if you want to read the full story, you should read these threads and posts: https://lists.torproject.org/pipermail/tor-relays/2024-October/021953.html , https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/85 and https://delroth.net/posts/spoofed-mass-scan-abuse/ . The tldr is that some actor is spoofing the IP of tor nodes, and initiating tcp connections with port 22 of a few addresses. This is pretty harmless, that actor can't receive the corresponding SYN+ACK, so they can't finish the handshake. Nonetheless, the entities behind those addresses do send report to your service provider because they believe they are being scanned by you (which is likely the goal of the actor). You should reply to your providers to inform them of such, and possibly link them to some or all of the above references.
Regards, 1686a On Mon, 4 Nov 2024 at 14:27, Richard Menedetter via tor-relays <tor-relays@lists.torproject.org> wrote: > > Hi > > I just receive a very similar abuse message. > > I answered my server hosters abuse people, i guess that should be that. > (hopefully) > > We have received an abuse report concerning your product vxxxxxxxxxxxxxxx - > RS 1000 G11 12M today. Additional information can be found at the end of this > message. > Please inspect the reported abuse and inform us within 48 hours what the > cause of the report is. If you do not reply or if further abuse reports > should arrive, we will deactivate your product, to prevent further damages. > Please note that we have to follow up with every abuse message for good > measure. If the reason for the report is not understandable or if you are not > the initiator, we still need a response from you. > You can find the abuse report at the end of this message. > > ========== Abusemeldung / Abuse report ========== > Greetings Fellow Sys Ad/s I hope this message finds you well. I'm reaching > out to you today regarding a matter of potential concern involving one or > more IP addresses associated with your system Our network security logs have > recently detected unusual activity originating from these IP addresses. While > we understand that such incidents can sometimes occur innocently, it's > crucial to investigate and address them promptly to ensure the security of > all networks involved To assist you in understanding the situation, we have > provided the relevant log data below, with timestamps adjusted to our GMT +8 > timezone: DateTime Action AttackClass SourceIP Srcport Protocol DestinationIP > DestPort > > CU, Ricsi > Gesendet: Sonntag, 3. November 2024 um 05:10 > Von: "Keifer Bly" <keifer....@gmail.com> > An: tor-relays@lists.torproject.org > Betreff: [tor-relays] Fwd: [Abuse #KMLTFQPGVQ] Abusive use of your service > vps-3e661acc.vps.ovh.net > Just got this note, I run a middle relay on ovh. Why would this suddenly > happen? Thanks. Relay is usdeserveprivacy > > > --Keifer > > ---------- Forwarded message --------- > From: <ticket+kmltfqpgvq.c...@abuse.ovh.net> > Date: Sat, Nov 2, 2024, 9:07 PM > Subject: [Abuse #KMLTFQPGVQ] Abusive use of your service > vps-3e661acc.vps.ovh.net > To: <keifer....@gmail.com> > > > Hello, > > An abusive behaviour (Intrusion) originating from your VPS > vps-3e661acc[.]vps[.]ovh[.]net has been reported to or noticed by our Abuse > Team. > > Technical details showing the aforementioned problem follow : > > -- start of the technical details -- > > <html> > <head> > <meta http-equiv="Content-Type" content="text/html; > charset=us-ascii"></head> > <body><pre> > Greetings Fellow Sys Ad/s > > I hope this message finds you well. I'm reaching out to you today > regarding a matter of potential concern involving one or more IP addresses > associated with your system > Our network security logs have recently detected unusual activity originating > from these IP addresses. While we understand that such incidents can > sometimes occur innocently, it's crucial to investigate and address them > promptly to ensure the security of all networks involved > > > To assist you in understanding the situation, we have provided the relevant > log data below, with timestamps adjusted to our GMT &#43;8 timezone: > > > DateTime Action AttackClass SourceIP Srcport Protocol > DestinationIP DestPort > 0 01-Nov-2024 05:07:55 DENIED 51[.]68[.]197[.]220 44959 > TCP 202[.]91[.]161[.]97 22 > 1 01-Nov-2024 05:24:37 DENIED 51[.]68[.]197[.]220 58734 > TCP 202[.]91[.]161[.]98 22 > 2 01-Nov-2024 08:48:23 BLOCKED 51[.]68[.]197[.]220 8551 > TCP 202[.]91[.]161[.]132 22 > 3 01-Nov-2024 08:53:27 BLOCKED 51[.]68[.]197[.]220 2419 > TCP 202[.]91[.]161[.]169 22 > 4 01-Nov-2024 08:58:05 BLOCKED 51[.]68[.]197[.]220 5917 > TCP 192[.]168[.]200[.]216 22 > 5 01-Nov-2024 08:59:24 BLOCKED 51[.]68[.]197[.]220 56858 > TCP 202[.]91[.]161[.]132 22 > 6 01-Nov-2024 09:04:23 BLOCKED 51[.]68[.]197[.]220 32161 > TCP 202[.]91[.]161[.]169 22 > 7 01-Nov-2024 09:17:30 BLOCKED 51[.]68[.]197[.]220 33472 > TCP 202[.]91[.]161[.]132 22 > 8 01-Nov-2024 09:18:02 BLOCKED 51[.]68[.]197[.]220 11282 > TCP 202[.]91[.]161[.]132 22 > 9 01-Nov-2024 09:19:00 BLOCKED 51[.]68[.]197[.]220 3727 > TCP 202[.]91[.]161[.]132 22 > 10 01-Nov-2024 09:20:31 BLOCKED 51[.]68[.]197[.]220 4388 > TCP 202[.]91[.]161[.]169 22 > 11 01-Nov-2024 09:25:57 BLOCKED 51[.]68[.]197[.]220 6898 > TCP 202[.]91[.]161[.]165 22 > 12 01-Nov-2024 09:32:06 BLOCKED 51[.]68[.]197[.]220 18202 > TCP 202[.]91[.]161[.]132 22 > 13 01-Nov-2024 09:39:40 BLOCKED 51[.]68[.]197[.]220 51142 > TCP 202[.]91[.]161[.]132 22 > 14 01-Nov-2024 09:45:32 BLOCKED 51[.]68[.]197[.]220 46914 > TCP 192[.]168[.]200[.]216 22 > 15 01-Nov-2024 10:40:48 BLOCKED 51[.]68[.]197[.]220 60991 > TCP 192[.]168[.]200[.]216 22 > 16 01-Nov-2024 10:42:58 BLOCKED 51[.]68[.]197[.]220 42833 > TCP 202[.]91[.]161[.]132 22 > 17 01-Nov-2024 10:47:13 BLOCKED 51[.]68[.]197[.]220 38382 > TCP 202[.]91[.]161[.]132 22 > 18 01-Nov-2024 10:47:23 BLOCKED 51[.]68[.]197[.]220 30596 > TCP 192[.]168[.]200[.]216 22 > 19 01-Nov-2024 10:47:46 BLOCKED 51[.]68[.]197[.]220 56767 > TCP 202[.]91[.]161[.]185 22 > 20 01-Nov-2024 10:52:10 BLOCKED 51[.]68[.]197[.]220 8983 > TCP 202[.]91[.]161[.]132 22 > 21 01-Nov-2024 10:55:04 BLOCKED 51[.]68[.]197[.]220 55684 > TCP 192[.]168[.]200[.]216 22 > 22 01-Nov-2024 10:57:43 BLOCKED 51[.]68[.]197[.]220 37003 > TCP 202[.]91[.]161[.]185 22 > 23 01-Nov-2024 10:58:43 BLOCKED 51[.]68[.]197[.]220 10524 > TCP 192[.]168[.]200[.]216 22 > 24 01-Nov-2024 11:01:06 BLOCKED 51[.]68[.]197[.]220 6384 > TCP 202[.]91[.]161[.]132 22 > 25 01-Nov-2024 11:03:46 BLOCKED 51[.]68[.]197[.]220 6779 > TCP 202[.]91[.]161[.]185 22 > 26 01-Nov-2024 11:06:05 BLOCKED 51[.]68[.]197[.]220 23062 > TCP 192[.]168[.]200[.]216 22 > 27 01-Nov-2024 11:58:01 BLOCKED 51[.]68[.]197[.]220 33174 > TCP 202[.]91[.]161[.]132 22 > 28 01-Nov-2024 11:58:05 BLOCKED 51[.]68[.]197[.]220 29422 > TCP 202[.]91[.]161[.]132 22 > 29 01-Nov-2024 11:58:26 BLOCKED 51[.]68[.]197[.]220 53504 > TCP 202[.]91[.]161[.]185 22 > 30 01-Nov-2024 12:00:03 BLOCKED 51[.]68[.]197[.]220 5898 > TCP 192[.]168[.]200[.]216 22 > 31 01-Nov-2024 12:00:20 BLOCKED 51[.]68[.]197[.]220 38324 > TCP 202[.]91[.]161[.]185 22 > 32 01-Nov-2024 12:00:30 BLOCKED 51[.]68[.]197[.]220 6362 > TCP 202[.]91[.]161[.]132 22 > 33 01-Nov-2024 12:03:11 BLOCKED 51[.]68[.]197[.]220 38581 > TCP 202[.]91[.]161[.]132 22 > 34 01-Nov-2024 12:05:37 BLOCKED 51[.]68[.]197[.]220 43932 > TCP 202[.]91[.]161[.]132 22 > 35 01-Nov-2024 12:07:27 BLOCKED 51[.]68[.]197[.]220 5141 > TCP 202[.]91[.]161[.]185 22 > 36 01-Nov-2024 12:08:42 BLOCKED 51[.]68[.]197[.]220 56161 > TCP 202[.]91[.]161[.]132 22 > 37 01-Nov-2024 12:12:26 BLOCKED 51[.]68[.]197[.]220 6269 > TCP 202[.]91[.]161[.]132 22 > 38 01-Nov-2024 12:14:33 BLOCKED 51[.]68[.]197[.]220 164 > TCP 192[.]168[.]200[.]216 22 > 39 01-Nov-2024 12:15:48 BLOCKED 51[.]68[.]197[.]220 25787 > TCP 202[.]91[.]161[.]185 22 > 40 01-Nov-2024 12:16:39 BLOCKED 51[.]68[.]197[.]220 9188 > TCP 202[.]91[.]161[.]185 22 > 41 01-Nov-2024 12:16:58 BLOCKED 51[.]68[.]197[.]220 32317 > TCP 202[.]91[.]161[.]132 22 > 42 01-Nov-2024 12:22:28 BLOCKED 51[.]68[.]197[.]220 21955 > TCP 202[.]91[.]161[.]185 22 > 43 01-Nov-2024 12:29:50 BLOCKED 51[.]68[.]197[.]220 33563 > TCP 202[.]91[.]161[.]185 22 > 44 01-Nov-2024 12:32:18 BLOCKED 51[.]68[.]197[.]220 48519 > TCP 202[.]91[.]161[.]132 22 > 45 01-Nov-2024 12:33:24 BLOCKED 51[.]68[.]197[.]220 42914 > TCP 202[.]91[.]161[.]132 22 > 46 01-Nov-2024 12:34:07 BLOCKED 51[.]68[.]197[.]220 11296 > TCP 202[.]91[.]161[.]185 22 > 47 01-Nov-2024 12:36:43 BLOCKED 51[.]68[.]197[.]220 6522 > TCP 202[.]91[.]161[.]132 22 > 48 01-Nov-2024 12:37:55 BLOCKED 51[.]68[.]197[.]220 57962 > TCP 202[.]91[.]161[.]185 22 > 49 01-Nov-2024 12:37:56 BLOCKED 51[.]68[.]197[.]220 53189 > TCP 202[.]91[.]161[.]132 22 > 50 01-Nov-2024 12:39:29 BLOCKED 51[.]68[.]197[.]220 7411 > TCP 192[.]168[.]200[.]216 22 > 51 01-Nov-2024 12:41:51 BLOCKED 51[.]68[.]197[.]220 27413 > TCP 192[.]168[.]200[.]216 22 > 52 01-Nov-2024 12:44:00 BLOCKED 51[.]68[.]197[.]220 355 > TCP 202[.]91[.]161[.]181 22 > 53 01-Nov-2024 12:50:35 BLOCKED 51[.]68[.]197[.]220 28953 > TCP 202[.]91[.]161[.]185 22 > 54 01-Nov-2024 12:50:53 BLOCKED 51[.]68[.]197[.]220 46927 > TCP 192[.]168[.]200[.]216 22 > 55 01-Nov-2024 12:52:00 BLOCKED 51[.]68[.]197[.]220 45122 > TCP 202[.]91[.]161[.]185 22 > 56 01-Nov-2024 12:55:04 BLOCKED 51[.]68[.]197[.]220 4184 > TCP 202[.]91[.]161[.]181 22 > 57 01-Nov-2024 12:55:15 BLOCKED 51[.]68[.]197[.]220 33245 > TCP 202[.]91[.]161[.]185 22 > 58 01-Nov-2024 12:57:38 BLOCKED 51[.]68[.]197[.]220 50897 > TCP 192[.]168[.]200[.]216 22 > 59 01-Nov-2024 12:58:58 BLOCKED 51[.]68[.]197[.]220 35903 > TCP 202[.]91[.]161[.]132 22 > 60 01-Nov-2024 12:59:35 BLOCKED 51[.]68[.]197[.]220 16158 > TCP 192[.]168[.]200[.]216 22 > 61 01-Nov-2024 13:01:40 BLOCKED 51[.]68[.]197[.]220 18404 > TCP 202[.]91[.]161[.]181 22 > 62 01-Nov-2024 13:04:12 BLOCKED 51[.]68[.]197[.]220 32885 > TCP 202[.]91[.]161[.]181 22 > 63 01-Nov-2024 13:05:50 BLOCKED 51[.]68[.]197[.]220 6316 > TCP 202[.]91[.]161[.]132 22 > > We believe that by working together to resolve this matter swiftly, we can > help safeguard the integrity of our networks and prevent any further issues. > If you require any additional information or support from our end to > facilitate your investigation, please don't hesitate to reach out. > Your prompt attention to this matter would be greatly appreciated. We value > your expertise and cooperation in resolving this situation effectively. Thank > you for your time and consideration. > For any corrections/updates, kindly email > email-removed@provider[.]com</pre></body></html> > > -- end of the technical details -- > > Your should investigate and fix this problem, as it constitutes a violation > to our terms of service. > > Please answer to this e-mail indicating which measures you've taken to stop > the abusive behaviour. > > Cordially, > > The OVHcloud Trust & Safety team. > _______________________________________________ tor-relays mailing list > tor-relays@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > _______________________________________________ > tor-relays mailing list > tor-relays@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays