If you want to read the full story, you should read these threads and
posts:
https://lists.torproject.org/pipermail/tor-relays/2024-October/021953.html ,
https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/85
and https://delroth.net/posts/spoofed-mass-scan-abuse/ .
The TL;DR is that some actor is spoofing the IP of Tor nodes, and
initiating TCP connections with port 22 of a few addresses. This is
pretty harmless; that actor can't receive the corresponding SYN+ACK,
so they can't finish the handshake.
Nonetheless, the entities behind those addresses do send reports to
your service provider because they believe they are being scanned by
you (which is likely the goal of the actor).
You should reply to your providers to inform them of such, and
possibly link them to some or all of the above references.

Regards,
1686a

On Mon, 4 Nov 2024 at 14:27, Richard Menedetter via tor-relays
<tor-relays@lists.torproject.org> wrote:
>
> Hi
>
> I just received a very similar abuse message.
>
> I answered my server hoster's abuse people; I guess that should be that.
> (hopefully)
>
> We have received an abuse report concerning your product vxxxxxxxxxxxxxxx - 
> RS 1000 G11 12M today. Additional information can be found at the end of this 
> message.
> Please inspect the reported abuse and inform us within 48 hours what the 
> cause of the report is. If you do not reply or if further abuse reports 
> should arrive, we will deactivate your product, to prevent further damages.
> Please note that we have to follow up with every abuse message for good 
> measure. If the reason for the report is not understandable or if you are not 
> the initiator, we still need a response from you.
> You can find the abuse report at the end of this message.
>
> ========== Abuse report ==========
> Greetings Fellow Sys Ad/s
>
> I hope this message finds you well. I'm reaching out to you today regarding
> a matter of potential concern involving one or more IP addresses associated
> with your system
> Our network security logs have recently detected unusual activity
> originating from these IP addresses. While we understand that such incidents
> can sometimes occur innocently, it's crucial to investigate and address them
> promptly to ensure the security of all networks involved
>
> To assist you in understanding the situation, we have provided the relevant
> log data below, with timestamps adjusted to our GMT +8 timezone:
>
> DateTime Action AttackClass SourceIP Srcport Protocol DestinationIP DestPort
>
> CU, Ricsi
> Sent: Sunday, 3 November 2024 at 05:10
> From: "Keifer Bly" <keifer....@gmail.com>
> To: tor-relays@lists.torproject.org
> Subject: [tor-relays] Fwd: [Abuse #KMLTFQPGVQ] Abusive use of your service
> vps-3e661acc.vps.ovh.net
> Just got this note, I run a middle relay on ovh. Why would this suddenly 
> happen? Thanks. Relay is usdeserveprivacy
>
>
> --Keifer
>
> ---------- Forwarded message ---------
> From: <ticket+kmltfqpgvq.c...@abuse.ovh.net>
> Date: Sat, Nov 2, 2024, 9:07 PM
> Subject: [Abuse #KMLTFQPGVQ] Abusive use of your service 
> vps-3e661acc.vps.ovh.net
> To: <keifer....@gmail.com>
>
>
> Hello,
>
> An abusive behaviour (Intrusion) originating from your VPS 
> vps-3e661acc[.]vps[.]ovh[.]net has been reported to or noticed by our Abuse 
> Team.
>
> Technical details showing the aforementioned problem follow :
>
> -- start of the technical details --
>
> Greetings Fellow Sys Ad/s
>
> I hope this message finds you well. I'm reaching out to you today
> regarding a matter of potential concern involving one or more IP addresses
> associated with your system
> Our network security logs have recently detected unusual activity originating
> from these IP addresses. While we understand that such incidents can
> sometimes occur innocently, it's crucial to investigate and address them
> promptly to ensure the security of all networks involved
>
>
> To assist you in understanding the situation, we have provided the relevant
> log data below, with timestamps adjusted to our GMT +8 timezone:
>
>
> We believe that by working together to resolve this matter swiftly, we can 
> help safeguard the integrity of our networks and prevent any further issues. 
> If you require any additional information or support from our end to 
> facilitate your investigation, please don't hesitate to reach out.
> Your prompt attention to this matter would be greatly appreciated. We value
> your expertise and cooperation in resolving this situation effectively. Thank
> you for your time and consideration.
> For any corrections/updates, kindly email
> email-removed@provider[.]com
>
> -- end of the technical details --
>
> You should investigate and fix this problem, as it constitutes a violation
> to our terms of service.
>
> Please answer to this e-mail indicating which measures you've taken to stop 
> the abusive behaviour.
>
> Cordially,
>
> The OVHcloud Trust & Safety team.
> _______________________________________________ tor-relays mailing list 
> tor-relays@lists.torproject.org 
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
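
One way to check the handshake behaviour described in the reply at the top of this thread, as an added example that is not part of any message here: when a spoofed SYN reaches a host that answers, the SYN+ACK or RST comes back to the relay, which never sent the SYN. The record format, the addresses (RFC 5737 documentation ranges) and the function names are constructed for illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

# Constructed capture summary as seen on the relay (192.0.2.10); not data from the thread.
# Format: <epoch> <src>:<sport> > <dst>:<dport> <flags>   (S=SYN, SA=SYN+ACK, R=RST)
SAMPLE = """\
1730400000.10 192.0.2.10:44100 > 198.51.100.7:443 S
1730400000.15 198.51.100.7:443 > 192.0.2.10:44100 SA
1730400003.00 203.0.113.5:22 > 192.0.2.10:44959 SA
1730400004.20 203.0.113.6:22 > 192.0.2.10:58734 R
1730400005.00 192.0.2.10:51000 > 203.0.113.9:22 S
1730400005.05 203.0.113.9:22 > 192.0.2.10:51000 SA
"""

def parse(text):
    """Turn the summary lines into Pkt records."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, flags = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        pkts.append(Pkt(float(ts), sip, int(sport), dip, int(dport), flags))
    return pkts

def find_backscatter(pkts, my_ip, port=22):
    """Inbound SYN+ACK/RST from `port` that answer no SYN this host sent."""
    sent = set()        # (local port, remote ip, remote port) of each outbound SYN
    unsolicited = []
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.src == my_ip and p.flags == "S":
            sent.add((p.sport, p.dst, p.dport))
        elif p.dst == my_ip and p.sport == port and p.flags in ("SA", "R", "RA"):
            if (p.dport, p.src, p.sport) not in sent:
                unsolicited.append(p)   # reply to a handshake we never started
    return unsolicited

def outbound_syns(pkts, my_ip, port=22):
    """SYNs this host really sent to `port`; the count to quote to the provider."""
    return [p for p in pkts if p.src == my_ip and p.dport == port and p.flags == "S"]
```

Unsolicited replies from port 22 with no matching outbound SYN in the same capture are consistent with the spoofing described above; a stray RST for a long-dead connection can also appear here, so the outbound SYN count matters as much as the backscatter list.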
