Contents

• About this repo

• Using these ipsets

• Which ones to use?

• Why are open proxy lists included

• Using them in FireHOL

  • Adding the ipsets in your firehol.conf
  • Updating the ipsets while the firewall is running

• Dynamic List of ipsets included

• Comparison of ipsets

---

About this repo

This repository includes a list of ipsets dynamically updated with firehol's (https://github.com/ktsaou/firehol) update-ipsets.sh script found here.

This repo is self maintained. It it updated automatically from the script via a cron job.

You can find the ipset comparison to the pages of this repo: http://ktsaou.github.io/blocklist-ipsets.

Why do we need blocklists?

As time passes and the internet matures in our life, cyber crime is becoming increasingly sophisticated. Although there are many tools (detection of malware, viruses, intrusion detection and prevension systems, etc) to help us isolate the budguys, there are now a lot more than just such attacks.

What is more interesting is that the fraudsters or attackers in many cases are not going to do a direct damage to you or your systems. They will use you and your systems to gain something else, possibly not related or indirectly related to your business. Nowdays the attacks cannot be identified easily. They are distributed and come to our systems from a vast amount of IPs around the world.

To get an idea, check for example the XRumer software. This thing mimics human behaviour to post ads, it creates email accounts, responds to emails it receives, bypasses captchas, it goes gently to stay unoticed, etc.

To increase our effectiveness we need to complement our security solutions with our shared knowledge, our shared experience in this fight.

Hopefully, there are many teams out there that do their best to identify the attacks and pinpoint the attackers. These teams release blocklists. Blocklists of IPs (for use in firewalls), domains & URLs (for use in proxies), etc.

What we are interested here is IPs.

Using IP blocklists at the internet side of your firewall is a key component of internet security. These lists share key knowledge between us, allowing us to learn from each other and effectively isolate fraudsters and attackers from our services.

I decided to upload these lists to a github repo because:

1. They are freely available on the internet. The intention of their creators is to help internet security. Keep in mind though that a few of these lists may have special licences attached. Before using them, please check their source site for any information regarding proper use.

2. Github provides (via git pull) a unified way of updating all the lists together. Pulling this repo regularly on your machines, you will update all the IP lists at once.

3. Github also provides a unified version control. Using it we can have a history of what each list has done, which IPs or subnets were added and which were removed.

DNSBLs

Check also another tool included in FireHOL v3+, called dnsbl-ipset.sh.

This tool is capable of creating an ipset based on your traffic by looking up information on DNSBLs and scoring it according to your preferences.

More information here.

---

Using these ipsets

Please be very careful what you choose to use and how you use it. If you blacklist traffic using these lists you may end up blocking your users, your customers, even yourself (!) from accessing your services.

1. Go to to the site of each list and read how each list is maintained. You are going to trust these guys for doing their job right.

2. Most sites have either a donation system or commercial lists of higher quality. Try to support them.

3. I have included the TOR network in these lists (bm_tor, dm_tor, et_tor). The TOR network is not necessarily bad and you should not block it if you want to allow your users be anonymous. I have included it because for certain cases, allowing an anonymity network might be a risky thing (such as eCommerce).

4. Apply any blacklist at the internet side of your firewall. Be very carefull. The bogons and fullbogons lists contain private, unroutable IPs that should not be routed on the internet. If you apply such a blocklist on your DMZ or LAN side, you will be blocked out of your firewall.

5. Always have a whitelist too, containing the IP addresses or subnets you trust. Try to build the rules in such a way that if an IP is in the whitelist, it should not be blocked by these blocklists.

Which ones to use

Level 1 - Basic

These are the ones I install on all my firewalls. Level 1 provides basic security against the most well known attackers, with the minimum of false positives.

1. Abuse.ch lists feodo, palevo, sslbl, zeus, zeus_badips

   These folks are doing a great job tracking crimeware. Their blocklists are very focused. Keep in mind zeus may include some false positives. You can use zeus_badips instead.

2. DShield.org list dshield

   It contains the top 20 attacking class C (/24) subnets, over the last three days.

3. Spamhaus.org lists spamhaus_drop, spamhaus_edrop

   DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). According to Spamhaus.org:

   When implemented at a network or ISP's 'core routers', DROP and EDROP will help protect the network's users from spamming, scanning, harvesting, DNS-hijacking and DDoS attacks originating on rogue netblocks.

   Spamhaus strongly encourages the use of DROP and EDROP by tier-1s and backbones.

Spamhaus is very responsive to adapt these lists when a network owner updates them that the issue has been solved (I had one such incident with one of my users).

4. Team-Cymru.org list bogons or fullbogons

   These are lists of IPs that should not be routed on the internet. No one should be using them. Be very careful to apply either of the two on the internet side of your network.

Level 2 - Essentials

Level 2 provide protection against current brute force attacks. This level may have a small percentage of false positives, mainly due to dynamic IPs being re-used by other users.

1. OpenBL.org lists openbl*

   The team of OpenBL tracks brute force attacks on their hosts. They have a very short list for hosts, under their own control, collecting this information, to eliminate false positives. They suggest to use the default blacklist which has a retention policy of 90 days (openbl), but they also provide lists with different retention policies (from 1 day to 1 year). Their goal is to report abuse to the responsible provider so that the infection is disabled.

2. Blocklist.de lists blocklist_de*

   Is a network of users reporting abuse mainly using fail2ban. They eliminate false positives using other lists available. Since they collect information from their users, their lists may be subject to poisoning, or false positives. I asked them about poisoning. Here you can find their answer. In short, they track it down so that they have an ignorable rate of false positives. Also, they only include individual IPs (no subnets) which have attacked their users the last 48 hours and their list contains 20.000 to 40.000 IPs (which is small enough considering the size of the internet). Like openbl, their goal is to report abuse back, so that the infection is disabled. They also provide their blocklist per type of attack (mail, web, etc).

Of course there are more lists included. You can check them and decide if they fit for your needs.

Why are open proxy lists included

Of course, I haven't included them for you to use the open proxies. The port the proxy is listening, or the type of proxy, are not included (although most of them use the standard proxy ports and do serve web requests).

If you check the comparisons for the open proxy lists (ri_connect_proxies, ri_web_proxies, xroxy, proxz, proxyrss, etc) you will find that they overlap to a great degree with other blocklists, like blocklist_de, stopforumspam, etc.

This means the attackers also use open proxies to execute attacks.

So, if you are under attack, blocking the open proxies may help isolate a large part of the attack.

I don't suggest to permanenly block IPs using the proxy lists. Their purpose of existance is questionable. Their quality though may be acceptable, since lot of these sites advertise that they test open proxies before including them in their lists, so that there are no false positives, at least at the time they tested them.

---

Using them in FireHOL

update-ipsets.sh itself does not alter your firewall. It can be used to update ipsets both on disk and in the kernel for any firewall solution you use.

The information below, shows you how to configure FireHOL to use the provides ipsets.

Adding the ipsets in your firehol.conf

I use something like this:

	# our wan interface
	wan="dsl0"
	
	# our whitelist
	ipset4 create whitelist hash:net
	ipset4 add whitelist A.B.C.D/E # A.B.C.D/E is whitelisted
	
	# subnets - netsets
	for x in fullbogons dshield spamhaus_drop spamhaus_edrop
	do
		ipset4 create  ${x} hash:net
		ipset4 addfile ${x} ipsets/${x}.netset
		blacklist4 full inface "${wan}" log "BLACKLIST ${x^^}" ipset:${x} \
			except src ipset:whitelist
	done

	# individual IPs - ipsets
	for x in feodo palevo sslbl zeus openbl blocklist_de
	do
		ipset4 create  ${x} hash:ip
		ipset4 addfile ${x} ipsets/${x}.ipset
		blacklist4 full inface "${wan}" log "BLACKLIST ${x^^}" ipset:${x} \
			except src ipset:whitelist
	done

	... rest of firehol.conf ...

If you are concerned about iptables performance, change the blacklist4 keyword full to input. This will block only inbound NEW connections, i.e. only the first packet for every NEW inbound connection will be checked. All other traffic passes through unchecked.

Before adding these rules to your firehol.conf you should run update-ipsets.sh to enable them.

Updating the ipsets while the firewall is running

Just use the update-ipsets.sh script from the firehol distribution. This script will update each ipset and call firehol to update the ipset while the firewall is running.

You can add update-ipsets.sh to cron, to run every 30 mins. update-ipsets.sh is smart enough to download a list only when it needs to.

---

List of ipsets included

The following list was automatically generated on Fri Sep 18 18:11:09 UTC 2015.

The update frequency is the maximum allowed by internal configuration. A list will never be downloaded sooner than the update frequency stated. A list may also not be downloaded, after this frequency expired, if it has not been modified on the server (as reported by HTTP IF_MODIFIED_SINCE method).

name	info	type	entries	update
alienvault_reputation	AlienVault.com IP reputation database	ipv4 hash:ip	172620 unique IPs	updated every 6 hours from this link
asprox_c2	h3x.eu ASPROX Tracker - Asprox C&C Sites	ipv4 hash:ip	936 unique IPs	updated every 1 day from this link
bambenek_banjori	Bambenek Consulting feed of current IPs of banjori C&Cs with 90 minute lookback	ipv4 hash:ip	0 unique IPs	updated every 30 mins from this link
bambenek_bebloh	Bambenek Consulting feed of current IPs of bebloh C&Cs with 90 minute lookback	ipv4 hash:ip	3 unique IPs	updated every 30 mins from this link
bambenek_c2	Bambenek Consulting master feed of known, active and non-sinkholed C&Cs IP addresses	ipv4 hash:ip	237 unique IPs	updated every 30 mins from this link
bambenek_cl	Bambenek Consulting feed of current IPs of cl C&Cs with 90 minute lookback	ipv4 hash:ip	0 unique IPs	updated every 30 mins from this link
bambenek_cryptowall	Bambenek Consulting feed of current IPs of cryptowall C&Cs with 90 minute lookback	ipv4 hash:ip	16 unique IPs	updated every 30 mins from this link
bambenek_dircrypt	Bambenek Consulting feed of current IPs of dircrypt C&Cs with 90 minute lookback	ipv4 hash:ip	1 unique IPs	updated every 30 mins from this link
bambenek_dyre	Bambenek Consulting feed of current IPs of dyre C&Cs with 90 minute lookback	ipv4 hash:ip	2 unique IPs	updated every 30 mins from this link
bambenek_geodo	Bambenek Consulting feed of current IPs of geodo C&Cs with 90 minute lookback	ipv4 hash:ip	disabled	updated every 30 mins from this link
bambenek_hesperbot	Bambenek Consulting feed of current IPs of hesperbot C&Cs with 90 minute lookback	ipv4 hash:ip	2 unique IPs	updated every 30 mins from this link
bambenek_matsnu	Bambenek Consulting feed of current IPs of matsnu C&Cs with 90 minute lookback	ipv4 hash:ip	13 unique IPs	updated every 30 mins from this link
bambenek_necurs	Bambenek Consulting feed of current IPs of necurs C&Cs with 90 minute lookback	ipv4 hash:ip	disabled	updated every 30 mins from this link
bambenek_p2pgoz	Bambenek Consulting feed of current IPs of p2pgoz C&Cs with 90 minute lookback	ipv4 hash:ip	disabled	updated every 30 mins from this link
bambenek_pushdo	Bambenek Consulting feed of current IPs of pushdo C&Cs with 90 minute lookback	ipv4 hash:ip	2 unique IPs	updated every 30 mins from this link
bambenek_pykspa	Bambenek Consulting feed of current IPs of pykspa C&Cs with 90 minute lookback	ipv4 hash:ip	6 unique IPs	updated every 30 mins from this link
bambenek_qakbot	Bambenek Consulting feed of current IPs of qakbot C&Cs with 90 minute lookback	ipv4 hash:ip	3 unique IPs	updated every 30 mins from this link
bambenek_ramnit	Bambenek Consulting feed of current IPs of ramnit C&Cs with 90 minute lookback	ipv4 hash:ip	5 unique IPs	updated every 30 mins from this link
bambenek_ranbyus	Bambenek Consulting feed of current IPs of ranbyus C&Cs with 90 minute lookback	ipv4 hash:ip	1 unique IPs	updated every 30 mins from this link
bambenek_simda	Bambenek Consulting feed of current IPs of simda C&Cs with 90 minute lookback	ipv4 hash:ip	66 unique IPs	updated every 30 mins from this link
bambenek_suppobox	Bambenek Consulting feed of current IPs of suppobox C&Cs with 90 minute lookback	ipv4 hash:ip	104 unique IPs	updated every 30 mins from this link
bambenek_symmi	Bambenek Consulting feed of current IPs of symmi C&Cs with 90 minute lookback	ipv4 hash:ip	0 unique IPs	updated every 30 mins from this link
bambenek_tinba	Bambenek Consulting feed of current IPs of tinba C&Cs with 90 minute lookback	ipv4 hash:ip	11 unique IPs	updated every 30 mins from this link
bambenek_volatile	Bambenek Consulting feed of current IPs of volatile C&Cs with 90 minute lookback	ipv4 hash:ip	3 unique IPs	updated every 30 mins from this link
bds_atif	Binary Defense Systems Artillery Threat Intelligence Feed and Banlist Feed	ipv4 hash:ip	14635 unique IPs	updated every 1 day from this link
bi_any_2_1d	BadIPs.com Bad IPs in category any with score above 2 and age less than 1d	ipv4 hash:ip	1016 unique IPs	updated every 30 mins from this link
bi_any_2_30d	BadIPs.com Bad IPs in category any with score above 2 and age less than 30d	ipv4 hash:ip	8131 unique IPs	updated every 1 day from this link
bi_any_2_7d	BadIPs.com Bad IPs in category any with score above 2 and age less than 7d	ipv4 hash:ip	2633 unique IPs	updated every 6 hours from this link
bi_bruteforce_2_30d	BadIPs.com Bad IPs in category bruteforce with score above 2 and age less than 30d	ipv4 hash:ip	0 unique IPs	updated every 1 day from this link
bi_ftp_2_30d	BadIPs.com Bad IPs in category ftp with score above 2 and age less than 30d	ipv4 hash:ip	177 unique IPs	updated every 1 day from this link
bi_http_2_30d	BadIPs.com Bad IPs in category http with score above 2 and age less than 30d	ipv4 hash:ip	72 unique IPs	updated every 1 day from this link
bi_mail_2_30d	BadIPs.com Bad IPs in category mail with score above 2 and age less than 30d	ipv4 hash:ip	763 unique IPs	updated every 1 day from this link
bi_proxy_2_30d	BadIPs.com Bad IPs in category proxy with score above 2 and age less than 30d	ipv4 hash:ip	1 unique IPs	updated every 1 day from this link
bi_sql_2_30d	BadIPs.com Bad IPs in category sql with score above 2 and age less than 30d	ipv4 hash:ip	0 unique IPs	updated every 1 day from this link
bi_ssh_2_30d	BadIPs.com Bad IPs in category ssh with score above 2 and age less than 30d	ipv4 hash:ip	7110 unique IPs	updated every 1 day from this link
bi_voip_2_30d	BadIPs.com Bad IPs in category voip with score above 2 and age less than 30d	ipv4 hash:ip	38 unique IPs	updated every 1 day from this link
bitcoin_blockchain_info	Blockchain.info Bitcoin nodes connected to Blockchain.info.	ipv4 hash:ip	878 unique IPs	updated every 10 mins from this link
bitcoin_blockchain_info_1d	Blockchain.info Bitcoin nodes connected to Blockchain.info.	ipv4 hash:ip	1083 unique IPs	updated every 10 mins from this link
bitcoin_blockchain_info_30d	Blockchain.info Bitcoin nodes connected to Blockchain.info.	ipv4 hash:ip	10656 unique IPs	updated every 10 mins from this link
bitcoin_blockchain_info_7d	Blockchain.info Bitcoin nodes connected to Blockchain.info.	ipv4 hash:ip	3659 unique IPs	updated every 10 mins from this link
bitcoin_nodes	BitNodes Bitcoin connected nodes, globally.	ipv4 hash:ip	5354 unique IPs	updated every 10 mins from this link
bitcoin_nodes_1d	BitNodes Bitcoin connected nodes, globally.	ipv4 hash:ip	8370 unique IPs	updated every 10 mins from this link
bitcoin_nodes_30d	BitNodes Bitcoin connected nodes, globally.	ipv4 hash:ip	46406 unique IPs	updated every 10 mins from this link
bitcoin_nodes_7d	BitNodes Bitcoin connected nodes, globally.	ipv4 hash:ip	18438 unique IPs	updated every 10 mins from this link
blocklist_de	Blocklist.de IPs that have been detected by fail2ban in the last 48 hours	ipv4 hash:ip	33340 unique IPs	updated every 30 mins from this link
blocklist_de_apache	Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks.	ipv4 hash:ip	23648 unique IPs	updated every 30 mins from this link
blocklist_de_bots	Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on a open Forum or Wiki).	ipv4 hash:ip	2794 unique IPs	updated every 30 mins from this link
blocklist_de_bruteforce	Blocklist.de All IPs which attacks Joomlas, Wordpress and other Web-Logins with Brute-Force Logins.	ipv4 hash:ip	12316 unique IPs	updated every 30 mins from this link
blocklist_de_ftp	Blocklist.de All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP.	ipv4 hash:ip	452 unique IPs	updated every 30 mins from this link
blocklist_de_imap	Blocklist.de All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3, etc.	ipv4 hash:ip	1265 unique IPs	updated every 30 mins from this link
blocklist_de_mail	Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix.	ipv4 hash:ip	15454 unique IPs	updated every 30 mins from this link
blocklist_de_sip	Blocklist.de All IP addresses that tried to login in a SIP, VOIP or Asterisk Server and are included in the IPs list from infiltrated.net	ipv4 hash:ip	78 unique IPs	updated every 30 mins from this link
blocklist_de_ssh	Blocklist.de All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH.	ipv4 hash:ip	2011 unique IPs	updated every 30 mins from this link
blocklist_de_strongips	Blocklist.de All IPs which are older then 2 month and have more then 5.000 attacks.	ipv4 hash:ip	201 unique IPs	updated every 30 mins from this link
blocklist_net_ua	blocklist.net.ua The BlockList project was created to become protection against negative influence of the harmful and potentially dangerous events on the Internet. First of all this service will help internet and hosting providers to protect subscribers sites from being hacked. BlockList will help to stop receiving a large amount of spam from dubious SMTP relays or from attempts of brute force passwords to servers and network equipment.	ipv4 hash:ip	24832 unique IPs	updated every 10 mins from this link
bm_tor	torstatus.blutmagie.de list of all TOR network servers	ipv4 hash:ip	6380 unique IPs	updated every 30 mins from this link
bogons	Team-Cymru.org private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598 and netblocks that have not been allocated to a regional internet registry	ipv4 hash:net	13 subnets, 592708608 unique IPs	updated every 1 day from this link
botscout	BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.	ipv4 hash:ip	64 unique IPs	updated every 30 mins from this link
botscout_1d	BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.	ipv4 hash:ip	1262 unique IPs	updated every 30 mins from this link
botscout_30d	BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.	ipv4 hash:ip	20100 unique IPs	updated every 30 mins from this link
botscout_7d	BotScout helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.	ipv4 hash:ip	6474 unique IPs	updated every 30 mins from this link
bruteforceblocker	danger.rulez.sk bruteforceblocker (fail2ban alternative for SSH on OpenBSD). This is an automatically generated list from users reporting failed authentication attempts. An IP seems to be included if 3 or more users report it. Its retention pocily seems 30 days.	ipv4 hash:ip	1437 unique IPs	updated every 3 hours from this link
ciarmy	CIArmy.com IPs with poor Rogue Packet score that have not yet been identified as malicious by the community	ipv4 hash:ip	383 unique IPs	updated every 3 hours from this link
cidr_report_bogons	Unallocated (Free) Address Space, generated on a daily basis using the IANA registry files, the Regional Internet Registry stats files and the Regional Internet Registry whois data.	ipv4 hash:net	3634 subnets, 606740744 unique IPs	updated every 1 day from this link
cleanmx_viruses	Clean-MX.de IPs with viruses	ipv4 hash:ip	3312 unique IPs	updated every 30 mins from this link
cruzit_web_attacks	CruzIt.com IPs of compromised machines scanning for vulnerabilities and DDOS attacks	ipv4 hash:ip	4667 unique IPs	updated every 12 hours from this link
cybercrime	CyberCrime A project tracking Command and Control.	ipv4 hash:ip	5056 unique IPs	updated every 12 hours from this link
darklist_de	darklist.de ssh fail2ban reporting	ipv4 hash:net	732 subnets, 130386 unique IPs	updated every 1 day from this link
dm_tor	dan.me.uk dynamic list of TOR nodes	ipv4 hash:ip	6413 unique IPs	updated every 30 mins from this link
dragon_http	Dragon Research Group IPs that have been seen sending HTTP requests to Dragon Research Pods in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious HTTP attacks. LEGITIMATE SEARCH ENGINE BOTS MAY BE IN THIS LIST. This report is informational. It is not a blacklist, but some operators may choose to use it to help protect their networks and hosts in the forms of automated reporting and mitigation services.	ipv4 hash:net	1644 subnets, 487680 unique IPs	updated every 1 hour from this link
dragon_sshpauth	Dragon Research Group IP address that has been seen attempting to remotely login to a host using SSH password authentication, in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks.	ipv4 hash:net	1009 subnets, 1014 unique IPs	updated every 1 hour from this link
dragon_vncprobe	Dragon Research Group IP address that has been seen attempting to remotely connect to a host running the VNC application service, in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious VNC probes or VNC brute force attacks.	ipv4 hash:net	82 subnets, 135 unique IPs	updated every 1 hour from this link
dronebl_anonymizers	DroneBL.org List of open proxies. It includes IPs which DroneBL categorizes as SOCKS proxies (8), HTTP proxies (9), web page proxies (11), WinGate proxies (14), proxy chains (10).	ipv4 hash:net	161138 subnets, 167864 unique IPs
dronebl_auto_botnets	DroneBL.org IPs of automatically detected botnets. It includes IPs for which DroneBL responds with 17.	ipv4 hash:net	334837 subnets, 346836 unique IPs
dronebl_autorooting_worms	DroneBL.org IPs of autorooting worms. It includes IPs for which DroneBL responds with 16. These are usually SSH bruteforce attacks.	ipv4 hash:net	666 subnets, 739 unique IPs
dronebl_compromised	DroneBL.org IPs of compromised routers / gateways. It includes IPs for which DroneBL responds with 15 (BOPM detected).	ipv4 hash:net	15 subnets, 15 unique IPs
dronebl_ddos_drones	DroneBL.org IPs of DDoS drones. It includes IPs for which DroneBL responds with 7.	ipv4 hash:net	31 subnets, 31 unique IPs
dronebl_dns_mx_on_irc	DroneBL.org List of IPs of DNS / MX hostname detected on IRC. It includes IPs for which DroneBL responds with 18.	ipv4 hash:net	3747 subnets, 3815 unique IPs
dronebl_irc_drones	DroneBL.org List of IRC spam drones (litmus/sdbot/fyle). It includes IPs for which DroneBL responds with 3.	ipv4 hash:net	36463 subnets, 93952 unique IPs
dronebl_unknown	DroneBL.org List of IPs of uncategorized threats. It includes IPs for which DroneBL responds with 255.	ipv4 hash:net	36 subnets, 38 unique IPs
dronebl_worms_bots	DroneBL.org IPs of unknown worms or spambots. It includes IPs for which DroneBL responds with 6	ipv4 hash:net	22510 subnets, 24175 unique IPs
dshield	DShield.org top 20 attacking class C (/24) subnets over the last three days	ipv4 hash:net	15 subnets, 3840 unique IPs	updated every 15 mins from this link
dshield_1d	DShield.org top 20 attacking class C (/24) subnets over the last three days	ipv4 hash:net	275 subnets, 70912 unique IPs	updated every 15 mins from this link
dshield_30d	DShield.org top 20 attacking class C (/24) subnets over the last three days	ipv4 hash:net	3916 subnets, 1030656 unique IPs	updated every 15 mins from this link
dshield_7d	DShield.org top 20 attacking class C (/24) subnets over the last three days	ipv4 hash:net	1261 subnets, 328448 unique IPs	updated every 15 mins from this link
et_block	EmergingThreats.net default blacklist (at the time of writing includes spamhaus DROP, dshield and abuse.ch trackers, which are available separately too - prefer to use the direct ipsets instead of this, they seem to lag a bit in updates)	ipv4 hash:net	1109 subnets, 22888076 unique IPs	updated every 12 hours from this link
et_botcc	EmergingThreats.net Command and Control IPs These IPs are updates every 24 hours and should be considered VERY highly reliable indications that a host is communicating with a known and active Bot or Malware command and control server - (although they say this includes abuse.ch trackers, it does not - check its overlaps)	ipv4 hash:ip	493 unique IPs	updated every 12 hours from this link
et_compromised	EmergingThreats.net compromised hosts	ipv4 hash:ip	1477 unique IPs	updated every 12 hours from this link
et_dshield	EmergingThreats.net dshield blocklist	ipv4 hash:net	20 subnets, 5120 unique IPs	updated every 12 hours from this link
et_spamhaus	EmergingThreats.net spamhaus blocklist	ipv4 hash:net	696 subnets, 22882816 unique IPs	updated every 12 hours from this link
et_tor	EmergingThreats.net TOR list of TOR network IPs	ipv4 hash:ip	6290 unique IPs	updated every 12 hours from this link
feodo	Abuse.ch Feodo tracker trojan includes IPs which are being used by Feodo (also known as Cridex or Bugat) which commits ebanking fraud	ipv4 hash:ip	188 unique IPs	updated every 30 mins from this link
firehol_anonymous	An ipset that includes all the anonymizing IPs of the world. (includes: firehol_proxies anonymous bm_tor dm_tor tor_exits)	ipv4 hash:net	37711 subnets, 94015 unique IPs
firehol_level1	A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: fullbogons dshield feodo palevo sslbl zeus_badips spamhaus_drop spamhaus_edrop bambenek_c2)	ipv4 hash:net	4870 subnets, 686266964 unique IPs
firehol_level2	An ipset made from blocklists that track attacks and abuse, during the last one or two days. (includes: openbl_1d dshield_1d blocklist_de stopforumspam_1d botscout_1d greensnow)	ipv4 hash:net	29027 subnets, 111126 unique IPs
firehol_level3	An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs than have been reported or detected in the last 30 days. (includes: openbl_30d dshield_30d stopforumspam_30d virbl malc0de shunlist malwaredomainlist bruteforceblocker ciarmy cleanmx_viruses snort_ipfilter ib_bluetack_spyware ib_bluetack_hijacked ib_bluetack_webexploit php_commenters php_dictionary php_harvesters php_spammers iw_wormlist zeus maxmind_proxy_fraud dragon_http dragon_sshpauth dragon_vncprobe bambenek_c2)	ipv4 hash:net	111934 subnets, 11128302 unique IPs
firehol_proxies	An ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days. (includes: ib_bluetack_proxies maxmind_proxy_fraud proxyrss_30d proxz_30d ri_connect_proxies_30d ri_web_proxies_30d xroxy_30d proxyspy_30d sslproxies_30d socks_proxy_30d proxylists_30d)	ipv4 hash:net	31373 subnets, 32548 unique IPs
fullbogons	Team-Cymru.org IP space that has been allocated to an RIR, but not assigned by that RIR to an actual ISP or other end-user	ipv4 hash:net	3369 subnets, 662840936 unique IPs	updated every 1 day from this link
geolite2_country	MaxMind GeoLite2 databases are free IP geolocation databases comparable to, but less accurate than, MaxMind’s GeoIP2 databases. They include IPs per country, IPs per continent, IPs used by anonymous services (VPNs, Proxies, etc) and Satellite Providers.	ipv4 hash:net	All the world	updated every 7 days from this link
gofferje_sip	Stefan Gofferje A personal blacklist of networks and IPs of SIP attackers. To end up here, the IP or network must have been the origin of considerable and repeated attacks on my PBX and additionally, the ISP didn't react to any complaint. Note from the author: I don't give any guarantees of accuracy, completeness or even usability! USE AT YOUR OWN RISK! Also note that I block complete countries, namely China, Korea and Palestine with blocklists from ipdeny.com, so some attackers will never even get the chance to get noticed by me to be put on this blacklist. I also don't accept any liabilities related to this blocklist. If you're an ISP and don't like your IPs being listed here, too bad! You should have done something about your customers' behavior and reacted to my complaints. This blocklist is nothing but an expression of my personal opinion and exercising my right of free speech.	ipv4 hash:net	443 subnets, 1094248 unique IPs	updated every 6 hours from this link
greensnow	GreenSnow is a team harvesting a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Their list is updated automatically and you can withdraw at any time your IP address if it has been listed. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, etc.	ipv4 hash:ip	2977 unique IPs	updated every 30 mins from this link
haley_ssh	Charles Haley IPs launching SSH dictionary attacks.	ipv4 hash:ip	19898 unique IPs	updated every 4 hours from this link
ib_abuse_palevo	iBlocklist.com version of palevotracker.abuse.ch IP blocklist.	ipv4 hash:net	10 subnets, 10 unique IPs	updated every 12 hours from this link
ib_abuse_spyeye	iBlocklist.com version of spyeyetracker.abuse.ch IP blocklist.	ipv4 hash:net	83 subnets, 84 unique IPs	updated every 12 hours from this link
ib_abuse_zeus	iBlocklist.com version of zeustracker.abuse.ch IP blocklist that contains IP addresses which are currently beeing tracked on the abuse.ch ZeuS Tracker.	ipv4 hash:net	209 subnets, 212 unique IPs	updated every 12 hours from this link
ib_bluetack_ads	iBlocklist.com version of BlueTack.co.uk IPs advertising trackers and a short list of bad/intrusive porn sites.	ipv4 hash:net	3314 subnets, 888645 unique IPs	updated every 12 hours from this link
ib_bluetack_badpeers	iBlocklist.com version of BlueTack.co.uk IPs that have been reported for bad deeds in p2p.	ipv4 hash:ip	47940 unique IPs	updated every 12 hours from this link
ib_bluetack_bogons	iBlocklist.com version of BlueTack.co.uk unallocated address space.	ipv4 hash:net	2699 subnets, 666661539 unique IPs	updated every 12 hours from this link
ib_bluetack_dshield	iBlocklist.com version of BlueTack.co.uk, Contains known Hackers and such people in it.	ipv4 hash:net	20 subnets, 5120 unique IPs	updated every 12 hours from this link
ib_bluetack_edu	iBlocklist.com version of BlueTack.co.uk IP list with all known Educational Institutions.	ipv4 hash:net	40792 subnets, 227983904 unique IPs	updated every 12 hours from this link
ib_bluetack_exclusions	iBlocklist.com version of BlueTack.co.uk, exclusions.	ipv4 hash:net	297 subnets, 7427 unique IPs	updated every 12 hours from this link
ib_bluetack_fornonlancomputers	iBlocklist.com version of BlueTack.co.uk, IP blocklist for non-LAN computers.	ipv4 hash:net	4 subnets, 302055424 unique IPs	updated every 12 hours from this link
ib_bluetack_forumspam	iBlocklist.com version of BlueTack.co.uk, forum spam.	ipv4 hash:net	476 subnets, 615 unique IPs	updated every 12 hours from this link
ib_bluetack_hijacked	iBlocklist.com version of BlueTack.co.uk hijacked IP-Blocks. # Contains hijacked IP-Blocks and known IP-Blocks that are used to deliver Spam. This list is a combination of lists with hijacked IP-Blocks. Hijacked IP space are IP blocks that are being used without permission by organizations that have no relation to original organization (or its legal successor) that received the IP block. In essence it's stealing of somebody else's IP resources.	ipv4 hash:net	535 subnets, 9177856 unique IPs	updated every 12 hours from this link
ib_bluetack_iana_multicast	iBlocklist.com version of BlueTack.co.uk, IANA Multicast IPs.	ipv4 hash:net	1 subnets, 268435456 unique IPs	updated every 12 hours from this link
ib_bluetack_iana_private	iBlocklist.com version of BlueTack.co.uk, IANA Private IPs.	ipv4 hash:net	56 subnets, 51643638 unique IPs	updated every 12 hours from this link
ib_bluetack_iana_reserved	iBlocklist.com version of BlueTack.co.uk, IANA Reserved IPs.	ipv4 hash:net	1 subnets, 536870912 unique IPs	updated every 12 hours from this link
ib_bluetack_level1	iBlocklist.com version of BlueTack.co.uk Level 1 (for use in p2p): Companies or organizations who are clearly involved with trying to stop filesharing (e.g. Baytsp, MediaDefender, Mediasentry a.o.). Companies which anti-p2p activity has been seen from. Companies that produce or have a strong financial interest in copyrighted material (e.g. music, movie, software industries a.o.). Government ranges or companies that have a strong financial interest in doing work for governments. Legal industry ranges. IPs or ranges of ISPs from which anti-p2p activity has been observed. Basically this list will block all kinds of internet connections that most people would rather not have during their internet travels.	ipv4 hash:net	218307 subnets, 764993634 unique IPs	updated every 12 hours from this link
ib_bluetack_level2	iBlocklist.com version of BlueTack.co.uk Level 2 (for use in p2p). General corporate ranges. Ranges used by labs or researchers. Proxies.	ipv4 hash:net	72950 subnets, 348710251 unique IPs	updated every 12 hours from this link
ib_bluetack_level3	iBlocklist.com version of BlueTack.co.uk Level 3 (for use in p2p). Many portal-type websites. ISP ranges that may be dodgy for some reason. Ranges that belong to an individual, but which have not been determined to be used by a particular company. Ranges for things that are unusual in some way. The L3 list is aka the paranoid list.	ipv4 hash:net	17812 subnets, 139104927 unique IPs	updated every 12 hours from this link
ib_bluetack_ms	iBlocklist.com version of BlueTack.co.uk with all the known Microsoft ranges.	ipv4 hash:net	734 subnets, 1848447 unique IPs	updated every 12 hours from this link
ib_bluetack_proxies	iBlocklist.com version of BlueTack.co.uk Open Proxies IPs list (without TOR)	ipv4 hash:ip	663 unique IPs	updated every 12 hours from this link
ib_bluetack_rangetest	iBlocklist.com version of BlueTack.co.uk suspicious IPs that are under investigation.	ipv4 hash:net	515 subnets, 4346058 unique IPs	updated every 12 hours from this link
ib_bluetack_spider	iBlocklist.com version of BlueTack.co.uk, intended to be used by webmasters to block hostile spiders from their web sites.	ipv4 hash:net	734 subnets, 860168 unique IPs	updated every 12 hours from this link
ib_bluetack_spyware	iBlocklist.com version of BlueTack.co.uk known malicious SPYWARE and ADWARE IP Address ranges. It is compiled from various sources, including other available Spyware Blacklists, HOSTS files, from research found at many of the top Anti-Spyware forums, logs of Spyware victims and also from the Malware Research Section here at Bluetack.	ipv4 hash:net	3297 subnets, 339021 unique IPs	updated every 12 hours from this link
ib_bluetack_webexploit	iBlocklist.com version of BlueTack.co.uk web server hack and exploit attempts. IP addresses related to current web server hack and exploit attempts that have been logged by Bluetack or can be found in and cross referenced with other related IP databases. Malicious and other non search engine bots will also be listed here, along with anything found that can have a negative impact on a website or webserver such as proxies being used for negative SEO hijacks, unauthorised site mirroring, harvesting, scraping, snooping and data mining / spy bot / security & copyright enforcement companies that target and continuosly scan webservers.	ipv4 hash:ip	1450 unique IPs	updated every 12 hours from this link
ib_ciarmy_malicious	iBlocklist.com version of ciarmy.com IP blocklist. Based on information from a network of Sentinel devices deployed around the world, they compile a list of known bad IP addresses. Sentinel devices are uniquely positioned to pick up traffic from bad guys without requiring any type of signature-based or rate-based identification. If an IP is identified in this way by a significant number of Sentinels, the IP is malicious and should be blocked.	ipv4 hash:net	358 subnets, 366 unique IPs	updated every 12 hours from this link
ib_cidr_report_bogons	iBlocklist.com version of cidr-report.org IP list of Unallocated address space.	ipv4 hash:net	3636 subnets, 606755848 unique IPs	updated every 12 hours from this link
ib_cruzit_web_attacks	iBlocklist.com version of CruzIT list with individual IP addresses of compromised machines scanning for vulnerabilities and DDOS attacks.	ipv4 hash:net	4639 subnets, 4661 unique IPs	updated every 12 hours from this link
ib_isp_aol	iBlocklist.com AOL IPs.	ipv4 hash:net	16 subnets, 6627584 unique IPs	updated every 1 day from this link
ib_isp_att	iBlocklist.com AT&T IPs.	ipv4 hash:net	35 subnets, 55845128 unique IPs	updated every 1 day from this link
ib_isp_cablevision	iBlocklist.com Cablevision IPs.	ipv4 hash:net	11 subnets, 1787136 unique IPs	updated every 1 day from this link
ib_isp_charter	iBlocklist.com Charter IPs.	ipv4 hash:net	21 subnets, 6138112 unique IPs	updated every 1 day from this link
ib_isp_comcast	iBlocklist.com Comcast IPs.	ipv4 hash:net	33 subnets, 45121536 unique IPs	updated every 1 day from this link
ib_isp_embarq	iBlocklist.com Embarq IPs.	ipv4 hash:net	14 subnets, 2703360 unique IPs	updated every 1 day from this link
ib_isp_qwest	iBlocklist.com Qwest IPs.	ipv4 hash:net	73 subnets, 15777552 unique IPs	updated every 1 day from this link
ib_isp_sprint	iBlocklist.com Sprint IPs.	ipv4 hash:net	63 subnets, 6310530 unique IPs	updated every 1 day from this link
ib_isp_suddenlink	iBlocklist.com Suddenlink IPs.	ipv4 hash:net	3 subnets, 458752 unique IPs	updated every 1 day from this link
ib_isp_twc	iBlocklist.com Time Warner Cable IPs.	ipv4 hash:net	56 subnets, 15015936 unique IPs	updated every 1 day from this link
ib_isp_verizon	iBlocklist.com Verizon IPs.	ipv4 hash:net	19 subnets, 15335424 unique IPs	updated every 1 day from this link
ib_malc0de	iBlocklist.com version of malc0de.com IP blocklist. Addresses that have been indentified distributing malware during the past 30 days.	ipv4 hash:net	343 subnets, 348 unique IPs	updated every 12 hours from this link
ib_onion_router	iBlocklist.com The Onion Router IP addresses.	ipv4 hash:net	6073 subnets, 6181 unique IPs	updated every 12 hours from this link
ib_org_activision	iBlocklist.com Activision IPs.	ipv4 hash:net	46 subnets, 4890 unique IPs	updated every 1 day from this link
ib_org_apple	iBlocklist.com Apple IPs.	ipv4 hash:net	1 subnets, 16777216 unique IPs	updated every 1 day from this link
ib_org_blizzard	iBlocklist.com Blizzard IPs.	ipv4 hash:net	7 subnets, 16794627 unique IPs	updated every 1 day from this link
ib_org_crowd_control	iBlocklist.com Crowd Control Productions IPs.	ipv4 hash:net	2 subnets, 768 unique IPs	updated every 1 day from this link
ib_org_electronic_arts	iBlocklist.com Electronic Arts IPs.	ipv4 hash:net	42 subnets, 69720 unique IPs	updated every 1 day from this link
ib_org_joost	iBlocklist.com Joost IPs.	ipv4 hash:net	4 subnets, 16779456 unique IPs	updated every 1 day from this link
ib_org_linden_lab	iBlocklist.com Linden Lab IPs.	ipv4 hash:net	11 subnets, 23600 unique IPs	updated every 1 day from this link
ib_org_logmein	iBlocklist.com LogMeIn IPs.	ipv4 hash:net	13 subnets, 16781568 unique IPs	updated every 1 day from this link
ib_org_ncsoft	iBlocklist.com NCsoft IPs.	ipv4 hash:net	5 subnets, 12560 unique IPs	updated every 1 day from this link
ib_org_nintendo	iBlocklist.com Nintendo IPs.	ipv4 hash:net	40 subnets, 3907 unique IPs	updated every 1 day from this link
ib_org_pandora	iBlocklist.com Pandora IPs.	ipv4 hash:net	1 subnets, 2048 unique IPs	updated every 1 day from this link
ib_org_pirate_bay	iBlocklist.com The Pirate Bay IPs.	ipv4 hash:net	5 subnets, 323 unique IPs	updated every 1 day from this link
ib_org_punkbuster	iBlocklist.com Punkbuster IPs.	ipv4 hash:net	1 subnets, 1 unique IPs	updated every 1 day from this link
ib_org_riot_games	iBlocklist.com Riot Games IPs.	ipv4 hash:net	6 subnets, 1792 unique IPs	updated every 1 day from this link
ib_org_sony_online	iBlocklist.com Sony Online Entertainment IPs.	ipv4 hash:net	7 subnets, 24616 unique IPs	updated every 1 day from this link
ib_org_square_enix	iBlocklist.com Square Enix IPs.	ipv4 hash:net	2 subnets, 4112 unique IPs	updated every 1 day from this link
ib_org_steam	iBlocklist.com Steam IPs.	ipv4 hash:net	51 subnets, 596440 unique IPs	updated every 1 day from this link
ib_org_ubisoft	iBlocklist.com Ubisoft IPs.	ipv4 hash:net	9 subnets, 5304 unique IPs	updated every 1 day from this link
ib_org_xfire	iBlocklist.com XFire IPs.	ipv4 hash:net	3 subnets, 3328 unique IPs	updated every 1 day from this link
ib_pedophiles	iBlocklist.com version of BlueTack.co.uk, IP ranges of people who we have found to be sharing child pornography in the p2p community.	ipv4 hash:net	22269 subnets, 876935 unique IPs	updated every 12 hours from this link
ib_spamhaus_drop	iBlocklist.com version of spamhaus.org DROP (Don't Route Or Peer) list.	ipv4 hash:net	700 subnets, 22950144 unique IPs	updated every 12 hours from this link
ib_yoyo_adservers	iBlocklist.com version of pgl.yoyo.org ad servers	ipv4 hash:net	11534 subnets, 13055 unique IPs	updated every 12 hours from this link
infiltrated	infiltrated.net (this list seems to be updated frequently, but we found no information about it)	ipv4 hash:ip	disabled	updated every 12 hours from this link
ip2location_country	IP2Location.com geolocation database	ipv4 hash:net	All the world	updated every 1 day from this link
ipdeny_country	IPDeny.com geolocation database	ipv4 hash:net	All the world	updated every 1 day from this link
iw_spamlist	ImproWare Antispam IPs sending spam, in the last 3 days	ipv4 hash:ip	4325 unique IPs	updated every 1 hour from this link
iw_wormlist	ImproWare Antispam IPs sending emails with viruses or worms, in the last 3 days	ipv4 hash:ip	1 unique IPs	updated every 1 hour from this link
lashback_ubl	The LashBack UBL The Unsubscribe Blacklist (UBL) is a real-time blacklist of IP addresses which are sending email to names harvested from suppression files (this is a big list, more than 500.000 IPs)	ipv4 hash:ip	669139 unique IPs	updated every 1 day from this link
malc0de	Malc0de.com malicious IPs of the last 30 days	ipv4 hash:ip	448 unique IPs	updated every 1 day from this link
malwaredomainlist	malwaredomainlist.com list of malware active ip addresses	ipv4 hash:ip	1339 unique IPs	updated every 12 hours from this link
maxmind_proxy_fraud	MaxMind.com list of anonymous proxy fraudelent IP addresses.	ipv4 hash:ip	368 unique IPs	updated every 4 hours from this link
myip	myip.ms IPs identified as web bots in the last 10 days, using several sites that require human action	ipv4 hash:ip	2293 unique IPs	updated every 1 day from this link
nixspam	NiX Spam IP addresses that sent spam in the last hour - automatically generated entries without distinguishing open proxies from relays, dialup gateways, and so on. All IPs are removed after 12 hours if there is no spam from there.	ipv4 hash:ip	35451 unique IPs	updated every 15 mins from this link
nt_malware_dns	No Think Malware DNS (the original list includes hostnames and domains, which are ignored)	ipv4 hash:ip	235 unique IPs	updated every 1 hour from this link
nt_malware_http	No Think Malware HTTP	ipv4 hash:ip	69 unique IPs	updated every 1 hour from this link
nt_malware_irc	No Think Malware IRC	ipv4 hash:ip	43 unique IPs	updated every 1 hour from this link
nt_ssh_7d	NoThink Last 7 days SSH attacks	ipv4 hash:ip	4431 unique IPs	updated every 1 hour from this link
openbl	OpenBL.org default blacklist (currently it is the same with 90 days). OpenBL.org is detecting, logging and reporting various types of internet abuse. Currently they monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications	ipv4 hash:ip	disabled	updated every 4 hours from this link
openbl_180d	OpenBL.org last 180 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse. Currently they monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.	ipv4 hash:ip	15564 unique IPs	updated every 4 hours from this link
openbl_1d	OpenBL.org last 24 hours IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse. Currently they monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.	ipv4 hash:ip	170 unique IPs	updated every 1 hour from this link
openbl_30d	OpenBL.org last 30 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse. Currently they monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.	ipv4 hash:ip	3003 unique IPs	updated every 4 hours from this link
openbl_360d	OpenBL.org last 360 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse. Currently they monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.	ipv4 hash:ip	29081 unique IPs	updated every 4 hours from this link
openbl_60d	OpenBL.org last 60 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse. Currently they monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.	ipv4 hash:ip	5706 unique IPs	updated every 4 hours from this link
openbl_7d	OpenBL.org last 7 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse. Currently they monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.	ipv4 hash:ip	861 unique IPs	updated every 4 hours from this link
openbl_90d	OpenBL.org last 90 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse. Currently they monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.	ipv4 hash:ip	7283 unique IPs	updated every 4 hours from this link
openbl_all	OpenBL.org last all IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse. Currently they monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.	ipv4 hash:ip	105557 unique IPs	updated every 4 hours from this link
packetmail	PacketMail.net IP addresses have been detected performing TCP SYN to 206.82.85.196/30 to a non-listening service or daemon. No assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk.	ipv4 hash:ip	625 unique IPs	updated every 4 hours from this link
palevo	Abuse.ch Palevo tracker worm includes IPs which are being used as botnet C&C for the Palevo crimeware	ipv4 hash:ip	11 unique IPs	updated every 30 mins from this link
php_bad	projecthoneypot.org bad web hosts (this list is composed using an RSS feed)	ipv4 hash:ip	disabled	updated every 1 hour from this link
php_commenters	projecthoneypot.org comment spammers (this list is composed using an RSS feed)	ipv4 hash:ip	50 unique IPs	updated every 1 hour from this link
php_commenters_1d	projecthoneypot.org comment spammers (this list is composed using an RSS feed)	ipv4 hash:ip	99 unique IPs	updated every 1 hour from this link
php_commenters_30d	projecthoneypot.org comment spammers (this list is composed using an RSS feed)	ipv4 hash:ip	841 unique IPs	updated every 1 hour from this link
php_commenters_7d	projecthoneypot.org comment spammers (this list is composed using an RSS feed)	ipv4 hash:ip	316 unique IPs	updated every 1 hour from this link
php_dictionary	projecthoneypot.org directory attackers (this list is composed using an RSS feed)	ipv4 hash:ip	50 unique IPs	updated every 1 hour from this link
php_dictionary_1d	projecthoneypot.org directory attackers (this list is composed using an RSS feed)	ipv4 hash:ip	98 unique IPs	updated every 1 hour from this link
php_dictionary_30d	projecthoneypot.org directory attackers (this list is composed using an RSS feed)	ipv4 hash:ip	1126 unique IPs	updated every 1 hour from this link
php_dictionary_7d	projecthoneypot.org directory attackers (this list is composed using an RSS feed)	ipv4 hash:ip	363 unique IPs	updated every 1 hour from this link
php_harvesters	projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed)	ipv4 hash:ip	50 unique IPs	updated every 1 hour from this link
php_harvesters_1d	projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed)	ipv4 hash:ip	83 unique IPs	updated every 1 hour from this link
php_harvesters_30d	projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed)	ipv4 hash:ip	600 unique IPs	updated every 1 hour from this link
php_harvesters_7d	projecthoneypot.org harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed)	ipv4 hash:ip	219 unique IPs	updated every 1 hour from this link
php_spammers	projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)	ipv4 hash:ip	50 unique IPs	updated every 1 hour from this link
php_spammers_1d	projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)	ipv4 hash:ip	97 unique IPs	updated every 1 hour from this link
php_spammers_30d	projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)	ipv4 hash:ip	1124 unique IPs	updated every 1 hour from this link
php_spammers_7d	projecthoneypot.org spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)	ipv4 hash:ip	355 unique IPs	updated every 1 hour from this link
proxylists	proxylists.net open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	2420 unique IPs	updated every 1 hour from this link
proxylists_1d	proxylists.net open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	4127 unique IPs	updated every 1 hour from this link
proxylists_30d	proxylists.net open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	15148 unique IPs	updated every 1 hour from this link
proxylists_7d	proxylists.net open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	7456 unique IPs	updated every 1 hour from this link
proxyrss	proxyrss.com open proxies syndicated from multiple sources.	ipv4 hash:ip	2213 unique IPs	updated every 4 hours from this link
proxyrss_1d	proxyrss.com open proxies syndicated from multiple sources.	ipv4 hash:ip	3875 unique IPs	updated every 4 hours from this link
proxyrss_30d	proxyrss.com open proxies syndicated from multiple sources.	ipv4 hash:ip	16096 unique IPs	updated every 4 hours from this link
proxyrss_7d	proxyrss.com open proxies syndicated from multiple sources.	ipv4 hash:ip	7119 unique IPs	updated every 4 hours from this link
proxyspy	ProxySpy open proxies (updated hourly)	ipv4 hash:ip	299 unique IPs	updated every 1 hour from this link
proxyspy_1d	ProxySpy open proxies (updated hourly)	ipv4 hash:ip	1141 unique IPs	updated every 1 hour from this link
proxyspy_30d	ProxySpy open proxies (updated hourly)	ipv4 hash:ip	5844 unique IPs	updated every 1 hour from this link
proxyspy_7d	ProxySpy open proxies (updated hourly)	ipv4 hash:ip	2733 unique IPs	updated every 1 hour from this link
proxz	proxz.com open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	24 unique IPs	updated every 1 hour from this link
proxz_1d	proxz.com open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	184 unique IPs	updated every 1 hour from this link
proxz_30d	proxz.com open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	2656 unique IPs	updated every 1 hour from this link
proxz_7d	proxz.com open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	891 unique IPs	updated every 1 hour from this link
pushing_inertia_blocklist	Pushing Inertia IPs of hosting providers that are known to host various bots, spiders, scrapers, etc. to block access from these providers to web servers.	ipv4 hash:net	720 subnets, 37737096 unique IPs	updated every 1 day from this link
ri_connect_proxies	rosinstrument.com open CONNECT proxies (this list is composed using an RSS feed)	ipv4 hash:ip	150 unique IPs	updated every 1 hour from this link
ri_connect_proxies_1d	rosinstrument.com open CONNECT proxies (this list is composed using an RSS feed)	ipv4 hash:ip	371 unique IPs	updated every 1 hour from this link
ri_connect_proxies_30d	rosinstrument.com open CONNECT proxies (this list is composed using an RSS feed)	ipv4 hash:ip	2889 unique IPs	updated every 1 hour from this link
ri_connect_proxies_7d	rosinstrument.com open CONNECT proxies (this list is composed using an RSS feed)	ipv4 hash:ip	1137 unique IPs	updated every 1 hour from this link
ri_web_proxies	rosinstrument.com open HTTP proxies (this list is composed using an RSS feed)	ipv4 hash:ip	141 unique IPs	updated every 1 hour from this link
ri_web_proxies_1d	rosinstrument.com open HTTP proxies (this list is composed using an RSS feed)	ipv4 hash:ip	566 unique IPs	updated every 1 hour from this link
ri_web_proxies_30d	rosinstrument.com open HTTP proxies (this list is composed using an RSS feed)	ipv4 hash:ip	6378 unique IPs	updated every 1 hour from this link
ri_web_proxies_7d	rosinstrument.com open HTTP proxies (this list is composed using an RSS feed)	ipv4 hash:ip	2192 unique IPs	updated every 1 hour from this link
sblam	sblam.com IPs used by web form spammers, during the last month	ipv4 hash:ip	11842 unique IPs	updated every 1 day from this link
shunlist	AutoShun.org IPs identified as hostile by correlating logs from distributed snort installations running the autoshun plugin	ipv4 hash:ip	1093 unique IPs	updated every 4 hours from this link
snort_ipfilter	labs.snort.org supplied IP blacklist (this list seems to be updated frequently, but we found no information about it)	ipv4 hash:ip	12714 unique IPs	updated every 12 hours from this link
socks_proxy	socks-proxy.net open SOCKS proxies	ipv4 hash:ip	80 unique IPs	updated every 10 mins from this link
socks_proxy_1d	socks-proxy.net open SOCKS proxies	ipv4 hash:ip	420 unique IPs	updated every 10 mins from this link
socks_proxy_30d	socks-proxy.net open SOCKS proxies	ipv4 hash:ip	2723 unique IPs	updated every 10 mins from this link
socks_proxy_7d	socks-proxy.net open SOCKS proxies	ipv4 hash:ip	1276 unique IPs	updated every 10 mins from this link
sorbs_anonymizers	Sorbs.net List of open HTTP and SOCKS proxies.	ipv4 hash:net	584850 subnets, 596508 unique IPs
sorbs_block	Sorbs.net List of hosts demanding that they never be tested by SORBS.	ipv4 hash:net	disabled
sorbs_dul	Sorbs.net Dynamic IP Addresses.	ipv4 hash:net	533431 subnets, 350094120 unique IPs
sorbs_escalations	Sorbs.net Netblocks of spam supporting service providers, including those who provide websites, DNS or drop boxes for a spammer. Spam supporters are added on a 'third strike and you are out' basis, where the third spam will cause the supporter to be added to the list.	ipv4 hash:net	9 subnets, 2560 unique IPs
sorbs_http	Sorbs.net HTTP proxies, extracted from deltas.	ipv4 hash:net	disabled
sorbs_misc	Sorbs.net MISC proxies, extracted from deltas.	ipv4 hash:net	disabled
sorbs_new_spam	Sorbs.net List of hosts that have been noted as sending spam/UCE/UBE within the last 48 hours	ipv4 hash:net	2557 subnets, 2636 unique IPs
sorbs_noserver	Sorbs.net IP addresses and Netblocks of where system administrators and ISPs owning the network have indicated that servers should not be present.	ipv4 hash:net	11893 subnets, 20132958 unique IPs
sorbs_recent_spam	Sorbs.net List of hosts that have been noted as sending spam/UCE/UBE within the last 28 days (includes sorbs_new_spam)	ipv4 hash:net	166413 subnets, 169040 unique IPs
sorbs_smtp	Sorbs.net List of SMTP Open Relays.	ipv4 hash:net	1433 subnets, 1440 unique IPs
sorbs_socks	Sorbs.net SOCKS proxies, extracted from deltas.	ipv4 hash:net	disabled
sorbs_spam	Sorbs.net Spam senders, extracted from deltas.	ipv4 hash:net	disabled
sorbs_web	Sorbs.net List of IPs which have spammer abusable vulnerabilities (e.g. FormMail scripts)	ipv4 hash:net	5281098 subnets, 5656144 unique IPs
sorbs_zombie	Sorbs.net List of networks hijacked from their original owners, some of which have already used for spamming.	ipv4 hash:net	78 subnets, 2104580 unique IPs
spamhaus_drop	Spamhaus.org DROP list (according to their site this list should be dropped at tier-1 ISPs globally)	ipv4 hash:net	702 subnets, 23016704 unique IPs	updated every 12 hours from this link
spamhaus_edrop	Spamhaus.org EDROP (extended matches that should be used with DROP)	ipv4 hash:net	64 subnets, 657920 unique IPs	updated every 12 hours from this link
sslbl	Abuse.ch SSL Blacklist bad SSL traffic related to malware or botnet activities	ipv4 hash:ip	167 unique IPs	updated every 30 mins from this link
sslbl_aggressive	Abuse.ch SSL Blacklist The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes), this blacklist may cause false positives. Hence I highly recommend you to use the standard version instead of the aggressive one.	ipv4 hash:ip	925 unique IPs	updated every 30 mins from this link
sslproxies	SSLProxies.org open SSL proxies	ipv4 hash:ip	100 unique IPs	updated every 10 mins from this link
sslproxies_1d	SSLProxies.org open SSL proxies	ipv4 hash:ip	217 unique IPs	updated every 10 mins from this link
sslproxies_30d	SSLProxies.org open SSL proxies	ipv4 hash:ip	9982 unique IPs	updated every 10 mins from this link
sslproxies_7d	SSLProxies.org open SSL proxies	ipv4 hash:ip	966 unique IPs	updated every 10 mins from this link
stopforumspam	StopForumSpam.com Banned IPs used by forum spammers	ipv4 hash:ip	229522 unique IPs	updated every 1 day from this link
stopforumspam_180d	StopForumSpam.com IPs used by forum spammers (last 180 days)	ipv4 hash:ip	489954 unique IPs	updated every 1 day from this link
stopforumspam_1d	StopForumSpam.com IPs used by forum spammers in the last 24 hours	ipv4 hash:ip	6565 unique IPs	updated every 1 hour from this link
stopforumspam_30d	StopForumSpam.com IPs used by forum spammers (last 30 days)	ipv4 hash:ip	86649 unique IPs	updated every 1 day from this link
stopforumspam_365d	StopForumSpam.com IPs used by forum spammers (last 365 days)	ipv4 hash:ip	924684 unique IPs	updated every 1 day from this link
stopforumspam_7d	StopForumSpam.com IPs used by forum spammers (last 7 days)	ipv4 hash:ip	27081 unique IPs	updated every 1 day from this link
stopforumspam_90d	StopForumSpam.com IPs used by forum spammers (last 90 days)	ipv4 hash:ip	230360 unique IPs	updated every 1 day from this link
stopforumspam_toxic	StopForumSpam.com Networks that have large amounts of spambots and are flagged as toxic. Toxic IP ranges are infrequently changed.	ipv4 hash:net	74 subnets, 514190 unique IPs	updated every 1 day from this link
talosintel_ipfilter	TalosIntel.com List of known malicious network threats	ipv4 hash:ip	12962 unique IPs	updated every 15 mins from this link
tor_exits	TorProject.org list of all current TOR exit points (TorDNSEL)	ipv4 hash:ip	1036 unique IPs	updated every 5 mins from this link
tor_exits_1d	TorProject.org list of all current TOR exit points (TorDNSEL)	ipv4 hash:ip	1124 unique IPs	updated every 5 mins from this link
tor_exits_30d	TorProject.org list of all current TOR exit points (TorDNSEL)	ipv4 hash:ip	3098 unique IPs	updated every 5 mins from this link
tor_exits_7d	TorProject.org list of all current TOR exit points (TorDNSEL)	ipv4 hash:ip	1584 unique IPs	updated every 5 mins from this link
virbl	VirBL is a project of which the idea was born during the RIPE-48 meeting. The plan was to get reports of virusscanning mailservers, and put the IP-addresses that were reported to send viruses on a blacklist.	ipv4 hash:ip	13 unique IPs	updated every 1 hour from this link
voipbl	VoIPBL.org a distributed VoIP blacklist that is aimed to protects against VoIP Fraud and minimizing abuse for network that have publicly accessible PBX's. Several algorithms, external sources and manual confirmation are used before they categorize something as an attack and determine the threat level.	ipv4 hash:net	11750 subnets, 12241 unique IPs	updated every 4 hours from this link
vxvault	VxVault The latest 100 additions of VxVault.	ipv4 hash:ip	40 unique IPs	updated every 12 hours from this link
xroxy	xroxy.com open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	61 unique IPs	updated every 1 hour from this link
xroxy_1d	xroxy.com open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	131 unique IPs	updated every 1 hour from this link
xroxy_30d	xroxy.com open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	556 unique IPs	updated every 1 hour from this link
xroxy_7d	xroxy.com open proxies (this list is composed using an RSS feed)	ipv4 hash:ip	269 unique IPs	updated every 1 hour from this link
yoyo_adservers	Yoyo.org IPs of ad servers	ipv4 hash:ip	13764 unique IPs	updated every 12 hours from this link
zeus	Abuse.ch Zeus tracker standard, contains the same data as the ZeuS IP blocklist (zeus_badips) but with the slight difference that it doesn't exclude hijacked websites (level 2) and free web hosting providers (level 3). This means that this blocklist contains all IPv4 addresses associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blocklist will likely cause some false positives.	ipv4 hash:ip	212 unique IPs	updated every 30 mins from this link
zeus_badips	Abuse.ch Zeus tracker badips includes IPv4 addresses that are used by the ZeuS trojan. It is the recommened blocklist if you want to block only ZeuS IPs. It excludes IP addresses that ZeuS Tracker believes to be hijacked (level 2) or belong to a free web hosting provider (level 3). Hence the false postive rate should be much lower compared to the standard ZeuS IP blocklist.	ipv4 hash:ip	181 unique IPs	updated every 30 mins from this link