> I received a botnet/drone complaint from shadowserver.org today If the complaint was sent directly to you, rather than to you via your ISP, it is unlikely you need to do anything. Unless you're concerned about possibly having your own IP space blacklisted (which is normally an ISP concern).
If your ISP is bugging you, there are some abuse templates and general advice docs on the Tor project site that you may find useful. > If I'm reading this correctly, they identify "mebroot" as the source of the That's probably the nasty that was sent, not necessarily the scan and injection platform in use. > My DirPort is set to 80, which may explain that value in the complaint. No, that's more likely to be the 128:80 dest ip/port pair for the flow sourced from your 210:48586 pair. You might find the log format documented at Shadowserver or via google. They obviously didn't bother to include a complete definition of all the fields in the email. > Any thoughts on what to do to avoid further complaints? Shadowserver > addresses the topic of Tor exits here: Try blocking traffic to that IP or some suitable larger subnet of the afflicted IP as might be determined from whois or BGP, for a few months. It's seems to be just a probe, nothing a simple email or config change won't fix. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
