From: Name Withheld <surv...@gmail.com>
To: tor-talk@lists.torproject.org
>Sent: Wednesday, July 4, 2012 12:36 PM
>Subject: Re: [tor-talk] [Need quick help] 30+ mbps node taken down by host
>
>Thank you for the response. Unfortunately, it looks like this might be
>an impossible problem to solve, since they followed it up and said it's
>forum spam and hack attempts, not just email spam. Basically, my node
>is pushing more traffic than most, so it's getting more abuse, faster
>(even though this is a tiny percentage of the overall traffic).
>
>Here's what they sent me from their upstream provider:
>
>----------------------------------------------------------------------
>The first email came in for a hack attempt from your IP:
>Dear Sir/Madam,
>We noticed something that resembles a RIP attempt from one of your IP
>addresses. Our system temporarily blocked the IP address. Please,
>contact the respective user.
>In case that there is a need for UPSTREAM content download, they can
>register and make use of our legal (xml) download interface [UPSTREAM URL].
>In case that the IP is used for search engine crawling, the user can
>inform us to whitelist the respective IP address.
>
>52 requests during period Fri Jun 22 02:14:01 2012 - Fri Jun 22 02:15:01
>2012 (GMT +1)
>was denied at Fri Jun 22 02:15:01 2012 (GMT +1)
>user-agent: Mozilla/5.0 (X11; U; Linux x86_64; fr-FR) AppleWebKit/534.7
>(KHTML, like Gecko) Chrome/7.0.514.0 Safari/534.7
>
>Kind regards,
>Open UPSTREAM Team
>----------------------------------------------------------------------
>
>----------------------------------------------------------------------
>The second and all following emails (4 emails in total) came in for spam,
>StopForumSpam report for ASN16265 (as of
>25 Jan 2011)
>
>IP Number XX.XX.XXX.XXX Link
>
>Last seen at 22-Jun-12 04:06:45 Fri
>IP reported 31 times (by 2 different sites) in the
>last 24 hours
>IP seen 34 times in the last month
>
>Usernames seen from this IP
>24H 1month Username
>1 1 Eirena
>1 1 Sheehan
>1 2 Rafu
>1 1 Barnabas
>1 1 Rowland
>1 1 Parvati
>2 2 Chelsia
>1 5 Gwen
>1 1 Rudi
>1 1 Etienette
>1 1 Erianthe
>1 1 Alzena
>1 1 Starveling
>1 3 Althea
>1 4 Brayden
>1 1 Carlen
>1 2 Armorel
>1 3 Brennan
>3 3 Kinga
>1 1 Rarna
>3 9 Richard
>1 1 Rendor
>1 3 Stanton
>1 1 Enola
>1 1 Pankhudi
>1 1 Bhrigu
>1 1 Astrea
>1 3 Pebbles
>2 3 Sage
>1 10 Ella
>1 1 Brodny
>
>Emails seen from this IP
>24H 1month Username
>4 27 e...@buyandsmoke.net
>3 19 e...@buyandsmoke.net
>4 22 e...@buyandsmoke.net
>2 21 e...@buyandsmoke.net
>2 22 e...@buyandsmoke.net
>4 25 e...@buyandsmoke.net
>3 18 e...@buyandsmoke.net
>5 22 e...@buyandsmoke.net
>3 23 e...@buyandsmoke.net
>3 21 e...@buyandsmoke.net
>2 22 e...@buyandsmoke.net
>2 22 e...@buyandsmoke.net
>2 20 e...@buyandsmoke.net
>4 28 e...@buyandsmoke.net
>2 21 e...@buyandsmoke.net
>4 23 e...@buyandsmoke.net
>4 21 e...@buyandsmoke.net
>3 19 e...@buyandsmoke.net
>4 26 e...@buyandsmoke.net
>
>Since the forum spam is all over http, I'm not sure there's anything I
>can do without crippling it for other users. Any ideas?
>
>Thank you again.
>
>On 7/3/2012 9:29 PM, morphium wrote:
>> Hi,
>>
>> you are right, SMTP is blocked by default. But people can i.e. access
>> hotmail.com via web interface (where your IP is then put into the mail
>> as originating IP as well) or use SMTP on secure ports (but that mostly
>> comes with authentication, I guess).
>>
>> You should ask your provider to get the mail headers of the spam, to
>> see how exactly it was done, and then maybe block i.e. exit to the
>> hotmail IPs, if it was sent via hotmail web interface (to show them you
>> are doing something).
>>
>> Best regards!
>> morphium
>>
>> 2012/7/4 Name Withheld <surv...@gmail.com>:
>>> Hello,
>>>
>>> My VPS fast tor exit got taken down by the host today for sending spam
>>> emails. Apparently the upstream provider complained to them about it. I
>>> thought SMTP was supposed to be disabled by default in the tor config, but
>>> apparently my node was sending stuff through (even though I didn't do
>>> anything to change the default setting for that).
>>>
>>> The host is going to give me a chance to see if I can block it, but if I
>>> can't get the spam to stop, they're going to make me kill the node. I prefer
>>> not to do this kind of thing, but since it's their house, it's their rules.
>>>
>>> Can someone please tell me precisely (what file, what entry) how to
>>> configure:
>>>
>>> 1) Tor to block smtp
>>>
>>> 2) Local machine to block smtp egress
>>>
>>> 3) Any other possible way to detect/filter outgoing mail
>>>
>>> Thank you very much
>>>
>>> _______________________________________________
>>> tor-talk mailing list
>>> tor-talk@lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
This is likely a recurring problem. See this tor-talk thread:
https://lists.torproject.org/pipermail/tor-talk/2011-September/021446.html
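
Added example, not part of the thread or of Tor's own code: a small first-match evaluator for torrc ExitPolicy lines, showing what a policy that rejects the mail ports and one provider range does and does not stop. The policy text, the 203.0.113.0/24 documentation range (standing in for a webmail provider) and the test addresses are constructed assumptions.

```python
import ipaddress

# Constructed torrc fragment (an assumption, not the poster's real config).
# 203.0.113.0/24 is a documentation range standing in for a webmail
# provider's addresses, the kind of block morphium suggests.
TORRC = """
ExitPolicy reject *:25
ExitPolicy reject *:465
ExitPolicy reject *:587
ExitPolicy reject 203.0.113.0/24:*
ExitPolicy accept *:*
"""

def parse_policy(torrc):
    """Return [(action, network_or_None, (lo, hi)), ...] in file order."""
    rules = []
    for line in torrc.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "ExitPolicy":
            continue
        action, pattern = parts[1], parts[2]
        addr, _, port = pattern.rpartition(":")
        net = None if addr == "*" else ipaddress.ip_network(addr)
        if port == "*":
            ports = (1, 65535)
        else:
            lo, _, hi = port.partition("-")
            ports = (int(lo), int(hi or lo))
        rules.append((action, net, ports))
    return rules

def decide(rules, ip, port):
    """ExitPolicy entries are considered first to last; first match wins."""
    target = ipaddress.ip_address(ip)
    for action, net, (lo, hi) in rules:
        if (net is None or target in net) and lo <= port <= hi:
            return action
    # No rule matched. Real Tor would fall through to its built-in
    # default policy; this sketch rejects instead.
    return "reject"

if __name__ == "__main__":
    rules = parse_policy(TORRC)
    for ip, port in [("198.51.100.7", 25), ("203.0.113.10", 443),
                     ("198.51.100.7", 80)]:
        print(ip, port, decide(rules, ip, port))
```

Port 80 to an arbitrary host is still accepted under this policy, which is the poster's point: forum spam over HTTP cannot be separated from ordinary web traffic by port or address rules alone.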