Free Blocklists of Suspected Malicious IPs and URLs

A curated list of free blocklists containing IP addresses and URLs of systems suspected of malicious activity. Sources include DShield, PhishTank, and others—each with different formats, goals, collection methodologies, and usage restrictions.

Several organizations maintain and publish free blocklists of IP addresses and URLs of systems and networks suspected in malicious activities on-line. Some of these lists have usage restrictions:

Artists Against 419: Lists fraudulent websites
Blackweb Project: Optimized for Squid
CLEAN-MX Realtime Database: XML output available
DShield Blocklist
FireHOL IP Lists: Combines several blocklists from other sources
Google Safe Browsing API: Programmatic access; restrictions apply
MalwareURL List: Commercial service; free licensing options may be available
OpenPhish: Phishing sites; free for non-commercial use
PhishTank Phish Archive: Query database via API
Project Honey Pot’s Directory of Malicious IPs: Registration required to view more than 25 IPs
HoneyDB: Programmatic access available
Scumware.org
StrictBlockPAllebone
URLhaus: Programmatic access available
www.BlockList.de

The lists differ in format, goals, and data collection methodology. Be sure to read about the list before making use of it. Did you notice any blocklist sources that should be on this list, but are missing? Let me know. My other lists of on-line security resources outline Automated Malware Analysis Services and On-Line Tools for Malicious Website Lookups.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →