arth1's Journal: Slashdot clandestinely scanning its users

I just discovered something I'm not sure I like.

Whenever I post something to slashdot, slashdot connects back to port 80 on the machine I post from, looking for an open proxy on port 80.
This isn't behavior I really like to see. It's unsolicited, and more to the point, it takes advantage of a local firewall possibly being temporarily open for traffic FROM an address for a short while after connecting TO it.
There might be a "good cause", like collecting a list of open proxies for the poor guy behind the Great Firewall of China or something similar, but it's still unsolicted, clandestine and not documented.

Here are a couple of web log entries showing this:
216.34.181.45 - - [10/Sep/2008:15:47:47 -0400] "GET http://news.slashdot.org/ok.txt HTTP/1.0" 404 271 "-" "libwww-perl/5.812"
216.34.181.45 - - [10/Sep/2008:20:32:18 -0400] "GET http://mobile.slashdot.org/ok.txt HTTP/1.0" 404 273 "-" "libwww-perl/5.812"

Not new, unfortunately

[damn_registrars]

I've seen this behavior from slashdot for probably two years or more. I'm not sure exactly how long they've done it because I haven't been running a web server at home the whole time I've been posting on slashdot.

However, it did occur to me that a corporate webmaster could use the logs to determine when the worker bees are posting to slashdot on company time...

Proxy scanning

[Qzukk]

Scanning for proxies has been around for years and years (at least IRC servers typically warn you that this is going to happen in their MOTD), usually for the purpose of kicking off people who appear to be using proxies to get around whatever ban, which is probably why slashdot does it.

As for the firewall, unless your client is badly, badly broken, you're connecting from some randomly selected port like 18231, to slashdot's port 80. Unless your firewall is badly broken, it shouldn't allow slashdot (much le