Re: [Full-disclosure] Possible proxy scan for proactive countermeasures?

[Rob <spamproof@xxxxxxxxxxxxxx>]

the rxmr wrote:
> Even though Slashdot is often joked about on the lists, I was
> wondering if anyone has been experiencing similar scans from their IP
> address and if so has anyone confirmed it to be them or is the source
> address being spoofed?
>
> The scans are directed at proxy services and Slashdot has recently
> been getting crapflooded with anonymous posts made through open
> proxies and is rumored to be banning the IP's of those proxies. Here
> is an example:
>
> http://slashdot.org/comments.pl?sid=150000&threshold=1&commentsort=0&tid=172&mode=thread&cid=12572018
>
> Therefore it seems reasonable that the source of the scans is actually
> Slashdot.  If they are scanning me for open proxies, then are they
> scanning everyone else who visits their site today?  I gave up trying
> to get any response via email from Slashdot years ago so I am not
> going to contact them.
>
> This is the recent output of my logfile (my IP is xx'd out):

They scan everyone, it has been going on for a long time, not just recently.
I don't remember if it is when you attempt to post comments or even just when 
you attempt to read stories.

The recent crapflood might be people attempting to get TOR endpoints/egresspoints  banned, just a guess - since if those address from 
which the comments were posted were actually open proxies then /. already has the technology to block them. So I think the posters 
are maybe not being completely truthful about how and from where they are posting (otherwise they wouldn't need to try to induce 
people to mod their posts).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/