Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
On 2/22/20 7:47 PM, Alessandro Vesely via mailop wrote:
> Even without 2FA, a password different from "12345" is probably desperately
> hard to guess.

_No_

When users tend to re-use the same password on different web sites, or a slightly different password from site to site, guessing a password might be quite easy.

On a domain I will not specify:

- ~5% of accounts have been compromised
- ~8% of accounts have at least one compromised password associated with their email (as I do not spend that much time retrieving lists of compromised accounts, this figure is probably below reality)
- these accounts have on average 2.7 compromised passwords (same comment)

Once an account is compromised, many users do not realize what it really means and try to reset the password to the previous one or use a very basic transformation (just like using 'Password12' instead of 'password' or 'mybaby2003' instead of 'mybaby03').

If an attacker has a few compromised passwords associated with an email, he may easily guess which part of a password is re-used and which part is modified.

It looks like we are experiencing such attacks here.

François

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
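The defender-side check that François's observation calls for, as an added example that is not part of the thread and not any poster's code: a password-reset handler that refuses a replacement password which is merely a transformation of one already known to be compromised for that account. The two rules (letter-stem containment and a Levenshtein distance of at most 3), the thresholds and the sample compromised set are assumptions constructed for the example; ordinary strength rules would run in addition.

```python
"""Reject a replacement password that is only a trivial transformation of a
password already known to be compromised for the same account.

Added example; not code from the mailop list or any poster.  The rules and
thresholds below are assumptions chosen to catch the 'Password12' / 'password'
and 'mybaby2003' / 'mybaby03' patterns described in the message.
"""
import re

# Constructed sample: passwords already seen in breach data for one account.
COMPROMISED = {"password", "mybaby03"}

_NON_LETTERS = re.compile(r"[^a-z]")


def stem(pw):
    """Lower-case and keep only letters: 'Password12' -> 'password'."""
    return _NON_LETTERS.sub("", pw.lower())


def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def similarity_reason(candidate, known, max_edits=3, min_stem=4):
    """Return why `candidate` is too close to the compromised `known`, or None."""
    k = stem(known)
    # Rule 1: the letters of the old password survive inside the new one
    # ('mybaby2003' and 'mybaby03' both reduce to 'mybaby').
    if len(k) >= min_stem and k in stem(candidate):
        return "reuses the letters of a compromised password"
    # Rule 2: the whole string differs by only a few characters
    # ('passw0rd!' is two edits away from 'password').
    if edit_distance(candidate.lower(), known.lower()) <= max_edits:
        return "within %d edits of a compromised password" % max_edits
    return None


def check_reset(candidate, compromised):
    """Return (accepted, reason).  Only similarity to known-compromised
    passwords is judged here; strength rules are a separate concern."""
    for known in compromised:
        reason = similarity_reason(candidate, known)
        if reason:
            return False, reason
    return True, None


if __name__ == "__main__":
    for pw in ("Password12", "mybaby2003", "passw0rd!", "correct horse battery"):
        print("%-22s %s" % (pw, check_reset(pw, COMPROMISED)))
```

The stem rule is what catches the "append a year" and "capitalise and add digits" habits the post describes; the edit-distance rule catches leetspeak-style substitutions that leave the letter stem different but the string nearly identical.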
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
On Mon 24/Feb/2020 10:32:59 +0100 Andrew C Aitchison wrote:
> On Fri, 21 Feb 2020, Alessandro Vesely via mailop wrote:
>
>> I'm still puzzled by that Emerald Onion Repeat Infringer
>> Termination Policy.
>>
>> Perhaps, they have a real time incident reporting system
>> to catch miscreants.
>
> I assumed it was what they want to do, not what they can do.
> If it isn't in the policy there is more risk of push-back if
> and when they succeed in doing it.

Well, their "legal FAQ" says exactly that:

    Nonetheless, it is our policy to terminate the use of Emerald Onion by repeat infringers in appropriate circumstances.

    https://emeraldonion.org/faq/

Since they keep no logs, I'd infer that "repeat" means within the same session; that is, someone repeatedly failing authentication.

Best
Ale
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
On Fri, 21 Feb 2020, Alessandro Vesely via mailop wrote:

> I'm still puzzled by that Emerald Onion Repeat Infringer
> Termination Policy.
>
> Perhaps, they have a real time incident reporting system
> to catch miscreants.

I assumed it was what they want to do, not what they can do.
If it isn't in the policy there is more risk of push-back if
and when they succeed in doing it.

--
Andrew C. Aitchison
Kendal, UK
and...@aitchison.me.uk
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
On 2020-02-22 02:57:09 (+0800), Michael Peddemors via mailop wrote:
> Consider how you would safely block the bad guys, yet let the good guys
> still use the service. Which brings me to my favorite topic, 2FA for
> IMAP/SMTP Auth, as many of you know.. (we talk about CLIENTID often enough).

Isn't that what OAUTH is meant to fix? ;-)

Philip

--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
Even without 2FA, a password different from "12345" is probably desperately hard to guess. An activity suited for bots running at someone else's expense.

Best
Ale

On Fri 21/Feb/2020 19:57:09 +0100 Michael Peddemors via mailop wrote:
> For the record, (just back from M3AAWG, what a great event) AUTH attacks from
> Tor networks ARE a thing.
>
> While it might seem that the number of attacks from Tor Nodes, vs legitimate
> AUTH requests from people that like using Tor for everything is really one
> sided..
>
> (Don't get me wrong, even we block Tor networks occasionally for different
> reasons)
>
> .. you need to treat this the same as if it was 10,000's of people behind the
> airport Wifi, or Carrier Grade NAT.
>
> Consider how you would safely block the bad guys, yet let the good guys still
> use the service. Which brings me to my favorite topic, 2FA for IMAP/SMTP Auth,
> as many of you know.. (we talk about CLIENTID often enough).
>
> It is a good thought exercise to look at this in the larger picture, rather
> than being a Tor problem, (albeit there are completely different abuse
> reporting options at a large CGN network), the problem is still the same, how
> to address safely separating the good from the bad in a world where IPv4
> reputation is no longer viable alone.
>
> On 2020-02-21 10:38 a.m., Alessandro Vesely via mailop wrote:
>> Hi,
>>
>> On Thu 20/Feb/2020 11:02:47 +0100 Benoit Panizzon via mailop wrote:
>>>
>>> The Spamtrap / HoneyPot in question not only listens to port 25 but also
>>> listens on port 465 (smtps) and 587 (submission).
>>>
>>> If an attacker is doing some dictionary attack on this to check for
>>> valid passwords (every authentication attempt is accepted) or attempts
>>> to relay spam mails (every relay attempt is answered with 200 OK) he
>>> is being blacklisted and an ARF report is sent to the abuse contact of
>>> the submitting IP range.
>>>
>>> This is what causes those reports, not emails received on port 25.
>>>
>>> But I guess, just silently blacklisting Tor exit nodes and not sending
>>> an ARF report to the ISP could be an option to solve that issue.
>>
>> If you can detect Tor exit nodes, maybe you can fail authentication when it
>> comes from those IPs. That may make sense if the Tor host is able to detect
>> multiple authentication failures and somehow stop the user. What do they
>> say?
>>
>> I'm still puzzled by that Emerald Onion Repeat Infringer Termination Policy.
>>
>> Perhaps, they have a real time incident reporting system to catch miscreants.
>>
>> Cooperation would increase the value of both your honeypots and their nodes.
>>
>> Best
>> Ale
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
For the record, (just back from M3AAWG, what a great event) AUTH attacks from Tor networks ARE a thing.

While it might seem that the number of attacks from Tor Nodes, vs legitimate AUTH requests from people that like using Tor for everything is really one sided..

(Don't get me wrong, even we block Tor networks occasionally for different reasons)

.. you need to treat this the same as if it was 10,000's of people behind the airport Wifi, or Carrier Grade NAT.

Consider how you would safely block the bad guys, yet let the good guys still use the service. Which brings me to my favorite topic, 2FA for IMAP/SMTP Auth, as many of you know.. (we talk about CLIENTID often enough).

It is a good thought exercise to look at this in the larger picture, rather than being a Tor problem, (albeit there are completely different abuse reporting options at a large CGN network), the problem is still the same, how to address safely separating the good from the bad in a world where IPv4 reputation is no longer viable alone.

On 2020-02-21 10:38 a.m., Alessandro Vesely via mailop wrote:
> Hi,
>
> On Thu 20/Feb/2020 11:02:47 +0100 Benoit Panizzon via mailop wrote:
>> The Spamtrap / HoneyPot in question not only listens to port 25 but also
>> listens on port 465 (smtps) and 587 (submission).
>>
>> If an attacker is doing some dictionary attack on this to check for
>> valid passwords (every authentication attempt is accepted) or attempts
>> to relay spam mails (every relay attempt is answered with 200 OK) he
>> is being blacklisted and an ARF report is sent to the abuse contact of
>> the submitting IP range.
>>
>> This is what causes those reports, not emails received on port 25.
>>
>> But I guess, just silently blacklisting Tor exit nodes and not sending
>> an ARF report to the ISP could be an option to solve that issue.
>
> If you can detect Tor exit nodes, maybe you can fail authentication when it
> comes from those IPs. That may make sense if the Tor host is able to detect
> multiple authentication failures and somehow stop the user. What do they
> say?
>
> I'm still puzzled by that Emerald Onion Repeat Infringer Termination Policy.
>
> Perhaps, they have a real time incident reporting system to catch miscreants.
>
> Cooperation would increase the value of both your honeypots and their nodes.
>
> Best
> Ale

--
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
Hi,

On Thu 20/Feb/2020 11:02:47 +0100 Benoit Panizzon via mailop wrote:
>
> The Spamtrap / HoneyPot in question not only listens to port 25 but also
> listens on port 465 (smtps) and 587 (submission).
>
> If an attacker is doing some dictionary attack on this to check for
> valid passwords (every authentication attempt is accepted) or attempts
> to relay spam mails (every relay attempt is answered with 200 OK) he
> is being blacklisted and an ARF report is sent to the abuse contact of
> the submitting IP range.
>
> This is what causes those reports, not emails received on port 25.
>
> But I guess, just silently blacklisting Tor exit nodes and not sending
> an ARF report to the ISP could be an option to solve that issue.

If you can detect Tor exit nodes, maybe you can fail authentication when it comes from those IPs. That may make sense if the Tor host is able to detect multiple authentication failures and somehow stop the user. What do they say?

I'm still puzzled by that Emerald Onion Repeat Infringer Termination Policy.

Perhaps, they have a real time incident reporting system to catch miscreants.

Cooperation would increase the value of both your honeypots and their nodes.

Best
Ale
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
On 2/20/20 5:51 AM, Hans-Martin Mosner via mailop wrote:
> This is probably a reasonable way of dealing with the problem. TOR exit nodes
> are somewhat like dynamic IP addresses - you will get a lot of dictionary
> attacks and similar stuff, and you can just block off any non-authenticated
> non-http access from such IPs (maybe use fail2ban to silence them for a
> limited time).

This hints at the type of policy that I was alluding to. I.e. $Company Policies:

· $Company filters traffic from ToR exit nodes.
· Any malicious activity detected by $Company's spam trap / honey pot is reported.

Neither policy alters the other policy. The former policy just makes it such that ToR exit nodes can't hit the latter policy.

--
Grant. . . .
unix || die
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
On 2/20/20 3:02 AM, Benoit Panizzon via mailop wrote:
> Hi

Hi,

> The Spamtrap / HoneyPot in question not only listens to port 25 but also
> listens on port 465 (smtps) and 587 (submission).

Okay. It sounds like your spam trap / honey pot is designed to detect IPs that are perpetrating abusive behavior. And that the ToR exit nodes happen to be perpetrating said abusive behavior.

> If an attacker is doing some dictionary attack on this to check for
> valid passwords (every authentication attempt is accepted) or attempts
> to relay spam mails (every relay attempt is answered with 200 OK) he
> is being blacklisted and an ARF report is sent to the abuse contact of
> the submitting IP range.

I don't see any problem with that. That's how you have chosen to run your spam trap / honey pot. That's your choice.

> This is what causes those reports, not emails received on port 25.

I don't care what the behavior is. If you have designed your spam trap / honey pot to react to a specific behavior and someone is triggering the trap, then so be it.

> But I guess, just silently blacklisting Tor exit nodes and not sending
> an ARF report to the ISP could be an option to solve that issue.

That's your call. But I feel like it's akin to a thief asking you to disable your security system and / or not call the police. Why do you want to honor a request from an apparent bad actor who is asking you to ignore their bad actions?

I feel like this is a good use for a company policy, whatever it may be. As a company, make a policy, and configure systems in accordance with that policy. You can re-visit the policy at any point in the future. But in the mean time, things should remain configured as mandated by the policy.

I don't think that your policy (current behavior representative thereof) would quite likely not have any adverse impact on legitimate use of ToR. Meaning that anybody using ToR for white hat purposes to reach their business / university email servers will quite likely not be connecting to your spam trap / honey pot. As such, I don't feel like your policy does anything negative to the ToR community or Internet at large.

This really seems like whining on the part of ToR Exit Node operators.

--
Grant. . . .
unix || die
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
On 20.02.2020 11:02, Benoit Panizzon via mailop wrote:
> But I guess, just silently blacklisting Tor exit nodes and not sending
> an ARF report to the ISP could be an option to solve that issue.

This is probably a reasonable way of dealing with the problem. TOR exit nodes are somewhat like dynamic IP addresses - you will get a lot of dictionary attacks and similar stuff, and you can just block off any non-authenticated non-http access from such IPs (maybe use fail2ban to silence them for a limited time).

Reporting them is as futile as reporting DSL IPs is - even if the provider would be able to identify the user, it just isn't feasible to instruct those users to find and fix the hacked device(s) on their network.

Cheers,
Hans-Martin
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
Totally your call, but there is a LOT of AUTH abuse going on. If folks are mad that their TOR nodes are getting reported for abuse, well… thems the breaks.

I get it, TOR is useful and there are legitimate reasons to use TOR. Probing ports and attempting to crack passwords is not what I consider legitimate. If the network owners react to that by saying their customers can’t run TOR output nodes, well, those are the consequences.

Might it be worth talking to the TOR folks to see if they have some insight into how to minimize the actual abuse? Certainly they’re not going to want output nodes shut down or ports 587 and 465 completely. They need to stop the bad traffic in order to allow the good uses.

laura

> On 20 Feb 2020, at 10:02, Benoit Panizzon via mailop wrote:
>
> Hi
>
> Just a clarification on the issue, as we just got a 2nd similar
> complaint from another Tor Exit node operator (obviously same attacker
> being routed through another exit, guessing from the involved email
> addresses).
>
> The Spamtrap / HoneyPot in question not only listens to port 25 but also
> listens on port 465 (smtps) and 587 (submission).
>
> If an attacker is doing some dictionary attack on this to check for
> valid passwords (every authentication attempt is accepted) or attempts
> to relay spam mails (every relay attempt is answered with 200 OK) he
> is being blacklisted and an ARF report is sent to the abuse contact of
> the submitting IP range.
>
> This is what causes those reports, not emails received on port 25.
>
> But I guess, just silently blacklisting Tor exit nodes and not sending
> an ARF report to the ISP could be an option to solve that issue.
>
> Kind regards
>
> -Benoît Panizzon-
> --
> I m p r o W a r e   A G    -    Leiter Commerce Kunden
> ______________________________________________________
>
> Zurlindenstrasse 29             Tel  +41 61 826 93 00
> CH-4133 Pratteln                Fax  +41 61 826 93 01
> Schweiz                         Web  http://www.imp.ch
> ______________________________________________________

--
Having an Email Crisis? We can help! 800 823-9674

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741

Email Delivery Blog: https://wordtothewise.com/blog
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
Hi

Just a clarification on the issue, as we just got a 2nd similar complaint from another Tor Exit node operator (obviously same attacker being routed through another exit, guessing from the involved email addresses).

The Spamtrap / HoneyPot in question not only listens to port 25 but also listens on port 465 (smtps) and 587 (submission).

If an attacker is doing some dictionary attack on this to check for valid passwords (every authentication attempt is accepted) or attempts to relay spam mails (every relay attempt is answered with 200 OK) he is being blacklisted and an ARF report is sent to the abuse contact of the submitting IP range.

This is what causes those reports, not emails received on port 25.

But I guess, just silently blacklisting Tor exit nodes and not sending an ARF report to the ISP could be an option to solve that issue.

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________
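The handling flow Benoit describes, with the "special-case Tor exit nodes in your reporting code" option that comes up later in the thread, as an added example that is not SWINOG's code or any poster's: every source IP that hits the trap's submission ports is listed, and an RFC 5965 ARF feedback report is built for the abuse contact unless the IP is on a Tor exit list, in which case it is listed silently. The log format, the addresses, the Tor exit set, the reporting domain `trap.example` and the user-agent string `example-trap/0.1` are all constructed for the example.

```python
"""Spamtrap event handling: list every abusive source, build an ARF report
(RFC 5965) for it, and skip the report when the source is a known Tor exit.

Added example; not SWINOG's code or any poster's.  Log format, addresses,
the exit set, REPORTING_DOMAIN and USER_AGENT are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, timezone
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText
from email.utils import format_datetime

REPORTING_DOMAIN = "trap.example"   # placeholder for the trap operator's domain
USER_AGENT = "example-trap/0.1"     # assumed reporter name

# Constructed trap log.  The trap "accepts" every AUTH attempt, as in the
# thread, so each line is by definition abusive.
TRAP_LOG = """\
2020-02-20T10:02:47Z 192.0.2.10 587 auth user=alice result=accepted
2020-02-20T10:02:48Z 192.0.2.10 587 auth user=bob result=accepted
2020-02-20T10:03:10Z 198.51.100.7 465 auth user=carol result=accepted
"""
# Constructed: addresses taken from a published Tor exit list.
TOR_EXITS = {"198.51.100.7"}


def parse_log(text):
    """Group log lines by source IP; each event keeps ts, port, kind and k=v fields."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, kind, *kv = line.split()
        ev = {"ts": ts, "port": int(port), "kind": kind}
        ev.update(f.split("=", 1) for f in kv)
        by_ip[ip].append(ev)
    return by_ip


def build_arf(ip, events):
    """Build a multipart/report ARF message for one source IP."""
    first = datetime.strptime(events[0]["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ports = ", ".join(sorted({str(e["port"]) for e in events}))
    users = ", ".join(e["user"] for e in events)
    report = MIMEMultipart("report", **{"report-type": "feedback-report"})
    report["From"] = "abuse-reports@" + REPORTING_DOMAIN
    report["Subject"] = "Abuse report for %s" % ip
    # Part 1: human-readable summary for the abuse desk.
    report.attach(MIMEText(
        "%d authentication attempt(s) from %s against a spamtrap on port(s) %s; "
        "usernames tried: %s.\n" % (len(events), ip, ports, users)))
    # Part 2: machine-readable feedback-report fields (RFC 5965 section 3).
    fields = MIMENonMultipart("message", "feedback-report")
    fields.set_payload(
        "Feedback-Type: abuse\r\n"
        "User-Agent: %s\r\n"
        "Version: 1\r\n"
        "Source-IP: %s\r\n"
        "Arrival-Date: %s\r\n"
        "Reported-Domain: %s\r\n"
        "Incidents: %d\r\n"
        % (USER_AGENT, ip, format_datetime(first), REPORTING_DOMAIN, len(events)))
    report.attach(fields)
    # Part 3 (message/rfc822) is omitted here: an AUTH probe carries no message.
    return report


def handle(log_text, tor_exits):
    """Return {ip: {"incidents": n, "listed": True, "report": msg or None}}.
    Every source is listed; only non-Tor sources get a report."""
    out = {}
    for ip, events in parse_log(log_text).items():
        report = None if ip in tor_exits else build_arf(ip, events)
        out[ip] = {"incidents": len(events), "listed": True, "report": report}
    return out


if __name__ == "__main__":
    for ip, r in handle(TRAP_LOG, TOR_EXITS).items():
        print(ip, "listed, report:", "yes" if r["report"] else "suppressed (Tor exit)")
        if r["report"]:
            print(r["report"].as_string())
```

Listing and reporting are kept as two independent decisions, which is the shape of the "$Company policies" Grant sketches further down: the exit list only gates the report, never the listing.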
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
On 2/17/20 2:35 AM, Benoit Panizzon via mailop wrote:
> Now I got into discussion with the operator of several TOR exit nodes. He
> claims that his ISP threatened to disconnect his TOR servers because they
> were subject to a couple of abuse complaints from our spamtraps.

It sounds to me like /he/ has made a choice to allow email through /his/ ToR Exit Node and now needs to deal with the ramifications of /his/ choice. As I see it, /he/ can make the same choice again, or /he/ can make a different choice and block email. I'm not saying that it's a good, much less pleasant, choice. But it is /his/ choice to make. My opinion is that /he/ should make that choice /independently/ of what other people on the Internet do.

> As he has no way to block the abusers on the TOR network, without completely
> blocking any ports involved in email abuse which would render using email
> sending over TOR unusable if all TOR exit node operators would block those
> ports.

That is /his/ choice. Emphasis on /his/, as in /he/ needs to make it. /He/ should not depend on anyone else to decide for /him/.

> I told him to sort this out with his ISP and that his ISP would for sure
> understand, that he is not himself the origin of this abuse.

I agree with this.

> He told me that his ISP did not care what service he operates and for them,
> only the count of complaints is the criteria to get disconnected.

That is /their/ choice. /He/ has no influence in how /they/ operate /their/ business. /He/ can choose to not do business with /them/. Or, perhaps /they/ will make that choice for /him/.

> So he suggests I use publicly available TOR exit node lists, to block them
> from accessing the spamtraps.

My knee jerk reaction is /why/ do /you/ need to alter how /you/ run /your/ services because of something that /he/ did / does? /You/ may pontificate this issue and decide independently that /you/ want to block access to (part of) /your/ email infrastructure from ToR Exit Nodes (et al.). But that is /your/ choice and /you/ should make it independent of this particular ToR Exit Node operator.

> I understand his claim.

In my (not so) humble opinion, the validity of his claim has, and should have, little to no influence on how an administrator chooses to operate /their/ network.

> But I also see a benefit from our blacklists to list abused TOR exit nodes.

Indeed.

> So what are your opinions about this?

I think that /he/ needs to make a choice. I suspect that /his/ ISP has already made a choice and it's a simple counting game before /they/ act on /their/ choice. I think that /you/ need to make a choice. Each of your choices are different, but do interact with each other.

> How do other spamtrap / honeypot operators deal with TOR exit nodes?

I can't / won't speak for others. I don't find ToR to be that much of an annoyance. So I allow it for now. If the annoyance level goes high enough, I'll likely block them. I might start with specific services. I might block them wholesale. I might even block the IPs at the edge of my network. That's /my/ choice. Everybody has their own choice to make.

--
Grant. . . .
unix || die
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
On Tue, 18 Feb 2020, Matt Palmer via mailop wrote:
> great, but it's an unfortunate side-effect of providing anonymity.
>
> Frankly, if you were feeling up to the job of scripting it, pre-emptively
> putting all Tor exit nodes which allow connections to port 25 in your RBL
> would not be a bad idea (exit nodes and their exit policies are publicly
> available, so you could scrape the list and maintain RBL entries based on
> it).

Asking tcp/25 only might be more complex, but there's a starting point:

https://www.dan.me.uk/dnsbl
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
[side note: I run Tor middle-nodes and bridges, although I do not have the intestinal fortitude -- or a suitably supportive ISP -- to run an exit node]

On Mon, Feb 17, 2020 at 10:35:45AM +0100, Benoit Panizzon via mailop wrote:
> Occasionally, spam or more often, log-in attempts and dictionary
> attacks on the submission ports of the spamtraps are detected from TOR
> exit nodes. So a feedback is sent to the abuse-c.
>
> Now I got into discussion with the operator of several TOR exit
> nodes. He claims that his ISP threatened to disconnect his TOR servers
> because they were subject to a couple of abuse complaints from our
> spamtraps.

[...]

> He told me that his ISP did not care what service he operates and for
> them, only the count of complaints is the criteria to get disconnected.

Running a Tor exit node is always going to attract abuse complaints of varying degrees of validity and severity, so if this exit node is at an ISP which is not supportive of Tor exit nodes and will terminate service based on complaints, it's not going to last long, regardless of whether you are sending abuse reports.

> As he has no way to block the abusers on the TOR network, without
> completely blocking any ports involved in email abuse which would
> render using email sending over TOR unusable if all TOR exit node
> operators would block those ports.

As has already been mentioned, the default exit node policy does not include port 25, so if this exit node is allowing connections to port 25, the operator has configured it that way... and probably shouldn't have, given their ISP's complaint handling policies. Given that Tor exit nodes would have appalling IP reputation, I'd expect very few SMTP servers would accept mail for delivery, so I have trouble imagining that a Tor exit node should really allow connections to port 25.

Submission and POP3/IMAP ports, on the other hand, would be useful to access via Tor. Anonymous access to mail accounts (or even just unblocked access, from networks that have restrictive outbound policies) is undoubtedly handy. On the other hand, of course, it attracts a certain amount of abuse, but then again so do open proxies, compromised machines, and a whole host of other places, so networks have to have defences against all of them anyway -- Tor isn't special in that regard.

At the end of the day, I think it comes down to your level of desire to support the Tor network and its mission. If you decided to just ignore its existence and keep sending abuse reports, I think that's a perfectly defensible position -- it *is* abuse, even though your report has no chance of stopping the abuse happening (because of the nature of the Tor network). Causing an exit node shut down due to your abuse reports is not *great*, but as I said earlier, plenty of other abuse reports will be coming in as well, so yours won't be the *only* reason it goes down.

On the other hand, since you *know* that the abuse reports won't be actioned (because they *can't* be, in any meaningful sense), not sending reports about activity from known Tor exit nodes is also a reasonable position to take. Whether you "special case" Tor exit nodes in your reporting code, or just stop the abusive activity by firewalling off Tor exit nodes, or use some other method, is down to personal taste. It'll save you the angst of dealing with cranky Tor node operators, and I suppose there's an infinitesimal chance that it'll avoid some node being taken down, if you just happen to be "the straw that broke the camel's back".

> But I also see a benefit from our blacklists to list abused TOR exit
> nodes.

There are two sorts of Tor exit nodes -- those that are being actively used for abuse at the moment, and those that will be Real Soon Now. It's not great, but it's an unfortunate side-effect of providing anonymity.

Frankly, if you were feeling up to the job of scripting it, pre-emptively putting all Tor exit nodes which allow connections to port 25 in your RBL would not be a bad idea (exit nodes and their exit policies are publicly available, so you could scrape the list and maintain RBL entries based on it).

- Matt
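A worked version of the scraping idea Matt suggests and Andrew picks up, added here and not code from the list or from the Tor project: evaluate simplified exit-policy lines with Tor's first-match rule, select the exits whose policy allows a given port, and emit DNSBL zone records for them. The descriptor text, relay addresses and the zone name `tor-exit.bl.example` are constructed; fetching current descriptors is left to the operator. It goes slightly beyond the text in also honouring address-restricted rules (such as `reject 10.0.0.0/8:*`) via the `ipaddress` module, and it treats an unmatched connection as rejected, which matches the explicit trailing `reject *:*` that descriptors carry.

```python
"""Select Tor exits whose exit policy allows a port and emit DNSBL records.

Added example; not code from the mailop list or the Tor project.  The
descriptor text is a constructed, simplified form of the accept/reject
lines found in relay descriptors (IPv4 only; accept6/reject6 are ignored).
"""
import ipaddress

# Constructed sample descriptors.
EXIT_DESCRIPTORS = """\
router exitA 192.0.2.10
accept *:80
accept *:443
reject *:*

router exitB 192.0.2.20
reject *:25
accept *:*

router exitC 192.0.2.30
accept *:*

router exitD 192.0.2.40
reject 10.0.0.0/8:*
accept *:25
accept *:587
reject *:*
"""


def _port_range(spec):
    """'*' -> all ports, '25' -> (25, 25), '6660-6669' -> (6660, 6669)."""
    if spec == "*":
        return 1, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def parse_descriptors(text):
    """Return {relay_ip: [(accept?, network_or_None, (lo, hi)), ...]} in policy order."""
    relays, rules = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "router":
            rules = relays.setdefault(parts[2], [])
        elif parts[0] in ("accept", "reject") and rules is not None:
            addr, _, ports = parts[1].rpartition(":")
            net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            rules.append((parts[0] == "accept", net, _port_range(ports)))
    return relays


def allows(rules, port, dst=None):
    """First matching rule wins; nothing matching means reject.
    With dst=None only wildcard-address rules are considered, i.e. the
    question becomes 'could this exit reach some destination on `port`'."""
    for accept, net, (lo, hi) in rules:
        if not lo <= port <= hi:
            continue
        if net is not None and (dst is None or ipaddress.ip_address(dst) not in net):
            continue
        return accept
    return False


def exits_allowing(relays, port):
    """Relay IPs whose policy lets traffic out on `port`, sorted numerically."""
    ips = [ip for ip, rules in relays.items() if allows(rules, port)]
    return sorted(ips, key=ipaddress.ip_address)


def dnsbl_records(ips, zone):
    """Reversed-octet A records; 127.0.0.2 is the conventional 'listed' answer."""
    return ["%s.%s. IN A 127.0.0.2" % (".".join(reversed(ip.split("."))), zone)
            for ip in ips]


if __name__ == "__main__":
    relays = parse_descriptors(EXIT_DESCRIPTORS)
    for port in (25, 587):
        print("port %d:" % port)
        for rec in dnsbl_records(exits_allowing(relays, port), "tor-exit.bl.example"):
            print("  " + rec)
```

Run per port, this gives the narrower "tcp/25 only" list Andrew wants rather than the all-exits list a generic Tor DNSBL serves; re-running it on each descriptor refresh and replacing the zone wholesale keeps the RBL from accumulating stale exits.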
Re: [mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
Hi,

On Mon 17/Feb/2020 10:35:45 +0100 Benoit Panizzon via mailop wrote:
>
> We operate Spamtraps which feed the SWINOG Anti-Spam Blacklist.
>
> A feedback loop is sent to the abuse-c of the IP Address from which
> email or attacks to spamtraps was detected.
>
> Occasionally, spam or more often, log-in attempts and dictionary
> attacks on the submission ports of the spamtraps are detected from TOR
> exit nodes. So a feedback is sent to the abuse-c.

It must be login attempts, since port 25 is not available to Tor users.

> Now I got into discussion with the operator of several TOR exit
> nodes. He claims that his ISP threatened to disconnect his TOR servers
> because they were subject to a couple of abuse complaints from our
> spamtraps.
>
> As he has no way to block the abusers on the TOR network, without
> completely blocking any ports involved in email abuse which would
> render using email sending over TOR unusable if all TOR exit node
> operators would block those ports.

For port 25, that's already the case:

    What about spammers?

    First of all, the default Tor exit policy rejects all outgoing port 25 (SMTP) traffic. So sending spam mail through Tor isn't going to work by default. It's possible that some relay operators will enable port 25 on their particular exit node, in which case that computer will allow outgoing mails; but that individual could just set up an open mail relay too, independent of Tor. In short, Tor isn't useful for spamming, because nearly all Tor relays refuse to deliver the mail.

    https://2019.www.torproject.org/docs/faq-abuse.html.en#WhatAboutSpammers

For port 587, I too send abuse reports on authentication failures. Only once I happened to get a reply from a Tor operator. Their web site has a curious FAQ entry:

    Emerald Onion Repeat Infringer Termination Policy

    Emerald Onion does not have subscribers or account holders and cannot identify the IP addresses of individuals who send communications over the Tor network. Nonetheless, it is our policy to terminate the use of Emerald Onion by repeat infringers in appropriate circumstances.

    https://emeraldonion.org/faq/

Don't ask me how they identify repeat infringers, I have no idea. However, I get hundreds of bad login attempts, and tens of auto reply follow-ups every day. Only one was from Tor, so it seems that they somehow can manage.

I heard about Tor users who access imap and submission accounts via Tor just because their University blocks those ports and Tor was the easiest workaround they found. Hence, it's not that it is inconvenient to use Tor.

Perhaps, since most of those desperate dictionary attacks seem to come from Owned hosts, low abuse rates are due to Tor operators detecting/avoiding intrusions better than others...?

Best
Ale
[mailop] Opinions? Email Abuse over TOR Network? (spamtraps)
Dear List

We operate Spamtraps which feed the SWINOG Anti-Spam Blacklist.

A feedback loop is sent to the abuse-c of the IP Address from which email or attacks to spamtraps was detected.

Occasionally, spam or more often, log-in attempts and dictionary attacks on the submission ports of the spamtraps are detected from TOR exit nodes. So a feedback is sent to the abuse-c.

Now I got into discussion with the operator of several TOR exit nodes. He claims that his ISP threatened to disconnect his TOR servers because they were subject to a couple of abuse complaints from our spamtraps.

As he has no way to block the abusers on the TOR network, without completely blocking any ports involved in email abuse which would render using email sending over TOR unusable if all TOR exit node operators would block those ports.

I told him to sort this out with his ISP and that his ISP would for sure understand, that he is not himself the origin of this abuse.

He told me that his ISP did not care what service he operates and for them, only the count of complaints is the criteria to get disconnected.

So he suggests I use publicly available TOR exit node lists, to block them from accessing the spamtraps.

I understand his claim. But I also see a benefit from our blacklists to list abused TOR exit nodes.

So what are your opinions about this?

How do other spamtrap / honeypot operators deal with TOR exit nodes?

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________