On Wed, Jul 04, 2012 at 12:36:36AM -1000, Name Withheld wrote:

> Thank you for the response. Unfortunately, it looks like this might be
> an impossible problem to solve, since they followed it up and said it's
> forum spam and hack attempts, not just email spam. Basically, my node

So they keep changing their story. It seems they want to get rid of you.

> is pushing more traffic than most, so it's getting more abuse, faster
> (even though this is a tiny percentage of the overall traffic).

Of what concern should be the traffic, if it's a flat rodent data plan?
If it is, you have to throttle your node down to a dull roar (e.g.
I'm currently throttling mine down to about 1.5 TByte/month).

I personally use the following Exit Policy:

reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject put-your-node's-ip-here:*
accept *:22
accept *:443
accept *:465
accept *:563
accept *:992-995
reject *:*

which so far has generated zero complaints. If they still complain,
go total middleman. Even middlemen throttled to 120 kBytes/s or higher
are of value to the network, especially if they're stable.

> Here's what they sent me from their upstream provider:
>
> ----------------------------------------------------------------------
> The first email came in for a hack attempt from your IP:
> Dear Sir/Madam,
> We noticed something that resembles a RIP attempt from one of your IP
> addresses. Our system temporarily blocked the IP address. Please,
> contact the respective user.
> In case that there is a need for UPSTREAM content download, they can
> register and make use of our legal (xml) download interface [UPSTREAM
> URL].
> In case that the IP is used for search engine crawling, the user can
> inform us to whitelist the respective IP address.
>
> 52 requests during period Fri Jun 22 02:14:01 2012 - Fri Jun 22 02:15:01
> 2012 (GMT +1)
> was denied at Fri Jun 22 02:15:01 2012 (GMT +1)
> user-agent: Mozilla/5.0 (X11; U; Linux x86_64; fr-FR) AppleWebKit/534.7
> (KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7
>
> Kind regards,
> Open UPSTREAM Team
> ----------------------------------------------------------------------
>
> ----------------------------------------------------------------------
> The second and all following emails (4 emails in total) came in for spam,
> StopForumSpam report for ASN16265 (as of
> 25 Jan 2011)
>
> IP Number XX.XX.XXX.XXX Link
>
> Last seen at 22-Jun-12 04:06:45 Fri
> IP reported 31 times (by 2 different sites) in the
> last 24 hours
> IP seen 34 times in the last month
>
> Usernames seen from this IP
> 24H  1month  Username
> 1    1       Eirena
> 1    1       Sheehan
> 1    2       Rafu
> 1    1       Barnabas
> 1    1       Rowland
> 1    1       Parvati
> 2    2       Chelsia
> 1    5       Gwen
> 1    1       Rudi
> 1    1       Etienette
> 1    1       Erianthe
> 1    1       Alzena
> 1    1       Starveling
> 1    3       Althea
> 1    4       Brayden
> 1    1       Carlen
> 1    2       Armorel
> 1    3       Brennan
> 3    3       Kinga
> 1    1       Rarna
> 3    9       Richard
> 1    1       Rendor
> 1    3       Stanton
> 1    1       Enola
> 1    1       Pankhudi
> 1    1       Bhrigu
> 1    1       Astrea
> 1    3       Pebbles
> 2    3       Sage
> 1    10      Ella
> 1    1       Brodny
>
> Emails seen from this IP
> 24H  1month  Username
> 4    27      e...@buyandsmoke.net
> 3    19      e...@buyandsmoke.net
> 4    22      e...@buyandsmoke.net
> 2    21      e...@buyandsmoke.net
> 2    22      e...@buyandsmoke.net
> 4    25      e...@buyandsmoke.net
> 3    18      e...@buyandsmoke.net
> 5    22      e...@buyandsmoke.net
> 3    23      e...@buyandsmoke.net
> 3    21      e...@buyandsmoke.net
> 2    22      e...@buyandsmoke.net
> 2    22      e...@buyandsmoke.net
> 2    20      e...@buyandsmoke.net
> 4    28      e...@buyandsmoke.net
> 2    21      e...@buyandsmoke.net
> 4    23      e...@buyandsmoke.net
> 4    21      e...@buyandsmoke.net
> 3    19      e...@buyandsmoke.net
> 4    26      e...@buyandsmoke.net
>
> Since the forum spam is all over http, I'm not sure there's anything I
> can do without crippling it for other users. Any ideas?
>
> Thank you again.
>
> On 7/3/2012 9:29 PM, morphium wrote:
>> Hi,
>>
>> you are right, SMTP is blocked by default. But people can i.e. access
>> hotmail.com via webinterface (where your IP is then put into the mail
>> as originating IP as well) or use SMTP on secure ports (but that mostly
>> comes with authentication, I guess).
>>
>> You should ask your provider to get the mail headers of the spam, to
>> see how exactly it was done, and then maybe block i.e. exit to the
>> hotmail IPs, if it was sent via hotmail webinterface (to show them you
>> are doing something).
>>
>> Best regards!
>> morphium
>>
>> 2012/7/4 Name Withheld <surv...@gmail.com>:
>>> Hello,
>>>
>>> My VPS fast tor exit got taken down by the host today for sending spam
>>> emails. Apparently the upstream provider complained to them about it. I
>>> thought SMTP was supposed to be disabled by default in the tor config, but
>>> apparently my node was sending stuff through (even though I didn't do
>>> anything to change the default setting for that).
>>>
>>> The host is going to give me a chance to see if I can block it, but if I
>>> can't get the spam to stop, they're going to make me kill the node. I prefer
>>> not to do this kind of thing, but since it's their house, it's their rules.
>>>
>>> Can someone please tell me precisely (what file, what entry) how to
>>> configure:
>>>
>>> 1) Tor to block smtp
>>>
>>> 2) Local machine to block smtp egress
>>>
>>> 3) Any other possible way to detect/filter outgoing mail Thank you very much
>>>
>>> _______________________________________________
>>> tor-talk mailing list
>>> tor-talk@lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>
>

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
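
Added example, not part of the original thread: a small first-match evaluator for the exit policy posted above, useful for checking what a reduced policy refuses (plain HTTP on port 80, SMTP on port 25) and what it still lets out (port 465, the "secure port" SMTP case mentioned in the quoted reply). The node address and the destination addresses are constructed placeholders from documentation ranges.

```python
import ipaddress

# Constructed placeholder standing in for "put-your-node's-ip-here".
NODE_IP = "203.0.113.7"

# The policy from the thread, one rule per line, in the posted order.
POLICY = """
reject 0.0.0.0/8:*
reject 169.254.0.0/16:*
reject 127.0.0.0/8:*
reject 192.168.0.0/16:*
reject 10.0.0.0/8:*
reject 172.16.0.0/12:*
reject {node}:*
accept *:22
accept *:443
accept *:465
accept *:563
accept *:992-995
reject *:*
""".format(node=NODE_IP)

def parse_rule(line):
    """Split 'action addr:ports' into (action, network-or-None, lo, hi)."""
    action, target = line.split()
    addr, _, ports = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    else:
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)
    return action, net, lo, hi

def parse_policy(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def decide(rules, ip, port):
    """Exit policies are evaluated top to bottom; the first match wins."""
    dst = ipaddress.ip_address(ip)
    for action, net, lo, hi in rules:
        if (net is None or dst in net) and lo <= port <= hi:
            return action
    # Assumption for this sketch only; unreachable with a final "reject *:*".
    return "reject"

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    # Constructed destinations: a public host, a private host, the node itself.
    for ip, port in [("198.51.100.10", 80), ("198.51.100.10", 25),
                     ("198.51.100.10", 443), ("198.51.100.10", 465),
                     ("10.1.2.3", 443), (NODE_IP, 22)]:
        print(f"{ip}:{port} -> {decide(rules, ip, port)}")
```
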