I prefer to only report genuinely malicious behavior. As long as there's no active attempt at block evasion I figure reporting it is just increasing noise and generally making things worse for everyone. It's the active block evasion crowd that make any and every network communication protocol a pain in the ass to use at scale. It wasn't simpletons using a single static IP address that triggered such widespread adoption of Anubis overnight.
Look I'm just trying to distinguish "active circumvention of blocks" from pretty much everything else. Because the former is what destroys the usefulness of protocols while the vast majority of other things can be trivially resolved by blocking the offending party. Including { corporate service } that I don't use sending me { unwanted thing }.
If a bot that sends a fixed set of headers and is behind a single static IP is behaving poorly and slowing down your server you can block it and move on. Whereas when an abhorrently selfish operator with a client that actively hinders fingerprinting rapidly rotates through hundreds of thousands of IPs you end up with mass adoption of solutions like Anubis.
99.9% of spam is not active circumvention of blocks. It comes from so many sources you can't block them, but they are true different sources and not a block circumvention technique. That's why we decided to come down with the biggest hammer on every single source.
That doesn't match my experience at all. If I disable filtering what I see is a slew of ephemeral domains. Without DMARC I'm sure they would instead be official looking and fake.
> It comes from so many sources you can't block them,
Nonsense. If it were really countless fixed sources then a centralized domain blacklist would be sufficient. The issue is that the sources - both domain and IP - are aggressively rotated and even spoofed whenever possible.
That's how it looks now, in a world of ubiquitous spam blockers. Originally, it was each company sending you a few pieces of spam from a legitimate address.
