Not only are they scanning for open web proxies, but they're scanning for open web proxies that would allow mail relaying as the :25 shows. You're probably seeing the result of a spammer in search of open relays to abuse. -Russell At 02:34 PM 7/29/2002 -0400, you wrote: >The most recent scan I observed added more ports (the 4480 and 6588 are new), >and now the test pattern is a > CONNECT ipaddress:25 HTTP/1.0 >where ipaddress is a different host than the scanner. > >Somebody is collecting web proxies. I am interested in hearing whether >other sites are seeing this, or whether it's somebody uniquely focussed >on my site. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jul 29 2002 - 12:54:43 PDT