Table of Contents
Let us work on good answer for repeating situations. Hopefully, this will help other node operators. See also https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates
Reply to Abuse (general)
Hi $TO$, I am very sorry to hear that. The IP you quote hosts a Tor exit node (open relay). I can offer you to block specific destination IPs and ports, but the abuser doesn't use our relays specifically; he/she will just be routed through a different exit node outside of our control instead. You will be much better off blocking Tor temporarily from your side. Please only issue a temporary block to not affect other, legitimate users of Tor. Tor is a research project, funded by the National Science Foundation and previously DARPA (among others). Its primary goal is to provide people from hostile environments with encrypted and uncensored access to the Internet. For more than a third of the worlds population, the Internet is being either filtered or monitored. Every day, activists and bloggers are imprisoned or threatened for what we in the western countries see as a Human Right. There are usage stats on the www.torproject.org website that show that more than 500,000 users from China, Iran and similar regimes (have to) use Tor to access the Internet every day. Torservers.net is a non-profit organization comprised of volunteers who are willing to run Tor relays for the benefit of everyone. I hope that you understand the importance of Tor, and don't block the whole Tor network because of a single attack/misuse. Please let me know if I can be of further assistance. You can find a guide on how to identify all Tor exit nodes on the Torproject website www.torproject.org. Please send Tor users through additional "screening" (CAPTCHA, etc) instead of just blocking them completely. Thanks for your understanding. If you have further questions, feel free to contact us again. Yours sincerely, -- $FROM$ Abuse Department https://www.torservers.net/
Abuse of Services
We're sorry to hear about this incident. It is not our goal to support or condone criminal activities. We provide our services to people behind censoring firewalls in oppressive regimes. Tor is key technology for Internet users and citizens in China, Iran, Syria, Kazakhstan and many other countries to be able to access uncensored media and exchange information freely. We strongly stand for this and see it as a modern human right. Unfortunately, this means we have to take a close watch on illegal activities and abuse of anonymizing technology like Tor. Your reports are very important to understand how usage of Tor is developing over time. As a network of 13 non-profit organizations in 10 countries, we push quite some large amounts of data at various locations for Tor (20G+). Based on the limited amount of information we are legally allowed to look at to protect our users, and the number of reports like yours, we still feel that the balance is very much on the legal side. We are in close contact with "regular" ISPs, and it seems our level of "abuse per traffic/number of users" is on par with what they see. Please understand that Tor makes it technically impossible to single out individual users. We also are legally bound to respective privacy rights. What I can offer is to block certain destination ports and IP addresses, but I strongly advocate against these types of blocks because they will affect _all_ users of Tor, not only the "bad apples". You can also simply block Tor users -- again, all of them! -- on your end. If you need help with that, let us know. If levels of abuse turn out to become too high, please consider to lift the block after some time so friendly users of Tor can again access your resources. If you value the privacy of your visitors, we can also talk about less "either-or" strategies modeled around your service. Thanks for your understanding! Please use $XYZ to best reach us should any issues arise. -- Moritz Bartl Abuse Department
The attacker is using Tor. Tor will automatically select one of the hundreds of available exit servers, that's why you see changing IPs. We can block destination IPs for our small subset of Tor exit relays, but that won't really help, the attacker will not even notice the change in exit relays available for him. The only real solution here is to take care of Tor users on your side. Please be aware that by blocking Tor, you also block all legitimate users! Please lift the ban after the attack is over, or take care of Tor users with other means (for example by only blocking access to sensitive content, displaying extra CAPTCHAs for Tor users, etc). You can detect Tor users via two mechanisms: https://check.torproject.org/cgi-bin/TorBulkExitList.py https://www.torproject.org/projects/tordnsel.html.en Please only issue a temporary ban so legitimate Tor users are not affected for too long. Hope this helps!
Hi $TO$, Thanks for your report. The request passed through one of our Tor exit nodes. We do not allow email to be sent from our systems (port 25 is blocked), so the offender must have used a web based email account. You should direct your complaint to the mail server given in the email header, so they can close and/or track down the account. Please let me know if I can be of further assistance. I know this very unfortunate. Thanks for your understanding! Yours sincerely, -- $FROM$ Abuse Department http://www.torservers.net/