I was running AutoSSL on my website. Initially it failed because of some strict Cloudflare WAF rule. I disabled the rule and ran AutoSSL again. At that time I saw lots of requests coming in with Location: T1 and hostnames like cpanel.mydomain.com, webmail.mydomain.com etc. I quickly checked the IPs and found that they are abusive IPs. The user-agents were like “python-requests”. I did not get why the requests should come while I was running AutoSSL. I checked firewall events and I could not find such requests earlier. Cloudflare could block those requests. But my question is: is it just coincidental? How did those requests come when I was running AutoSSL? I was running AutoSSL before it expired.
T1 means Tor, and you likely are just now seeing these because bots monitor the CT logs (Certificate Transparency) and try to scan/attack hostnames that show up if they’re vulnerable.
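One way to check whether such requests line up with certificate issuance rather than coincidence, as an added example that is not part of the original thread: it correlates firewall events with the time a certificate was issued for each hostname. The event records, timestamps, one-hour window and function names are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): when AutoSSL obtained a
# certificate for each hostname. Issuance is what gets published to CT logs.
CERT_ISSUED = {
    "cpanel.mydomain.com": datetime(2024, 1, 10, 12, 0, 0),
    "webmail.mydomain.com": datetime(2024, 1, 10, 12, 0, 5),
}

# Constructed firewall events: (timestamp, host, country code, user-agent).
EVENTS = [
    (datetime(2024, 1, 9, 8, 0, 0), "www.mydomain.com", "US", "Mozilla/5.0"),
    (datetime(2024, 1, 10, 12, 3, 0), "cpanel.mydomain.com", "T1", "python-requests/2.31.0"),
    (datetime(2024, 1, 10, 12, 4, 0), "webmail.mydomain.com", "T1", "python-requests/2.31.0"),
    (datetime(2024, 1, 10, 12, 6, 0), "cpanel.mydomain.com", "DE", "Mozilla/5.0"),
    (datetime(2024, 1, 12, 12, 0, 0), "webmail.mydomain.com", "T1", "python-requests/2.31.0"),
]

def is_scanner_like(country, user_agent):
    """Match the traits from the question: Tor (T1) or a python-requests UA."""
    return country == "T1" or user_agent.lower().startswith("python-requests")

def ct_correlated(events, issued, window=timedelta(hours=1)):
    """Return scanner-like events that hit a hostname shortly after issuance."""
    hits = []
    for ts, host, country, ua in events:
        t0 = issued.get(host)
        if t0 is None:
            continue  # no certificate issued for this hostname
        delay = ts - t0
        if timedelta(0) <= delay <= window and is_scanner_like(country, ua):
            hits.append((host, delay, country, ua))
    return hits

def summarize(hits):
    """Per hostname: (number of correlated hits, delay of the first one)."""
    out = {}
    for host, delay, _country, _ua in hits:
        count, first = out.get(host, (0, delay))
        out[host] = (count + 1, min(first, delay))
    return out

if __name__ == "__main__":
    for host, (count, first) in summarize(ct_correlated(EVENTS, CERT_ISSUED)).items():
        print(f"{host}: {count} scanner-like hit(s), first {first} after issuance")
```

A cluster of hits a few minutes after issuance on hostnames that previously saw no such traffic supports the CT-log explanation; hits outside the window or from ordinary clients are left out.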
Thanks @Judge for the reply.