"Here's a node that only accepts HTTP traffic for Google and MySpace; it resides under Verizon:Or, maybe it's trying to capture credentials, like Google cookie stealing.
AS | IP | AS Name — 19262 | 18.104.22.168 | VZGNI-TRANSIT - Verizon Internet Services Inc.
While curious and perhaps even suspicious, it isn't necessarily malicious. It could just be a Samaritan particularly concerned with anonymous searches and MySpace profiles for some reason. But there's no way to tell, so why use such a node if you don't have to?"
"But how about this one?TOR users: caveat.
Now here's a node that was monitoring SSL traffic and was engaging in Man-in-the-Middle (MITM) attacks. Definitely bad.
AS | IP | CC | AS Name — 3320 | 22.214.171.124 | DE | DTAG Deutsche Telekom AG
Here's how the testing was done:
A test machine with a Web server and a real SSL certificate was configured.
A script was used to run through the current exit nodes in the directory cache.
Connections were made to the test machine.
A comparison of the certificates was made.
And the exit node at 126.96.36.199 provided a fake SSL certificate!
Now note, this was only one of about 400 plus nodes tested. But it only takes one."
UPDATED [11/21/2007]: Here are Heise Security's findings and there is now a Slashdot thread on the subject.