[tor-relays] Avoiding sinkholes

ramo at goodvikings.com ramo at goodvikings.com
Fri Mar 28 05:36:06 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Heya List

I currently run a VPS which hosts both my mailserver and my tor relay / exit.

Recently I sent an email from this mailserver and had it bounce back. It seems the receiving mailserver subscribes to the spambot list CBL (http://cbl.abuseat.org) and denied it because my IP address was on that list. It's on that list since at some point a botnet talking through tor to its C&C server used my exit node to do so - the C&C server has since been replaced with a sinkhole. That was logged, my server was deemed infected and bam, I'm blacklisted.

The site that did the blacklisting kindly has a good description of what happened (including the sinkhole IP address) and allowed an automatic delisting. I'm able to update my exit policy so it doesn't happen again, however I'd like a somewhat more proactive approach.

So my question is - Does anyone know of a publicly available list of sinkholes created for botnets? If such a list exists I can dynamically update either my exit policy or firewall appropriately. Has anyone implemented such a system already?

(obviously this only works for sinkholed botnets - but if anyone knows how to stop all botnets I'm all ears....)

Cheers

Ramo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQEcBAEBAgAGBQJTNQpGAAoJEAXQWoW8lug/mdkH/jqK5ndFWbVrRnNV7a8IqgYl
4iiR6TUYLjGEdcz8VDZ+cOkW0uCQkOvD6RWl/kWHKmA4iy7alFgbKE4Lkcg4QgBB
7EgNYww3zBbj1NX5rtRN7POge2n4ns7Y7whw0qbvHXE0ur74iLyy5H3hHZeWoosU
g6t9mCsMpEpGAvbkzkDxo+idAdxYe+JiB3iaAAEUDtzeStOG5RJ/qrg8JM+U7ofA
bWPehBV8+V8E//4G/XLsePCciBN0071ylg+YoGcxDpM97WHvmQKbi5VU3KfQJFTB
AFaQ+7ib1BNhe7KEC7V0Iha6Yu/BTNhDRA/0i1C3pad32HQsfGvep261yq+KBjc=
=Wemh
-----END PGP SIGNATURE-----
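One way to implement the dynamic update Ramo asks about, as an added example that is not part of the original post and not Tor's own code: the script below reads a block feed of sinkhole addresses, validates and de-duplicates the entries, collapses adjacent ranges, and prints `ExitPolicy reject` lines for torrc plus matching iptables rules. The feed format (one IPv4/IPv6 address or CIDR per line, `#` comments) is an assumption, and the embedded sample feed is constructed from RFC 5737 / RFC 3849 documentation ranges, not real sinkholes.

```python
#!/usr/bin/env python3
"""Turn a list of sinkhole addresses into Tor exit-policy rejects and firewall rules.

Assumed feed format: one IPv4/IPv6 address or CIDR per line, '#' starts a comment.
"""
import ipaddress
import sys
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample feed. These are documentation ranges (RFC 5737 / RFC 3849),
# not real sinkholes; they only show what the parser handles.
SAMPLE_FEED = """\
# constructed sinkhole feed
192.0.2.10
192.0.2.10          # duplicate on purpose
198.51.100.0/24
2001:db8::5
not-an-address      # junk line, must be skipped rather than crash the run
203.0.113.7/32
"""


def parse_feed(text: str) -> List[Network]:
    """Parse the feed, drop junk and duplicates, and merge adjacent ranges.

    Returns IPv4 networks first, then IPv6, each group sorted.
    """
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        try:
            # strict=False so a host address with bits set below the mask is
            # normalised instead of rejected
            seen.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # unparsable line: skip it, a bad feed must not break the relay
    v4 = [n for n in seen if n.version == 4]
    v6 = [n for n in seen if n.version == 6]
    # collapse_addresses needs a single address family per call
    return sorted(ipaddress.collapse_addresses(v4)) + sorted(ipaddress.collapse_addresses(v6))


def torrc_lines(nets: List[Network]) -> List[str]:
    """Render torrc ExitPolicy lines. Tor uses reject6 with [addr]/len for IPv6."""
    out = []
    for n in nets:
        if n.version == 4:
            out.append(f"ExitPolicy reject {n.with_prefixlen}:*")
        else:
            out.append(f"ExitPolicy reject6 [{n.network_address}]/{n.prefixlen}:*")
    return out


def iptables_lines(nets: List[Network]) -> List[str]:
    """Render firewall rules blocking the relay's outbound traffic to the sinkholes.

    Exit traffic originates on the relay, so the OUTPUT chain is the one to match.
    """
    out = []
    for n in nets:
        tool = "iptables" if n.version == 4 else "ip6tables"
        out.append(f"{tool} -I OUTPUT -d {n.with_prefixlen} -j REJECT")
    return out


def render(text: str) -> str:
    """Full output: torrc block first, then the firewall commands."""
    nets = parse_feed(text)
    parts = ["# --- torrc fragment ---"] + torrc_lines(nets)
    parts += ["# --- firewall ---"] + iptables_lines(nets)
    return "\n".join(parts)


if __name__ == "__main__":
    # usage: sinkholes.py [feed-file]; without an argument the constructed sample is used
    feed = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FEED
    print(render(feed))
```

Tor evaluates ExitPolicy entries top-down, first match wins, so the generated reject lines have to sit before your own accept lines in torrc; after rewriting the file, send tor a SIGHUP to reload it. Keeping the firewall rules as well covers the case where the policy file is out of date, but both only help for botnets whose C&C has actually been sinkholed, as the post itself notes.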
