[tor-relays] Tor Exit: Complaints of IP being used for "spam" despite exit policy

Hi,

A day or two ago, my Tor exit host, Psychz Networks, has sent me complaints about my IPs being used to send "spam" despite me having blocked Port 25 (and 465/587) in the exit policy.

Psychz threatened to block Port 25 even when my exit policy explicitly blocks 25/465/587.

The URLs I got were from Cisco Talos:

* https://talosintelligence.com/reputation_center/lookup?search=104.149.136.246#email-history
* https://talosintelligence.com/reputation_center/lookup?search=104.149.133.54#email-history

Sometimes I think "is my FreeBSD exploited and being used to send spam", but then I also see Linux relays on other ISPs also on the blocklists.

Yes, I am aware Tor exit relays will land on blacklists. But getting complaints from spam is new, especially when my relays are blocking SMTP.

I am worried I would have to find a new host if they continue complaining. Darn, Psychz has been one of the more reliable exit hosts (on-and-off) for many years, although they are more vigilant on abuse than say BuyVM.

BuyVM is similarly priced (although my Psychz is a special offer) and solid but has too many exits. OVH and TerraHost only allow exits on much more expensive dedicated servers. Prgmr and HostMaze allow exits but have so-so peering.

I just hope Psychz doesn't continue to complain.

-Neel
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Neel,

Your Exit Policies do appear to be configured to block standard smtp ports. Reach out to Psychz and request mail headers for sample pieces of spam originating from the offending Exits in question. This will assist in determining whether the spam is destined for non-standard smtp ports and you can adjust your Exit policies from there.

Respectfully,

Gary



This Message Originated by the Sun.
iBigBlue 63W Solar Array (~12 Hour Charge)

  • 2 x Charmast 26800mAh Power Banks
    = iPhone XS Max 512GB (~2 Weeks Charged)
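
An added example, not part of the original post or of Tor's own code: a small evaluator for torrc `ExitPolicy` lines that applies first-match-wins ordering and reports which mail-related ports a policy still lets out. The torrc fragment, the destination address and the choice of 2525 as a non-standard SMTP port to test are assumptions made for illustration; only `accept`/`reject` rules with `*` or IPv4 address patterns are handled.

```python
import ipaddress

# Constructed torrc fragment for illustration (not the poster's configuration).
SAMPLE_TORRC = """\
ExitPolicy reject *:25
ExitPolicy reject *:465,reject *:587   # several rules may share one line
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy accept *:2000-3000          # a wide range also covers 2525
ExitPolicy reject *:*
"""

def parse_exit_policy(torrc_text):
    """Return [(action, network_or_None, low_port, high_port)] in file order."""
    rules = []
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.lower().startswith("exitpolicy "):
            continue
        for item in line.split(None, 1)[1].split(","):
            action, pattern = item.split()
            if action not in ("accept", "reject"):
                raise ValueError(f"not handled in this sketch: {action}")
            addr, sep, port = pattern.rpartition(":")
            if not sep:                      # port omitted means every port
                addr, port = pattern, "*"
            net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            low, _, high = ("1", "-", "65535") if port == "*" else port.partition("-")
            rules.append((action, net, int(low), int(high or low)))
    return rules

def decide(rules, ip, port):
    """First matching rule wins; None means no configured rule matched."""
    target = ipaddress.ip_address(ip)
    for action, net, low, high in rules:
        if (net is None or target in net) and low <= port <= high:
            return action
    return None

def open_mail_ports(rules, ip="192.0.2.25", ports=(25, 465, 587, 2525)):
    """Mail-related ports the policy would still let out to `ip`."""
    return [p for p in ports if decide(rules, ip, p) == "accept"]

if __name__ == "__main__":
    print(open_mail_ports(parse_exit_policy(SAMPLE_TORRC)))  # [2525]
```

Because the first match wins, an `accept *:*` placed above the mail-port rejects would make every port in the list show up as open.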


> A day or two ago, my Tor exit host, Psychz Networks, has sent me
> complaints about my IPs being used to send "spam" despite me having
> blocked Port 25 (and 465/587) in the exit policy.
>
> Psychz threatened to block Port 25 even when my exit policy explicitly
> blocks 25/465/587.

Yes, unfortunately you get this SPAM abuse, although it is clear that the mail
was submitted via a webmailer :frowning:

> Sometimes I think "is my FreeBSD exploited and being used to send spam",
> but then I also see Linux relays on other ISPs also on the blocklists.

It's actually very unlikely that a longer running exit can send mails. :wink:
I can't even send myself log mails from my exit IP's because all IP's are
blacklisted. On abusix.com and similar.

> Yes, I am aware Tor exit relays will land on blacklists. But getting
> complaints from spam is new, especially when my relays are blocking
> SMTP.
>
> I am worried I would have to find a new host if they continue
> complaining. Darn, Psychz has been one of the more reliable exit hosts
> (on-and-off) for many years, although they are more vigilant on abuse
> than say BuyVM.

If possible, try to get an ARIN SWIP record:

5. Get ARIN registration

99% of the abuse is f*cking auto-generated stuff from tools like fail2ban. If
you reply, you will not get an answer or 'message is undeliverable' back.

> BuyVM is similarly priced (although my Psychz is a special offer) and
> solid but has too many exits. OVH and TerraHost only allow exits on much
> more expensive dedicated servers. Prgmr and HostMaze allow exits but have
> so-so peering.

https://rdp.sh/ is not overcrowded yet.

> I just hope Psychz doesn't continue to complain.

We all hope with you.
As I've mentioned here before, IPv6 only relays are important. An AS with
IPv6/48 is affordable. Then it's much easier to set up your own bulletproof
ISP.


On Tuesday, May 3, 2022 8:42:20 PM CEST Neel Chauhan wrote:

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!


Hi,

> Yes, unfortunately you get this SPAM abuse, although it is clear that the mail
> was submitted via a webmailer :frowning:

Probably true.

> > Sometimes I think "is my FreeBSD exploited and being used to send spam",
> > but then I also see Linux relays on other ISPs also on the blocklists.
>
> It's actually very unlikely that a longer running exit can send mails. :wink:
> I can't even send myself log mails from my exit IP's because all IP's are
> blacklisted. On abusix.com and similar.

If you need to send emails, you could:

a. use Sendgrid or Mailgun or whatever to send emails if they don't block exit IPs from connecting to their SMTP relays

b. Run your own SMTP relay on a $3.5 VPS to forward emails

> If possible, try to get an ARIN SWIP record:
> Tips for Running an Exit Node | The Tor Project
> 5. Get ARIN registration

I could look into that. I do have an LLC that I could use for the SWIP record if needed.

> 99% of the abuse is f*cking auto-generated stuff from tools like fail2ban. If
> you reply, you will not get an answer or 'message is undeliverable' back.

Probably true.

Psychz is still more automated but not so much, but I do know some hosts where abuse is very automated to the extent that they ignore automated complaints. Think AWS, Azure, OVH, or DigitalOcean, or a Big Telecom provider like Comcast, AT&T, Deutsche Telekom, Telefonica, etc.

On the opposite end of the spectrum, some hosts such as GTHost and Primcast both asked me to turn off my exit relay due to "too much abuse" because their abuse departments are very manual.

> > BuyVM is similarly priced (although my Psychz is a special offer) and
> > solid but has too many exits. OVH and TerraHost only allow exits on much
> > more expensive dedicated servers. Prgmr and HostMaze allow exits but have
> > so-so peering.
>
> https://rdp.sh/ is not overcrowded yet.

Thanks for the suggestion.

I prefer to run my exits on FreeBSD (well, I am a FreeBSD committer), but I will keep rdp.sh in mind in case I need a new host.

> We all hope with you.
> As I've mentioned here before, IPv6 only relays are important. An AS with
> IPv6/48 is affordable. Then it's much easier to set up your own bulletproof
> ISP.

That sounds good :-). I'd love to have my own ASN, but don't have the mental or financial bandwidth to do this right now.

Fortunately Psychz got off my case, for now at least :-).

-Neel


On 2022-05-04 12:31, lists@for-privacy.net wrote:

Hello Neel,
I found in the past year that these spam abuse complaints are about spam sent via some webmailer, so someone uses port 80/443 and then sends spam via an email provider's website. Very strange they even report this as spam.

Regards
yl
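
An added example, not part of the original posts: one way to check the webmailer explanation given in this thread against the sample headers a host forwards with a complaint, by finding the `Received` hop in which the exit's address was the client and reading the protocol that hop recorded. Both header samples and the address `203.0.113.10` are constructed; treating a `with HTTP` / `via HTTP` clause or an `X-Originating-IP` header as the mark of a webmail submission is a heuristic assumption, since providers differ in what they record.

```python
import re
from email import message_from_string

EXIT_IP = "203.0.113.10"  # documentation-range placeholder for the exit's address

# Constructed sample 1: the exit IP appears as a browser client of a webmail host.
WEBMAIL_SAMPLE = """\
Received: from out.mailprovider.example (out.mailprovider.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id 4Kt1; Tue, 03 May 2022 10:00:05 +0000
Received: from [203.0.113.10] by web.mailprovider.example with HTTP
\t(HTTP/1.1 POST); Tue, 03 May 2022 10:00:01 +0000
From: someone@mailprovider.example
Subject: constructed sample

"""

# Constructed sample 2: the exit IP connected to the recipient's MX over SMTP.
SMTP_SAMPLE = """\
Received: from unknown (HELO pc) ([203.0.113.10])
\tby mx.recipient.example with ESMTP; Tue, 03 May 2022 10:00:01 +0000
Subject: constructed sample

"""

PROTO_RE = re.compile(r"\b(?:with|via)\s+([A-Za-z0-9]+)", re.I)

def classify(raw_headers, exit_ip):
    """Return (verdict, evidence) for how exit_ip shows up in the sample."""
    msg = message_from_string(raw_headers)
    ip_re = re.compile(rf"(?<![\d.]){re.escape(exit_ip)}(?![\d.])")
    # Hops are listed newest first; those below the first server you trust
    # were written by the sender's side and can be forged.
    for hop in msg.get_all("Received", []):
        flat = " ".join(hop.split())              # unfold continuation lines
        if not ip_re.search(flat.split(" by ", 1)[0]):
            continue                              # exit was not the client here
        m = PROTO_RE.search(flat.split(" by ", 1)[-1])
        proto = m.group(1).upper() if m else "UNKNOWN"
        if proto.startswith("HTTP"):
            return "webmail", proto
        return ("smtp", proto) if "SMTP" in proto else ("unclear", proto)
    if ip_re.search(msg.get("X-Originating-IP", "")):
        return "webmail", "X-Originating-IP"
    return "not-seen", None
```

A `webmail` verdict means the message left the exit over 80/443 and no port-based exit policy change would have stopped it; an `smtp` verdict is the case that warrants checking the exit policy and the host itself.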


I wonder if you could use msmtp to replace sendmail and then send your mail as a client via some SMTP server. Wonder if these mail providers check users' IPs towards blacklists?


On 5/4/22 14:31, lists@for-privacy.net wrote:

> It's actually very unlikely that a longer running exit can send mails. :wink:
> I can't even send myself log mails from my exit IP's because all IP's are
> blacklisted. On abusix.com and similar.


You could also run an SMTP-to-something else protocol bridge to work around it. I use a
fake SMTP server that relays every message it gets over XMPP to work around that problem.

The Doctor [412/724/301/703/415/510]
WWW: https://drwho.virtadpt.net/
The old world is dying, and the new world struggles to be born. Now is the time of monsters.


------- Original Message -------
On Wednesday, May 4th, 2022 at 11:16, Neel Chauhan <neel@neelc.org> wrote:

> If you need to send emails, you could:
>
> a. use Sendgrid or Mailgun or whatever to send emails if they don't
> block exit IPs from connecting to their SMTP relays
>
> b. Run your own SMTP relay on a $3.5 VPS to forward emails


Thanks, Neel and yl had already messaged me privately. I replied to them
yesterday. I had already solved the problem, unattended-upgrades and logcheck
mails reach me again.

Actually, I should know that we should avoid exit IPs for DNS, mail and other
things. I configured nullmailer as usual, then it takes the first IP and
interface it finds. I was sending mail as a client through|to my DNS
provider's SMTP server 'easydns.com'. They recently started using abusix
before smtpauth as well. Only a /27 are exit IP's per server. Now the mail
goes out on a completely different subnet and network card.

Well I could have pinged Mark Jeftovic @ easyDNS too, please whitelist _my_ IP
for _my_ mailbox. Or sending mail out via the SMTP server from IN-Berlin, like
my iRMC (BMC) do.


On Thursday, May 5, 2022 3:57:02 PM CEST The Doctor wrote:

> ------- Original Message -------
>
> On Wednesday, May 4th, 2022 at 11:16, Neel Chauhan <neel@neelc.org> wrote:
> > If you need to send emails, you could:
> >
> > a. use Sendgrid or Mailgun or whatever to send emails if they don't
> > block exit IPs from connecting to their SMTP relays
> >
> > b. Run your own SMTP relay on a $3.5 VPS to forward emails
>
> You could also run an SMTP-to-something else protocol bridge to work around
> it. I use a fake SMTP server that relays every message it gets over XMPP
> to work around that problem.
>
> The Doctor [412/724/301/703/415/510]

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
