And since i don’t post my valid urls anywhere no web-scraper can find them

You would ah… be surprised. My urls aren’t published anywhere and I currently have 4 active decisions and over 300 alerts from crowdsec.

It’s true none of those threat actors know my valid subdomains, but that doesn’t mean they don’t know I’m there.

I use Pangolin (https://github.com/fosrl/pangolin)