Tor exit nodes and bored admins. - Sun, Jan 23, 2011

You may or may not know, but I’ve been a fan of tor ( for quite a while.  In fact, i’ve turned on a bunch of people into using tor such as this:

Friend of mine and I were in starbucks enjoying overpriced coffee and using their way too slow free (unencrypted) wireless network.  I was checking my email (via SSL-IMAP) and surfing the internet through tor.  It was a little slow, but thats life.  My friend asked me why I was using tor since all I was doing was checking my email and surfing slashdot and other mindless webpages.

I put my laptop’s wifi into promisc mode and ran tcpdump.  Some idiot was using some filesharing program that I was too lazy to look up the port, another idiot was checking his gmail, another idiot was surfing youtube.  Few people were on facebook, etc.  I told him that I didn’t care to have people here know that I run a mail server, where my mail server is, or what I do on it.  I dont want people to know what im surfing.  Its none of their business.  ALL of my traffic does is hit a tor entrance and disappear (to them).  He understood, i wish more people understood.

So I decided to man-up and run a tor exit node.  Figure I use tor everywhere where there is a public wireless network, its the least I can do to give back.  I’ve ran a relay for years without any problems, so I figure that as long as I follow the documentation on properly running an exit node, use a stripped down ExitPolicy, and bookmark the boilerplate abuse templates I should be fine.  Day 2 of running an exit-node I get my first abuse complaint.

Massive hack?  Stolen credit card?  Letter from the FBI? Something tasty and awesome?

No, some “admin” saying his “IDS system caught” one request to /foo/fjl93rjs9fj/xploitable.php and decides to write this massive abuse email on how this server is trying to “hack” his website.  Really? Fucking really?  In this day of age of nothing but bots and zombies you are going to waste both my and my ISP’s time with something as stupid as this? My webserver gets hundreds of these a day, and I have NEVER EVER sent off an email to an ISP about it.  Its called running a public webserver on the internet.  Don’t like it? Unplug your server and save us all your leet admin IDS skillz.

What makes things even better, is that the IP address that he’s bitching about is mapped to  If you go to that URL, is a webpage saying that this is a tor exit node, what tor is, and how its just a traffic relay.

Now if you’ll excuse me, I’m going to write 1000 abuse emails for every invalid URL request that came into my server this week.