bds_atif Artillery Threat Intelligence Feed and Banlist Feed ipv4 hash:ip 649 unique IPs updated every 1 day from this link bitcoin_nodes BitNodes Bitcoin connected nodes, globally. ipv4 hash:ip 7196 unique IPs updated every 10 mins from this link bitcoin_nodes_1d BitNodes Bitcoin connected nodes, globally. ipv4 hash:ip 7998 unique IPs updated every 10 mins from this link bitcoin_nodes_30d BitNodes Bitcoin connected nodes, globally. ipv4 hash:ip 15789 unique IPs updated every 10 mins from this link bitcoin_nodes_7d BitNodes Bitcoin connected nodes, globally. ipv4 hash:ip 9777 unique IPs updated every 10 mins from this link blocklist_de Blocklist.de IPs that have been detected by fail2ban in the last 48 hours ipv4 hash:ip 32510 unique IPs updated every 15 mins from this link blocklist_de_apache Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks. ipv4 hash:ip 10389 unique IPs updated every 15 mins from this link blocklist_de_bots Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = it has posted a Spam-Comment on a open Forum or Wiki). ipv4 hash:ip 6623 unique IPs updated every 15 mins from this link blocklist_de_bruteforce Blocklist.de All IPs which attacks Joomla, Wordpress and other Web-Logins with Brute-Force Logins. ipv4 hash:ip 2013 unique IPs updated every 15 mins from this link blocklist_de_ftp Blocklist.de All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP. ipv4 hash:ip 436 unique IPs updated every 15 mins from this link blocklist_de_imap Blocklist.de All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3, etc. ipv4 hash:ip 6802 unique IPs updated every 15 mins from this link blocklist_de_mail Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix. ipv4 hash:ip 16105 unique IPs updated every 15 mins from this link blocklist_de_sip Blocklist.de All IP addresses that tried to login in a SIP, VOIP or Asterisk Server and are included in the IPs list from infiltrated.net ipv4 hash:ip 48 unique IPs updated every 15 mins from this link blocklist_de_ssh Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH. ipv4 hash:ip 6868 unique IPs updated every 15 mins from this link blocklist_de_strongips Blocklist.de All IPs which are older then 2 month and have more then 5.000 attacks. ipv4 hash:ip 306 unique IPs updated every 15 mins from this link blocklist_net_ua blocklist.net.ua The BlockList project was created to become protection against negative influence of the harmful and potentially dangerous events on the Internet. First of all this service will help internet and hosting providers to protect subscribers sites from being hacked. BlockList will help to stop receiving a large amount of spam from dubious SMTP relays or from attempts of brute force passwords to servers and network equipment. ipv4 hash:ip 83725 unique IPs updated every 10 mins from this link bm_tor torstatus.blutmagie.de list of all TOR network servers ipv4 hash:ip disabled updated every 30 mins from this link bogons Team-Cymru.org private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598 and netblocks that have not been allocated to a regional internet registry ipv4 hash:net 13 subnets, 592708608 unique IPs updated every 1 day botscout BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. ipv4 hash:ip 60 unique IPs updated every 30 mins from this link botscout_1d BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. ipv4 hash:ip 549 unique IPs updated every 30 mins from this link botscout_30d BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. ipv4 hash:ip 9241 unique IPs updated every 30 mins from this link botscout_7d BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots. ipv4 hash:ip 3099 unique IPs updated every 30 mins from this link botvrij_dst botvrij.eu Indicators of Compromise (IOCS) about malicious destination IPs, gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed. ipv4 hash:ip disabled updated every 1 day from this link botvrij_src botvrij.eu Indicators of Compromise (IOCS) about malicious source IPs, gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed. ipv4 hash:ip disabled updated every 1 day from this link bruteforceblocker danger.rulez.sk bruteforceblocker (fail2ban alternative for SSH on OpenBSD). This is an automatically generated list from users reporting failed authentication attempts. An IP seems to be included if 3 or more users report it. Its retention pocily seems 30 days. ipv4 hash:ip 560 unique IPs updated every 3 hours from this link ciarmy CIArmy.com IPs with poor Rogue Packet score that have not yet been identified as malicious by the community ipv4 hash:ip 15000 unique IPs updated every 3 hours from this link cidr_report_bogons Unallocated (Free) Address Space, generated on a daily basis using the IANA registry files, the Regional Internet Registry stats files and the Regional Internet Registry whois data. ipv4 hash:net 18 subnets, 588514808 unique IPs updated every 1 day from this link cleantalk CleanTalk Today's HTTP Spammers (includes: cleantalk_new cleantalk_updated) ipv4 hash:ip 494 unique IPs updated every 1 min cleantalk_1d CleanTalk Today's HTTP Spammers (includes: cleantalk_new_1d cleantalk_updated_1d) ipv4 hash:ip 1900 unique IPs updated every 1 min cleantalk_30d CleanTalk Today's HTTP Spammers (includes: cleantalk_new_30d cleantalk_updated_30d) ipv4 hash:ip 37919 unique IPs updated every 1 min cleantalk_7d CleanTalk Today's HTTP Spammers (includes: cleantalk_new_7d cleantalk_updated_7d) ipv4 hash:ip 9233 unique IPs updated every 1 min cleantalk_new CleanTalk Recent HTTP Spammers ipv4 hash:ip 250 unique IPs updated every 15 mins from this link cleantalk_new_1d CleanTalk Recent HTTP Spammers ipv4 hash:ip 754 unique IPs updated every 15 mins from this link cleantalk_new_30d CleanTalk Recent HTTP Spammers ipv4 hash:ip 15416 unique IPs updated every 15 mins from this link cleantalk_new_7d CleanTalk Recent HTTP Spammers ipv4 hash:ip 3989 unique IPs updated every 15 mins from this link cleantalk_top20 CleanTalk Top 20 HTTP Spammers ipv4 hash:ip 20 unique IPs updated every 1 day from this link cleantalk_updated CleanTalk Recurring HTTP Spammers ipv4 hash:ip 250 unique IPs updated every 15 mins from this link cleantalk_updated_1d CleanTalk Recurring HTTP Spammers ipv4 hash:ip 1278 unique IPs updated every 15 mins from this link cleantalk_updated_30d CleanTalk Recurring HTTP Spammers ipv4 hash:ip 28579 unique IPs updated every 15 mins from this link cleantalk_updated_7d CleanTalk Recurring HTTP Spammers ipv4 hash:ip 6171 unique IPs updated every 15 mins from this link cta_cryptowall Cyber Threat Alliance CryptoWall is one of the most lucrative and broad-reaching ransomware campaigns affecting Internet users today. Sharing intelligence and analysis resources, the CTA profiled the latest version of CryptoWall, which impacted hundreds of thousands of users, resulting in over US $325 million in damages worldwide. ipv4 hash:ip 1360 unique IPs updated every 1 day from this link cybercrime CyberCrime A project tracking Command and Control. ipv4 hash:ip 216 unique IPs updated every 12 hours from this link darklist_de darklist.de ssh fail2ban reporting ipv4 hash:net 6008 subnets, 274857 unique IPs updated every 1 day from this link dataplane_dnsrd DataPlane.org IP addresses that have been identified as sending recursive DNS queries to a remote host. This report lists addresses that may be cataloging open DNS resolvers or evaluating cache entries. ipv4 hash:ip 54455 unique IPs updated every 1 hour dataplane_dnsrdany DataPlane.org IP addresses that have been identified as sending recursive DNS IN ANY queries to a remote host. This report lists addresses that may be cataloging open DNS resolvers for the purpose of later using them to facilitate DNS amplification and reflection attacks. ipv4 hash:ip 47952 unique IPs updated every 1 hour dataplane_dnsversion DataPlane.org IP addresses that have been identified as sending DNS CH TXT VERSION.BIND queries to a remote host. This report lists addresses that may be cataloging DNS software. ipv4 hash:ip 5878 unique IPs updated every 1 hour dataplane_sipinvitation DataPlane.org IP addresses that have been seen initiating a SIP INVITE operation to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP client cataloging or conducting various forms of telephony abuse. ipv4 hash:ip 56 unique IPs updated every 1 hour dataplane_sipquery DataPlane.org IP addresses that has been seen initiating a SIP OPTIONS query to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP server cataloging or conducting various forms of telephony abuse. ipv4 hash:ip 4747 unique IPs updated every 1 hour dataplane_sipregistration DataPlane.org IP addresses that have been seen initiating a SIP REGISTER operation to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP client cataloging or conducting various forms of telephony abuse. ipv4 hash:ip 475 unique IPs updated every 1 hour dataplane_sshclient DataPlane.org IP addresses that has been seen initiating an SSH connection to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SSH server cataloging or conducting authentication attack attempts. ipv4 hash:ip 36666 unique IPs updated every 1 hour dataplane_sshpwauth DataPlane.org IP addresses that has been seen attempting to remotely login to a host using SSH password authentication. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks. ipv4 hash:ip 29300 unique IPs updated every 1 hour dataplane_vncrfb DataPlane.org IP addresses that have been seen initiating a VNC remote frame buffer (RFB) session to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be VNC server cataloging or conducting various forms of remote access abuse. ipv4 hash:ip 2108 unique IPs updated every 1 hour dm_tor dan.me.uk dynamic list of TOR nodes ipv4 hash:ip 7284 unique IPs updated every 30 mins from this link dronebl_anonymizers DroneBL.org List of open proxies. It includes IPs which DroneBL categorizes as SOCKS proxies (8), HTTP proxies (9), web page proxies (11), WinGate proxies (14), proxy chains (10). ipv4 hash:net 1276703 subnets, 1380407 unique IPs updated every 1 min dronebl_auto_botnets DroneBL.org IPs of automatically detected botnets. It includes IPs for which DroneBL responds with 17. ipv4 hash:net 32127 subnets, 33657 unique IPs updated every 1 min dronebl_autorooting_worms DroneBL.org IPs of autorooting worms. It includes IPs for which DroneBL responds with 16. These are usually SSH bruteforce attacks. ipv4 hash:net 36 subnets, 36 unique IPs updated every 1 min dronebl_compromised DroneBL.org IPs of compromised routers / gateways. It includes IPs for which DroneBL responds with 15 (BOPM detected). ipv4 hash:net 46270 subnets, 47714 unique IPs updated every 1 min dronebl_ddos_drones DroneBL.org IPs of DDoS drones. It includes IPs for which DroneBL responds with 7. ipv4 hash:net 7297 subnets, 7453 unique IPs updated every 1 min dronebl_dns_mx_on_irc DroneBL.org List of IPs of DNS / MX hostname detected on IRC. It includes IPs for which DroneBL responds with 18. ipv4 hash:net 16 subnets, 16 unique IPs updated every 1 min dronebl_irc_drones DroneBL.org List of IRC spam drones (litmus/sdbot/fyle). It includes IPs for which DroneBL responds with 3. ipv4 hash:net 836294 subnets, 1005887 unique IPs updated every 1 min dronebl_unknown DroneBL.org List of IPs of uncategorized threats. It includes IPs for which DroneBL responds with 255. ipv4 hash:net 16 subnets, 16 unique IPs updated every 1 min dronebl_worms_bots DroneBL.org IPs of unknown worms or spambots. It includes IPs for which DroneBL responds with 6 ipv4 hash:net 432997 subnets, 444506 unique IPs updated every 1 min dshield DShield.org top 20 attacking class C (/24) subnets over the last three days ipv4 hash:net 20 subnets, 5120 unique IPs updated every 10 mins from this link dshield_1d DShield.org top 20 attacking class C (/24) subnets over the last three days ipv4 hash:net 29 subnets, 7424 unique IPs updated every 10 mins from this link dshield_30d DShield.org top 20 attacking class C (/24) subnets over the last three days ipv4 hash:net 58 subnets, 15616 unique IPs updated every 10 mins from this link dshield_7d DShield.org top 20 attacking class C (/24) subnets over the last three days ipv4 hash:net 40 subnets, 10752 unique IPs updated every 10 mins from this link et_block EmergingThreats.net default blacklist (at the time of writing includes spamhaus DROP, dshield and abuse.ch trackers, which are available separately too - prefer to use the direct ipsets instead of this, they seem to lag a bit in updates) ipv4 hash:net 1477 subnets, 15039491 unique IPs updated every 12 hours from this link et_compromised EmergingThreats.net compromised hosts ipv4 hash:ip 515 unique IPs updated every 12 hours from this link et_dshield EmergingThreats.net dshield blocklist ipv4 hash:net 20 subnets, 5120 unique IPs updated every 12 hours from this link et_spamhaus EmergingThreats.net spamhaus blocklist ipv4 hash:net 1457 subnets, 15035136 unique IPs updated every 12 hours from this link et_tor EmergingThreats.net TOR list of TOR network IPs ipv4 hash:ip 7300 unique IPs updated every 12 hours from this link feodo Abuse.ch Feodo tracker trojan includes IPs which are being used by Feodo (also known as Cridex or Bugat) which commits ebanking fraud ipv4 hash:ip 1 unique IPs updated every 30 mins from this link feodo_badips Abuse.ch Feodo tracker BadIPs The Feodo Tracker Feodo BadIP Blocklist only contains IP addresses (IPv4) used as C&C communication channel by the Feodo Trojan version B. These IP addresses are usually servers rented by cybercriminals directly and used for the exclusive purpose of hosting a Feodo C&C server. Hence you should expect no legit traffic to those IP addresses. The site highly recommends you to block/drop any traffic towards any Feodo C&C using the Feodo BadIP Blocklist. Please consider that this blocklist only contains IP addresses used by version B of the Feodo Trojan. C&C communication channels used by version A, version C and version D are not covered by this blocklist. ipv4 hash:ip 4 unique IPs updated every 30 mins from this link firehol_abusers_1d An ipset made from blocklists that track abusers in the last 24 hours. (includes: botscout_1d cleantalk_new_1d cleantalk_updated_1d php_commenters_1d php_dictionary_1d php_harvesters_1d php_spammers_1d stopforumspam_1d) ipv4 hash:net 6025 subnets, 6117 unique IPs updated every 1 min firehol_abusers_30d An ipset made from blocklists that track abusers in the last 30 days. (includes: cleantalk_new_30d cleantalk_updated_30d php_commenters_30d php_dictionary_30d php_harvesters_30d php_spammers_30d stopforumspam sblam) ipv4 hash:net 161597 subnets, 171772 unique IPs updated every 1 min firehol_anonymous An ipset that includes all the anonymizing IPs of the world. (includes: anonymous dm_tor firehol_proxies tor_exits) ipv4 hash:net 1970605 subnets, 2402615 unique IPs updated every 1 min firehol_level1 A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: dshield feodo fullbogons spamhaus_drop spamhaus_edrop) ipv4 hash:net 4574 subnets, 611801153 unique IPs updated every 1 min firehol_level2 An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow) ipv4 hash:net 24902 subnets, 41745 unique IPs updated every 1 min firehol_level3 An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs than have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dshield_30d myip vxvault) ipv4 hash:net 12980 subnets, 30096 unique IPs updated every 1 min firehol_level4 An ipset made from blocklists that track attacks, but may include a large number of false positives. (includes: blocklist_net_ua botscout_30d cybercrime iblocklist_hijacked iblocklist_spyware iblocklist_webexploit) ipv4 hash:net 84036 subnets, 9182461 unique IPs updated every 1 min firehol_proxies An ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days. (includes: iblocklist_proxies ip2proxy_px1lite socks_proxy_30d sslproxies_30d) ipv4 hash:net 1964780 subnets, 2389415 unique IPs updated every 1 min firehol_webclient An IP blacklist made from blocklists that track IPs that a web client should never talk to. This list is to be used on top of firehol_level1. (includes: cybercrime) ipv4 hash:net 216 subnets, 216 unique IPs updated every 1 min firehol_webserver A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous). (includes: myip stopforumspam_toxic) ipv4 hash:net 892 subnets, 123874 unique IPs updated every 1 min fullbogons Team-Cymru.org IP space that has been allocated to an RIR, but not assigned by that RIR to an actual ISP or other end-user ipv4 hash:net 2909 subnets, 596503104 unique IPs updated every 1 day geolite2_asn MaxMind GeoLite2 ASN ipv4 hash:net disabled updated every 7 days from this link geolite2_country MaxMind GeoLite2 databases are free IP geolocation databases comparable to, but less accurate than, MaxMind’s GeoIP2 databases. They include IPs per country, IPs per continent, IPs used by anonymous services (VPNs, Proxies, etc) and Satellite Providers. ipv4 hash:net All the world updated every 7 days from this link gofferje_sip Stefan Gofferje A personal blacklist of networks and IPs of SIP attackers. To end up here, the IP or network must have been the origin of considerable and repeated attacks on my PBX and additionally, the ISP didn't react to any complaint. Note from the author: I don't give any guarantees of accuracy, completeness or even usability! USE AT YOUR OWN RISK! Also note that I block complete countries, namely China, Korea and Palestine with blocklists from ipdeny.com, so some attackers will never even get the chance to get noticed by me to be put on this blacklist. I also don't accept any liabilities related to this blocklist. If you're an ISP and don't like your IPs being listed here, too bad! You should have done something about your customers' behavior and reacted to my complaints. This blocklist is nothing but an expression of my personal opinion and exercising my right of free speech. ipv4 hash:net disabled updated every 6 hours from this link gpf_comics The GPF DNS Block List is a list of IP addresses on the Internet that have attacked the GPF Comics family of Web sites. IPs on this block list have been banned from accessing all of our servers because they were caught in the act of spamming, attempting to exploit our scripts, scanning for vulnerabilities, or consuming resources to the detriment of our human visitors. ipv4 hash:ip 2536 unique IPs updated every 1 day from this link graphiclineweb GraphiclineWeb The IP’s, Hosts and Domains listed in this table are banned universally from accessing websites controlled by the maintainer. Some form of bad activity has been seen from the addresses listed. Bad activity includes: unwanted spiders, rule breakers, comment spammers, trackback spammers, spambots, hacker bots, registration bots and other scripting attackers, harvesters, nuisance spiders, spy bots and organizations spying on websites for commercial reasons. ipv4 hash:net 2579 subnets, 330527 unique IPs updated every 1 day from this link greensnow GreenSnow is a team harvesting a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Their list is updated automatically and you can withdraw at any time your IP address if it has been listed. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, etc. ipv4 hash:ip 5485 unique IPs updated every 30 mins from this link iblocklist_abuse_palevo palevotracker.abuse.ch IP blocklist. ipv4 hash:net 12 subnets, 12 unique IPs updated every 12 hours from this link iblocklist_abuse_spyeye spyeyetracker.abuse.ch IP blocklist. ipv4 hash:net 83 subnets, 84 unique IPs updated every 12 hours from this link iblocklist_abuse_zeus zeustracker.abuse.ch IP blocklist that contains IP addresses which are currently beeing tracked on the abuse.ch ZeuS Tracker. ipv4 hash:net 209 subnets, 212 unique IPs updated every 12 hours from this link iblocklist_ads Advertising trackers and a short list of bad/intrusive porn sites. ipv4 hash:net 3392 subnets, 888719 unique IPs updated every 12 hours iblocklist_bogons Unallocated address space. ipv4 hash:net 2692 subnets, 645673639 unique IPs updated every 12 hours iblocklist_ciarmy_malicious ciarmy.com IP blocklist. Based on information from a network of Sentinel devices deployed around the world, they compile a list of known bad IP addresses. Sentinel devices are uniquely positioned to pick up traffic from bad guys without requiring any type of signature-based or rate-based identification. If an IP is identified in this way by a significant number of Sentinels, the IP is malicious and should be blocked. ipv4 hash:net 12539 subnets, 15000 unique IPs updated every 12 hours from this link iblocklist_cidr_report_bogons cidr-report.org IP list of Unallocated address space. ipv4 hash:net 18 subnets, 588514808 unique IPs updated every 12 hours from this link iblocklist_cruzit_web_attacks CruzIT IP list with individual IP addresses of compromised machines scanning for vulnerabilities and DDOS attacks. ipv4 hash:net 14096 subnets, 14397 unique IPs updated every 12 hours from this link iblocklist_dshield known Hackers and such people. ipv4 hash:net 16 subnets, 2566 unique IPs updated every 12 hours iblocklist_edu IPs used by Educational Institutions. ipv4 hash:net 43893 subnets, 227913408 unique IPs updated every 12 hours iblocklist_exclusions Exclusions. ipv4 hash:net 313 subnets, 7488 unique IPs updated every 12 hours iblocklist_fornonlancomputers IP blocklist for non-LAN computers. ipv4 hash:net 4 subnets, 302055424 unique IPs updated every 12 hours iblocklist_forumspam Forum spam. ipv4 hash:net 455 subnets, 479 unique IPs updated every 12 hours iblocklist_hijacked Hijacked IP-Blocks. Contains hijacked IP-Blocks and known IP-Blocks that are used to deliver Spam. This list is a combination of lists with hijacked IP-Blocks. Hijacked IP space are IP blocks that are being used without permission by organizations that have no relation to original organization (or its legal successor) that received the IP block. In essence it's stealing of somebody else's IP resources. ipv4 hash:net 512 subnets, 8736512 unique IPs updated every 12 hours iblocklist_iana_multicast IANA Multicast IPs. ipv4 hash:net 1 subnets, 268435456 unique IPs updated every 12 hours iblocklist_iana_private IANA Private IPs. ipv4 hash:net 58 subnets, 51643646 unique IPs updated every 12 hours iblocklist_iana_reserved IANA Reserved IPs. ipv4 hash:net 1 subnets, 536870912 unique IPs updated every 12 hours iblocklist_isp_aol AOL IPs. ipv4 hash:net 16 subnets, 6627584 unique IPs updated every 1 day from this link iblocklist_isp_att AT&T IPs. ipv4 hash:net 35 subnets, 55845128 unique IPs updated every 1 day from this link iblocklist_isp_cablevision Cablevision IPs. ipv4 hash:net 11 subnets, 1787136 unique IPs updated every 1 day from this link iblocklist_isp_charter Charter IPs. ipv4 hash:net 21 subnets, 6138112 unique IPs updated every 1 day from this link iblocklist_isp_comcast Comcast IPs. ipv4 hash:net 33 subnets, 45121536 unique IPs updated every 1 day from this link iblocklist_isp_embarq Embarq IPs. ipv4 hash:net 14 subnets, 2703360 unique IPs updated every 1 day from this link iblocklist_isp_qwest Qwest IPs. ipv4 hash:net 73 subnets, 15777552 unique IPs updated every 1 day from this link iblocklist_isp_sprint Sprint IPs. ipv4 hash:net 73 subnets, 6310570 unique IPs updated every 1 day from this link iblocklist_isp_suddenlink Suddenlink IPs. ipv4 hash:net 3 subnets, 458752 unique IPs updated every 1 day from this link iblocklist_isp_twc Time Warner Cable IPs. ipv4 hash:net 56 subnets, 15015936 unique IPs updated every 1 day from this link iblocklist_isp_verizon Verizon IPs. ipv4 hash:net 22 subnets, 18087936 unique IPs updated every 1 day from this link iblocklist_level1 Level 1 (for use in p2p): Companies or organizations who are clearly involved with trying to stop filesharing (e.g. Baytsp, MediaDefender, Mediasentry). Companies which anti-p2p activity has been seen from. Companies that produce or have a strong financial interest in copyrighted material (e.g. music, movie, software industries a.o.). Government ranges or companies that have a strong financial interest in doing work for governments. Legal industry ranges. IPs or ranges of ISPs from which anti-p2p activity has been observed. Basically this list will block all kinds of internet connections that most people would rather not have during their internet travels. ipv4 hash:net 235633 subnets, 725210077 unique IPs updated every 12 hours iblocklist_level2 Level 2 (for use in p2p). General corporate ranges. Ranges used by labs or researchers. Proxies. ipv4 hash:net 78366 subnets, 337851677 unique IPs updated every 12 hours iblocklist_level3 Level 3 (for use in p2p). Many portal-type websites. ISP ranges that may be dodgy for some reason. Ranges that belong to an individual, but which have not been determined to be used by a particular company. Ranges for things that are unusual in some way. The L3 list is aka the paranoid list. ipv4 hash:net 18867 subnets, 137054866 unique IPs updated every 12 hours iblocklist_malc0de malc0de.com IP blocklist. Addresses that have been identified distributing malware during the past 30 days. ipv4 hash:net 21 subnets, 21 unique IPs updated every 12 hours from this link iblocklist_onion_router The Onion Router IP addresses. ipv4 hash:net 853 subnets, 1196 unique IPs updated every 12 hours from this link iblocklist_org_activision Activision IPs. ipv4 hash:net 49 subnets, 4902 unique IPs updated every 1 day from this link iblocklist_org_apple Apple IPs. ipv4 hash:net 1 subnets, 16777216 unique IPs updated every 1 day from this link iblocklist_org_blizzard Blizzard IPs. ipv4 hash:net 8 subnets, 16795139 unique IPs updated every 1 day from this link iblocklist_org_crowd_control Crowd Control Productions IPs. ipv4 hash:net 2 subnets, 768 unique IPs updated every 1 day from this link iblocklist_org_electronic_arts Electronic Arts IPs. ipv4 hash:net 42 subnets, 69720 unique IPs updated every 1 day from this link iblocklist_org_joost Joost IPs. ipv4 hash:net 4 subnets, 16779456 unique IPs updated every 1 day from this link iblocklist_org_linden_lab Linden Lab IPs. ipv4 hash:net 11 subnets, 23600 unique IPs updated every 1 day from this link iblocklist_org_logmein LogMeIn IPs. ipv4 hash:net 13 subnets, 16781568 unique IPs updated every 1 day from this link iblocklist_org_microsoft Microsoft IP ranges. ipv4 hash:net 901 subnets, 1848599 unique IPs updated every 12 hours iblocklist_org_ncsoft NCsoft IPs. ipv4 hash:net 5 subnets, 12560 unique IPs updated every 1 day from this link iblocklist_org_nintendo Nintendo IPs. ipv4 hash:net 45 subnets, 3927 unique IPs updated every 1 day from this link iblocklist_org_pandora Pandora IPs. ipv4 hash:net 1 subnets, 2048 unique IPs updated every 1 day from this link iblocklist_org_pirate_bay The Pirate Bay IPs. ipv4 hash:net 5 subnets, 323 unique IPs updated every 1 day from this link iblocklist_org_punkbuster Punkbuster IPs. ipv4 hash:net 1 subnets, 1 unique IPs updated every 1 day from this link iblocklist_org_riot_games Riot Games IPs. ipv4 hash:net 6 subnets, 1792 unique IPs updated every 1 day from this link iblocklist_org_sony_online Sony Online Entertainment IPs. ipv4 hash:net 7 subnets, 24616 unique IPs updated every 1 day from this link iblocklist_org_square_enix Square Enix IPs. ipv4 hash:net 2 subnets, 4112 unique IPs updated every 1 day from this link iblocklist_org_steam Steam IPs. ipv4 hash:net 53 subnets, 596448 unique IPs updated every 1 day from this link iblocklist_org_ubisoft Ubisoft IPs. ipv4 hash:net 10 subnets, 5308 unique IPs updated every 1 day from this link iblocklist_org_xfire XFire IPs. ipv4 hash:net 3 subnets, 3328 unique IPs updated every 1 day from this link iblocklist_pedophiles IP ranges of people who we have found to be sharing child pornography in the p2p community. ipv4 hash:net 29188 subnets, 847889 unique IPs updated every 12 hours from this link iblocklist_proxies Open Proxies IPs list (without TOR) ipv4 hash:ip 672 unique IPs updated every 12 hours iblocklist_rangetest Suspicious IPs that are under investigation. ipv4 hash:net 576 subnets, 4280758 unique IPs updated every 12 hours iblocklist_spamhaus_drop Spamhaus.org DROP (Don't Route Or Peer) list. ipv4 hash:net 900 subnets, 17338368 unique IPs updated every 12 hours from this link iblocklist_spider IP list intended to be used by webmasters to block hostile spiders from their web sites. ipv4 hash:net 773 subnets, 846788 unique IPs updated every 12 hours iblocklist_spyware Known malicious SPYWARE and ADWARE IP Address ranges. It is compiled from various sources, including other available spyware blacklists, HOSTS files, from research found at many of the top anti-spyware forums, logs of spyware victims, etc. ipv4 hash:net 3355 subnets, 339271 unique IPs updated every 12 hours iblocklist_webexploit Web server hack and exploit attempts. IP addresses related to current web server hack and exploit attempts that have been logged or can be found in and cross referenced with other related IP databases. Malicious and other non search engine bots will also be listed here, along with anything found that can have a negative impact on a website or webserver such as proxies being used for negative SEO hijacks, unauthorised site mirroring, harvesting, scraping, snooping and data mining / spy bot / security & copyright enforcement companies that target and continuosly scan webservers. ipv4 hash:ip 15382 unique IPs updated every 12 hours iblocklist_yoyo_adservers pgl.yoyo.org ad servers ipv4 hash:net 7532 subnets, 8909 unique IPs updated every 12 hours from this link ip2location_country IP2Location.com geolocation database ipv4 hash:net All the world updated every 1 day from this link ip2location_country_eh Western Sahara (EH) -- IP2Location.com ipv4 hash:net 1 subnets, 256 unique IPs updated every 1 day from this link ip2proxy_px1lite IP2Location.com IP2Proxy LITE IP-COUNTRY Database contains IP addresses which are used as public proxies. The LITE edition is a free version of database that is limited to public proxies IP address. ipv4 hash:net 1963209 subnets, 2387794 unique IPs updated every 1 day ipdeny_country IPDeny.com geolocation database ipv4 hash:net All the world updated every 1 day from this link myip myip.ms IPs identified as web bots in the last 10 days, using several sites that require human action ipv4 hash:ip 889 unique IPs updated every 1 day from this link php_bad projecthoneypot.org bad web hosts (this list is composed using an RSS feed) ipv4 hash:ip disabled updated every 1 hour from this link php_commenters projecthoneypot.org comment spammers (this list is composed using an RSS feed) ipv4 hash:ip 47 unique IPs updated every 1 hour from this link php_commenters_1d projecthoneypot.org comment spammers (this list is composed using an RSS feed) ipv4 hash:ip 96 unique IPs updated every 1 hour from this link php_commenters_30d projecthoneypot.org comment spammers (this list is composed using an RSS feed) ipv4 hash:ip 1150 unique IPs updated every 1 hour from this link php_commenters_7d projecthoneypot.org comment spammers (this list is composed using an RSS feed) ipv4 hash:ip 309 unique IPs updated every 1 hour from this link php_dictionary projecthoneypot.org directory attackers (this list is composed using an RSS feed) ipv4 hash:ip 49 unique IPs updated every 1 hour from this link php_dictionary_1d projecthoneypot.org directory attackers (this list is composed using an RSS feed) ipv4 hash:ip 97 unique IPs updated every 1 hour from this link php_dictionary_30d projecthoneypot.org directory attackers (this list is composed using an RSS feed) ipv4 hash:ip 1013 unique IPs updated every 1 hour from this link php_dictionary_7d projecthoneypot.org directory attackers (this list is composed using an RSS feed) ipv4 hash:ip 326 unique IPs updated every 1 hour from this link php_harvesters projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) ipv4 hash:ip 50 unique IPs updated every 1 hour from this link php_harvesters_1d projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) ipv4 hash:ip 62 unique IPs updated every 1 hour from this link php_harvesters_30d projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) ipv4 hash:ip 246 unique IPs updated every 1 hour from this link php_harvesters_7d projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed) ipv4 hash:ip 104 unique IPs updated every 1 hour from this link php_spammers projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) ipv4 hash:ip 46 unique IPs updated every 1 hour from this link php_spammers_1d projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) ipv4 hash:ip 92 unique IPs updated every 1 hour from this link php_spammers_30d projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) ipv4 hash:ip 1150 unique IPs updated every 1 hour from this link php_spammers_7d projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed) ipv4 hash:ip 353 unique IPs updated every 1 hour from this link proxyrss proxyrss.com open proxies syndicated from multiple sources. ipv4 hash:ip disabled updated every 4 hours from this link ri_connect_proxies rosinstrument.com open CONNECT proxies (this list is composed using an RSS feed) ipv4 hash:ip disabled updated every 1 hour from this link ri_web_proxies rosinstrument.com open HTTP proxies (this list is composed using an RSS feed) ipv4 hash:ip disabled updated every 1 hour from this link sblam sblam.com IPs used by web form spammers, during the last month ipv4 hash:ip 1363 unique IPs updated every 1 day from this link socks_proxy socks-proxy.net open SOCKS proxies ipv4 hash:ip 302 unique IPs updated every 10 mins from this link socks_proxy_1d socks-proxy.net open SOCKS proxies ipv4 hash:ip 1445 unique IPs updated every 10 mins from this link socks_proxy_30d socks-proxy.net open SOCKS proxies ipv4 hash:ip 2664 unique IPs updated every 10 mins from this link socks_proxy_7d socks-proxy.net open SOCKS proxies ipv4 hash:ip 1968 unique IPs updated every 10 mins from this link sorbs_anonymizers Sorbs.net List of open HTTP and SOCKS proxies. ipv4 hash:net disabled sorbs_block Sorbs.net List of hosts demanding that they never be tested by SORBS. ipv4 hash:net disabled sorbs_escalations Sorbs.net Netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be added to the list. ipv4 hash:net disabled sorbs_new_spam Sorbs.net List of hosts that have been noted as sending spam/UCE/UBE within the last 48 hours ipv4 hash:net disabled sorbs_noserver Sorbs.net IP addresses and netblocks of where system administrators and ISPs owning the network have indicated that servers should not be present. ipv4 hash:net disabled sorbs_recent_spam Sorbs.net List of hosts that have been noted as sending spam/UCE/UBE within the last 28 days (includes sorbs_new_spam) ipv4 hash:net disabled sorbs_smtp Sorbs.net List of SMTP Open Relays. ipv4 hash:net disabled sorbs_web Sorbs.net List of IPs which have spammer abusable vulnerabilities (e.g. FormMail scripts) ipv4 hash:net disabled sorbs_zombie Sorbs.net List of networks hijacked from their original owners, some of which have already used for spamming. ipv4 hash:net disabled spamhaus_drop Spamhaus.org DROP list (according to their site this list should be dropped at tier-1 ISPs globally) ipv4 hash:net 1456 subnets, 15034112 unique IPs updated every 12 hours from this link spamhaus_edrop Spamhaus.org EDROP (extended matches that should be used with DROP) ipv4 hash:net 336 subnets, 731392 unique IPs updated every 12 hours from this link sslproxies SSLProxies.org open SSL proxies ipv4 hash:ip 102 unique IPs updated every 10 mins from this link sslproxies_1d SSLProxies.org open SSL proxies ipv4 hash:ip 193 unique IPs updated every 10 mins from this link sslproxies_30d SSLProxies.org open SSL proxies ipv4 hash:ip 1764 unique IPs updated every 10 mins from this link sslproxies_7d SSLProxies.org open SSL proxies ipv4 hash:ip 592 unique IPs updated every 10 mins from this link stopforumspam StopForumSpam.com Banned IPs used by forum spammers ipv4 hash:ip 129791 unique IPs updated every 1 day from this link stopforumspam_180d StopForumSpam.com IPs used by forum spammers (last 180 days) ipv4 hash:ip 272168 unique IPs updated every 1 day from this link stopforumspam_1d StopForumSpam.com IPs used by forum spammers in the last 24 hours ipv4 hash:ip 3498 unique IPs updated every 1 hour from this link stopforumspam_30d StopForumSpam.com IPs used by forum spammers (last 30 days) ipv4 hash:ip 51062 unique IPs updated every 1 day from this link stopforumspam_365d StopForumSpam.com IPs used by forum spammers (last 365 days) ipv4 hash:ip 542819 unique IPs updated every 1 day from this link stopforumspam_7d StopForumSpam.com IPs used by forum spammers (last 7 days) ipv4 hash:ip 17248 unique IPs updated every 1 day from this link stopforumspam_90d StopForumSpam.com IPs used by forum spammers (last 90 days) ipv4 hash:ip 130118 unique IPs updated every 1 day from this link stopforumspam_toxic StopForumSpam.com Networks that have large amounts of spambots and are flagged as toxic. Toxic IP ranges are infrequently changed. ipv4 hash:net 56 subnets, 122988 unique IPs updated every 1 day from this link tor_exits TorProject.org list of all current TOR exit points (TorDNSEL) ipv4 hash:ip 1195 unique IPs updated every 5 mins from this link tor_exits_1d TorProject.org list of all current TOR exit points (TorDNSEL) ipv4 hash:ip 1203 unique IPs updated every 5 mins from this link tor_exits_30d TorProject.org list of all current TOR exit points (TorDNSEL) ipv4 hash:ip 1489 unique IPs updated every 5 mins from this link tor_exits_7d TorProject.org list of all current TOR exit points (TorDNSEL) ipv4 hash:ip 1275 unique IPs updated every 5 mins from this link urandomusto_dns IP Feed about dns, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_ftp IP Feed about ftp, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_http IP Feed about http, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_mailer IP Feed about mailer, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_malware IP Feed about malware, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_ntp IP Feed about ntp, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_rdp IP Feed about rdp, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_smb IP Feed about smb, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_spam IP Feed about spam, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_ssh IP Feed about ssh, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_telnet IP Feed about telnet, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_unspecified IP Feed about unspecified, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link urandomusto_vnc IP Feed about vnc, crawled from several sources, including several twitter accounts. ipv4 hash:ip disabled updated every 1 hour from this link vxvault VxVault The latest 100 additions of VxVault. ipv4 hash:ip 66 unique IPs updated every 12 hours from this link yoyo_adservers Yoyo.org IPs of ad servers ipv4 hash:ip 8909 unique IPs updated every 12 hours from this link zeus Abuse.ch Zeus tracker standard, contains the same data as the ZeuS IP blocklist (zeus_badips) but with the slight difference that it doesn't exclude hijacked websites (level 2) and free web hosting providers (level 3). This means that this blocklist contains all IPv4 addresses associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blocklist will likely cause some false positives. ipv4 hash:ip disabled updated every 30 mins from this link zeus_badips Abuse.ch Zeus tracker badips includes IPv4 addresses that are used by the ZeuS trojan. It is the recommened blocklist if you want to block only ZeuS IPs. It excludes IP addresses that ZeuS Tracker believes to be hijacked (level 2) or belong to a free web hosting provider (level 3). Hence the false postive rate should be much lower compared to the standard ZeuS IP blocklist. ipv4 hash:ip disabled updated every 30 mins from this link