On 2026-06-14 21:46, Ángel via mailop wrote:
On 2026-06-14 at 19:32 -0400, postfix--- wrote:
>> 64.62.197.0/24 shadowserver.org
>>
A lot of good words for them. HOWEVER: IMHO, the opt out model is
insufficient and unacceptable. Another signal.
> Shadowserver is a non-profit foundation.
Why are you arguing with a lawyer? My [server|inbox], my rules.
Here are the counter-arguments:
(a) a non-profit foundation uses the same resources as anybody else, and
should be at least as mindful about cost/benefit; and face the
consequences of the externalities it causes; as anybody else.
(b) they use my resources without my permission. In my book, this is
generally abusive, and being a non-profit is not ground for exemption
from the general rule. Neither is being a do-gooder / white hat.
(c) they admit themselves that their scanning practice is controversial.
they state on their website that they scan from US subnets where, unlike
other jurisdictions, the practice of non-consensual scanning is legal.
MY VIEW IS THAT NON-CONSENSUAL SCANNING SHOULD BE ILLEGAL. And unless
the law requires me to submit to such scan (or gives law enforcement a
warrant to do such a search on my specific IP, not a fishing
expedition), I have a right to block the scanning outright.
(d) their opt-out process requires me to give them more signals than I
am inclined to. If they do not understand that they are being blocked
at the firewall, it is their problem, not mine. I have minimized their
waste of my resources. Even if they were scanning from a jurisdiction
where network scanning is illegal, I would only sue them if the
cost/benefit of suing would be better than just firewall blocking them.
(e) OPT-OUT IS WRONG from the start. Sadly, in this day and age, too
many persons do not (want to) understand. Why do they have to behave
like the deadbeat who crashed an NBA game for a selfie with a player?
Any entity, individual, or organization practicing opt-out instead of
opt-in deserves similar punishment as that egocentric deadbeat: exclusion.
(f) they seem to be getting privacy somewhat right: "need to know."
indeed they do not need to know what I operate on my subnet; nor do
their other partners and whomever they distribute their reports to.
> They scan pretty much the whole internet, detecting vulnerable
> services.
And now my tiny bit of the internet rejects their scan. I am only open
to consensual, mutually agreed scans, at mutually agreed frequency etc.
> This information is provided free-of-charge to those that can fix it,
> basically network owners and national CSIRTs.
Free-of-charge is not the same as no cost. And I see no cost/benefit in
being coerced to participate in their activity.
> They also operate honeypots and routinely collaborate with takedowns
> of malicious infrastructure, such as the recent AudiA6 cryptolaundering
> takedown by Europol:
> https://www.europol.europa.eu/media-press/newsroom/news/ransomware-gangs-cut-eur-336-million-audia6-crypto-laundering-pipeline
(g) good for them. Probably someone finds their public service
useful. Not a reason to override my preference for not being scanned.
I wish them luck. And I wish them to understand to stay away where they
have not been invited.
Yuv
_______________________________________________
mailop mailing list
https://list.mailop.org/listinfo/mailop