LOW: Block List Report

DESCRIPTION LAST UPDATED: 2024-09-10

DEFAULT SEVERITY: LOW

This report aggregates listings from a variety of Block/Deny list providers, for end-users’ reference.

The purpose of sharing this information is to alert end-users that specific IP addresses of theirs (or an entire subnet) have been flagged by providers as possibly malicious, and that different services might be affected because of this listing. We are not responsible for the listings in the report; we are only alerting you to the fact that you appear on a third-party listing.

Any concerns about a listing should be directed to the owner of the block list. The presence of data from a block list owner does not constitute any form of endorsement by Shadowserver. We are only informing you of the fact of the listing.

The option to remove any system from a block list will vary by the provider. Some will have a well-documented process, and some will demand payment for removal – note, we do not approve of the “payment for removal” practice.

Note that all timestamps are in UTC+0.

You can learn more about the report in our Block List Report tutorial.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

Filename(s): blocklist

Fields

  • timestamp
    Date and time of the tracked event in UTC+0
  • ip
    IP Address of the device in question or an IP range (CIDR)
  • hostname
    Reverse DNS of the device in question
  • source
    Block list source
  • reason
    Given reason of the block list by the source
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System
  • sector
    Sector the IP belongs to
  • tag
    Additional tags for context, if any
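
One way to triage this report, as an added example that is not Shadowserver's own code: it reads the CSV, treats the ip field as either a single address or a CIDR range, and groups the rows that overlap your own prefixes by block list source. The function name, the MY_PREFIXES list, the source names and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the report's column layout (documentation addresses only).
SAMPLE = '''"timestamp","severity","ip","hostname","source","reason","asn","geo","region","city","naics","sector","tag"
"2010-02-10 00:00:00",low,192.0.2.10,node01.example.com,list-a,"Malicious Host ZZ",64512,ZZ,Region,City,0,,
"2010-02-10 00:00:01",low,198.51.100.0/24,,list-b,"Malicious Host ZZ",64512,ZZ,Region,City,0,,
"2010-02-10 00:00:02",low,203.0.113.5,node03.example.com,list-a,"Malicious Host ZZ",64512,ZZ,Region,City,0,,
"2010-02-10 00:00:03",low,not-an-ip,,list-a,"Malicious Host ZZ",64512,ZZ,Region,City,0,,
'''

# Assumption: the prefixes your organisation is responsible for.
MY_PREFIXES = ["192.0.2.0/24", "198.51.100.128/25"]


def listings_for(report_text, prefixes):
    """Return ({source: [(timestamp, listed_net, reason), ...]}, skipped_ip_values)."""
    mine = [ipaddress.ip_network(p) for p in prefixes]
    by_source = defaultdict(list)
    skipped = []
    for row in csv.DictReader(io.StringIO(report_text)):
        try:
            # strict=False accepts a bare address (becomes /32 or /128) as well
            # as a CIDR range whose host bits are set.
            listed = ipaddress.ip_network(row["ip"].strip(), strict=False)
        except ValueError:
            skipped.append(row["ip"])
            continue
        # overlaps() catches a listed range that covers, or sits inside, our prefix.
        if any(listed.version == n.version and listed.overlaps(n) for n in mine):
            by_source[row["source"] or "(unknown)"].append(
                (row["timestamp"], str(listed), row["reason"]))
    return dict(by_source), skipped


if __name__ == "__main__":
    hits, bad = listings_for(SAMPLE, MY_PREFIXES)
    for source, rows in sorted(hits.items()):
        print(source)
        for ts, net, reason in rows:
            print(f"  {ts} UTC  {net}  {reason}")
    if bad:
        print("unparsed ip values:", bad)
```

Grouping by source matters because removal is handled by each block list owner separately, so each group is a separate delisting request.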

Sample

"timestamp","severity","ip","hostname","source","reason","asn","geo","region","city","naics","sector","tag"
"2010-02-10 00:00:00",low,192.168.0.1,node01.example.com,,"Malicious Host ZZ",64512,ZZ,Region,City,0,"Communications, Service Provider, and Hosting Service",
"2010-02-10 00:00:01",low,192.168.0.2,node02.example.com,,"Malicious Host ZZ",64512,ZZ,Region,City,0,,
"2010-02-10 00:00:02",low,192.168.0.3,node03.example.com,,"Malicious Host ZZ",64512,ZZ,Region,City,0,,
