor-relays@lists.torproject.org
 https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays



Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread Chris Patti
I'm having a similar situation.  Linode issued a ToS violation because
my linode on which I run a relay was a source of spam.

Very strange because I had reject *:* (no exit) set in my torrc.

Anyway I've had to give up and shut down FiatLux.  Kind of a bummer, I
really enjoyed contributing to Tor.

-Chris

On Wed, Feb 25, 2015 at 1:35 PM, Speak Freely when2plus2...@riseup.net wrote:
 Hello fellow relay runners,

 This morning OVH decided to kill 7 of my relays due to spamming, and
 block all access to all services. I ran the Reduced Exit policy for all
 of my relays.

 Due to heightened concerns about this affecting other unrelated services
 I have with OVH, I had to shut down the other 3 relays. They may
 eventually re-appear as middle-relays.

 This has cost me hundreds of dollars, as I foolishly decided to prepay
 on an annual basis. None of the servers were older than 2 months. Some
 were only a few weeks old.

 The Abuse department's rationale is as follows:
 Your account was suspended because 100% of your IPs are blacklisted on
 multiple lists for Spam and other malicious activities.
 This case is closed and this decision is final.

 --
 When I first contacted OVH regarding running Tor relays, this was the
 response that I received from them, which does not mesh with what just
 happened.

 Good morning Matt,

 I'm very glad to hear from you. It is very flattering to hear that you
 are very satisfied by our service at OVH!

 We do take our network speed and hardware performance very seriously
 here. We are proud of our infrastructure that we have built over the years.

 I do understand your concerns about setting up a Tor relay on one of our
 VPS. In a simple form, yes you can.

 We do let our customers use our VPS as Tor relays. We have no problem in
 letting you do this.

 However, you are allowed to use Tor but it will be at your own risk.

 Rest assured that, in case of an abuse, we will not terminate your
 account without notice. In fact we may not even terminate your VPS. You
 will receive a warning from our Abuse department giving you a choice to
 resolve the abuse case.

 Like you said, we are in a world where free speech is constantly under
 attack and we are committed to help as much as possible to protect this
 fundamental right that we all have. We will absolutely not in any case
 share our customers information or data to authorities without a warrant.

 For any other questions or concerns, feel free to contact us at any
 time. We are available 24/7.

 Good luck with that privacy project of yours and keep on supporting the
 cause of free speech!

 Thank you for contacting OVH and have a wonderful day!

 Colin K.
 Customer Advocate

 --

 Not that it matters anymore, but each relay was dedicated to one of the
 victims of the Charlie Hebdo attack.
 https://atlas.torproject.org/#search/4charlie

 --

 Eventually I will get back at this... But for now, my money is gone, and
 all my hard work is lost.

 --

 So... I know I'm new. And it's possible this has happened (many times)
 before, but... You've been warned.


 Speak Freely



-- 
Christopher Patti - Geek At Large | GTalk: cpa...@gmail.com | AIM:
chrisfeohpatti | P: (260) 54PATTI
Technology challenges art, art inspires technology. - John Lasseter, Pixar


Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread Zack Weinberg
On Wed, Feb 25, 2015 at 4:07 PM, Chris Patti cpa...@gmail.com wrote:
 I'm having a similar situation.  Linode issued a ToS violation because
 my linode on which I run a relay was a source of spam.

 Very strange because I had reject *:* (no exit) set in my torrc.

I have operated a non-exit relay on Linode for almost two years now
with no trouble whatsoever.  I'd wonder whether your vhost got hacked
in some fashion, such that it *was* sending spam, but Tor had nothing
to do with it.  If that's what happened, you could probably turn your
relay back on after confirming with their support that you'd found and
fixed the problem.  (Regenerate the relay's identity key, too.)

(I would not attempt to run an exit relay on Linode, and I have made a
point of not running *anything else* (except key-only SSH) on my vhost
that is a relay, to limit attack surface.)

zw


Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread Stephen R Guglielmo
On Wed, Feb 25, 2015 at 1:35 PM, Speak Freely
when2plus2...@riseup.net wrote:
 Hello fellow relay runners,

 This morning OVH decided to kill 7 of my relays due to spamming, and
 block all access to all services. I ran the Reduced Exit policy for
 all of my relays.

I run one relay with OVH and one with DigitalOcean. Both relays are
non-exit. I also have another VPS with OVH unrelated to Tor. This makes
me uneasy because I, too, paid one year in advance. DigitalOcean seemed
more welcoming of Tor when I contacted them about it. Both have
policies that do not prohibit Tor. If they shut down a non-exit node,
I would contact my credit card company if they don't offer a refund.




Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread ZEROF
Hi man,

I will try to explain to you how things went in the wrong direction for you. OVH
don't lie, but they don't have the best support that you can find around.
Anyway. In the last 15-25 days a lot of attacks were made on French ISPs and
the attacker used a Tor IP list to do one part of his sick idea. One of my nodes
in my home was infected as well. As Linux devs need some time to patch
packages that make us vulnerable, we are just attack objects to them. In my
case they used an exim4 security issue, and as this sh.. comes preinstalled
with the server ISO I didn't even look at it.

You are a victim of the same thing, I guess. Classic server side infection from
some botnet. Better question is what you can do to protect your servers in
the future.

1. Allow logging in to your server from one country or IP only, for that I use
geoip : http://www.axllent.org/docs/view/ssh-geoip/
2. Add simple 2 min settings to fail2ban:
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6
(these settings can be used on Debian as well, etc.)
3. Remove ssh password logins from your servers, use only keys
4. Set up a honeypot on your server and play their game (10-15 job):
http://linuxdrops.com/how-to-set-up-a-honeypot-using-smart-and-simple-artillery-debian-6-0/

In the future I will write an Ansible playbook for this, or some bash or
python script to do this on every server I use for Tor nodes.

I run one exit node since 2014 with OVH cloud (runabove) and thanks to all
the security measures I took (using some firewall settings as well) I don't have
issues with them, and they respect that I take care of my servers'
security.

Try the same and you will see. Block port 25 as well.

On 26 February 2015 at 02:35, I beatthebasta...@inbox.com wrote:

 OVH says no to Tor exits openly doesn't it?

  Quote:
  Rest assured that, in case of an abuse, we will not terminate your
  account without notice. In fact we may not even terminate your VPS. You
  will receive a warning from our Abuse department giving you a choice to
  resolve the abuse case
 
  Has OVH contacted you before because of an abuse complaint?
 
 






-- 
http://www.backbox.org
http://www.pentester.iz.rs
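Steps 2 and 3 of ZEROF's list and the "block port 25" advice, rendered as reviewable files and rules. This is an added example, not ZEROF's planned playbook or anything from the thread; the Debian-style drop-in directories (/etc/ssh/sshd_config.d, /etc/fail2ban/jail.d), the function names and the ban thresholds are my assumptions, and nothing is written to the live system unless you copy it there.

```shell
#!/bin/sh
# Added example (not ZEROF's playbook). Renders the SSH and fail2ban
# hardening as drop-in files and prints the port-25 egress rules.
# Assumed install paths: /etc/ssh/sshd_config.d/ and /etc/fail2ban/jail.d/.

render_sshd_hardening() {   # $1 = output directory
  # Step 3: keys only. prohibit-password keeps key-based root logins
  # working while refusing any password prompt.
  cat > "$1/50-tor-relay.conf" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF
}

render_fail2ban_jail() {    # $1 = output directory
  # Step 2: five failed SSH logins within 10 minutes earn a one-hour ban
  # (thresholds are an assumption; tune to your login pattern).
  cat > "$1/sshd.local" <<'EOF'
[sshd]
enabled  = true
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

smtp_egress_rules() {
  # "Block port 25": the Reduced Exit Policy already rejects *:25 inside
  # Tor, but a host firewall also stops a compromised local process (an
  # exploited exim4, say) from sending spam directly. Printed for review.
  printf '%s\n' \
    'iptables  -A OUTPUT -p tcp --dport 25 -j REJECT' \
    'ip6tables -A OUTPUT -p tcp --dport 25 -j REJECT'
}

audit_sshd_config() {       # $1 = sshd config file; 0 = hardened, 1 = not
  # Password logins must be off, and no 'yes' may remain anywhere: sshd
  # keeps the first value it sees per keyword, so a stray line can win.
  grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' "$1" &&
    ! grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes([[:space:]]|$)' "$1"
}

# Stand-alone run: render into a scratch directory, audit, show the rules.
out=$(mktemp -d)
render_sshd_hardening "$out"; render_fail2ban_jail "$out"
audit_sshd_config "$out/50-tor-relay.conf" && echo "sshd drop-in passes audit"
smtp_egress_rules
rm -rf "$out"
```

Step 1 (geoip) and step 4 (the honeypot) are left to the linked guides; the audit function is the piece worth keeping around, since it catches a later edit that quietly turns password logins back on.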


Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread Mirimir
On 02/25/2015 01:34 PM, ja...@icetor.is wrote:
 This++

Indeed!

And if you used PayPal, they may also help.

 On 02/25/2015 07:32 PM, Pascal wrote:
 If you paid with a credit card, give them a choice: they can either
 refund your money or you will initiate a chargeback.  Either way you get
 your money back, but with the chargeback you will probably get all of
 your money back instead of a prorated refund, they have to pay a fee,
 and may have their merchant account terminated if they get enough of them.

 -Pascal


 On 2/25/2015 12:35 PM, Speak Freely wrote:
 This has cost me hundreds of dollars, as I foolishly decided to prepay
 on an annual basis. None of the servers were older than 2 months. Some
 were only a few weeks old.
 
 


Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread Richard Johnson

On 2015-02-25 11:35, Speak Freely wrote:

The Abuse department's rationale is as follows:
Your account was suspended because 100% of your IPs are blacklisted on
multiple lists for Spam and other malicious activities.
This case is closed and this decision is final.



Speaking as an abuse desk lead investigator who has had unfortunate 
experiences reporting issues to OVH, I can assure you that OVH's abuse 
department is institutionally incompetent.  While they have some good staff, 
their system is set up to break those staff members and their outcomes in 
almost all ways possible.


What you're encountering is apparently part of their data feed quality 
problem.  Reading between their words, they're mistakenly using a list of Tor 
nodes (perhaps they bought a cheapo mislabeled list) in place of a competently 
maintained list of spam sources and malicious actors.


On the flip side of data quality, what also occurs from and by OVH is massive 
email spam runs from their pet spammers like netmessage.com and oxemis.net. 
One competent list which tracks ovh.net spammers contains over 20,000 spam 
source IPs where spam was sent from French-speaking high volume email 
deployers to trap addresses.  The list is huge because ovh.net seems to 
quickly give these spammers new IP ranges as the previous ones are firewalled 
for cause.


Oddly for a provider that claims to want to stop spam, to the point they use 
that as an excuse to shut your servers, ovh.net doesn't do anything to 
disconnect the *actual* spammers they host, or even slow them down.


I thus recommend you do a chargeback.  Get your money back, on the grounds 
that ovh.net first lied to you to close the sale, and now they're probably 
lying to you about the real reason they're disconnecting.  I think they've 
been dealing in very bad faith with you, and you shouldn't have to pay for that.



Richard



Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread I
OVH says no to Tor exits openly doesn't it?

 Quote:
 Rest assured that, in case of an abuse, we will not terminate your
 account without notice. In fact we may not even terminate your VPS. You
 will receive a warning from our Abuse department giving you a choice to
 resolve the abuse case
 
 Has OVH contacted you before because of an abuse complaint?
 





Re: [tor-relays] 7 relays gone because of spammers

2015-02-25 Thread grarpamp
This is unfortunate but we will not be deterred.

I would also go chargeback if notice you now give them
does not result in satisfied action by close Sunday. You paid
for a year based on some assurance, and did not receive.

Now in the future...
Your plan was long and two part, partly confusing.

It must be made explicitly clear to hosters that you wish
to run exit relay, include links to tor website, etc.
Always try one month pay for a while first, then maybe
the next levels after that succeeds for many months.
You can still try to get the lower price from first day by
saying that you will stay for those longer months so long
as you don't get cutoff in the first month to months.
ALL TOS allow them to cut you off for any reason.
So if you want to survive as a special tor consideration,
you cannot take the word of some sales droid in email.
You have to contact officer of the company and get written
agreement if you want something special above TOS.
You need to consider SWIP and making clear the handling
methods and scenarios with them.

Otherwise, skip all that and play fast and dirty month to month
host game, just don't disrespect them/tor in the process.

Tor!