
> "[...] we're all forwarding port 9100 or 631 to our printer to allow ourselves to print from outside the network, which sets up an HTTP server at that address open to the internet. All it takes is for somebody to put the appropriate GET request in [...]"

> "Both of our printers have public IP addresses"

It looks like the printers are publicly accessible, and some automated tool (nmap?) is just scanning them for vulnerabilities, open ports, or similar. Not too surprising really.



The printed page even says NMap on it. nmapol=tlitcp is Transport Layer Interface and TCP. I'm not positive, but NMap OL could be NMap openvas-library, which is a vulnerability scanner. Sounds to me like someone scanning with NMap over TLI and TCP and it's hitting these printers.

Don't expose your printers to the web without a strict firewall or VPN/reverse proxy!


When nmap scans port 9100 it doesn't send anything (at least as of nmap 6.00 using -sV). It is probably a higher level vulnerability scanner, possibly metasploit, using nmap to discover open ports and then probe deeper on its own.


Nmap avoids sending to 9100 specifically to avoid sending data that the printer may misinterpret as data to be written to a page. You need to give it the --allports option.

   --allports (Don't exclude any ports from version detection) .
       By default, Nmap version detection skips TCP port 9100 because some
       printers simply print anything sent to that port, leading to dozens
       of pages of HTTP GET requests, binary SSL session requests, etc.
       This behavior can be changed by modifying or removing the Exclude
       directive in nmap-service-probes, or you can specify --allports to
       scan all ports regardless of any Exclude directive.
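Added example, not part of the thread and not Nmap's own code: a small Python sketch of how the Exclude directive quoted above decides whether a port gets version-detection probes. The sample file content is constructed, the function names are hypothetical, and it assumes a T:/U: qualifier carries over to the entries after it, as it does for -p.

```python
# Constructed fragment in the style of nmap-service-probes (not from a real install).
SAMPLE_PROBES = """\
# constructed sample
Exclude T:9100-9107
Probe TCP NULL q||
"""

def parse_exclude(text):
    """Return {'tcp': [(lo, hi), ...], 'udp': [...]} from the Exclude directive."""
    ranges = {"tcp": [], "udp": []}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("Exclude "):
            continue
        protos = ("tcp", "udp")  # unqualified entries apply to both protocols
        for item in line[len("Exclude "):].split(","):
            item = item.strip()
            if item[:2] in ("T:", "U:"):
                # Assumption: the qualifier persists for following entries.
                protos = ("tcp",) if item[0] == "T" else ("udp",)
                item = item[2:]
            if not item:
                continue
            lo, sep, hi = item.partition("-")
            lo_n = int(lo) if lo else 1                    # "-100" means 1-100
            hi_n = int(hi) if hi else (65535 if sep else lo_n)  # "100-" is open-ended
            for proto in protos:
                ranges[proto].append((lo_n, hi_n))
        break  # the directive is only honoured once per file
    return ranges

def is_version_probed(ranges, proto, port, allports=False):
    """True if version detection would send probe data to this port."""
    if allports:  # --allports ignores any Exclude directive
        return True
    return not any(lo <= port <= hi for lo, hi in ranges[proto])

if __name__ == "__main__":
    excluded = parse_exclude(SAMPLE_PROBES)
    for port in (631, 9100):
        print(port, "probed by default:", is_version_probed(excluded, "tcp", port))
    print(9100, "probed with --allports:",
          is_version_probed(excluded, "tcp", 9100, allports=True))
```

With this sample, raw-print port 9100 is skipped by default while 631 is still probed, so a printer that prints whatever arrives on 631 gets no such protection from a default version scan.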


Thanks!


That would definitely not be a stealthy scan :)


It is not surprising that printers just accept (possibly malformed) requests just from anywhere?


If I remember the presentation I saw on this, some don't even verify firmware updates.

http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfY...

http://engineering.columbia.edu/can-you-trust-your-printer


Not if the owners don't password protect anything. Without a valid login it shouldn't print anything, unless that login were exploited, but I don't see any mention of a password being bypassed.


Agreed, I've seen this before as well. I doubt it really has anything to do with Apple and likely the HP printer server software instead - being directly related to an nmap scan.



