On 2026-06-14 21:46, Ángel via mailop wrote:
> On 2026-06-14 at 19:32 -0400, postfix--- wrote:
>> 64.62.197.0/24 shadowserver.org
>>
A lot of good words for them. HOWEVER: IMHO, the opt out model is insufficient and unacceptable. Another signal.


> Shadowserver is a non-profit foundation.


Why are you arguing with a lawyer?  My [server|inbox], my rules.

Here are the counter-arguments:

(a) A non-profit foundation uses the same resources as anybody else, and should be at least as mindful about cost/benefit, and face the consequences of the externalities it causes, as anybody else.

(b) They use my resources without my permission. In my book, this is generally abusive, and being a non-profit is not grounds for exemption from the general rule. Neither is being a do-gooder / white hat.

(c) They admit themselves that their scanning practice is controversial. They state on their website that they scan from US subnets where, unlike other jurisdictions, the practice of non-consensual scanning is legal. MY VIEW IS THAT NON-CONSENSUAL SCANNING SHOULD BE ILLEGAL. And unless the law requires me to submit to such a scan (or gives law enforcement a warrant to do such a search on my specific IP, not a fishing expedition), I have a right to block the scanning outright.

(d) Their opt-out process requires me to give them more signals than I am inclined to. If they do not understand that they are being blocked at the firewall, it is their problem, not mine. I have minimized their waste of my resources. Even if they were scanning from a jurisdiction where network scanning is illegal, I would only sue them if the cost/benefit of suing were better than just firewall-blocking them.

(e) OPT-OUT IS WRONG from the start. Sadly, in this day and age, too many persons do not (want to) understand. Why do they have to behave like the deadbeat who crashed an NBA game for a selfie with a player? Any entity, individual, or organization practicing opt-out instead of opt-in deserves similar punishment as that egocentric deadbeat: exclusion.

(f) They seem to be getting privacy somewhat right: "need to know." Indeed, they do not need to know what I operate on my subnet; nor do their other partners and whomever they distribute their reports to.


> They scan pretty much the whole internet, detecting vulnerable services.


And now my tiny bit of the internet rejects their scans. I am only open to consensual, mutually agreed scans, at a mutually agreed frequency, etc.


> This information is provided free-of-charge to those that can fix it, basically network owners and national CSIRTs.


Free of charge is not the same as no cost, and I see no cost/benefit in being coerced to participate in their activity.


> They also operate honeypots and routinely collaborate with takedowns of malicious infrastructure, such as the recent AudiA6 cryptolaundering takedown by Europol:
> https://www.europol.europa.eu/media-press/newsroom/news/ransomware-gangs-cut-eur-336-million-audia6-crypto-laundering-pipeline


(g) Good for them. Probably someone finds their public service useful. Not a reason to override my preference for not being scanned. I wish them luck, and I wish them to understand to stay away where they have not been invited.

Yuv

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop