Re: [tor-relays] Digital Ocean - running Exit node locked

2016-10-09 Thread pa011
True, about 40 Exits as of my count yesterday...

The back of that medal - concentration on only a few big providers gets 
resolved that way :-) 

Paul

On 09.10.2016 at 11:57, Markus Koch wrote:
> That's really really bad news. Over 400 DigitalOcean relays out there :(
> 
> Markus
> 
> 2016-10-09 11:44 GMT+02:00 pa011 :
>> OK further bad news, Exit shut down by DO yesterday.
>> Here the latest statement from them:
>>
>> "Additionally, we are not allowing further TOR exit nodes on our 
>> infrastructure - they generate a large amount of abuse, are used for various 
>> illegal activities, and attract a large number of DDoS attacks.
>>
>> You're more than welcome to run bridges, obfs proxies, and relays, but 
>> running an exit node is at your own risk, and sufficient abuse may result in 
>> suspension of service."
>>
>>
>>
>>
>> On 08.10.2016 at 05:00, Alecks Gates wrote:
>>> I'm running on DO as well with the reduced exit policy and have had
>>> about five complaints in 2 months.  DO certainly appears to be getting
>>> less and less happy.  I'm glad to know it's not just me, though.
>>>
>>> Hopefully a curated list of IPs to reject will help a lot.  Thanks for
>>> the link to tornull.
>>>
>>> Exit Node fingerprints:
>>> E553AC1CA05365EA218D477C2FF4C48986919D07
>>> 889550CB9C98CF172CB977AA942B77E9759056C2
>>>
>>> Alecks
>>>
>>> On 10/07/2016 07:04 PM, Matthew Finkel wrote:
>>>> On Sat, Oct 08, 2016 at 12:16:39AM +0200, Markus Koch wrote:
>>>>> 2016-10-08 0:09 GMT+02:00 Tristan :
>>>>>> This page has 3 policies: Reduce exit policy, reduced-reduced exit policy,
>>>>>> and a lightweight example policy.
>>>>>>
>>>>>> https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
>>>>>>
>>>>>>
>>>>>> On Oct 7, 2016 5:01 PM, "Markus Koch" wrote:
>>>>>>>
>>>>>>> reduced-reduced exit policy. ?
>>>>>>>
>>>>>>> Illuminate me, pls.
>>>>>>>
>>>>> Thank you both!
>>>>>
>>>>> Will try https://tornull.org. Perhaps it helps.
>>>>>
>>>>> Markus
>>
>> ___
>> tor-relays mailing list
>> tor-relays@lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>


Re: [tor-relays] Digital Ocean - running Exit node locked

2016-10-09 Thread Markus Koch
That's really really bad news. Over 400 DigitalOcean relays out there :(

Markus

2016-10-09 11:44 GMT+02:00 pa011 :
> OK further bad news, Exit shut down by DO yesterday.
> Here the latest statement from them:
>
> "Additionally, we are not allowing further TOR exit nodes on our 
> infrastructure - they generate a large amount of abuse, are used for various 
> illegal activities, and attract a large number of DDoS attacks.
>
> You're more than welcome to run bridges, obfs proxies, and relays, but 
> running an exit node is at your own risk, and sufficient abuse may result in 
> suspension of service."
>
>
>
>
> On 08.10.2016 at 05:00, Alecks Gates wrote:
>> I'm running on DO as well with the reduced exit policy and have had
>> about five complaints in 2 months.  DO certainly appears to be getting
>> less and less happy.  I'm glad to know it's not just me, though.
>>
>> Hopefully a curated list of IPs to reject will help a lot.  Thanks for
>> the link to tornull.
>>
>> Exit Node fingerprints:
>> E553AC1CA05365EA218D477C2FF4C48986919D07
>> 889550CB9C98CF172CB977AA942B77E9759056C2
>>
>> Alecks
>>
>> On 10/07/2016 07:04 PM, Matthew Finkel wrote:
>>> On Sat, Oct 08, 2016 at 12:16:39AM +0200, Markus Koch wrote:
>>>> 2016-10-08 0:09 GMT+02:00 Tristan :
>>>>> This page has 3 policies: Reduce exit policy, reduced-reduced exit policy,
>>>>> and a lightweight example policy.
>>>>>
>>>>> https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
>>>>>
>>>>>
>>>>> On Oct 7, 2016 5:01 PM, "Markus Koch" wrote:
>>>>>>
>>>>>> reduced-reduced exit policy. ?
>>>>>>
>>>>>> Illuminate me, pls.
>>>>>>
>>>> Thank you both!
>>>>
>>>> Will try https://tornull.org. Perhaps it helps.
>>>>
>>>> Markus


Re: [tor-relays] Digital Ocean - running Exit node locked

2016-10-09 Thread pa011
OK further bad news, Exit shut down by DO yesterday.
Here the latest statement from them:

"Additionally, we are not allowing further TOR exit nodes on our infrastructure 
- they generate a large amount of abuse, are used for various illegal 
activities, and attract a large number of DDoS attacks.

You're more than welcome to run bridges, obfs proxies, and relays, but running 
an exit node is at your own risk, and sufficient abuse may result in suspension 
of service."




On 08.10.2016 at 05:00, Alecks Gates wrote:
> I'm running on DO as well with the reduced exit policy and have had
> about five complaints in 2 months.  DO certainly appears to be getting
> less and less happy.  I'm glad to know it's not just me, though.
> 
> Hopefully a curated list of IPs to reject will help a lot.  Thanks for
> the link to tornull.
> 
> Exit Node fingerprints:
> E553AC1CA05365EA218D477C2FF4C48986919D07
> 889550CB9C98CF172CB977AA942B77E9759056C2
> 
> Alecks
> 
> On 10/07/2016 07:04 PM, Matthew Finkel wrote:
>> On Sat, Oct 08, 2016 at 12:16:39AM +0200, Markus Koch wrote:
>>> 2016-10-08 0:09 GMT+02:00 Tristan :
>>>> This page has 3 policies: Reduce exit policy, reduced-reduced exit policy,
>>>> and a lightweight example policy.
>>>>
>>>> https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
>>>>
>>>>
>>>> On Oct 7, 2016 5:01 PM, "Markus Koch" wrote:
>>>>>
>>>>> reduced-reduced exit policy. ?
>>>>>
>>>>> Illuminate me, pls.
>>>>>
>>> Thank you both!
>>>
>>> Will try https://tornull.org. Perhaps it helps.
>>>
>>> Markus




Re: [tor-relays] Digital Ocean - running Exit node locked

2016-10-07 Thread Alecks Gates
I'm running on DO as well with the reduced exit policy and have had
about five complaints in 2 months.  DO certainly appears to be getting
less and less happy.  I'm glad to know it's not just me, though.

Hopefully a curated list of IPs to reject will help a lot.  Thanks for
the link to tornull.

Exit Node fingerprints:
E553AC1CA05365EA218D477C2FF4C48986919D07
889550CB9C98CF172CB977AA942B77E9759056C2

Alecks

On 10/07/2016 07:04 PM, Matthew Finkel wrote:
> On Sat, Oct 08, 2016 at 12:16:39AM +0200, Markus Koch wrote:
>> 2016-10-08 0:09 GMT+02:00 Tristan :
>>> This page has 3 policies: Reduce exit policy, reduced-reduced exit policy,
>>> and a lightweight example policy.
>>>
>>> https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
>>>
>>>
>>> On Oct 7, 2016 5:01 PM, "Markus Koch"  wrote:

>>>> reduced-reduced exit policy. ?
>>>>
>>>> Illuminate me, pls.

>> Thank you both!
>>
>> Will try https://tornull.org. Perhaps it helps.
>>
>> Markus
>>
> 
> I spot-checked a few of the rejects on the list. Spamhaus returned a page
> showing only [0][1][2][3]:
> 
>   Error SH-403-001 
> 
> 
> Are all of those tornull rejects legit?
> 
> Another one I checked said:
> 
>   "Network operated by cybercriminals, providing services to spammers and
>   botnet operators. Can't trust anything originating from AS59564."
> 
> 
> And that came from [4]:
> 
>   "Upstream Adjacent AS list
>   AS3255 UARNET-AS State Enterprise Scientific and Telecommunication Centre
>   "Ukrainian Academic and Research Network" of the Institute for Condensed
>   Matter Physics of the National Academy of Science of Ukraine (UARNet),UA"
> 
> 
> I worry about blindly following a list of rejected subnets. I won't argue that
> it's not safer for the exit operator, but I hope someone's cross-checking and
> confirming each entry is needed.
> 
> 
> [0] https://www.spamhaus.org/sbl/query/SBL113323
> [1] https://www.spamhaus.org/sbl/query/SBL169644
> [2] https://www.spamhaus.org/sbl/query/SBL300589
> [3] https://www.spamhaus.org/sbl/query/SBL310432
> [4] https://www.spamhaus.org/sbl/query/SBL244638
> 


Re: [tor-relays] Digital Ocean - running Exit node locked

2016-10-07 Thread Ralph Seichter
On 08.10.16 00:00, Markus Koch wrote:

> reduced-reduced exit policy. ?

The reduced-reduced policy variant is shown here:
https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy

-Ralph


Re: [tor-relays] Digital Ocean - running Exit node locked

2016-10-07 Thread Markus Koch
reduced-reduced exit policy. ?

Illuminate me, pls.

Markus


Re: [tor-relays] Digital Ocean - running Exit node locked

2016-10-07 Thread Markus Koch
# The following sets which ports can exit the tor network through you. For more
# information and updates on the suggested policy see:
# https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
ExitPolicy accept *:53 # DNS

# ports for general internet browsing
ExitPolicy reject 103.11.130.162:* # Good question :(
ExitPolicy reject 23.254.211.232:* # Good question :(
ExitPolicy reject 211.234.112.4:* # South Korea
ExitPolicy reject 147.67.119.2:* # tax spam
ExitPolicy reject 147.67.119.20:* # tax spam
ExitPolicy reject 147.67.119.102:* # tax spam
ExitPolicy reject 147.67.136.2:* # tax spam
ExitPolicy reject 147.67.136.20:* # tax spam
ExitPolicy reject 147.67.136.102:* # tax spam
ExitPolicy reject 147.67.136.103 # TAX SPAM
ExitPolicy reject 147.67.136.21 # TAX SPAM
ExitPolicy reject 147.67.119.103 # TAX SPAM
ExitPolicy reject 147.67.119.3 # TAX SPAM
ExitPolicy reject 147.67.136.3 # TAX SPAM
ExitPolicy reject 147.67.119.21 # TAX SPAM
ExitPolicy reject 138.197.129.153:* # Hacking Fail2ban
ExitPolicy accept *:80 # HTTP
ExitPolicy accept *:81 # HTTP Alternate
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:3128 # SQUID
ExitPolicy accept *:8008 # HTTP Alternate
ExitPolicy accept *:8080 # HTTP Proxy
ExitPolicy reject *:* # prevents any exit traffic not permitted above

That's part of my DigitalOcean torrc file. I got the fucking tax spam
and the South Korea bank on every droplet ever, so I would advise you
to do the same reject. It's helping to only allow HTTP + HTTPS. But
with the new circle I am just 2 weeks in and already 5 abuse mails.
And these exits should go to a friend ... I need more spare time :/

Markus


2016-10-07 23:49 GMT+02:00 Tristan :
> Guess I'm next. My relay has been running for 3 months now. I'm doing my
> best to be a good neighbor though. After the first month, I got an SSH
> abuse, so now I reject SSH traffic. A month later I got an SQL hack attempt,
> and I switched to the reduced-reduced exit policy. Haven't gotten anything
> else yet.
>
>
> On Oct 7, 2016 4:34 PM, "Markus Koch"  wrote:
>
> They will kick you after 2-3 months. Delete account, make new account.
> They will kick you after 2-3 months. Delete account, make new account.
> They will kick you after 2-3 months. Delete account, make new account.
> They will kick you after 2-3 months. Delete account, make new account.
> Welcome to DigitalOcean!
>
> Markus
>
>
> 2016-10-07 23:23 GMT+02:00 pa011 :
>> Seems like even DO is not very much in favour of running Exits any more ?
>>
>> Anybody made the same experience - how to handle this please ?
>>
>> Thanks and Regards
>> Paul
>>
>>
>> "Hello -Although we do not specifically disallow TOR exit nodes, as the
>> account holder you are responsible for all the traffic going through your
>> droplet (including traffic that an exit node may generate).
>>
>> Also be aware that we do not allow some of the traffic types that come out
>> of a typical TOR exit node (torrents, spam, SSH probes, hacking attempts,
>> botnets, DDoS, etc).
>>
>> If you are unable to stop this sort of traffic, please reconsider running
>> a TOR exit node as it may lead to your account suspension or termination.
>>
>> Please refer to our Terms of Service for greater detail on this issue:
>> https://www.digitalocean.com/legal/terms/
>>
>> Best,
>>
>> DigitalOcean Support "
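How tor reads a policy like the torrc excerpt in the message above, as an added example that is not part of the original thread: ExitPolicy lines are checked top to bottom and the first match wins, so an `accept *:53` placed above the host rejects still lets port 53 through to those hosts. The sketch covers only IPv4 `accept`/`reject` lines; `parse_rule`, `load`, `decide` and `rejects_first` are illustrative names, and 192.0.2.10 is a documentation address used as constructed sample input.

```python
import ipaddress

# Excerpt of the ExitPolicy lines posted in this thread, in the posted order.
POSTED = """
ExitPolicy accept *:53 # DNS
ExitPolicy reject 211.234.112.4:* # South Korea
ExitPolicy reject 147.67.119.2:* # tax spam
ExitPolicy reject 147.67.136.103 # TAX SPAM
ExitPolicy accept *:80 # HTTP
ExitPolicy accept *:443 # HTTPS
ExitPolicy reject *:* # prevents any exit traffic not permitted above
"""

def parse_rule(line):
    """Parse 'ExitPolicy accept|reject ADDR[/MASK][:PORT]' (IPv4 subset only)."""
    fields = line.split("#", 1)[0].split()
    if len(fields) != 3 or fields[0] != "ExitPolicy" or fields[1] not in ("accept", "reject"):
        raise ValueError(f"unsupported line: {line!r}")
    addr, _, port = fields[2].partition(":")
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    if port in ("", "*"):                      # an omitted PORT means "*"
        low, high = 1, 65535
    else:                                      # single port or FROM-TO range
        low, _, high = port.partition("-")
        low, high = int(low), int(high or low)
    return fields[1], net, low, high

def load(text):
    """Parse every non-blank line of a policy excerpt, preserving order."""
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def decide(rules, ip, port):
    """Return the action of the first rule that matches ip:port, or None."""
    target = ipaddress.ip_address(ip)
    for action, net, low, high in rules:
        if target in net and low <= port <= high:
            return action
    return None

def rejects_first(rules):
    """Move host/subnet rejects above all other rules, keeping relative order."""
    specific = [r for r in rules if r[0] == "reject" and r[1].prefixlen > 0]
    return specific + [r for r in rules if r not in specific]

if __name__ == "__main__":
    rules = load(POSTED)
    for ip, port in [("147.67.119.2", 443), ("147.67.119.2", 53), ("192.0.2.10", 22)]:
        print(ip, port, decide(rules, ip, port), decide(rejects_first(rules), ip, port))
```

With the posted order, a rejected host is still reachable on port 53; listing the host rejects before any accept line closes that gap without changing what other destinations see.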


Re: [tor-relays] Digital Ocean - running Exit node locked

2016-10-07 Thread pa011
Thanks Markus - you are obviously well experienced with them :-)
We should meet some day and share this and others..

Paul

On 07.10.2016 at 23:33, Markus Koch wrote:
> They will kick you after 2-3 months. Delete account, make new account.
> They will kick you after 2-3 months. Delete account, make new account.
> They will kick you after 2-3 months. Delete account, make new account.
> They will kick you after 2-3 months. Delete account, make new account.
> Welcome to DigitalOcean!
> 
> Markus
> 
> 
> 2016-10-07 23:23 GMT+02:00 pa011 :
>> Seems like even DO is not very much in favour of running Exits any more ?
>>
>> Anybody made the same experience - how to handle this please ?
>>
>> Thanks and Regards
>> Paul
>>
>>
>> "Hello -Although we do not specifically disallow TOR exit nodes, as the 
>> account holder you are responsible for all the traffic going through your 
>> droplet (including traffic that an exit node may generate).
>>
>> Also be aware that we do not allow some of the traffic types that come out 
>> of a typical TOR exit node (torrents, spam, SSH probes, hacking attempts, 
>> botnets, DDoS, etc).
>>
>> If you are unable to stop this sort of traffic, please reconsider running a 
>> TOR exit node as it may lead to your account suspension or termination.
>>
>> Please refer to our Terms of Service for greater detail on this issue: 
>> https://www.digitalocean.com/legal/terms/
>>
>> Best,
>>
>> DigitalOcean Support "


Re: [tor-relays] Digital Ocean - running Exit node locked

2016-10-07 Thread Markus Koch
They will kick you after 2-3 months. Delete account, make new account.
They will kick you after 2-3 months. Delete account, make new account.
They will kick you after 2-3 months. Delete account, make new account.
They will kick you after 2-3 months. Delete account, make new account.
Welcome to DigitalOcean!

Markus


2016-10-07 23:23 GMT+02:00 pa011 :
> Seems like even DO is not very much in favour of running Exits any more ?
>
> Anybody made the same experience - how to handle this please ?
>
> Thanks and Regards
> Paul
>
>
> "Hello -Although we do not specifically disallow TOR exit nodes, as the 
> account holder you are responsible for all the traffic going through your 
> droplet (including traffic that an exit node may generate).
>
> Also be aware that we do not allow some of the traffic types that come out of 
> a typical TOR exit node (torrents, spam, SSH probes, hacking attempts, 
> botnets, DDoS, etc).
>
> If you are unable to stop this sort of traffic, please reconsider running a 
> TOR exit node as it may lead to your account suspension or termination.
>
> Please refer to our Terms of Service for greater detail on this issue: 
> https://www.digitalocean.com/legal/terms/
>
> Best,
>
> DigitalOcean Support "