[tor-talk] exit ports to open in relay *without* issue...
Udo van den Heuvel
2018-09-07 07:08:40 UTC
Hello,

In the past I opened up some 'innocent' exit ports and after a while my
ISP detected a Windows virus of some sorts from my IP('s).
So I went to relay only and that problem was fixed.

Then I thought I was `smart` and opened just a few ports that (normally)
carry SSL-protected connections.
Same thing happened, the ISP detected some (other) virus activity after
a while.

As I do not run Windows at all, these virus detections must come via the
tor exit ports.

Is there a 'safe' choice in this that will not trigger virus activity?
Of course the normal SSL-protected traffic does not mean the virus will
do the same...
So what can I do besides run non-exit?

Udo
--
tor-talk mailing list - tor-***@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.tor
Nathaniel Suchy
2018-09-07 13:10:49 UTC
Port numbers might “limit” traffic when a service is using default ports.
However, I could configure SSH to run on port 80 without an issue.

Similarly, no matter what the port is, a malware author can use it to send
malware out.

Talk to your ISP about what Tor is and ask them to disable the virus filter
on your account.

Cordially,
Nathaniel
Udo van den Heuvel
2018-09-07 13:14:34 UTC
Post by Nathaniel Suchy
Talk to your ISP about what Tor is and ask them to disable the virus filter
on your account.
Thanks..
But local ISP is only one side.
The virus stuff goes somewhere and will also be detected elsewhere.
Then mail will be blacklisted (because a virus does not send mail!?), etc.

This will impact the usability of my internet connection.

How to avoid this *and* still allow some exit?

Udo
Nathaniel Suchy
2018-09-07 13:17:28 UTC
This is something you need to talk to your ISP about. Communicate with them
and see if they can work something out.

Cordially,
Nathaniel
Udo van den Heuvel
2018-09-07 15:40:44 UTC
Post by Nathaniel Suchy
This is something you need to talk to your ISP about. Communicate with
them and see if they can work something out.
The ISP whitelisted my IP in their quarantine system to avoid this issue
next time.
This solves only the local part of the issue, though.

Udo
nusenu
2018-09-07 16:50:00 UTC
Before tackling the actual question, a short description of how detection of malware activity is
usually performed in this context - at least in the context of these kinds of "abuse" emails:

* organizations like shadowservers [1] and others operate sinkhole servers that listen
for incoming connections on IPs or domains used by malware (i.e. former C&C server)
* every time they get a connection to their sinkhole systems they write down where the connection came from (i.e. your exit IP address)
* then they automatically inform that IP holder (usually the AS abuse contact or a national CERT of the
country where the AS is located) of that registered event since it is a sign of a potential
infection of the source IP

This makes sense for most of the internet. Unfortunately, this methodology of source-IP-based attribution
causes "abuse" emails for Tor exits when infected clients (or security researchers, or anyone) visit sinkhole IPs via
Tor.


- you can not solve this on a port level because ports 80 and 443 are frequently used
by malware for outbound connections, and 80+443 are required for the exit flag

- there is a methodology to reduce the amount of such emails that does not get you the BadExit flag:
blacklisting sinkhole IPs in your exit policy, but these are not generally public.

There are lists of IP addresses of such sinkholes that exit operators could use in their exit policy but the problem is:
- they can not be comprehensive (sinkhole IPs try to remain secret)
- they can contain false positives
- they might contain old IPs
- their trustworthiness is unknown

In a little side project I'm aiming to evaluate the effectiveness of these sinkhole lists
by correlating them with such related "abuse" notifications to answer the questions:

Do these public sinkhole IP lists match IPs from actual sinkhole IPs mentioned in abuse notifications?
How effective would using these IPs in a Tor exit relay's ExitPolicy be at reducing the amount of such notification emails?
How much overblocking would occur?
How static are these lists?

If you are an exit operator and want to help with that little project you can submit information covering
such cases in a specific CSV format to the email address below.

To prevent getting spammed, the email must be sent from the email address mentioned in the relay's ContactInfo field, following this spec:
https://github.com/nusenu/ContactInfo-Information-Sharing-Specification#email
and you should not send more than one email per day per sender. (plus points for DKIM signed emails)

**Please do NOT submit data that is related to other types of abuse emails**

CSV format:

timestamp,destination IP address,destination port,feed-name

timestamp: YYYY-MM (please do not include more fine grained time information)
destination IP address: IPv4 or IPv6 address (mandatory)
destination port (if available)
feed-name (if available) example value: shadowserver-drone

email address:
sinkhole-malware-alerts riseup net



[1] https://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-Drone-Hadoop
--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
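As an added example (not code from this thread or from nusenu's project), the script below reads notifications in the CSV format requested above, validates each row (YYYY-MM timestamp, mandatory IP), checks the destination IPs against a sinkhole list, reports what share of notifications that list would have covered, and renders the matching torrc ExitPolicy lines. Everything in it is an assumption for illustration: the addresses are constructed documentation-range values (RFC 5737 / RFC 3849), not real sinkholes, the sample rows are made up, and the reject/reject6 policy syntax is taken from Tor's manual rather than from the post.

```python
"""
Correlate sinkhole-related abuse notifications (CSV format from the post)
with a sinkhole IP list, then render torrc ExitPolicy lines for that list.
All addresses are constructed documentation-range values, not real sinkholes.
"""
import csv
import io
import ipaddress
import re

# Constructed stand-in for a public sinkhole list: hosts, CIDR ranges and a
# junk line, as untrusted lists tend to contain.
SINKHOLE_LIST = """
192.0.2.10
192.0.2.0/29
198.51.100.77
2001:db8::/64
not-a-network
"""

# Constructed notifications. The last two rows are deliberately malformed:
# a day-precise timestamp and a non-IP destination.
NOTIFICATIONS_CSV = """timestamp,destination IP address,destination port,feed-name
2018-07,192.0.2.10,80,shadowserver-drone
2018-07,192.0.2.3,443,shadowserver-drone
2018-08,203.0.113.9,80,shadowserver-drone
2018-08,2001:db8::1234,443,
2018-09,198.51.100.77,,
2018-09-01,192.0.2.10,80,shadowserver-drone
2018-09,not-an-ip,80,shadowserver-drone
"""

MONTH_RE = re.compile(r"^\d{4}-(0[1-9]|1[0-2])$")  # YYYY-MM only, as requested


def load_sinkholes(text):
    """Parse IPs/CIDRs into network objects; single IPs become /32 or /128."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip unparsable entries instead of aborting
    return nets


def parse_notifications(text):
    """Validate CSV rows; return (accepted rows, number of rejected rows)."""
    accepted, rejected = [], 0
    for row in csv.DictReader(io.StringIO(text)):
        ts = (row.get("timestamp") or "").strip()
        ip_text = (row.get("destination IP address") or "").strip()
        port_text = (row.get("destination port") or "").strip()
        feed = (row.get("feed-name") or "").strip()
        if not MONTH_RE.match(ts):
            rejected += 1  # finer-grained timestamps are not wanted
            continue
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            rejected += 1  # destination IP is mandatory and must parse
            continue
        port = int(port_text) if port_text.isdigit() and 0 < int(port_text) < 65536 else None
        accepted.append({"timestamp": ts, "ip": ip, "port": port, "feed": feed or None})
    return accepted, rejected


def correlate(notifications, sinkholes):
    """Split notifications by whether the destination IP lies in any listed network."""
    matched, unmatched = [], []
    for n in notifications:
        (matched if any(n["ip"] in net for net in sinkholes) else unmatched).append(n)
    return matched, unmatched


def summarize(csv_text, sinkhole_text):
    """How many notifications would this list have covered, and which IPs slipped through?"""
    sinkholes = load_sinkholes(sinkhole_text)
    accepted, rejected = parse_notifications(csv_text)
    matched, unmatched = correlate(accepted, sinkholes)
    return {
        "valid": len(accepted),
        "rejected": rejected,
        "matched": len(matched),
        "unmatched": len(unmatched),
        "coverage": round(len(matched) / len(accepted), 2) if accepted else 0.0,
        "unmatched_ips": sorted(str(n["ip"]) for n in unmatched),
    }


def _policy_target(net):
    """torrc address form: bare host or CIDR; IPv6 host in square brackets."""
    host = net.network_address
    if net.version == 6:
        return f"[{host}]" if net.prefixlen == 128 else f"[{host}]/{net.prefixlen}"
    return str(host) if net.prefixlen == 32 else net.with_prefixlen


def exit_policy_lines(sinkholes):
    """Reject lines first (policies are first-match), then the 80/443 accepts the Exit flag needs."""
    lines = [
        f"ExitPolicy {'reject6' if net.version == 6 else 'reject'} {_policy_target(net)}:*"
        for net in sinkholes
    ]
    lines += ["ExitPolicy accept *:80", "ExitPolicy accept *:443", "ExitPolicy reject *:*"]
    return lines


if __name__ == "__main__":
    print(summarize(NOTIFICATIONS_CSV, SINKHOLE_LIST))
    print("\n".join(exit_policy_lines(load_sinkholes(SINKHOLE_LIST))))
```

Running the file prints the coverage summary (4 of 5 valid rows covered, 2 rows rejected) and the policy block. The reject lines are emitted before `accept *:80` and `accept *:443` because Tor evaluates ExitPolicy entries in order and stops at the first match; the unmatched-IP list is what you would inspect to judge how comprehensive the list really is, and the rejected-row count shows how much of a submission fails the format rules before it is even compared.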
Nathaniel Suchy
2018-09-07 17:05:39 UTC
One suggestion I’ll add is
https://tornull.org has a huge exit policy with common sinkholes and other
abusive networks. You won’t stop them all BUT it may reduce the complaints
your ISP gets.

Cordially,
Nathaniel