Abuse Templates

Let us work on good answer for repeating situations. Hopefully, this will help other node operators. See also https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates

Hi $TO$,

I am very sorry to hear that. The IP you quote hosts a Tor exit node
(open relay). I can offer you to block specific destination IPs and 
ports, but the abuser doesn't use our relays specifically; he/she 
will just be routed through a different exit node outside of our 
control instead.

You will be much better off blocking Tor temporarily from your side.
Please only issue a temporary block to not affect other, legitimate
users of Tor.

Tor is a research project, funded by the National Science Foundation and
previously DARPA (among others). Its primary goal is to provide people
from hostile environments with encrypted and uncensored access to the
Internet. For more than a third of the worlds population, the Internet
is being either filtered or monitored. Every day, activists and bloggers
are imprisoned or threatened for what we in the western  countries see
as a Human Right.

There are usage stats on the www.torproject.org website that show that
more than 500,000 users from China, Iran and similar regimes (have to)
use Tor to access the Internet every day.

Torservers.net is a non-profit organization comprised of volunteers who 
are willing to run Tor relays for the benefit of everyone.

I hope that you understand the importance of Tor, and don't block the 
whole Tor network because of a single attack/misuse.

Please let me know if I can be of further assistance. You can find a
guide on how to identify all Tor exit nodes on the Torproject website
www.torproject.org. Please send Tor users through additional "screening"
(CAPTCHA, etc) instead of just blocking them completely. 

Thanks for your understanding. If you have further questions, feel free
to contact us again.

Yours sincerely,
-- 
$FROM$
Abuse Department 
https://www.torservers.net/

We're sorry to hear about this incident. It is not our goal to support
or condone criminal activities. We provide our services to people behind
censoring firewalls in oppressive regimes. Tor is key technology for
Internet users and citizens in China, Iran, Syria, Kazakhstan and many
other countries to be able to access uncensored media and exchange
information freely. We strongly stand for this and see it as a modern
human right. Unfortunately, this means we have to take a close watch on
illegal activities and abuse of anonymizing technology like Tor.

Your reports are very important to understand how usage of Tor is
developing over time. As a network of 13 non-profit organizations in 10
countries, we push quite some large amounts of data at various locations
for Tor (20G+). Based on the limited amount of information we are
legally allowed to look at to protect our users, and the number of
reports like yours, we still feel that the balance is very much on the
legal side. We are in close contact with "regular" ISPs, and it seems
our level of "abuse per traffic/number of users" is on par with what
they see.

Please understand that Tor makes it technically impossible to single out
individual users. We also are legally bound to respective privacy
rights. What I can offer is to block certain destination ports and IP
addresses, but I strongly advocate against these types of blocks because
they will affect _all_ users of Tor, not only the "bad apples". You can
also simply block Tor users -- again, all of them! -- on your end. If
you need help with that, let us know. If levels of abuse turn out to
become too high, please consider to lift the block after some time so
friendly users of Tor can again access your resources. If you value the
privacy of your visitors, we can also talk about less "either-or"
strategies modeled around your service.

Thanks for your understanding! Please use $XYZ to best
reach us should any issues arise.

-- 
Moritz Bartl 
Abuse Department

The attacker is using Tor. Tor will automatically select one of the
hundreds of available exit servers, that's why you see changing IPs. We
can block destination IPs for our small subset of Tor exit relays, but
that won't really help, the attacker will not even notice the change in 
exit relays available for him.

The only real solution here is to take care of Tor users on your side.
Please be aware that by blocking Tor, you also block all legitimate
users! Please lift the ban after the attack is over, or take care of Tor
users with other means (for example by only blocking access to sensitive
content, displaying extra CAPTCHAs for Tor users, etc).

You can detect Tor users via two mechanisms:

https://check.torproject.org/cgi-bin/TorBulkExitList.py
https://www.torproject.org/projects/tordnsel.html.en

Please only issue a temporary ban so legitimate Tor users are not 
affected for too long.

Hope this helps!

Hi $TO$,

Thanks for your report. The request passed through one of our Tor exit
nodes. We do not allow email to be sent from our systems (port 25 is 
blocked), so the offender must have used a web based email account. 
You should direct your complaint to the mail server given in the email 
header, so they can close and/or track down the account.

Please let me know if I can be of further assistance.

I know this very unfortunate. Thanks for your understanding!
Yours sincerely,
-- 
$FROM$
Abuse Department 
http://www.torservers.net/ 

see dmca