Either the simultaneous-user limit on NT's ftp is pretty low by default, or there are a *lot* of suckers out there.
Got an eBay phishing spam, and happened to notice that the destination URL was ftp instead of http. Huh. And not just anon ftp, but an ftp url with the NT administrator password in it. Narshty.
The URL gets a 421 nineteen hits out of twenty, which apparently means it's getting a lot of bites (even if it only allows one connection, how long does it take to serve a little page where all the graphics probably come from eBay? And why doesn't eBay examine referers and track these things down proactively?)
Wish I knew how to shut down an NT server from the Internet...
