TOR/VPN/Anonymizing Proxy Policy

CBL/XBL TOR/VPN/Anonymizing Proxy Policy

This page explains the policy that the CBL has towards IP addresses used as "TOR exit nodes", VPN tunnels, and other mechanisms that use shared IP addresses for relaying traffic from unattributable third parties.

First we'll give brief outlines of what these are, and then second, we'll describe the CBL policy towards TOR.

What is TOR? Why does it exist?

TOR is a method by which Internet users can make connections to Internet services (web browsing, email and others) in such a way that the connection and the path it takes are hidden from snooping. In other words, it anonymizes connections: the destination service cannot determine who originated the connection, and neither can an observer performing deep packet inspection along the way.

From the destination service's perspective, the IP address making the final connection to them is the so-called "TOR exit node". But, in reality, the traffic has travelled a complex (and often random) path to the destination service via encrypted data streams inside the TOR infrastructure.

As such, TOR is intended to be used by political dissidents or "whistleblowers" who would otherwise fear reprisal, and by users who simply have a strong desire for privacy.

More information can be found on TOR at the TOR Project

What are VPN Tunnels?

A VPN tunnel is a specialized/secure "proxy" of traffic from a user to places they want to go on the Internet. VPN tunnels provide a "privacy shield" so that the user can access those places without giving away information the user doesn't wish to, such as what IP address the user is using etc. It's much simpler than TOR and generally much faster.

Unlike TOR, VPNs are usually a commercial service, and are often used in a commercial context for load balancing, geographic dispersion and for other technical/reliability reasons.

VPNs generally apply to all traffic the user wishes to send, whether it be email, web traffic or any other.

There are many VPN providers who offer these services (usually commercially) to customers; each VPN tunnel may forward just one user's traffic or that of many users.

What are Anonymizing proxies?

Anonymizing proxies are effectively the same thing as VPN tunnels, but unlike VPN tunnels they generally do not use fully featured VPN protocols and only support web traffic. Many of them are not particularly effective at suppressing the identifying details that a more discerning VPN or TOR user would expect to be hidden.

Why does the CBL care about TOR/VPN/etc?

Not only do political dissidents and people with elevated privacy concerns want the anonymity that TOR, VPNs etc. provide, common criminals do as well, for obvious reasons. Recent research has shown that more than half of all TOR exit nodes are transiting large amounts of demonstrably malicious traffic.

Similarly, and more worrisome, VPN tunnels are being leased in large blocks (a dozen or a hundred at a time) by individual criminals to obscure or defeat the tracking of malicious activity.

By "malicious traffic" or "activity", we mean traffic for spam or criminal activities, NOT traffic that may be objectionable or illegal for political or religious reasons. We mean traffic that is intended to facilitate spam, theft, identity theft, DDOS, phishing and compromising innocent third parties via botnets, spambots and other similar activity.

In the CBL context, "malicious traffic" specifically refers to traffic initiated by, or used by, computers that have been infected with spamware, malicious software downloaders and other forms of malware/botnet activity. As such, the CBL supports the use of TOR/VPN etc for legitimate privacy reasons, or even no reason at all, but not criminal acts.

TOR/VPN/anonymizing Proxy Abuse

In the past, TOR was heavily used to directly transit spam and malware email. As a result of complaints, pressure, and a realization that unrestricted transit of spam email endangers the future of the TOR Project, the TOR network was changed so that, by default, the exit policy of a TOR exit node does not permit outbound email (SMTP, port 25) traffic. Exit nodes still forward other traffic.
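The "no email by default" behaviour above comes from the exit policy each TOR relay publishes: an ordered list of accept/reject rules, where the first rule matching the destination address and port decides whether the exit will open the connection. The following is an added example, not code from the CBL or the Tor Project, that parses and evaluates such a policy. The policy text in it is a constructed subset in the style of Tor's default exit policy (which rejects port 25 among others), not the authoritative default, and it handles IPv4 rules only; an unmatched destination is treated as rejected, which is an assumption of this example.

```python
"""Tor-style exit policy evaluation (added example; constructed sample policy)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample policy resembling Tor's default: private ranges and
# SMTP are rejected, a BitTorrent port range is rejected, everything else
# is accepted. Real policies are longer and may carry IPv6 rules written
# as [addr]:port, which this parser does not handle.
SAMPLE_POLICY_TEXT = """\
reject 10.0.0.0/8:*
reject 192.168.0.0/16:*
reject *:25
reject *:6881-6999
accept *:*
"""


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "reject"
    network: Optional[Network]  # None means any address ("*")
    port_lo: int
    port_hi: int

    def matches(self, ip: ipaddress._BaseAddress, port: int) -> bool:
        if self.network is not None and ip not in self.network:
            return False
        return self.port_lo <= port <= self.port_hi


def parse_rule(line: str) -> Rule:
    """Parse one 'accept|reject ADDR:PORTS' line (ADDR is IPv4, CIDR or '*')."""
    action, _, pattern = line.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action in rule {line!r}")
    addr, sep, ports = pattern.rpartition(":")
    if not sep:
        raise ValueError(f"rule {line!r} has no port pattern")
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range in rule {line!r}")
    return Rule(action, network, lo, hi)


def parse_policy(text: str) -> List[Rule]:
    """Parse a policy, one rule per line; blank lines and '#' comments are skipped."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def exit_allows(policy: List[Rule], dest: str, port: int) -> bool:
    """First matching rule wins. An unmatched destination is rejected here
    (assumption: Tor's own policies end with an explicit catch-all rule)."""
    ip = ipaddress.ip_address(dest)
    for rule in policy:
        if rule.matches(ip, port):
            return rule.action == "accept"
    return False


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_TEXT)
    # 203.0.113.0/24 is a documentation range (RFC 5737), used as a stand-in.
    for dest, port in [("203.0.113.10", 25), ("203.0.113.10", 443), ("10.1.2.3", 443)]:
        verdict = "accept" if exit_allows(policy, dest, port) else "reject"
        print(f"{dest}:{port} -> {verdict}")
```

Port 25 is rejected for every destination, so a spammer cannot deliver mail directly through this exit, while submission on 587 or 465 and ordinary web traffic still pass; that is why the page can say exit nodes "still forward other traffic".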

VPN tunnels have seen no comparable reduction in email spam. They remain a huge source of spam, and botnet activity still plagues TOR from time to time.

We occasionally get contacted by owners of TOR exit nodes or VPN tunnels suggesting that we should not be listing such IP addresses under any circumstances. The reasoning is that they're used by political dissidents in fear for their lives, by privacy-conscious individuals who are up to no harm, and so on.

TOR/VPN/etc Policy

We understand, appreciate and really do not wish to interfere with the usual goals of TOR, VPN and the like. But unfortunately, as outlined in previous sections, the situation is dire. Up until now, our position was to treat TOR exit nodes just the same as any other IP address. The CBL was "TOR ignorant". It didn't care whether the IP address was a TOR exit node or not.

It is our position that it is unreasonable for the CBL (and hence Spamhaus XBL) to treat TOR, VPNs or anonymizing proxies any differently than any other IP address.

The reasoning behind this is in several parts:

    The fact that the IP is intended to transit legitimate traffic does not change the fact that it is provably transiting malicious traffic that our users do not want.
    If TOR/VPN becomes a complete safe haven, then it will become an even bigger attractant to criminal behavior. Which has two immediate consequences: the loading on these "networks" would skyrocket to the detriment of all of their users, and Governments and Law Enforcement will ultimately be forced to take action in ways that no-one would like.
    As such, the potential for CBL listings is not only a cost of running a TOR exit node, VPN tunnel or anonymizing proxy; it is a critical "braking effect" against being flooded with yet more criminal activity, with bad results for the community as a whole.
    The CBL's users would not wish us to ignore malicious traffic simply because it comes from such networks.

CBL TOR listing policy

We recently received an email from the operator of a TOR exit node who was also a CBL user (to protect his own email). He suggested that we should be automatically listing all TOR exit nodes. This resulted in internal research leading to our policy change.

We decided to not go as far as the aforementioned TOR exit node operator suggested: we will not be pre-emptively listing all TOR nodes. We are only changing the behaviour of the CBL lookup and removal system relative to TOR exit nodes that have already been listed for malicious activity.

Effective immediately: The CBL lookup/removal system is now "TOR aware" and will not permit the self-removal of TOR exit nodes, nor will it allow removal requests from TOR exit nodes. This means that once a TOR exit node becomes listed, it cannot be delisted until the listing expires (approximately 1-2 weeks after the last detection of malicious activity).

Please note: this in no way decreases the privacy of TOR. It just means that a CBL listing of a TOR exit node cannot be self-removed, nor will we accept removal requests that come from TOR exit nodes.
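The rule above has three parts: a listing expires on its own some time after the last detection, a listed TOR exit node cannot be removed before that, and a removal request arriving from a TOR exit node is refused regardless of which IP it asks about. The following is an added example, not the CBL's code, that models exactly that gate. Its assumptions: the set of exit nodes comes from a plain-text list of IP addresses (a constructed sample here; the page does not say which source the CBL uses), listings are keyed by IP, and a listing expires EXPIRY after the last detection (ten days, chosen to sit inside the page's "approximately 1-2 weeks"). All addresses are from the RFC 5737 documentation ranges.

```python
"""Model of a "TOR aware" lookup/removal gate (added example, not the CBL's code)."""
import ipaddress
from datetime import datetime, timedelta, timezone

EXPIRY = timedelta(days=10)  # assumption: within the page's "1-2 weeks"

# Constructed sample exit-node list, one address per line, '#' comments allowed.
EXIT_LIST_TEXT = """\
# constructed exit list for the example
198.51.100.7
203.0.113.42   # trailing comment
"""

# Constructed listings: IP -> time of the most recent malicious detection.
LISTINGS = {
    "198.51.100.7": datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc),  # a TOR exit
    "192.0.2.9": datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc),     # an ordinary host
    "192.0.2.77": datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc),     # long expired
}

SAMPLE_NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)     # inside both fresh listings
SAMPLE_LATER = datetime(2024, 3, 20, tzinfo=timezone.utc)  # after they have expired


def parse_exit_list(text):
    """Return a frozenset of exit-node addresses, skipping comments and blanks."""
    nodes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nodes.add(ipaddress.ip_address(line))  # raises on malformed input
    return frozenset(nodes)


def lookup(listings, ip, now):
    """Listing status for one IP: (currently_listed, expires_at_or_None)."""
    key = str(ipaddress.ip_address(ip))  # canonical form so lookups match
    last_seen = listings.get(key)
    if last_seen is None:
        return False, None
    expires_at = last_seen + EXPIRY
    return now < expires_at, expires_at


def removal_decision(listings, exit_nodes, target, requester, now):
    """Decide a removal request without changing anything.

    Order matters: an unlisted or expired target short-circuits, then the
    TOR checks apply to the target and to the requester, and only then is
    removal allowed.
    """
    target_ip = ipaddress.ip_address(target)
    requester_ip = ipaddress.ip_address(requester)
    listed, _ = lookup(listings, target, now)
    if not listed:
        return "not_listed_or_expired"
    if target_ip in exit_nodes:
        return "denied: target is a TOR exit node; listing must expire on its own"
    if requester_ip in exit_nodes:
        return "denied: removal requests from TOR exit nodes are not accepted"
    return "removed"


def apply_removal(listings, exit_nodes, target, requester, now):
    """Apply the decision to the listings dict and return the decision string."""
    decision = removal_decision(listings, exit_nodes, target, requester, now)
    if decision == "removed":
        listings.pop(str(ipaddress.ip_address(target)), None)
    return decision


if __name__ == "__main__":
    exits = parse_exit_list(EXIT_LIST_TEXT)
    state = dict(LISTINGS)
    for target, requester in [("198.51.100.7", "192.0.2.50"),
                              ("192.0.2.9", "203.0.113.42"),
                              ("192.0.2.9", "192.0.2.50")]:
        print(f"{target} requested by {requester}: "
              f"{apply_removal(state, exits, target, requester, SAMPLE_NOW)}")
```

Checking the requester as well as the target is what closes the obvious workaround: someone listed as an exit could otherwise ask for removal of any other IP through the same anonymous path. The time comparison is done with timezone-aware values on purpose; mixing naive and aware datetimes raises in Python, which is preferable to silently comparing in the wrong zone.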

Note to TOR/VPN/anonymizing proxy developers and operators: This should make it obvious that the best way for your networks to maintain maximum utility for their legitimate users is to ensure that they do not transit malicious/criminal traffic.

We realize that this is easier said than done. However, there really is no choice. We welcome, encourage and challenge the TOR Project and VPN operators to help reduce the deluge of malicious activity from spambots, botnets and other malware.