Message-ID: <553CC9AC.9080402@openmailbox.org>
Date: Sun, 26 Apr 2015 11:19:08 +0000
From: nusenu <nusenu@openmailbox.org>
MIME-Version: 1.0
To: tor-talk@lists.torproject.org, phw@nymity.ch
References: <223eaa337204f5f94241636062f9a9e4.webmail@localhost>
 <20150423040805.GA7800@moria.seul.org> <20150423043420.GA15244@nymity.ch>
 <55394871.4010205@openmailbox.org> <20150424024723.GC6723@nymity.ch>
In-Reply-To: <20150424024723.GC6723@nymity.ch>
Subject: Re: [tor-talk] SIGAINT email service targeted by 70 bad exit nodes

> On Thu, Apr 23, 2015 at 07:30:57PM +0000, nusenu wrote:
>>> Almost all of them were younger than one month and they seem
>>> to have joined the network in small batches.  I uploaded
>>> Onionoo's JSON-formatted relay descriptors, so everybody can
>>> have a look: 
>>> <http://www.nymity.ch/badexit/bad_descriptors_2015-04-23.zip>
>> 
>> I compared your list (71 FPs) with my list (55 FPs) from
>> 2015-04-05 [1], we have an overlap of (only) 30 relays. An
>> overlap of around ~50 would be better.
> 
> Yes, I remember your list.  Thanks a lot for sharing it, it's
> really helpful!
> 
> The relays that are in your, but not in my list indeed look quite 
> similar to the rest.  They don't have a BadExit flag because nobody
> has caught them doing something nasty yet.

So you do not think that they are controlled by the same (malicious)
entity? (even though some declare their MyFamily accordingly*)

Or is the requirement to flag them as badexit to catch them red-handed?

The case that one took over legit relays is unlikely since many are
rather 'fresh' ones.

Or: Are they still on the network so we can see what they are after? ;)
(rather hard given the amount of potential targets)

Did you (or anyone else?) try to reach out to them via their ISP(s)?


*) Why would a malicious entity start to declare a MyFamily at all?
I guess due to my email from
https://lists.torproject.org/pipermail/tor-talk/2015-April/037384.html
and it does not actually hurt their malicious activities because
the little groups are in the same /16 anyway. (They do not put all
their relays in a family)
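Added example, not part of the original message: a sketch of the two checks the message reasons about, the overlap between two fingerprint lists and which relays sharing a /16 do not declare each other as family. The relay entries are constructed and only assumed to follow the shape of Onionoo details documents (`fingerprint`, `or_addresses`, `effective_family`); all function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (made-up fingerprints, documentation addresses).
RELAYS = [
    {"fingerprint": "A" * 40, "or_addresses": ["198.51.100.10:9001"],
     "effective_family": ["B" * 40]},
    {"fingerprint": "B" * 40, "or_addresses": ["198.51.100.77:9001"],
     "effective_family": ["A" * 40]},
    {"fingerprint": "C" * 40, "or_addresses": ["198.51.100.200:443"],
     "effective_family": []},
    {"fingerprint": "D" * 40, "or_addresses": ["203.0.113.5:9001"],
     "effective_family": []},
]
LIST_A = {"A" * 40, "B" * 40, "D" * 40}  # constructed: one reporter's list
LIST_B = {"B" * 40, "C" * 40}            # constructed: the other list


def slash16(or_address):
    """Return the /16 network of an 'ip:port' OR address (IPv4 assumed)."""
    host = or_address.rsplit(":", 1)[0]
    return str(ipaddress.ip_network(f"{host}/16", strict=False))


def group_by_slash16(relays):
    """Map each /16 to the fingerprints whose first OR address is in it."""
    groups = defaultdict(set)
    for relay in relays:
        groups[slash16(relay["or_addresses"][0])].add(relay["fingerprint"])
    return dict(groups)


def undeclared_pairs(relays):
    """Pairs in the same /16 that do not mutually list each other as family."""
    family = {r["fingerprint"]: set(r.get("effective_family", []))
              for r in relays}
    pairs = set()
    for members in group_by_slash16(relays).values():
        for a in members:
            for b in members:
                if a < b and not (b in family[a] and a in family[b]):
                    pairs.add((a, b))
    return pairs


def overlap(list_a, list_b):
    """Split two fingerprint sets into shared and list-specific relays."""
    return {"both": list_a & list_b,
            "only_a": list_a - list_b,
            "only_b": list_b - list_a}
```

Relays that land in `only_a` or `only_b` but share a /16 with flagged relays are the ones worth a closer look, whether or not they declare a family.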

