Andrew D Kirch wrote:
There are however legitimate reasons for a portscan, responding to incoming abuse and attack being one of them, automatically searching for openrealys used to send you spam is another.
And on that note I would like to inform all, the new SORBS scanning process is running, this involves scanning all ports of machines used to send spam or high spamassassin scoring mail. When scanning is complete it will test each port for various proxy and relay methods, identification rate varies, but I have found a large number of proxy servers recently (as many as 30 in any one minute) on unusual ports (similar to jeem, but appearing anywhere port 1 through 65535). If you see a scan, the SORBS scans are initiated with nmap and are not using any of the stealth options (deliberately), each host scanning has a PTR record indicating a sorbs.net host barring one - that one will answer on port 80 with the SORBS website. Scans are performed after a host sends spam or high scoring mail only, and should only be tested once in any 3 month period, unless spam is received in which case it may be tested manually as well. I'm sorry if that inconvinences users, and/or admins, however I believe it is for the greater good. As before anyone wanting network reports for the networks they are responsible for should send email to me (off list) and I will arrange it, there is a weekly reporting system already running at SORBS. Yours Matthew