Scanners are the mosquitoes of the internet. Annoying, but mostly harmless, athough some may carry pathogens.
What distinguishes a scanner from a bot/hacker is that the former publishes a webpage (or whois record) that describes the activity and tells the visitor how to opt out of it.
A limited scanner with well-defined purpose and attribution, from an academic department at the University of Virginia. We allow their scans. Hm, we did until they disappeared ...
Abuse Contact DB is a limited scanner with a well-defined purpose and attribution, and we allow their scans
A polite scanner publishes the addresses that send their probes. Part of Project Sonar, Rapid7 Labs runs a polite scanner with well-defined statement of purpose, and they offer free public access to the data. We are considering allowing their scans.
Onyphe publishes its sending IPs on their front page. They offer an opt-out form, but helpfully suggest recipients simply block those addresses. We follow that advice and drop everything they send us.
A Russian business runs a light scanner and provide a statement of "Responsible Scanning Policy.". We drop them, as they do not benefit us, though we appreciate their clear statement of policy and reponsibility.
A polite but prolific Bulgarian scanner that we drop, with thanks for their open and calm manner
A scanner operated by driftnet.io, provides the platonic ideal of a scanner's webpage, with every piece of relevant information and nothing more. They offer free access to data from your own networks. We block their probes, but were we to use such a service, it would be this one
A polite, active scanner for paid users. We drop probes from their published IP sources, but note that their listing is intentionally difficult to scrape, for no good reason
Stretchoid is not a polite scanner, but as a Microsoft property it doesn't have to be. We drop everything from the /24 networks that send these probes, for reasons.
ShadowServer is a long-running scanner that sends "free daily reports to our vetted subscribers". We too would prefer a world where we "share what [we] know, so that all parties can become more secure." Unfortunately, that information is also shared with our enemies in the US governement and its DOGE operatives, who are actively making the world less secure. It is an impolite scanner, but we drop everything sent from the /24s that send their probes
Begun as a personal project, Shodan has become one of the longest-running scanners. While they lack clear government connections, they now charge for full reports. Impolite, they are, but scans come from predictibly-named hosts and are dropped.
Censys, another long-running scanner, began as an academic project of the University of Michigan and now presents itself as an alternative to Shodan for paid users. A polite scanner, they publish sending IPs and ASNs, and we drop their traffic, as they recommend.
A very active Korean(?) scanner. We drop everything from AS202425 (CriminalIP/Recyber/AISpera)
BinaryEdge was shut down in 2025, but its binaryedge.ninja scanners are still operating. They provide no public benefit, and we drop everything from their published list of sending IPs
Infrawatch, a new British business that may be the most active scanners today. They provide no public results, but advertise paid access. Opt-out requests are only accepted by email, where "reasonable exclusion requests and abuse reports are reviewed as promptly as practicable," and they do not publish a list of sending IPs. Their probes can be heavy (e.g., HTTP GET requests sent to our SMTP server). We drop everything AS25369 sends us.