The easiest way to figure out whether a Tor user is real or not is to blast them with CAPTCHAs, but that gets annoying.

If you use Tor to anonymize your Web browsing—well, sort of anonymize—then congratulations! You’re one of the rare people who actually use the service for legitimate means. Most everyone else, according to a new report from CloudFlare, uses Tor to try and scam, phish, or digitally mess with other people.
“Based on data across the CloudFlare network, 94 percent of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network,” CloudFlare says.

“To give you some sense, based on data from Project Honey Pot, 18 percent of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.”
CloudFlare reached its conclusion by looking at the requests various IP addresses made across its network and scoring how malicious those requests were. Usually, a person’s browsing habits elsewhere can offset the fact that they occasionally connect from a location that otherwise carries a lot of malicious activity—a coffee shop, for example. In the case of Tor, all CloudFlare can really see is what’s coming out of the various exit nodes, and since it has detected a lot of malicious activity from people using Tor, those exit nodes themselves tend to carry a fairly high threat score.
As for how to deal with Tor, that’s been a particular challenge for CloudFlare.
“Our customers sign up for CloudFlare to protect them from online attacks, so we can’t sacrifice security. We also believe anonymity is critical, having witnessed firsthand how repressive regimes use control of the network to restrict access to content. So that leaves sacrificing a bit of convenience for users of the Tor browser,” reads CloudFlare’s post.
Now, CloudFlare gives its customers a few ways to handle Tor traffic, so they can set up their own preferences based on how they view the service.

Customers can either whitelist Tor traffic entirely, force Tor users to enter a CAPTCHA or JavaScript challenge to prove they’re actually human (and presumably using Tor for legitimate means), or blacklist Tor entirely—but only CloudFlare’s enterprise customers get the latter option.

Going forward, CloudFlare wants to pass some of this human/bot authentication off to Tor itself, since CAPTCHAs can be a bit of a pain—especially if CloudFlare has to throw one at each Tor user for every site they visit.
CloudFlare is also hopeful it can create .onion versions of its customers’ websites, which would only be accessible via Tor—with all traffic to said .onion sites encrypted by SSL.

CloudFlare is also looking into a way to assign the CAPTCHA process directly to the Tor browser, which would allow a person to authenticate once and receive a cryptographic token that permits their annoyance-free Web browsing for the rest of the session.
“By moving the proof-of-work test to the client side, the Tor browser could send confirmation to every site visited so that users wouldn’t be asked to prove they are human repeatedly. Providing a way to distinguish a human using Tor from an automated bot would not only benefit traffic to CloudFlare but, if it became a standard, could also make it easier for other organizations that have restricted Tor traffic out of concern for abuse to start allowing verified-human Tor users back on their sites,” reads CloudFlare’s blog.
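The "solve once, present a token everywhere" flow described above, as an added illustrative sketch that is not CloudFlare's or Tor's design: the client solves a hash-based proof-of-work, an issuer checks it once and returns a MAC-signed token with a session expiry, and any site trusting the issuer verifies the token without issuing a new CAPTCHA. The difficulty, lifetime, key handling and token layout are all constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed parameters for the sketch (not real CloudFlare/Tor values).
DIFFICULTY_BITS = 16        # leading zero bits the client must find (~65k hashes)
TOKEN_TTL = 3600            # token lifetime in seconds, the "rest of the session"
ISSUER_KEY = os.urandom(32) # assumed shared between the issuer and trusting sites


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _pow_digest(challenge: bytes, nonce: int) -> bytes:
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve_pow(challenge: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force a nonce so the digest has `bits` leading zeros."""
    nonce = 0
    while leading_zero_bits(_pow_digest(challenge, nonce)) < bits:
        nonce += 1
    return nonce


def check_pow(challenge: bytes, nonce: int, bits: int = DIFFICULTY_BITS) -> bool:
    """Verification is a single hash, so it is cheap for the issuer."""
    return leading_zero_bits(_pow_digest(challenge, nonce)) >= bits


def issue_token(challenge: bytes, nonce: int, key: bytes = ISSUER_KEY, now=None):
    """Issuer: accept the solution once, then hand out a MAC-signed session token."""
    if not check_pow(challenge, nonce):
        return None
    now = time.time() if now is None else now
    # body = 16 random bytes || 8-byte big-endian expiry; tag = HMAC-SHA256(body)
    body = secrets.token_bytes(16) + (int(now) + TOKEN_TTL).to_bytes(8, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_token(token: bytes, key: bytes = ISSUER_KEY, now=None) -> bool:
    """Any site trusting the issuer: check MAC and expiry, no fresh challenge needed."""
    if len(token) != 16 + 8 + 32:
        return False
    body, tag = token[:24], token[24:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return False
    now = time.time() if now is None else now
    return int(now) < int.from_bytes(body[16:24], "big")
```

Because this token is byte-identical at every site, those sites could correlate one Tor session across visits; a deployable version of the idea would need tokens that are unlinkable between sites (blind-signature style issuance), which this sketch deliberately leaves out.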