matthew at sorbs.net
Mon Nov 3 03:40:06 UTC 2003
Andrew D Kirch wrote:
>There are however legitimate reasons for a portscan, responding to incoming abuse and attack being one of them, automatically searching for open relays used to send you spam is another.
And on that note I would like to inform all, the new SORBS scanning
process is running, this involves scanning all ports of machines used to
send spam or high spamassassin scoring mail. When scanning is complete
it will test each port for various proxy and relay methods,
identification rate varies, but I have found a large number of proxy
servers recently (as many as 30 in any one minute) on unusual ports
(similar to jeem, but appearing anywhere port 1 through 65535).
If you see a scan, the SORBS scans are initiated with nmap and are not
using any of the stealth options (deliberately), each host scanning has
a PTR record indicating a sorbs.net host barring one - that one will
answer on port 80 with the SORBS website.
Scans are performed after a host sends spam or high scoring mail only,
and should only be tested once in any 3 month period, unless spam is
received in which case it may be tested manually as well.
I'm sorry if that inconveniences users, and/or admins, however I believe
it is for the greater good.
As before anyone wanting network reports for the networks they are
responsible for should send email to me (off list) and I will arrange
it, there is a weekly reporting system already running at SORBS.
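
An admin who sees one of these scans can check the source against the PTR convention described in the message above. The following is an added example, not part of the original post and not SORBS code; the addresses, host names, and the forward-confirmation step (checking that the PTR name resolves back to the same address) are assumptions made for illustration.

```python
import ipaddress

# Constructed DNS data: documentation address ranges and made-up host names.
PTR = {
    "192.0.2.10": "scanner1.sorbs.net.",
    "192.0.2.66": "scanner9.sorbs.net.",       # PTR claims sorbs.net
    "198.51.100.7": "sorbs.net.evil.example.",  # look-alike, different domain
    "203.0.113.5": None,                        # no PTR at all
}
FWD = {
    "scanner1.sorbs.net": ["192.0.2.10"],
    "scanner9.sorbs.net": ["192.0.2.99"],       # forward record points elsewhere
}


def under_domain(name, domain):
    """True if name is the domain itself or a host beneath it."""
    name = name.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def classify(ip, ptr_lookup=PTR.get,
             fwd_lookup=lambda n: FWD.get(n, []), domain="sorbs.net"):
    """Classify a scan source by its PTR record.

    On a live system ptr_lookup/fwd_lookup could wrap socket.gethostbyaddr
    and socket.getaddrinfo; here they read the constructed tables above.
    """
    ip = str(ipaddress.ip_address(ip))  # rejects malformed input
    name = ptr_lookup(ip)
    if not name or not under_domain(name, domain):
        # Includes the one scanner the post says has no sorbs.net PTR;
        # that host has to be checked by hand (port 80, per the post).
        return "not-attributed"
    # A PTR is set by whoever controls the reverse zone, so confirm it
    # with a forward lookup before trusting the name.
    if ip in fwd_lookup(name.rstrip(".").lower()):
        return "confirmed"
    return "ptr-only"


def triage(ips):
    return {ip: classify(ip) for ip in ips}


if __name__ == "__main__":
    for ip, verdict in triage(PTR).items():
        print(f"{ip:15} {verdict}")
```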