Had an interesting find today as I was looking over the Apache logs for PL PHP:

85.190.0.3 - - [07/Jan/2010:09:55:55 +0100] "CONNECT 213.92.8.7:31204 HTTP/1.0" 200 4679 "-" "-"
85.190.0.3 - - [07/Jan/2010:09:55:58 +0100] "POST https://213.92.8.7:31204/ HTTP/1.0" 404 1311 "-" "-"

I had a couple of those in the logs and was rather wondering what it was - seemed fairly odd. Some quick googling didn't show anything apart from others having the same confusion over this. The explanation turned out to be simple, though: if you're connected to freenode (an IRC network), they'll scan your IP checking for open proxies. They do that to defend themselves against DDoS attacks, so it's hard to get annoyed by it ... would be nice if the user agent would specify something like it, though.

How I found out? Whois the ip the traffic comes from, and you'll see the following message:

remarks:        ****************************************************
remarks:        ****************************************************
remarks:        If you see portscans/abuse from 85.190.0.3
remarks:        Please read https://freenode.net/policy.shtml#proxies
remarks:        ****************************************************
remarks:        ****************************************************

Good old whois, always providing for the info-needy.