Now that we know it's Bobax scanning (http://isc.sans.org/diary.php), do we know if the source IPs are legit or spoofed?

----- Original Message -----
From: "Geo." <geoincidents@nls.net>
To: <nanog@merit.edu>
Sent: Tuesday, May 18, 2004 8:15 AM
Subject: Port 5000

We are seeing many customers here probing port 5000 across the network. It appears to be some new worm or something, but I've had no luck yet in figuring out what it is except to say Norton AV detects nothing yet.

Anyone have a clue?

http://isc.incidents.org/port_details.php?isc=b4827221b7f45feeb0c12bc5040cabc9&port=5000&repax=1&tarax=2&srcax=2&percent=N&days=10&Redraw=Submit+Query

The jump in traffic is obvious.

Geo.