Hi!
I got this [...]
<quote>
The reason for the scan on the IP address that "doesn't exist" was as a
result of the following spam being reported.
Received: from donjacobo.es
(lsanca1-ar62-4-8-246-254.lsanca1.dsl-verizon.net [4.8.246.254])
by cmx0.sol.net (8.12.11/8.12.11/SNNS-1.04) with SMTP id i953lEXr053775
for ; Mon, 4 Oct 2004 22:47:28 -0500 (CDT)
Received: from by smtp.sanet.com.br;
Tue, 05 Oct 2004 03:45:23 +0000
Message-ID: <8c1001c4aa8d$e692821b$59f01b90@donjacobo.es>
From: "Josie Wooten"
To: <>
Subject: <>
Date: Mon, 04 Oct 2004 21:45:16 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
If you would like to be whitelisted from any further testing then please
notify us so that we can add your imaginary IP addresses for exemption
from further testing [sensible answers only please]
</quote>
[...] after I wrote that [...]
<quote>
If you don't scan other servers except proxies, why does my IDS show you as a portscanner, and my scanlogs as well?
Oct 5 05:52:00 fb7-fg6 scanlogd: 82.195.234.3 to x.x.x.x ports 23, 1181, 81,889, 1027, 1028, 1029, 1066, ..., fSrpauxy, TOS 00, TTL 50 @05:52:00
Oct 5 05:52:06 fb7-fg6 scanlogd: 82.195.234.3 to x.x.x.x ports 23, 1181, 81,889, 1027, 1028, 1029, 1066, ..., fSrpauxy, TOS 00, TTL 50 @05:52:06
Oct 5 05:52:09 fb7-fg6 scanlogd: 82.195.234.3 to x.x.x.x ports 23, 1181, 81,889, 1027, 1028, 1029, 1066, ..., fSrpauxy, TOS 00, TTL 50 @05:52:09
Oct 5 05:52:13 fb7-fg6 scanlogd: 82.195.234.3 to x.x.x.x ports 23, 1181, 81,889, 1027, 1028, 1029, 1066, ..., fSrpauxy, TOS 00, TTL 50 @05:52:13
Oct 5 05:52:16 fb7-fg6 scanlogd: 82.195.234.3 to x.x.x.x ports 23, 1181, 81,889, 1027, 1028, 1029, 1066, ..., fSrpauxy, TOS 00, TTL 50 @05:52:16
Oct 5 05:52:22 fb7-fg6 scanlogd: More possible port scans follow
AFAIK this IP neither exists in our network nor was it listed anywhere.
</quote>
82.195.234.3 = open-proxy-testing-visit-web-server-on-this-host.nubian.blitzed.org
Or visit http://open-proxy-testing-visit-web-server-on-this-host.nubian.blitzed.org/ [...].
Somehow they seem incompetent to me, because they don't tell me what they test.
If I were to test this myself, I would test whether the IP exists or answers to any sort of test (e.g. a portscan or an nmap ping ...).
I would not test as much as they did.
The reason is not that I saw a portscan; the reason is that the portscanner acts as if he were probing for some kind of open proxies or whatever as his reason for doing portscans, without showing or telling what exactly he does.
Am I right or am I whining?
Philippe