Banned IPs from the TOR network

Off topic discussion zone.

Moderators: winston, another_commander, Cody

Tichy
---- E L I T E ----
Posts: 345
Joined: Wed Jul 11, 2012 5:48 pm

Banned IPs from the TOR network

Post by Tichy »

I noticed that the forum bans some TOR ( https://en.wikipedia.org/wiki/Tor_(anonymity_network) ) exit node IPs. This is quite annoying for Tor users and, I think, not very useful for forum security, since the Tor client changes, by default, its exit nodes every 10 minutes.

The result is that even if a Tor IP is banned, an abuser just has to wait to get another exit IP, or force the change... but for a normal user, being forced to wait for the Tor client to build another circuit, or to restart it to force it, is an annoyance.

Is it possible to unban those Tor IPs?
Last edited by Tichy on Tue Aug 13, 2013 3:20 pm, edited 1 time in total.
Disembodied
Jedi Spam Assassin
Posts: 6885
Joined: Thu Jul 12, 2007 10:54 pm
Location: Carter's Snort

Re: Banned IPs from the TOR network

Post by Disembodied »

There was a problem like this a while back with some Russian IPs: they were being blocked by Aegidian's provider, and not from within the forum. Generally an IP doesn't get banned unless it's the source of a lot - several hundred, usually, as a minimum - of recent spam attacks, as logged on SFS. If you give me some example IP addresses, I can check them out and see if (and possibly why) they are banned.
Tichy
---- E L I T E ----
Posts: 345
Joined: Wed Jul 11, 2012 5:48 pm

Re: Banned IPs from the TOR network

Post by Tichy »

Ok. Let's try.
The next time I get the "Banned from the forum" page, I'll check and post the IP.
Tichy
---- E L I T E ----
Posts: 345
Joined: Wed Jul 11, 2012 5:48 pm

Re: Banned IPs from the TOR network

Post by Tichy »

Here's one.
IP: 74.120.15.150
FQDN: raskin.torservers.net
Disembodied
Jedi Spam Assassin
Posts: 6885
Joined: Thu Jul 12, 2007 10:54 pm
Location: Carter's Snort

Re: Banned IPs from the TOR network

Post by Disembodied »

Tichy wrote:
Here's one.
IP: 74.120.15.150
FQDN: raskin.torservers.net
That's on the forum ban list ... if you check that IP on Stop Forum Spam, though, you'll see that there's a good reason why: 1,000 hits (which is where SFS stops counting). Project Honeypot has it as an active source of forum spam, too, dating back several years. I'm not wild about the idea of unbanning it, to be honest.

Even if I did unban it, the next time we received a spambot attempt from that IP, whichever Assassin deleted it would be likely to IP ban it again, because of its rating. We don't (or I don't anyway) check who owns the IPs being blocked: all I look at is their nature. If they're prolific spam pumps, like this one, then I'll ban them.
Tichy
---- E L I T E ----
Posts: 345
Joined: Wed Jul 11, 2012 5:48 pm

Re: Banned IPs from the TOR network

Post by Tichy »

I completely agree. I also checked two other banned IPs, and they appear in the Stop Forum Spam list (ironically, even SFS doesn't accept connections from the Tor network...).
They are: 212.63.218.1 (tor01.spacedump.net) and 171.25.193.20 (tor-exit0-readme.dfri.se).
Disembodied
Jedi Spam Assassin
Posts: 6885
Joined: Thu Jul 12, 2007 10:54 pm
Location: Carter's Snort

Re: Banned IPs from the TOR network

Post by Disembodied »

The really aggravating thing is that, from a look at the email address variants being used, all these bots are probably the work of one person. Is it wrong to hope that he falls under a bus?
Cody
Sharp Shooter Spam Assassin
Posts: 16081
Joined: Sat Jul 04, 2009 9:31 pm
Location: The Lizard's Claw

Re: Banned IPs from the TOR network

Post by Cody »

Disembodied wrote:
Generally an IP doesn't get banned unless it's the source of a lot - several hundred, usually, as a minimum - of recent spam attacks, as logged on SFS.
I'd just like to emphasise this point - we don't ban IPs just for the hell of it!
I would advise stilts for the quagmires, and camels for the snowy hills
And any survivors, their debts I will certainly pay. There's always a way!
Tichy
---- E L I T E ----
Posts: 345
Joined: Wed Jul 11, 2012 5:48 pm

Re: Banned IPs from the TOR network

Post by Tichy »

Disembodied wrote:
The really aggravating thing is that, from a look at the email address variants being used, all these bots are probably the work of one person. Is it wrong to hope that he falls under a bus?
:lol:
As long as it's a VESA local bus... :)
Cody wrote:
I'd just like to emphasise this point - we don't ban IPs just for the hell of it!
I thought that they were IPs from abusive users or taken from some public blacklists. ;)
Anyway, I found a way to exclude these exit nodes from my Tor configuration.

In your torrc file (on GNU/Linux, /etc/tor/torrc):
ExcludeNodes node,node,...
A list of identity fingerprints, nicknames, country codes and address patterns of nodes to avoid when
building a circuit. (Example: ExcludeNodes SlowServer, ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, {cc},
255.254.0.0/8)

By default, this option is treated as a preference that Tor is allowed to override in order to keep
working. For example, if you try to connect to a hidden service, but you have excluded all of the hidden
service’s introduction points, Tor will connect to one of them anyway. If you do not want this behavior,
set the StrictNodes option (documented below).

Note also that if you are a relay, this (and the other node selection options below) only affects your
own circuits that Tor builds for you. Clients can still build circuits through you to any node.
Controllers can tell Tor to build circuits through any node.

ExcludeExitNodes node,node,...
A list of identity fingerprints, nicknames, country codes and address patterns of nodes to never use when
picking an exit node---that is, a node that delivers traffic for you outside the Tor network. Note that
any node listed in ExcludeNodes is automatically considered to be part of this list too. See also the
caveats on the "ExitNodes" option below.
Disembodied
Jedi Spam Assassin
Posts: 6885
Joined: Thu Jul 12, 2007 10:54 pm
Location: Carter's Snort

Re: Banned IPs from the TOR network

Post by Disembodied »

Tichy wrote:
As long as it's a vesa local bus... :)
:lol: They can be quite jaggy, but I was hoping for something significantly heavier ... just one of the problems of increasing miniaturisation, I suppose. Glad you've found a workaround, though!
Tichy
---- E L I T E ----
Posts: 345
Joined: Wed Jul 11, 2012 5:48 pm

Re: Banned IPs from the TOR network

Post by Tichy »

Just because it could be useful to other users, this is a snippet of my torrc file:

ExcludeExitNodes raskin,DFRI0,212.63.218.1
ExcludeNodes {US},{GB},{IT},{IL}
(without spaces after the commas)

The country codes are from countries that I know censor the net or track their users (we all know enough about the DataGate scandal :D ).

Anyway, those settings are not imperative. Tor will use those nodes if it's unable to find another path. To be more strict, you should add this option: StrictNodes 1

To check the exit IP, one could use Vidalia.

...That also has a nice world map to make you feel like you are playing "War Games" :D
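
An added example, not part of the thread and not Tor project code: a small Python check for the torrc options discussed above. It classifies each entry into the four kinds named in the quoted manual text, folds ExcludeNodes into the effective exit exclusions, and reports whether StrictNodes is set. The sample torrc is constructed from the posted snippet, the function names are hypothetical, and the address check is a simplification of Tor's address patterns.

```python
import ipaddress
import re

# Constructed sample: the snippet posted above, with StrictNodes added.
SAMPLE_TORRC = """\
# constructed sample torrc
ExcludeExitNodes raskin,DFRI0,212.63.218.1
ExcludeNodes {US},{GB},{IT},{IL}
StrictNodes 1
"""

def classify(entry):
    """Return which of the four documented node-entry kinds this is."""
    e = entry.strip()
    if re.fullmatch(r"\{[A-Za-z]{2}\}", e):
        return "country"
    if re.fullmatch(r"\$?[0-9A-Fa-f]{40}", e):
        return "fingerprint"
    try:
        # Simplification: plain IPs and CIDR ranges only.
        ipaddress.ip_network(e, strict=False)
        return "address"
    except ValueError:
        pass
    if re.fullmatch(r"[A-Za-z0-9]{1,19}", e):
        return "nickname"
    return "invalid"

def audit(torrc_text):
    """Summarise node exclusions and whether they are enforced strictly."""
    opts = {"excludenodes": [], "excludeexitnodes": []}
    strict = False
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()  # torrc option names are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if key == "strictnodes":
            strict = value.strip() == "1"
        elif key in opts:
            opts[key] += [(e.strip(), classify(e)) for e in value.split(",") if e.strip()]
    # Entries in ExcludeNodes also count as excluded exits (manual text above).
    exits = opts["excludeexitnodes"] + opts["excludenodes"]
    invalid = [e for e, kind in exits if kind == "invalid"]
    return {"exit_exclusions": exits, "strict": strict, "invalid": invalid}

if __name__ == "__main__":
    print(audit(SAMPLE_TORRC))
```

When `strict` is false, the exclusions are only preferences, as the quoted manual text says, so a listed exit may still be used.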