In the past 5 days, I've been getting swamped with email from registered forum users who are responding to the vB note that gets sent out when someone fails after 5 login attempts. Every one of them was telling me "it wasn't me".

Investigation of the IP addresses they're coming from reveals that they're bouncing off exit nodes from the Tor network (http://tor.eff.org/). The Tor network is a distributed cryptographic anonymizing proxy service. It is not possible at this time to identify the actual source.

So in layman's terms - the hack attempts are coming from someone who is abusing the Tor network in order to anonymously attempt to log in to this forum as a legitimate user. If they succeed, they're most likely going to use it to spam the forum with ads.

I've been firewalling out IP addresses right and left, but this is proving to be useless since there are hundreds, or maybe thousands of Tor servers out there, and the hackers simply find another one to continue their barrage. And since Tor is totally anonymous, there's no way to identify the originator, and therefore no way to halt the break in attempts.

I found an abuse FAQ (http://www.torproject.org/faq-abuse.html.en), and it has some hints on how to determine whether an IP is a Tor exit server.

What I'd like to do is have a hack that can identify a server as a Tor server, and simply block all registration and login attempts from those servers.

Has anyone does this? Any different suggestions?

have you tried PM's hack 'proxy to real ip' add-on?

How would that help?

That wouldn't help - no need to install it. About the problem - there's not much you can do :(

I'm pretty sure there is something you can add server-side that will block all Tor IPs .. at least I remember reading that on the Tor project.

Its really getting annoying, mostly because of the email that vB sends telling the account holder that someone tried to hack their account. So they get all worked up and scared, and they send me email telling me to delete their account - which I don't want to do because I hate having posts from someone named "Guest".

Proxy to IP is real helpful with identifying proxy users. Consider this hack:
https://vborg.vbsupport.ru/showthread.php?t=147280&highlight=proxy
Note that it excludes safari users.

I don't think you understand the Tor network, Alfa1. Tor makes it pretty much impossible to locate where data originally came from, as it is passed from node to node before reaching its destination.

Why not disable the email. It won't fix the main problem, however it may stop the bleeding.

wild card ban thier ip within your host, not only your site.