Re: When not to log

From: Joe (
Date: 05/10/02

From: Joe <>
Date: Fri, 10 May 2002 20:11:47 +0100

In article <>, Tim Haynes
<> writes
>Kasper Dupont <> writes:
>> That sounds completly ridicolous, I have never experienced any scans
>> comming as a result from downloading from a http server. (Of course
>> except from the servers offening an online security audit and telling you
>> the result.) Are you sure that this is really scans and not just you
>> filtering something you shouldn't filter. Or are you just visiting some
>> very suspicious sites?
>Agreed; as stated it's highly unlikely that merely surfin' the web would
>attract scans.

Maybe not scans, but almost all of the attempted contacts I get seem to
occur within a second or so of accessing a new website. Maybe it's
coincidence. I dial up for a total of perhaps half an hour a day, and
never get any probes during the 5-20 minutes of collecting mail and
news, which is all I do most days.

I've never been scanned as such, but nearly all of the probes are for
web, telnet, ssh, portmapper and netbeui. Mostly the usual suspects,
with some nntp and the occasional ntp. Now and then one I have to look
up. Oddly, very few smtp, imap or pop. Usually in threes, and, as I say,
nearly all immediately after contacting a website for the first time.
Not dodgy ones, either, mostly links from Google to hardware or software

I've always assumed it was some type of cause and effect. OK, I know the
usual arguments, it's perfectly legitimate and reasonable for someone to
just pick my IP out of the air and expect me to be running a web server
with content of interest to them, or a news server... so what's the
legitimate reason for randomly sniffing for telnet, ssh, netbeui and
portmapper over the Internet?