TOR (previously the Onion Routing Project) is a wonderful project that helps promote anonymity on the Internet. With all the mass tracking of people and activity for commercial gain or political control having a means of anonymity is a very good thing. The TOR project has always been on the leading edge of pushing these boundaries to help anyone utilize their services without fear.
The mantra for the TOR project is that it is free for use by anyone and everyone can share of the benefits. The services are used by almost every walk of life. From the Mom and Pop, to children, governments, security researchers, and criminals. There are no controls, no authentication, and no validation of the use of TOR. And there should not be for this to truly work as it has been envisioned. This now creates an issue between the maintainers, the owners of exit nodes, service providers, and those of us that track and report malicious activities.
Several times during the year we will inevitably get a message from someone running a TOR exit node or from the TOR maintainers directly alerting us that we have once again reported some type of malicious activity exiting their network and the ISP that hosted said device forwarded that complaint to them. At this point we are usually requested to either filter or discard all the logs and traffic we collect related to any of the TOR exit nodes. The assumption is that because it is a noble effort that a little criminal mischief is okay to accept.
We have to disagree with that sentiment. Any criminal behavior that is observed needs to be reported, no matter the source or destination. Our position is that we report everything that appears to be criminal and rely on the end network owner, which in most cases is a Service Provider, Enterprise, or University, determine what the correct path to be taken. We have seen the complete range of responses, from immediate shutdown of reported IP's, to walled gardens being instituted, to warnings being sent, and finally nothing being done at all. All of these can be appropriate because the final decision on how to act is controlled by the network owner and not us. We do not force any specific action on those that receive our reports. Each network owner needs to understand their network and be able to take appropriate actions for each incident reported.