[tor-relays] Preventing wp-admin related abuse report

yl tor at yl.ms
Tue Sep 15 19:52:59 UTC 2015


Hello Spiros,
in my opinion there is no real solution to it other than blocking the IPs in
your exit policy, but that won't help these server operators, because
the "hacker" will just exit via another exit node.

I guess there is no solution to this, just ask your hosting company to
forward the abuse emails directly to you, I usually send them a reply
similar to this:

//Beginning

Hello,
according to your abuse message there were attempts to access a resource
on your servers coming from our IP (w.x.y.z).

This machine (w.x.y.z) is a Tor exit node, which, as part of its normal
operation, proxies traffic for other hosts on the Internet. By design,
it is impossible for me to identify those other hosts or communicate
with their operators.

It is one of those other hosts that tried to access the resource on your
server.

I have the ability to disable proxying to specific IP address ranges and
specific TCP ports, but this should be considered a last resort tactic.
It does not actually prevent anyone from using Tor to send spam to a
certain server or access a certain server or whatever; the traffic will
just move to another exit node. Access as described by you cannot be
prevented with such measures.

I'm happy to work with you to minimize the impact of your service or on
your network. I hope you will consider allowing our relay/node to remain
in operation, as it is extremely valuable for people who need to conceal
their identities online, especially in countries where access to the
Internet is restricted. For more information please see
https://www.torproject.org/about/overview.html#overview

//End

However, the main thing I wanted to pass on is that standard text I use,
feel free, copy and use it.

greetings
yl



On 15.09.2015 at 21:42, spiros_spiros at freemail.gr wrote:
> 
> Greetings community, 
> 
> Over the last eight weeks a Tor exit that I operate has attracted more and more abuse reports and the VPS data centre is starting to lose their patience with the amount of tickets they open for each incident.
> 
> Almost all of the abuse reports are related to attempts to access WordPress blogs by exploiting wp-admin or other scripts, and the servers are protected by bitninja, abusix, spamcop etc to automatically send abuse complaints. I am now receiving an average of 2-3 per week.
> 
> I have two questions. First question - is everyone getting this high amount of WordPress-related attacks from exits? Second - are there recommended steps to take to reduce or prevent this kind of activity?
> 
> Things I have tried so far:
>   - run exit on reduced policy (obviously not going to have an impact on abuse traffic but did make the data centre people happy for a while)
>   - full security check on VPS including tripwire, clamav, lastcomm etc to assure provider that the VPS is not compromised
>   - Tor port on server has website running explaining that this is a Tor exit and linking to more information
>   - I have offered to work with ISP to change WHOIS to my email address, but they do not seem keen on it (some blacklists that the server is added to will also block the /16 of the IP range)
>   - Block offended host on the firewall (as a last resort)
> 
> Thanks for any suggestions
> 
> Spiros
> 


