Security Incidents mailing list archives

Re: Probe from UK Provider ?


From: arrigo () ALBOURNE COM (Arrigo Triulzi)
Date: Thu, 20 Jan 2000 23:32:07 +0000


Pauline van Winsen scripsit:
[...]
|i sent an email to abuse () demon co uk last year in october with little
|success. they mumbled something about problems with hardware
|mangling packets. sigh...

Are you sure this is not another of those load-balancing tricks?  All
Demon users (I was one, notice the "was") get a web site,
www.hostname.demon.co.uk, which is provided over their virtual web
hosting service according to particular rules (high traffic puts you
on a throttled subnet, etc.).  They advertised in their magazine,
Demon Dispatches, that they were now using "advanced cache technology"
with "integrated mirroring" (translated: layer 3 switching and mirrors
of big sites so that they become local) and so on.

You can only reach a Demon subscriber's dialup host when they are
dialled in so you should distinguish scans from a dialup host,
generally, hostname.demon.co.uk, from their virtually hosted web site
at www.hostname.demon.co.uk.  Furthermore there have been reports of
scans from punt-xx.mail.demon.net.  These are Demon SMTP "kick" boxes
which upload e-mail via SMTP when a user dials in.  These I have no
explanation for except that they might be spoofed IPs.

Concerning Demon's security/abuse bunch: when I was seeing packets from
192.168.x.y coming up through my dialin, I reported them and they went
off to work, discovering that it was an AOL IM "feature" for keeping
the line open.  They had a word with AOL, AOL basically said "thanks,
have a nice day and don't bother us" so they firewalled. This was
approx. 6 months ago.  I stopped being a customer of theirs about a
month ago so things might have changed.

Ciao,

Arrigo
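
A triage sketch for the distinction drawn in the message above, added here as an example and not part of the original post: it sorts probe sources from a firewall log into dialup hosts, virtually hosted web sites, SMTP "kick" boxes and RFC 1918 sources that should never arrive over an Internet link. The function names, the sample entries and the exact form of the "xx" in punt-xx are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Name patterns as described in the message. What "xx" in punt-xx looks like
# is not stated there, so letters/digits is an assumption.
KICK_RE = re.compile(r"^punt-[a-z0-9]+\.mail\.demon\.net$")
WEB_RE = re.compile(r"^www\.[a-z0-9-]+\.demon\.co\.uk$")
DIALUP_RE = re.compile(r"^(?!www\.)[a-z0-9-]+\.demon\.co\.uk$")

# Private ranges (RFC 1918): not routable on the Internet, so a packet with
# such a source on an external link is leaked or spoofed.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(ip, rdns):
    """Return a triage category for one logged source (IP, reverse DNS name)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    name = (rdns or "").rstrip(".").lower()
    if KICK_RE.match(name):
        return "smtp-kick"      # mail upload box, not a subscriber machine
    if WEB_RE.match(name):
        return "virtual-web"    # provider's shared web hosting, always up
    if DIALUP_RE.match(name):
        return "dialup"         # subscriber host, reachable only while dialled in
    return "other"


def summarise(entries):
    """Count categories over (ip, rdns) pairs, e.g. to split an abuse report."""
    return Counter(classify_source(ip, rdns) for ip, rdns in entries)


# Constructed sample entries (documentation addresses, invented hostnames).
SAMPLE = [
    ("192.0.2.10", "example-host.demon.co.uk"),
    ("192.0.2.11", "www.example-host.demon.co.uk"),
    ("192.0.2.12", "punt-21.mail.demon.net"),
    ("192.168.4.7", None),
    ("198.51.100.5", "host.example.net"),
]

if __name__ == "__main__":
    for category, count in sorted(summarise(SAMPLE).items()):
        print(f"{category:12} {count}")
```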

