Mon Nov 21 06:43:52 UTC 2016 update
This commit is contained in:
Costa Tsaousis
parent
181d7fd8d0
commit
ce505aaddc
68
README.md
68
README.md
|
|
@ -220,7 +220,7 @@ This script will update each ipset and call firehol to update the ipset while th
|
|||
|
||||
# List of ipsets included
|
||||
|
||||
The following list was automatically generated on Mon Nov 21 06:37:03 UTC 2016.
|
||||
The following list was automatically generated on Mon Nov 21 06:43:52 UTC 2016.
|
||||
|
||||
The update frequency is the maximum allowed by internal configuration. A list will never be downloaded sooner than the update frequency stated. A list may also not be downloaded, after this frequency expired, if it has not been modified on the server (as reported by HTTP `IF_MODIFIED_SINCE` method).
|
||||
|
||||
|
|
@ -243,7 +243,7 @@ name|info|type|entries|update|
|
|||
[atlas_fastflux_7d](http://iplists.firehol.org/?ipset=atlas_fastflux_7d)|[ATLAS Fastflux](https://atlas.arbor.net/summary/fastflux) - Fast flux hosting is a technique where the nodes in a botnet are used as the endpoints in a website hosting scheme. The DNS records change frequently, often every few minutes, to point to new bots. The actual nodes themselves simply proxy the request back to the central hosting location. This gives the botnet a robust hosting infrastructure. Many different kinds of botnets use fastflux DNS techniques, for malware hosting, for illegal content hosting, for phishing site hosting, and other such activities. These hosts are likely to be infected with some form of malware.|ipv4 hash:ip|24 unique IPs|updated every 1 day from [this link](https://atlas.arbor.net/summary/fastflux.csv)
|
||||
[atlas_phishing](http://iplists.firehol.org/?ipset=atlas_phishing)|[ATLAS Phishing](https://atlas.arbor.net/summary/fastflux) - Phishing servers host content that is designed to socially engineer unsuspecting users into surrendering private information used for identity theft. These servers are installed on compromised web servers or botnets, at times. Phishing Web sites mimic legitimate Web sites, often of a financial institution, in order to steal logins, passwords, and personal information. Attackers trick users into using the fake Web site by sending the intended victim an e-mail claiming to be a legitimate institution requesting the information for valid reasons, such as account verification. They may then use the stolen credentials to withdraw large amounts of money from the victim's account or commit other fraudulent acts. Most targeted brands are usually in the financial sector, including banks and online commerce sites.|ipv4 hash:ip|10 unique IPs|updated every 1 day from [this link](https://atlas.arbor.net/summary/phishing.csv)
|
||||
[atlas_phishing_2d](http://iplists.firehol.org/?ipset=atlas_phishing_2d)|[ATLAS Phishing](https://atlas.arbor.net/summary/fastflux) - Phishing servers host content that is designed to socially engineer unsuspecting users into surrendering private information used for identity theft. These servers are installed on compromised web servers or botnets, at times. Phishing Web sites mimic legitimate Web sites, often of a financial institution, in order to steal logins, passwords, and personal information. Attackers trick users into using the fake Web site by sending the intended victim an e-mail claiming to be a legitimate institution requesting the information for valid reasons, such as account verification. They may then use the stolen credentials to withdraw large amounts of money from the victim's account or commit other fraudulent acts. Most targeted brands are usually in the financial sector, including banks and online commerce sites.|ipv4 hash:ip|11 unique IPs|updated every 1 day from [this link](https://atlas.arbor.net/summary/phishing.csv)
|
||||
[atlas_phishing_30d](http://iplists.firehol.org/?ipset=atlas_phishing_30d)|[ATLAS Phishing](https://atlas.arbor.net/summary/fastflux) - Phishing servers host content that is designed to socially engineer unsuspecting users into surrendering private information used for identity theft. These servers are installed on compromised web servers or botnets, at times. Phishing Web sites mimic legitimate Web sites, often of a financial institution, in order to steal logins, passwords, and personal information. Attackers trick users into using the fake Web site by sending the intended victim an e-mail claiming to be a legitimate institution requesting the information for valid reasons, such as account verification. They may then use the stolen credentials to withdraw large amounts of money from the victim's account or commit other fraudulent acts. Most targeted brands are usually in the financial sector, including banks and online commerce sites.|ipv4 hash:ip|17 unique IPs|updated every 1 day from [this link](https://atlas.arbor.net/summary/phishing.csv)
|
||||
[atlas_phishing_30d](http://iplists.firehol.org/?ipset=atlas_phishing_30d)|[ATLAS Phishing](https://atlas.arbor.net/summary/fastflux) - Phishing servers host content that is designed to socially engineer unsuspecting users into surrendering private information used for identity theft. These servers are installed on compromised web servers or botnets, at times. Phishing Web sites mimic legitimate Web sites, often of a financial institution, in order to steal logins, passwords, and personal information. Attackers trick users into using the fake Web site by sending the intended victim an e-mail claiming to be a legitimate institution requesting the information for valid reasons, such as account verification. They may then use the stolen credentials to withdraw large amounts of money from the victim's account or commit other fraudulent acts. Most targeted brands are usually in the financial sector, including banks and online commerce sites.|ipv4 hash:ip|16 unique IPs|updated every 1 day from [this link](https://atlas.arbor.net/summary/phishing.csv)
|
||||
[atlas_phishing_7d](http://iplists.firehol.org/?ipset=atlas_phishing_7d)|[ATLAS Phishing](https://atlas.arbor.net/summary/fastflux) - Phishing servers host content that is designed to socially engineer unsuspecting users into surrendering private information used for identity theft. These servers are installed on compromised web servers or botnets, at times. Phishing Web sites mimic legitimate Web sites, often of a financial institution, in order to steal logins, passwords, and personal information. Attackers trick users into using the fake Web site by sending the intended victim an e-mail claiming to be a legitimate institution requesting the information for valid reasons, such as account verification. They may then use the stolen credentials to withdraw large amounts of money from the victim's account or commit other fraudulent acts. Most targeted brands are usually in the financial sector, including banks and online commerce sites.|ipv4 hash:ip|13 unique IPs|updated every 1 day from [this link](https://atlas.arbor.net/summary/phishing.csv)
|
||||
[atlas_scans](http://iplists.firehol.org/?ipset=atlas_scans)|[ATLAS Scans](https://atlas.arbor.net/summary/scans) - Host scanning is a process whereby automated network sweeps are initiated in search of hosts running a particular service. This may be indicative of either legitimate host scanners (including network management systems and authorized vulnerability scanners) or an attacker (or automated malicious code, such as a worm) trying to enumerate potential hosts for subsequent compromise. Scans are often the prelude to an attack, and services scanned by attackers usually indicate known vulnerabilities for those services. Types of port scans include connect() scans, SYN scans, stealth scans, bounce scans, XMAS and Null scans. All reveal to the attacker which services on what hosts are listening for connections. Scans may be launched from compromised hosts, and their sources may be forged.|ipv4 hash:ip|10 unique IPs|updated every 1 day from [this link](https://atlas.arbor.net/summary/scans.csv)
|
||||
[atlas_scans_2d](http://iplists.firehol.org/?ipset=atlas_scans_2d)|[ATLAS Scans](https://atlas.arbor.net/summary/scans) - Host scanning is a process whereby automated network sweeps are initiated in search of hosts running a particular service. This may be indicative of either legitimate host scanners (including network management systems and authorized vulnerability scanners) or an attacker (or automated malicious code, such as a worm) trying to enumerate potential hosts for subsequent compromise. Scans are often the prelude to an attack, and services scanned by attackers usually indicate known vulnerabilities for those services. Types of port scans include connect() scans, SYN scans, stealth scans, bounce scans, XMAS and Null scans. All reveal to the attacker which services on what hosts are listening for connections. Scans may be launched from compromised hosts, and their sources may be forged.|ipv4 hash:ip|21 unique IPs|updated every 1 day from [this link](https://atlas.arbor.net/summary/scans.csv)
|
||||
|
|
@ -288,14 +288,14 @@ bambenek_p2pgoz|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/
|
|||
[bi_sql_2_30d](http://iplists.firehol.org/?ipset=bi_sql_2_30d)|[BadIPs.com](https://www.badips.com/) Bad IPs in category sql with score above 2 and age less than 30d|ipv4 hash:ip|0 unique IPs|updated every 1 day from [this link](https://www.badips.com/get/list/sql/2?age=30d)
|
||||
[bi_ssh_2_30d](http://iplists.firehol.org/?ipset=bi_ssh_2_30d)|[BadIPs.com](https://www.badips.com/) Bad IPs in category ssh with score above 2 and age less than 30d|ipv4 hash:ip|8887 unique IPs|updated every 1 day from [this link](https://www.badips.com/get/list/ssh/2?age=30d)
|
||||
[bi_voip_2_30d](http://iplists.firehol.org/?ipset=bi_voip_2_30d)|[BadIPs.com](https://www.badips.com/) Bad IPs in category voip with score above 2 and age less than 30d|ipv4 hash:ip|86 unique IPs|updated every 1 day from [this link](https://www.badips.com/get/list/voip/2?age=30d)
|
||||
[bitcoin_blockchain_info](http://iplists.firehol.org/?ipset=bitcoin_blockchain_info)|[Blockchain.info](https://blockchain.info/en/connected-nodes) Bitcoin nodes connected to Blockchain.info.|ipv4 hash:ip|185 unique IPs|updated every 10 mins from [this link](https://blockchain.info/en/connected-nodes)
|
||||
[bitcoin_blockchain_info](http://iplists.firehol.org/?ipset=bitcoin_blockchain_info)|[Blockchain.info](https://blockchain.info/en/connected-nodes) Bitcoin nodes connected to Blockchain.info.|ipv4 hash:ip|184 unique IPs|updated every 10 mins from [this link](https://blockchain.info/en/connected-nodes)
|
||||
[bitcoin_blockchain_info_1d](http://iplists.firehol.org/?ipset=bitcoin_blockchain_info_1d)|[Blockchain.info](https://blockchain.info/en/connected-nodes) Bitcoin nodes connected to Blockchain.info.|ipv4 hash:ip|193 unique IPs|updated every 10 mins from [this link](https://blockchain.info/en/connected-nodes)
|
||||
[bitcoin_blockchain_info_30d](http://iplists.firehol.org/?ipset=bitcoin_blockchain_info_30d)|[Blockchain.info](https://blockchain.info/en/connected-nodes) Bitcoin nodes connected to Blockchain.info.|ipv4 hash:ip|4403 unique IPs|updated every 10 mins from [this link](https://blockchain.info/en/connected-nodes)
|
||||
[bitcoin_blockchain_info_7d](http://iplists.firehol.org/?ipset=bitcoin_blockchain_info_7d)|[Blockchain.info](https://blockchain.info/en/connected-nodes) Bitcoin nodes connected to Blockchain.info.|ipv4 hash:ip|1726 unique IPs|updated every 10 mins from [this link](https://blockchain.info/en/connected-nodes)
|
||||
[bitcoin_nodes](http://iplists.firehol.org/?ipset=bitcoin_nodes)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|4226 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
|
||||
[bitcoin_nodes_1d](http://iplists.firehol.org/?ipset=bitcoin_nodes_1d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|5444 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
|
||||
[bitcoin_nodes_30d](http://iplists.firehol.org/?ipset=bitcoin_nodes_30d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|21279 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
|
||||
[bitcoin_nodes_7d](http://iplists.firehol.org/?ipset=bitcoin_nodes_7d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|9053 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
|
||||
[bitcoin_nodes](http://iplists.firehol.org/?ipset=bitcoin_nodes)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|4223 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
|
||||
[bitcoin_nodes_1d](http://iplists.firehol.org/?ipset=bitcoin_nodes_1d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|5447 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
|
||||
[bitcoin_nodes_30d](http://iplists.firehol.org/?ipset=bitcoin_nodes_30d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|21282 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
|
||||
[bitcoin_nodes_7d](http://iplists.firehol.org/?ipset=bitcoin_nodes_7d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|9054 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
|
||||
[blocklist_de](http://iplists.firehol.org/?ipset=blocklist_de)|[Blocklist.de](https://www.blocklist.de/) IPs that have been detected by fail2ban in the last 48 hours|ipv4 hash:ip|21924 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/all.txt)
|
||||
[blocklist_de_apache](http://iplists.firehol.org/?ipset=blocklist_de_apache)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks.|ipv4 hash:ip|9311 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/apache.txt)
|
||||
[blocklist_de_bots](http://iplists.firehol.org/?ipset=blocklist_de_bots)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on a open Forum or Wiki).|ipv4 hash:ip|1683 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/bots.txt)
|
||||
|
|
@ -316,10 +316,10 @@ bambenek_p2pgoz|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/
|
|||
[blueliv_crimeserver_recent](http://iplists.firehol.org/?ipset=blueliv_crimeserver_recent)|[blueliv.com](https://www.blueliv.com/) Recent Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)|ipv4 hash:ip|37 unique IPs|updated every 1 day from [this link](https://freeapi.blueliv.com/v1/crimeserver/recent)
|
||||
[bm_tor](http://iplists.firehol.org/?ipset=bm_tor)|[torstatus.blutmagie.de](https://torstatus.blutmagie.de) list of all TOR network servers|ipv4 hash:ip|6894 unique IPs|updated every 30 mins from [this link](https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv)
|
||||
[bogons](http://iplists.firehol.org/?ipset=bogons)|[Team-Cymru.org](http://www.team-cymru.org) private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598 and netblocks that have not been allocated to a regional internet registry|ipv4 hash:net|13 subnets, 592708608 unique IPs|updated every 1 day from [this link](http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt)
|
||||
[botscout](http://iplists.firehol.org/?ipset=botscout)|[BotScout](http://botscout.com/) helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.|ipv4 hash:ip|37 unique IPs|updated every 30 mins from [this link](http://botscout.com/last_caught_cache.htm)
|
||||
[botscout_1d](http://iplists.firehol.org/?ipset=botscout_1d)|[BotScout](http://botscout.com/) helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.|ipv4 hash:ip|1195 unique IPs|updated every 30 mins from [this link](http://botscout.com/last_caught_cache.htm)
|
||||
[botscout_30d](http://iplists.firehol.org/?ipset=botscout_30d)|[BotScout](http://botscout.com/) helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.|ipv4 hash:ip|13230 unique IPs|updated every 30 mins from [this link](http://botscout.com/last_caught_cache.htm)
|
||||
[botscout_7d](http://iplists.firehol.org/?ipset=botscout_7d)|[BotScout](http://botscout.com/) helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.|ipv4 hash:ip|4409 unique IPs|updated every 30 mins from [this link](http://botscout.com/last_caught_cache.htm)
|
||||
[botscout](http://iplists.firehol.org/?ipset=botscout)|[BotScout](http://botscout.com/) helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.|ipv4 hash:ip|64 unique IPs|updated every 30 mins from [this link](http://botscout.com/last_caught_cache.htm)
|
||||
[botscout_1d](http://iplists.firehol.org/?ipset=botscout_1d)|[BotScout](http://botscout.com/) helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.|ipv4 hash:ip|1200 unique IPs|updated every 30 mins from [this link](http://botscout.com/last_caught_cache.htm)
|
||||
[botscout_30d](http://iplists.firehol.org/?ipset=botscout_30d)|[BotScout](http://botscout.com/) helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.|ipv4 hash:ip|13243 unique IPs|updated every 30 mins from [this link](http://botscout.com/last_caught_cache.htm)
|
||||
[botscout_7d](http://iplists.firehol.org/?ipset=botscout_7d)|[BotScout](http://botscout.com/) helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently-caught bots.|ipv4 hash:ip|4416 unique IPs|updated every 30 mins from [this link](http://botscout.com/last_caught_cache.htm)
|
||||
[botvrij_dst](http://iplists.firehol.org/?ipset=botvrij_dst)|[botvrij.eu](http://www.botvrij.eu/) Indicators of Compromise (IOCS) about malicious destination IPs, gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed.|ipv4 hash:ip|333 unique IPs|updated every 1 day from [this link](http://www.botvrij.eu/data/ioclist.ip-dst.raw)
|
||||
[botvrij_src](http://iplists.firehol.org/?ipset=botvrij_src)|[botvrij.eu](http://www.botvrij.eu/) Indicators of Compromise (IOCS) about malicious source IPs, gathered via open source information feeds (blog pages and PDF documents) and then consolidated into different datasets. To ensure the quality of the data all entries older than approx. 6 months are removed.|ipv4 hash:ip|0 unique IPs|updated every 1 day from [this link](http://www.botvrij.eu/data/ioclist.ip-src.raw)
|
||||
[bruteforceblocker](http://iplists.firehol.org/?ipset=bruteforceblocker)|[danger.rulez.sk bruteforceblocker](http://danger.rulez.sk/index.php/bruteforceblocker/) (fail2ban alternative for SSH on OpenBSD). This is an automatically generated list from users reporting failed authentication attempts. An IP seems to be included if 3 or more users report it. Its retention pocily seems 30 days.|ipv4 hash:ip|1408 unique IPs|updated every 3 hours from [this link](http://danger.rulez.sk/projects/bruteforceblocker/blist.php)
|
||||
|
|
@ -331,18 +331,18 @@ bambenek_p2pgoz|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/
|
|||
[cleanmx_phishing](http://iplists.firehol.org/?ipset=cleanmx_phishing)|[Clean-MX.de](http://support.clean-mx.de/) IPs sending phishing messages|ipv4 hash:ip|4519 unique IPs|updated every 30 mins from [this link](http://support.clean-mx.de/clean-mx/xmlphishing?response=alive&format=csv&domain=)
|
||||
[cleanmx_viruses](http://iplists.firehol.org/?ipset=cleanmx_viruses)|[Clean-MX.de](http://support.clean-mx.de/clean-mx/viruses.php) IPs with viruses|ipv4 hash:ip|12190 unique IPs|updated every 30 mins from [this link](http://support.clean-mx.de/clean-mx/xmlviruses.php?response=alive&fields=ip)
|
||||
[cleantalk](http://iplists.firehol.org/?ipset=cleantalk)|[CleanTalk](https://cleantalk.org/) Today's HTTP Spammers (includes: cleantalk_new cleantalk_updated)|ipv4 hash:ip|3071 unique IPs|
|
||||
[cleantalk_1d](http://iplists.firehol.org/?ipset=cleantalk_1d)|[CleanTalk](https://cleantalk.org/) Today's HTTP Spammers (includes: cleantalk_new_1d cleantalk_updated_1d)|ipv4 hash:ip|7461 unique IPs|
|
||||
[cleantalk_1d](http://iplists.firehol.org/?ipset=cleantalk_1d)|[CleanTalk](https://cleantalk.org/) Today's HTTP Spammers (includes: cleantalk_new_1d cleantalk_updated_1d)|ipv4 hash:ip|7457 unique IPs|
|
||||
[cleantalk_30d](http://iplists.firehol.org/?ipset=cleantalk_30d)|[CleanTalk](https://cleantalk.org/) Today's HTTP Spammers (includes: cleantalk_new_30d cleantalk_updated_30d)|ipv4 hash:ip|66508 unique IPs|
|
||||
[cleantalk_7d](http://iplists.firehol.org/?ipset=cleantalk_7d)|[CleanTalk](https://cleantalk.org/) Today's HTTP Spammers (includes: cleantalk_new_7d cleantalk_updated_7d)|ipv4 hash:ip|20416 unique IPs|
|
||||
[cleantalk_7d](http://iplists.firehol.org/?ipset=cleantalk_7d)|[CleanTalk](https://cleantalk.org/) Today's HTTP Spammers (includes: cleantalk_new_7d cleantalk_updated_7d)|ipv4 hash:ip|20419 unique IPs|
|
||||
[cleantalk_new](http://iplists.firehol.org/?ipset=cleantalk_new)|[CleanTalk](https://cleantalk.org/) Recent HTTP Spammers|ipv4 hash:ip|1071 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/submited_today)
|
||||
[cleantalk_new_1d](http://iplists.firehol.org/?ipset=cleantalk_new_1d)|[CleanTalk](https://cleantalk.org/) Recent HTTP Spammers|ipv4 hash:ip|2194 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/submited_today)
|
||||
[cleantalk_new_30d](http://iplists.firehol.org/?ipset=cleantalk_new_30d)|[CleanTalk](https://cleantalk.org/) Recent HTTP Spammers|ipv4 hash:ip|43008 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/submited_today)
|
||||
[cleantalk_new_7d](http://iplists.firehol.org/?ipset=cleantalk_new_7d)|[CleanTalk](https://cleantalk.org/) Recent HTTP Spammers|ipv4 hash:ip|9452 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/submited_today)
|
||||
[cleantalk_top20](http://iplists.firehol.org/?ipset=cleantalk_top20)|[CleanTalk](https://cleantalk.org/) Top 20 HTTP Spammers|ipv4 hash:ip|20 unique IPs|updated every 1 day from [this link](https://cleantalk.org/blacklists/top20)
|
||||
[cleantalk_updated](http://iplists.firehol.org/?ipset=cleantalk_updated)|[CleanTalk](https://cleantalk.org/) Recurring HTTP Spammers|ipv4 hash:ip|2000 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/updated_today)
|
||||
[cleantalk_updated_1d](http://iplists.firehol.org/?ipset=cleantalk_updated_1d)|[CleanTalk](https://cleantalk.org/) Recurring HTTP Spammers|ipv4 hash:ip|6343 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/updated_today)
|
||||
[cleantalk_updated_30d](http://iplists.firehol.org/?ipset=cleantalk_updated_30d)|[CleanTalk](https://cleantalk.org/) Recurring HTTP Spammers|ipv4 hash:ip|31398 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/updated_today)
|
||||
[cleantalk_updated_7d](http://iplists.firehol.org/?ipset=cleantalk_updated_7d)|[CleanTalk](https://cleantalk.org/) Recurring HTTP Spammers|ipv4 hash:ip|14389 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/updated_today)
|
||||
[cleantalk_updated_1d](http://iplists.firehol.org/?ipset=cleantalk_updated_1d)|[CleanTalk](https://cleantalk.org/) Recurring HTTP Spammers|ipv4 hash:ip|6333 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/updated_today)
|
||||
[cleantalk_updated_30d](http://iplists.firehol.org/?ipset=cleantalk_updated_30d)|[CleanTalk](https://cleantalk.org/) Recurring HTTP Spammers|ipv4 hash:ip|31400 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/updated_today)
|
||||
[cleantalk_updated_7d](http://iplists.firehol.org/?ipset=cleantalk_updated_7d)|[CleanTalk](https://cleantalk.org/) Recurring HTTP Spammers|ipv4 hash:ip|14390 unique IPs|updated every 15 mins from [this link](https://cleantalk.org/blacklists/updated_today)
|
||||
[continent_af](http://iplists.firehol.org/?ipset=continent_af)|Africa (AF), with countries: Rwanda (RW), Somalia (SO), Tanzania (TZ), Kenya (KE), Congo (CD), Djibouti (DJ), Uganda (UG), Central African Republic (CF), Seychelles (SC), Ethiopia (ET), Eritrea (ER), Egypt (EG), Sudan (SD), Burundi (BI), Zimbabwe (ZW), Zambia (ZM), Comoros (KM), Malawi (MW), Lesotho (LS), Botswana (BW), Mauritius (MU), Swaziland (SZ), Réunion (RE), South Africa (ZA), Mayotte (YT), Mozambique (MZ), Madagascar (MG), Libya (LY), Cameroon (CM), Senegal (SN), Republic of the Congo (CG), Liberia (LR), Ivory Coast (CI), Ghana (GH), Equatorial Guinea (GQ), Nigeria (NG), Burkina Faso (BF), Togo (TG), Guinea-Bissau (GW), Mauritania (MR), Benin (BJ), Gabon (GA), Sierra Leone (SL), São Tomé and Príncipe (ST), Gambia (GM), Guinea (GN), Chad (TD), Niger (NE), Mali (ML), Tunisia (TN), Morocco (MA), Algeria (DZ), Angola (AO), Namibia (NA), Saint Helena (SH), Cape Verde (CV), South Sudan (SS), -- [MaxMind GeoLite2](http://dev.maxmind.com/geoip/geoip2/geolite2/)|ipv4 hash:net|2744 subnets, 94817313 unique IPs|updated every 7 days from [this link](http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip)
|
||||
[continent_an](http://iplists.firehol.org/?ipset=continent_an)|Antarctica (AN), with countries: French Southern Territories (TF), South Georgia and the South Sandwich Islands (GS), Antarctica (AQ), -- [MaxMind GeoLite2](http://dev.maxmind.com/geoip/geoip2/geolite2/)|ipv4 hash:net|14 subnets, 1331 unique IPs|updated every 7 days from [this link](http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip)
|
||||
[continent_as](http://iplists.firehol.org/?ipset=continent_as)|Asia (AS), with countries: Yemen (YE), Iraq (IQ), Saudi Arabia (SA), Iran (IR), Syria (SY), Armenia (AM), Hashemite Kingdom of Jordan (JO), Lebanon (LB), Kuwait (KW), Oman (OM), Qatar (QA), Bahrain (BH), United Arab Emirates (AE), Israel (IL), Turkey (TR), Azerbaijan (AZ), Georgia (GE), Afghanistan (AF), Pakistan (PK), Bangladesh (BD), Turkmenistan (TM), Tajikistan (TJ), Sri Lanka (LK), Bhutan (BT), India (IN), Maldives (MV), British Indian Ocean Territory (IO), Nepal (NP), Myanmar (Burma) (MM), Uzbekistan (UZ), Kazakhstan (KZ), Kyrgyzstan (KG), Cocos (Keeling) Islands (CC), Vietnam (VN), Thailand (TH), Indonesia (ID), Laos (LA), Taiwan (TW), Philippines (PH), Malaysia (MY), China (CN), Hong Kong (HK), Brunei (BN), Macao (MO), Cambodia (KH), Republic of Korea (KR), Japan (JP), North Korea (KP), Singapore (SG), Mongolia (MN), Christmas Island (CX), Palestine (PS), (), -- [MaxMind GeoLite2](http://dev.maxmind.com/geoip/geoip2/geolite2/)|ipv4 hash:net|22181 subnets, 883382437 unique IPs|updated every 7 days from [this link](http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip)
|
||||
|
|
@ -600,7 +600,7 @@ bambenek_p2pgoz|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/
|
|||
[dataplane_sipquery](http://iplists.firehol.org/?ipset=dataplane_sipquery)|[DataPlane.org](https://dataplane.org/) IP addresses that has been seen initiating a SIP OPTIONS query to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SIP server cataloging or conducting various forms of telephony abuse.|ipv4 hash:ip|334 unique IPs|updated every 1 hour from [this link](https://dataplane.org/sipquery.txt)
|
||||
[dataplane_sshclient](http://iplists.firehol.org/?ipset=dataplane_sshclient)|[DataPlane.org](https://dataplane.org/) IP addresses that has been seen initiating an SSH connection to a remote host. This report lists hosts that are suspicious of more than just port scanning. These hosts may be SSH server cataloging or conducting authentication attack attempts.|ipv4 hash:ip|3158 unique IPs|updated every 1 hour from [this link](https://dataplane.org/sshclient.txt)
|
||||
[dataplane_sshpwauth](http://iplists.firehol.org/?ipset=dataplane_sshpwauth)|[DataPlane.org](https://dataplane.org/) IP addresses that has been seen attempting to remotely login to a host using SSH password authentication. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks.|ipv4 hash:ip|1367 unique IPs|updated every 1 hour from [this link](https://dataplane.org/sshpwauth.txt)
|
||||
[dm_tor](http://iplists.firehol.org/?ipset=dm_tor)|[dan.me.uk](https://www.dan.me.uk) dynamic list of TOR nodes|ipv4 hash:ip|6891 unique IPs|updated every 30 mins from [this link](https://www.dan.me.uk/torlist/)
|
||||
[dm_tor](http://iplists.firehol.org/?ipset=dm_tor)|[dan.me.uk](https://www.dan.me.uk) dynamic list of TOR nodes|ipv4 hash:ip|6915 unique IPs|updated every 30 mins from [this link](https://www.dan.me.uk/torlist/)
|
||||
[dragon_http](http://iplists.firehol.org/?ipset=dragon_http)|[Dragon Research Group](http://www.dragonresearchgroup.org/) IPs that have been seen sending HTTP requests to Dragon Research Pods in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious HTTP attacks. LEGITIMATE SEARCH ENGINE BOTS MAY BE IN THIS LIST. This report is informational. It is not a blacklist, but some operators may choose to use it to help protect their networks and hosts in the forms of automated reporting and mitigation services.|ipv4 hash:net|219 subnets, 59136 unique IPs|updated every 1 hour from [this link](http://www.dragonresearchgroup.org/insight/http-report.txt)
|
||||
[dragon_sshpauth](http://iplists.firehol.org/?ipset=dragon_sshpauth)|[Dragon Research Group](http://www.dragonresearchgroup.org/) IP address that has been seen attempting to remotely login to a host using SSH password authentication, in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks.|ipv4 hash:net|324 subnets, 333 unique IPs|updated every 1 hour from [this link](https://www.dragonresearchgroup.org/insight/sshpwauth.txt)
|
||||
[dragon_vncprobe](http://iplists.firehol.org/?ipset=dragon_vncprobe)|[Dragon Research Group](http://www.dragonresearchgroup.org/) IP address that has been seen attempting to remotely connect to a host running the VNC application service, in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious VNC probes or VNC brute force attacks.|ipv4 hash:net|60 subnets, 60 unique IPs|updated every 1 hour from [this link](https://www.dragonresearchgroup.org/insight/vncprobe.txt)
|
||||
|
|
@ -656,15 +656,15 @@ esentire_burmundisoul_ru|Ursnif Variant CnC|ipv4 hash:ip|disabled|updated every
|
|||
[et_tor](http://iplists.firehol.org/?ipset=et_tor)|[EmergingThreats.net TOR list](http://doc.emergingthreats.net/bin/view/Main/TorRules) of TOR network IPs|ipv4 hash:ip|6880 unique IPs|updated every 12 hours from [this link](http://rules.emergingthreats.net/blockrules/emerging-tor.rules)
|
||||
[feodo](http://iplists.firehol.org/?ipset=feodo)|[Abuse.ch Feodo tracker](https://feodotracker.abuse.ch) trojan includes IPs which are being used by Feodo (also known as Cridex or Bugat) which commits ebanking fraud|ipv4 hash:ip|715 unique IPs|updated every 30 mins from [this link](https://feodotracker.abuse.ch/blocklist/?download=ipblocklist)
|
||||
[feodo_badips](http://iplists.firehol.org/?ipset=feodo_badips)|[Abuse.ch Feodo tracker BadIPs](https://feodotracker.abuse.ch) The Feodo Tracker Feodo BadIP Blocklist only contains IP addresses (IPv4) used as C&C communication channel by the Feodo Trojan version B. These IP addresses are usually servers rented by cybercriminals directly and used for the exclusive purpose of hosting a Feodo C&C server. Hence you should expect no legit traffic to those IP addresses. The site highly recommends you to block/drop any traffic towards any Feodo C&C using the Feodo BadIP Blocklist. Please consider that this blocklist only contains IP addresses used by version B of the Feodo Trojan. C&C communication channels used by version A, version C and version D are not covered by this blocklist.|ipv4 hash:ip|0 unique IPs|updated every 30 mins from [this link](https://feodotracker.abuse.ch/blocklist/?download=badips)
|
||||
[firehol_abusers_1d](http://iplists.firehol.org/?ipset=firehol_abusers_1d)|An ipset made from blocklists that track abusers in the last 24 hours. (includes: botscout_1d cleantalk_new_1d cleantalk_updated_1d php_commenters_1d php_dictionary_1d php_harvesters_1d php_spammers_1d stopforumspam_1d)|ipv4 hash:net|12186 subnets, 12728 unique IPs|
|
||||
[firehol_abusers_30d](http://iplists.firehol.org/?ipset=firehol_abusers_30d)|An ipset made from blocklists that track abusers in the last 30 days. (includes: cleantalk_new_30d cleantalk_updated_30d php_commenters_30d php_dictionary_30d php_harvesters_30d php_spammers_30d stopforumspam sblam)|ipv4 hash:net|199756 subnets, 212586 unique IPs|
|
||||
[firehol_anonymous](http://iplists.firehol.org/?ipset=firehol_anonymous)|An ipset that includes all the anonymizing IPs of the world. (includes: anonymous bm_tor dm_tor firehol_proxies tor_exits)|ipv4 hash:net|39370 subnets, 46420 unique IPs|
|
||||
[firehol_abusers_1d](http://iplists.firehol.org/?ipset=firehol_abusers_1d)|An ipset made from blocklists that track abusers in the last 24 hours. (includes: botscout_1d cleantalk_new_1d cleantalk_updated_1d php_commenters_1d php_dictionary_1d php_harvesters_1d php_spammers_1d stopforumspam_1d)|ipv4 hash:net|12186 subnets, 12725 unique IPs|
|
||||
[firehol_abusers_30d](http://iplists.firehol.org/?ipset=firehol_abusers_30d)|An ipset made from blocklists that track abusers in the last 30 days. (includes: cleantalk_new_30d cleantalk_updated_30d php_commenters_30d php_dictionary_30d php_harvesters_30d php_spammers_30d stopforumspam sblam)|ipv4 hash:net|199757 subnets, 212588 unique IPs|
|
||||
[firehol_anonymous](http://iplists.firehol.org/?ipset=firehol_anonymous)|An ipset that includes all the anonymizing IPs of the world. (includes: anonymous bm_tor dm_tor firehol_proxies tor_exits)|ipv4 hash:net|39450 subnets, 46500 unique IPs|
|
||||
[firehol_level1](http://iplists.firehol.org/?ipset=firehol_level1)|A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: bambenek_c2 dshield feodo fullbogons palevo spamhaus_drop spamhaus_edrop sslbl zeus_badips ransomware_rw)|ipv4 hash:net|17218 subnets, 662542731 unique IPs|
|
||||
[firehol_level2](http://iplists.firehol.org/?ipset=firehol_level2)|An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow openbl_1d virbl)|ipv4 hash:net|14913 subnets, 32027 unique IPs|
|
||||
[firehol_level2](http://iplists.firehol.org/?ipset=firehol_level2)|An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow openbl_1d virbl)|ipv4 hash:net|14915 subnets, 32029 unique IPs|
|
||||
[firehol_level3](http://iplists.firehol.org/?ipset=firehol_level3)|An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs than have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dragon_http dragon_sshpauth dragon_vncprobe dshield_30d dshield_top_1000 malc0de maxmind_proxy_fraud myip openbl_30d shunlist snort_ipfilter sslbl_aggressive talosintel_ipfilter zeus vxvault)|ipv4 hash:net|23748 subnets, 128604 unique IPs|
|
||||
[firehol_level4](http://iplists.firehol.org/?ipset=firehol_level4)|An ipset made from blocklists that track attacks, but may include a large number of false positives. (includes: cleanmx_viruses blocklist_net_ua botscout_30d cruzit_web_attacks cybercrime haley_ssh iblocklist_hijacked iblocklist_spyware iblocklist_webexploit ipblacklistcloud_top iw_wormlist malwaredomainlist)|ipv4 hash:net|75464 subnets, 9571263 unique IPs|
|
||||
[firehol_level4](http://iplists.firehol.org/?ipset=firehol_level4)|An ipset made from blocklists that track attacks, but may include a large number of false positives. (includes: cleanmx_viruses blocklist_net_ua botscout_30d cruzit_web_attacks cybercrime haley_ssh iblocklist_hijacked iblocklist_spyware iblocklist_webexploit ipblacklistcloud_top iw_wormlist malwaredomainlist)|ipv4 hash:net|75477 subnets, 9571276 unique IPs|
|
||||
[firehol_proxies](http://iplists.firehol.org/?ipset=firehol_proxies)|An ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days. (includes: iblocklist_proxies maxmind_proxy_fraud proxylists_30d proxyrss_30d proxz_30d proxyspy_30d ri_connect_proxies_30d ri_web_proxies_30d socks_proxy_30d sslproxies_30d xroxy_30d)|ipv4 hash:net|32737 subnets, 33555 unique IPs|
|
||||
[firehol_webclient](http://iplists.firehol.org/?ipset=firehol_webclient)|An IP blacklist made from blocklists that track IPs that a web client should never talk to. This list is to be used on top of firehol_level1. (includes: ransomware_online sslbl_aggressive cybercrime atlas_phishing_2d atlas_fastflux_2d dyndns_ponmocup maxmind_proxy_fraud)|ipv4 hash:net|11938 subnets, 12018 unique IPs|
|
||||
[firehol_webclient](http://iplists.firehol.org/?ipset=firehol_webclient)|An IP blacklist made from blocklists that track IPs that a web client should never talk to. This list is to be used on top of firehol_level1. (includes: ransomware_online sslbl_aggressive cybercrime atlas_phishing_2d atlas_fastflux_2d dyndns_ponmocup maxmind_proxy_fraud)|ipv4 hash:net|11937 subnets, 12017 unique IPs|
|
||||
[firehol_webserver](http://iplists.firehol.org/?ipset=firehol_webserver)|A web server IP blacklist made from blocklists that track IPs that should never be your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous). (includes: hphosts_emd hphosts_exp hphosts_fsa hphosts_hjk hphosts_psh hphosts_wrz maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)|ipv4 hash:net|50583 subnets, 50960158 unique IPs|
|
||||
[fullbogons](http://iplists.firehol.org/?ipset=fullbogons)|[Team-Cymru.org](http://www.team-cymru.org) IP space that has been allocated to an RIR, but not assigned by that RIR to an actual ISP or other end-user|ipv4 hash:net|3760 subnets, 636477992 unique IPs|updated every 1 day from [this link](http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt)
|
||||
[geolite2_country](https://github.com/firehol/blocklist-ipsets/tree/master/geolite2_country)|[MaxMind GeoLite2](http://dev.maxmind.com/geoip/geoip2/geolite2/) databases are free IP geolocation databases comparable to, but less accurate than, MaxMind’s GeoIP2 databases. They include IPs per country, IPs per continent, IPs used by anonymous services (VPNs, Proxies, etc) and Satellite Providers.|ipv4 hash:net|All the world|updated every 7 days from [this link](http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip)
|
||||
|
|
@ -672,7 +672,7 @@ esentire_burmundisoul_ru|Ursnif Variant CnC|ipv4 hash:ip|disabled|updated every
|
|||
[gpf_comics](http://iplists.firehol.org/?ipset=gpf_comics)|The GPF DNS Block List is a list of IP addresses on the Internet that have attacked the [GPF Comics](http://www.gpf-comics.com/) family of Web sites. IPs on this block list have been banned from accessing all of our servers because they were caught in the act of spamming, attempting to exploit our scripts, scanning for vulnerabilities, or consuming resources to the detriment of our human visitors.|ipv4 hash:ip|3348 unique IPs|updated every 1 day from [this link](https://www.gpf-comics.com/dnsbl/export.php)
|
||||
[graphiclineweb](http://iplists.firehol.org/?ipset=graphiclineweb)|[GraphiclineWeb](https://graphiclineweb.wordpress.com/tech-notes/ip-blacklist/) The IP’s, Hosts and Domains listed in this table are banned universally from accessing websites controlled by the maintainer. Some form of bad activity has been seen from the addresses listed. Bad activity includes: unwanted spiders, rule breakers, comment spammers, trackback spammers, spambots, hacker bots, registration bots and other scripting attackers, harvesters, nuisance spiders, spy bots and organisations spying on websites for commercial reasons.|ipv4 hash:net|2579 subnets, 330527 unique IPs|updated every 1 day from [this link](https://graphiclineweb.wordpress.com/tech-notes/ip-blacklist/)
|
||||
[graphiclineweb](http://iplists.firehol.org/?ipset=graphiclineweb)|[GraphiclineWeb](https://graphiclineweb.wordpress.com/tech-notes/ip-blacklist/) The IP’s, Hosts and Domains listed in this table are banned universally from accessing websites controlled by the maintainer. Some form of bad activity has been seen from the addresses listed. Bad activity includes: unwanted spiders, rule breakers, comment spammers, trackback spammers, spambots, hacker bots, registration bots and other scripting attackers, harvesters, nuisance spiders, spy bots and organisations spying on websites for commercial reasons.|ipv4 hash:net|2579 subnets, 330527 unique IPs|updated every 1 day from [this link](https://graphiclineweb.wordpress.com/tech-notes/ip-blacklist/)
|
||||
[greensnow](http://iplists.firehol.org/?ipset=greensnow)|[GreenSnow](https://greensnow.co/) is a team harvesting a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Their list is updated automatically and you can withdraw at any time your IP address if it has been listed. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, etc.|ipv4 hash:ip|1933 unique IPs|updated every 30 mins from [this link](http://blocklist.greensnow.co/greensnow.txt)
|
||||
[greensnow](http://iplists.firehol.org/?ipset=greensnow)|[GreenSnow](https://greensnow.co/) is a team harvesting a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Their list is updated automatically and you can withdraw at any time your IP address if it has been listed. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, etc.|ipv4 hash:ip|1934 unique IPs|updated every 30 mins from [this link](http://blocklist.greensnow.co/greensnow.txt)
|
||||
[haley_ssh](http://iplists.firehol.org/?ipset=haley_ssh)|[Charles Haley](http://charles.the-haleys.org) IPs launching SSH dictionary attacks.|ipv4 hash:ip|22549 unique IPs|updated every 4 hours from [this link](http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt)
|
||||
[hphosts_ats](http://iplists.firehol.org/?ipset=hphosts_ats)|[hpHosts](http://hosts-file.net/?s=Download) ad/tracking servers listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.|ipv4 hash:ip|15711 unique IPs|updated every 1 day from [this link](http://hosts-file.net/ad_servers.txt)
|
||||
[hphosts_emd](http://iplists.firehol.org/?ipset=hphosts_emd)|[hpHosts](http://hosts-file.net/?s=Download) malware sites listed in the hpHosts database. The maintainer's file contains hostnames, which have been DNS resolved to IP addresses.|ipv4 hash:ip|22077 unique IPs|updated every 1 day from [this link](http://hosts-file.net/emd.txt)
|
||||
|
|
@ -1271,10 +1271,10 @@ php_bad|[projecthoneypot.org](http://www.projecthoneypot.org/?rf=192670) bad web
|
|||
[php_spammers_1d](http://iplists.firehol.org/?ipset=php_spammers_1d)|[projecthoneypot.org](http://www.projecthoneypot.org/?rf=192670) spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)|ipv4 hash:ip|50 unique IPs|updated every 1 hour from [this link](http://www.projecthoneypot.org/list_of_ips.php?t=s&rss=1)
|
||||
[php_spammers_30d](http://iplists.firehol.org/?ipset=php_spammers_30d)|[projecthoneypot.org](http://www.projecthoneypot.org/?rf=192670) spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)|ipv4 hash:ip|1211 unique IPs|updated every 1 hour from [this link](http://www.projecthoneypot.org/list_of_ips.php?t=s&rss=1)
|
||||
[php_spammers_7d](http://iplists.firehol.org/?ipset=php_spammers_7d)|[projecthoneypot.org](http://www.projecthoneypot.org/?rf=192670) spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)|ipv4 hash:ip|329 unique IPs|updated every 1 hour from [this link](http://www.projecthoneypot.org/list_of_ips.php?t=s&rss=1)
|
||||
[proxylists](http://iplists.firehol.org/?ipset=proxylists)|[proxylists.net](http://www.proxylists.net/) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|1165 unique IPs|updated every 1 hour from [this link](http://www.proxylists.net/proxylists.xml)
|
||||
[proxylists_1d](http://iplists.firehol.org/?ipset=proxylists_1d)|[proxylists.net](http://www.proxylists.net/) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|2563 unique IPs|updated every 1 hour from [this link](http://www.proxylists.net/proxylists.xml)
|
||||
[proxylists_30d](http://iplists.firehol.org/?ipset=proxylists_30d)|[proxylists.net](http://www.proxylists.net/) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|8762 unique IPs|updated every 1 hour from [this link](http://www.proxylists.net/proxylists.xml)
|
||||
[proxylists_7d](http://iplists.firehol.org/?ipset=proxylists_7d)|[proxylists.net](http://www.proxylists.net/) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|5488 unique IPs|updated every 1 hour from [this link](http://www.proxylists.net/proxylists.xml)
|
||||
[proxylists](http://iplists.firehol.org/?ipset=proxylists)|[proxylists.net](http://www.proxylists.net/) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|1113 unique IPs|updated every 1 hour from [this link](http://www.proxylists.net/proxylists.xml)
|
||||
[proxylists_1d](http://iplists.firehol.org/?ipset=proxylists_1d)|[proxylists.net](http://www.proxylists.net/) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|2472 unique IPs|updated every 1 hour from [this link](http://www.proxylists.net/proxylists.xml)
|
||||
[proxylists_30d](http://iplists.firehol.org/?ipset=proxylists_30d)|[proxylists.net](http://www.proxylists.net/) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|8767 unique IPs|updated every 1 hour from [this link](http://www.proxylists.net/proxylists.xml)
|
||||
[proxylists_7d](http://iplists.firehol.org/?ipset=proxylists_7d)|[proxylists.net](http://www.proxylists.net/) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|5470 unique IPs|updated every 1 hour from [this link](http://www.proxylists.net/proxylists.xml)
|
||||
[proxyrss](http://iplists.firehol.org/?ipset=proxyrss)|[proxyrss.com](http://www.proxyrss.com) open proxies syndicated from multiple sources.|ipv4 hash:ip|1028 unique IPs|updated every 4 hours from [this link](http://www.proxyrss.com/proxylists/all.gz)
|
||||
[proxyrss_1d](http://iplists.firehol.org/?ipset=proxyrss_1d)|[proxyrss.com](http://www.proxyrss.com) open proxies syndicated from multiple sources.|ipv4 hash:ip|2346 unique IPs|updated every 4 hours from [this link](http://www.proxyrss.com/proxylists/all.gz)
|
||||
[proxyrss_30d](http://iplists.firehol.org/?ipset=proxyrss_30d)|[proxyrss.com](http://www.proxyrss.com) open proxies syndicated from multiple sources.|ipv4 hash:ip|8451 unique IPs|updated every 4 hours from [this link](http://www.proxyrss.com/proxylists/all.gz)
|
||||
|
|
@ -1283,16 +1283,16 @@ php_bad|[projecthoneypot.org](http://www.projecthoneypot.org/?rf=192670) bad web
|
|||
[proxyspy_1d](http://iplists.firehol.org/?ipset=proxyspy_1d)|[ProxySpy](http://spys.ru/en/) open proxies (updated hourly)|ipv4 hash:ip|1169 unique IPs|updated every 1 hour from [this link](http://txt.proxyspy.net/proxy.txt)
|
||||
[proxyspy_30d](http://iplists.firehol.org/?ipset=proxyspy_30d)|[ProxySpy](http://spys.ru/en/) open proxies (updated hourly)|ipv4 hash:ip|6176 unique IPs|updated every 1 hour from [this link](http://txt.proxyspy.net/proxy.txt)
|
||||
[proxyspy_7d](http://iplists.firehol.org/?ipset=proxyspy_7d)|[ProxySpy](http://spys.ru/en/) open proxies (updated hourly)|ipv4 hash:ip|2772 unique IPs|updated every 1 hour from [this link](http://txt.proxyspy.net/proxy.txt)
|
||||
[proxz](http://iplists.firehol.org/?ipset=proxz)|[proxz.com](http://www.proxz.com) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|26 unique IPs|updated every 1 hour from [this link](http://www.proxz.com/proxylists.xml)
|
||||
[proxz_1d](http://iplists.firehol.org/?ipset=proxz_1d)|[proxz.com](http://www.proxz.com) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|237 unique IPs|updated every 1 hour from [this link](http://www.proxz.com/proxylists.xml)
|
||||
[proxz_30d](http://iplists.firehol.org/?ipset=proxz_30d)|[proxz.com](http://www.proxz.com) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|2559 unique IPs|updated every 1 hour from [this link](http://www.proxz.com/proxylists.xml)
|
||||
[proxz_7d](http://iplists.firehol.org/?ipset=proxz_7d)|[proxz.com](http://www.proxz.com) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|965 unique IPs|updated every 1 hour from [this link](http://www.proxz.com/proxylists.xml)
|
||||
[proxz](http://iplists.firehol.org/?ipset=proxz)|[proxz.com](http://www.proxz.com) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|25 unique IPs|updated every 1 hour from [this link](http://www.proxz.com/proxylists.xml)
|
||||
[proxz_1d](http://iplists.firehol.org/?ipset=proxz_1d)|[proxz.com](http://www.proxz.com) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|236 unique IPs|updated every 1 hour from [this link](http://www.proxz.com/proxylists.xml)
|
||||
[proxz_30d](http://iplists.firehol.org/?ipset=proxz_30d)|[proxz.com](http://www.proxz.com) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|2557 unique IPs|updated every 1 hour from [this link](http://www.proxz.com/proxylists.xml)
|
||||
[proxz_7d](http://iplists.firehol.org/?ipset=proxz_7d)|[proxz.com](http://www.proxz.com) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|960 unique IPs|updated every 1 hour from [this link](http://www.proxz.com/proxylists.xml)
|
||||
[pushing_inertia_blocklist](http://iplists.firehol.org/?ipset=pushing_inertia_blocklist)|[Pushing Inertia](https://github.com/pushinginertia/ip-blacklist) IPs of hosting providers that are known to host various bots, spiders, scrapers, etc. to block access from these providers to web servers.|ipv4 hash:net|864 subnets, 50729096 unique IPs|updated every 1 day from [this link](https://raw.githubusercontent.com/pushinginertia/ip-blacklist/master/ip_blacklist.conf)
|
||||
[ransomware_cryptowall_ps](http://iplists.firehol.org/?ipset=ransomware_cryptowall_ps)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is CW_PS_IPBL: CryptoWall Ransomware Payment Sites IP blocklist.|ipv4 hash:ip|0 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/CW_PS_IPBL.txt)
|
||||
[ransomware_feed](http://iplists.firehol.org/?ipset=ransomware_feed)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. The IPs in this list have been extracted from the tracker data feed.|ipv4 hash:ip|4029 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/feeds/csv/)
|
||||
[ransomware_feed](http://iplists.firehol.org/?ipset=ransomware_feed)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. The IPs in this list have been extracted from the tracker data feed.|ipv4 hash:ip|4030 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/feeds/csv/)
|
||||
[ransomware_locky_c2](http://iplists.firehol.org/?ipset=ransomware_locky_c2)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is LY_C2_IPBL: Locky Ransomware C2 URL blocklist.|ipv4 hash:ip|212 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/LY_C2_IPBL.txt)
|
||||
[ransomware_locky_ps](http://iplists.firehol.org/?ipset=ransomware_locky_ps)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is LY_PS_IPBL: Locky Ransomware Payment Sites IP blocklist.|ipv4 hash:ip|6 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/LY_PS_IPBL.txt)
|
||||
[ransomware_online](http://iplists.firehol.org/?ipset=ransomware_online)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. The IPs in this list have been extracted from the tracker data feed, filtering only online IPs.|ipv4 hash:ip|946 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/feeds/csv/)
|
||||
[ransomware_online](http://iplists.firehol.org/?ipset=ransomware_online)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. The IPs in this list have been extracted from the tracker data feed, filtering only online IPs.|ipv4 hash:ip|945 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/feeds/csv/)
|
||||
[ransomware_rw](http://iplists.firehol.org/?ipset=ransomware_rw)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list includes TC_PS_IPBL, LY_C2_IPBL, TL_C2_IPBL, TL_PS_IPBL and it is the recommended blocklist. It might not catch everything, but the false positive rate should be low. However, false positives are possible, especially with regards to RW_IPBL. IP addresses associated with Ransomware Payment Sites (*_PS_IPBL) or Locky botnet C&Cs (LY_C2_IPBL) stay listed on RW_IPBL for a time of 30 days after the last appearence. This means that an IP address stays listed on RW_IPBL even after the threat has been eliminated (e.g. the VPS / server has been suspended by the hosting provider) for another 30 days.|ipv4 hash:ip|11461 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt)
|
||||
[ransomware_teslacrypt_ps](http://iplists.firehol.org/?ipset=ransomware_teslacrypt_ps)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is TC_PS_IPBL: TeslaCrypt Ransomware Payment Sites IP blocklist.|ipv4 hash:ip|10998 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/TC_PS_IPBL.txt)
|
||||
[ransomware_torrentlocker_c2](http://iplists.firehol.org/?ipset=ransomware_torrentlocker_c2)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is TL_C2_IPBL: TorrentLocker Ransomware C2 IP blocklist.|ipv4 hash:ip|27 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/TL_C2_IPBL.txt)
|
||||
|
|
|
|||
Loading…
Reference in New Issue