Portscans/PROXY scans

Matthew Sullivan matthew at sorbs.net
Mon Nov 3 03:40:06 UTC 2003

Andrew D Kirch wrote:

>There are however legitimate reasons for a portscan, responding to incoming abuse and attack being one of them, automatically searching for openrealys used to send you spam is another.
And on that note I would like to inform all, the new SORBS scanning 
process is running, this involves scanning all ports of machines used to 
send spam or high spamassassin scoring mail.  When scanning is complete 
it will test each port for various proxy and relay methods, 
identification rate varies, but I have found a large number of proxy 
servers recently (as many as 30 in any one minute) on unusual ports 
(similar to jeem, but appearing anywhere port 1 through 65535).

If you see a scan, the SORBS scans are initiated with nmap and are not 
using any of the stealth options (deliberately), each host scanning has 
a PTR record indicating a sorbs.net host barring one - that one will 
answer on port 80 with the SORBS website.

Scans are performed after a host sends spam or high scoring mail only, 
and should only be tested once in any 3 month period, unless spam is 
received in which case it may be tested manually as well.

I'm sorry if that inconvinences users, and/or admins, however I believe 
it is for the greater good.

As before anyone wanting network reports for the networks they are 
responsible for should send email to me (off list) and I will arrange 
it, there is a weekly reporting system already running at SORBS.



More information about the NANOG mailing list