We have been incorporating more malicious IP address lists into our databases. Here are the details of the new IP blacklists of March 2018: BRUTEFORCEBLOCKER, SSLBL, UCEPROTECT and ZEUS:

BRUTEFORCEBLOCKER – Bruteforce SSH blacklist

BruteForceBlocker is a Perl script that works along with pf, the firewall developed by the OpenBSD team (also available on FreeBSD since version 5.2). Its main purpose is to block SSH bruteforce attacks via the firewall. It checks the sshd logs from syslog, looks for Failed Login attempts (mostly annoying script attacks) and counts the number of such attempts per source. Since BruteForceBlocker 1.2 it is also possible to report blocked IPs to the project site and share your information with other users.

IP addresses in this list are used to perform SSH attacks against end-user services. Sometimes these attacks can be stopped by blocking full access to a website with a firewall, but fine-grained access control at the application level can be necessary.

This blacklist updates every 60 minutes and has an average of 1500 IP addresses.
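As an added example (not BruteForceBlocker's own code), this is the core of what the paragraph above describes: counting failed sshd logins per source IP from syslog lines and rendering the offenders as a pf table file. The threshold, function names and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches sshd failure lines as written to syslog. Both the plain
# "Failed password for <user>" form and the "invalid user <user>" form
# resolve to the same source address.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failed_logins(log_lines):
    """Return a Counter of failed sshd login attempts keyed by source IP."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_lines, threshold=3):
    """IPs whose failure count reaches the threshold (constructed default), sorted."""
    return sorted(ip for ip, n in count_failed_logins(log_lines).items() if n >= threshold)


def pf_table_entries(ips):
    """Render the offenders as a pf table file: one address per line."""
    return "".join(ip + "\n" for ip in ips)


# Constructed sample syslog lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "Mar  3 10:01:02 host sshd[2201]: Failed password for root from 203.0.113.10 port 51022 ssh2",
    "Mar  3 10:01:05 host sshd[2203]: Failed password for invalid user admin from 203.0.113.10 port 51030 ssh2",
    "Mar  3 10:01:09 host sshd[2207]: Failed password for root from 203.0.113.10 port 51041 ssh2",
    "Mar  3 10:02:11 host sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2",
    "Mar  3 10:02:40 host sshd[2215]: Failed password for bob from 198.51.100.7 port 40100 ssh2",
    "Mar  3 10:03:00 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    # A single failure from 198.51.100.7 stays below the threshold; only the
    # repeat offender ends up in the table.
    print(pf_table_entries(offenders(SAMPLE_LOG)), end="")
```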

SSLBL-IP blacklist

SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of ‘bad’ SSL certificates that abuse.ch has identified as associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates. SSLBL offers various types of blacklists that allow you to block bad SSL traffic related to malware or botnet activities (e.g. botnet C&C traffic).

The SSL IP Blacklist contains all hosts (IP addresses) that SSLBL has seen associated with a malicious SSL certificate in the past 30 days.

This blacklist updates every 60 minutes and has an average of 60 IP addresses.

UCEPROTECT-Network Level 1 – Spam IP blacklist

The project’s mission is to stop mail abuse, globally. Every IP address listed expires 7 days after the last abuse is detected. UCEPROTECT-Network’s core database is fed by a cluster of more than 50 UCEPROTECT servers located in Germany, Austria, Switzerland, Canada, and Australia.

3 different BLACKLIST-Levels are distributed by the project and can be downloaded from multiple mirrors, FREE of charge. The Level 1 policy contains only single IP addresses that were used by spammers/abusers.

This blacklist updates every 60 minutes and has an average of 120000 IP addresses.

UCEPROTECT-BACKSCATTERER – Backscatterer IP blacklist

The project’s mission is to stop misdirected bounces and misdirected autoresponders and sender callouts from abusive systems. Backscatter is a type of unsolicited spam/email message that is mistakenly directed to an email inbox. They are disguised as bounce messages so that they are not filtered as spam by the email server. Backscatter is also known as outscatter, misdirected bounces, blowback, and collateral spam.

The listing policy is quite simple: every IP that backscatters is listed for the next 4 weeks. Unfortunately many providers, including big ones, still backscatter. We recommend using this blacklist in SAFE MODE to prevent false positives.

This blacklist updates every 60 minutes and has an average of 9000 IP addresses.

ZEUS-BADIP-IP Blacklist – IP of ZeuS Command&Control

ZeuS Tracker offers various IP blacklists that contain known ZeuS Command&Control (C&C) servers associated with the ZeuS crimeware. ZeuS Tracker offers blacklists in various formats and for different purposes.

This blacklist only includes IPv4 addresses that are used by the ZeuS trojan. It is the recommended blacklist if you want to block only ZeuS IPs. It excludes IP addresses that ZeuS Tracker believes to be hijacked (level 2) or to belong to a free web hosting provider (level 3). Hence the false positive rate should be much lower compared to the ZeuS Standard IP blacklist.

This blacklist updates every 60 minutes and has an average of 100 IP addresses.

ZEUS-STANDARD-IP Blacklist – IP of ZeuS Command&Control

ZeuS Tracker offers various IP blacklists that contain known ZeuS Command&Control (C&C) servers associated with the ZeuS crimeware. ZeuS Tracker offers blacklists in various formats and for different purposes.

This blacklist contains the same data as the ZeuS IP blacklist (BadIPs), with the slight difference that it doesn’t exclude hijacked websites (level 2) and free web hosting providers (level 3). This means that this blacklist contains all IPv4 addresses associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blacklist will likely cause some false positives.

This blacklist updates every 60 minutes and has an average of 100 IP addresses.

How to enable these new lists

If you are new to Apility.io and you have not signed up yet (it’s free!), then you don’t need to do anything, since these lists are enabled by default for all new accounts. If you already have an Apility.io account, then you have to log into the Dashboard and go to Blacklists, where you can enable and disable the lists individually.

[Animated GIF: Apility.io dashboard, toggling the Free Mail blacklist]

As an example, in the animated GIF above we are enabling the Freemail blacklists. You should do the same with your favorite lists in the IP addresses tab.