This was for querying package delivery status. I finally got one right after many attempts. The layout, layers, colors change after every attempt so good luck on figuring out which letters count.
It’s not just Brazil. China and Huawei’s Singapore datacenter are common bots for me too, but I have less of a problem blocking those off for most services, as I only have a few applications running where server-to-server traffic makes sense. There are a few Indian CGNAT exit points that sometimes show up as well, but their traffic is low enough that it doesn’t stand out. When spam traffic is coming from local (European) sources, it’s almost always from server IP blocks. Not a lot of domestic ISPs in my spam logs from most countries.
For some reason, Brazilian consumer ISPs just seem infested with certain strains of malware. It’s probably a brand of cheap IP cameras or routers that keeps getting infected; I remember Mirai hitting Brazil pretty badly. But I also get the feeling that Brazilian ISPs care even less about their networks’ security than the ones I’m used to, with how many infected customers find their way to my servers. I would’ve expected similarly populous countries like the USA and India to hit my servers at a similar rate, but Brazil seems to stand out for some reason.
I don’t tend to block countries directly (they have too many IP ranges for me to bother, to be honest), not that I have anything that they’d be interested in anyway. I do get waves of Brazilian IP addresses trying to submit spam to my mail server, though. I haven’t seen those coming from other countries yet. I know it’s not Brazilians themselves sending those, but that doesn’t make the spam any less annoying. For larger websites, I can see why they block IP ranges so aggressively.
I don’t think of ISPs in terms of nationality per se. I block per ISP, not per country, with the exception of China, whose great firewall should probably “protect” their citizens from my websites anyway, and there I’m probably missing a whole bunch of ASNs anyway. It’s up to ISPs to maintain the reputation of their networks and to stop their infected customers from bothering everyone else, and if they don’t do it, I block their networks. In fact most filters that throw up blockades and CAPTCHAs and fail2ban blocks are doing this entirely automatically; if countries get blocked out it’s usually for legal reasons rather than anti-bot protection.
If you get a lot of these blocks, it’s possible you’re in the same subnet as someone with a hacked device or shitty VPN app and got hit as collateral damage. I got that for a while after switching to an ISP that had just bought a block of IP addresses from a Ukrainian ISP. It’s just an unfortunate side effect of the modern Internet that you must either figure out how to get a new IP or hope the malware on your IP neighbours gets cleaned up. I don’t have enough time and energy to protect the innocent from the guilty when it comes to my small, insignificant websites, and I shouldn’t be needing to take such aggressive action against these IP ranges in the first place.
In a similar vein, I get a lot of 403 errors when browsing websites like Reddit because news websites still block off GDPR countries. I know how annoying it can be.