7/13/2026 at 8:09:44 PM
I love investigating internet background radiation, this is interesting research. I've definitely seen spa504g.cfg (IP Phone) and spa112.cfg (Cisco analog terminal adapter) before; you should actually serve these a proper config file and spin up a disposable SIP server so you can (potentially) call them on the phone, send them a fax or even better ATDT ;)Though, come to think of it these requests are more likely from credential harvesting bots as most ITSP's provision their CPE with a <macaddr>.cfg or similar.
by vivi_
7/14/2026 at 7:34:34 PM
Were the spa504g.cfg pulls coming from the same infosec scanner IPs as everything else or from another source? Curious whether the targeted-looking requests actually separate out from the background noise.by pseudocoder204
7/14/2026 at 8:06:12 PM
Different source.by bediger4000
7/13/2026 at 9:32:58 PM
The 00000000000.cfg stuck out to me too, because that's the default/base config name for polycom phones.by racnid