2010 IP Blacklist

♦ Posted by Jeff Starr in .htaccess, Security

Updated July 17, 2018 • 36 comments

Over the course of each year, I blacklist a considerable number of individual IP addresses. Every day, Perishable Press is hit with countless numbers of spammers, scrapers, crackers and all sorts of other hapless turds. Weekly examinations of my site’s error logs enable me to filter through the chaff and cherry-pick only the most heinous, nefarious attackers for blacklisting. Minor offenses are generally dismissed, but the evil bastards that insist on wasting resources running redundant automated scripts are immediately investigated via IP lookup and denied access via simple htaccess directive:

<Limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 Deny from 123.456.789
</LIMIT>

Although many of the worst attacks happen in randomized, zombie-like fashion, I have found that individual IPs that are not blacklisted will return repeatedly until finally blocked. Yet, despite the short-term success enjoyed by denying access to the most malicious IPs, the long-term futility of such blacklisting reflects the temporary nature of this solution.

Update: Check out the new and improved 2013 IP Blacklist »

In other words, I have found that blocking individual IPs is useful only for limited periods of time. Thus, every year, I gather my code and flush the blacklist of all individually blocked IP addresses. I then start fresh, adding the worst villains to the list, blocking entire IP ranges if necessary, and referring to previous versions of my htaccess files to cross-check suspiciously familiar entities. Eventually, a new blacklist emerges and I share it at Perishable Press. Here is the current version for 2010..

2010 IP Blacklist, Featuring over 100 Blocked IPs

Here is my custom-built IP blacklist for 2010:

# 2010 IP BLACKLIST
<Limit GET POST PUT>
 Order Allow,Deny
 Allow from all
 Deny from 208.120.202.98
 Deny from 208.64.202.134
 Deny from 217.218.166.14
 Deny from 173.65.81.35
 Deny from 77.21.46.241
 Deny from 82.166.163.
 Deny from 85.175.209.175
 Deny from 212.107.136.66
 Deny from 76.70.116.52
 Deny from 70.106.192.200
 Deny from 213.98.214.17
 Deny from 114.58.253.56
 Deny from 70.27.145.208
 Deny from 208.99.193.10
 Deny from 58.243.5.216
 Deny from 146.115.72.39
 Deny from 219.136.130.241
 Deny from 65.208.151.
 Deny from 222.73.173.11
 Deny from 65.55.106.
 Deny from 72.206.102.189
 Deny from 99.159.41.74
 Deny from 188.40.42.199
 Deny from 195.10.218.132
 Deny from 69.116.41.121
 Deny from 84.220.96.39
 Deny from 85.137.90.133
 Deny from 85.137.83.160
 Deny from 91.144.190.35
 Deny from 83.233.165.88
 Deny from 86.35.12.14
 Deny from 24.182.45.28
 Deny from 97.74.24.41
 Deny from 24.182.45.26
 Deny from 211.206.123.177
 Deny from 213.215.116.99
 Deny from 188.40.89.203
 Deny from 65.55.207.
 Deny from 71.95.178.74
 Deny from 98.189.159.150
 Deny from 174.143.3.188
 Deny from 66.96.248.69
 Deny from 71.235.77.152
 Deny from 67.36.185.44
 Deny from 65.242.250.130
 Deny from 194.8.75.
 Deny from 188.26.51.239
 Deny from 118.208.240.173
 Deny from 24.43.155.122
 Deny from 91.149.157.136
 Deny from 88.0.172.95
 Deny from 66.82.9.92
 Deny from 66.63.167.50
 Deny from 208.99
 Deny from 64.219.110.207
 Deny from 98.189.159.153
 Deny from 174.127.132.10
 Deny from 67.185.43.239
 Deny from 83.246.164.78
 Deny from 213.227.252.26
 Deny from 91.213.121.24
 Deny from 96.243.186.28
 Deny from 67.142.164.34
 Deny from 173.58.132.100
 Deny from 59.160.160.9
 Deny from 67.225.242.171
 Deny from 71.34.43.102
 Deny from 67.205.45.142
 Deny from 77.49.61.248
 Deny from 79.174.64.184
 Deny from 207.241.228.162
 Deny from 204.12.192.135
 Deny from 218.24.170.133
 Deny from 200.90.216.146
 Deny from 86.18.88.15
 Deny from 212.225.185.11
 Deny from 76.115.45.61
 Deny from 213.37.57.113
 Deny from 192.117.105.105
 Deny from 69.45.51.98
 Deny from 72.193.217.97
 Deny from 115.133.252.31
 Deny from 117.196.229.254
 Deny from 117.196.234.101
 Deny from 117.196.236.41
 Deny from 77.49.57.214
 Deny from 71.95.178.68
 Deny from 92.233.3.91
 Deny from 76.25.146.62
 Deny from 66.25.140.85
 Deny from 79.103.230.53
 Deny from 76.65.178.130
 Deny from 41.129.5.121
 Deny from 84.40.30.37
 Deny from 110.45.143.142
 Deny from 66.221.63.33
 Deny from 121.254.228.146
 Deny from 222.236.47.182
 Deny from 118.129.170.49
 Deny from 88.191.94.188
 Deny from 62.141.56.136
 Deny from 174.120.219.160
 Deny from 67.222.152.66
 Deny from 92.240.42.10
 Deny from 174.142.75.205
 Deny from 91.142.208.158
 Deny from 64.22.96.66
 Deny from 78.86.185.224
 Deny from 91.205.96.19
 Deny from 202.70.54.115
 Deny from 213.167.96.196
 Deny from 195.117.223.98
 Deny from 85.17.211.164
 Deny from 213.93.38.160
</Limit>

I use this blacklist on all of my sites, which are mostly WordPress, Joomla, and hand-rolled. Just pop it into the root .htaccess file and done. These are some of the worst offenders, so it’s nice knowing that they’re denied access.

How to get on next year’s list

Be a lowlife scumbag who gets off on malicious activity. If you suck enough, you’re going to get caught and appear on a list somewhere. Makes it easy to build effective IP blacklists. But remember that things change quickly, so you should refresh your ban lists as they become available. If you are using my 2007 IP Blacklist, I recommend replacing it with this one.

I’m listening, go a little deeper..

This blacklist was built over the past couple of years. Each week I review and analyze my log files, looking for patterns, noting behavior, checking data, etc. Most of the time attacks are executed simultaneously from multiple unique IPs. It’s futile to chase these “zombie” IPs around, but there are plenty of autonomous machines acting stupid to make IP blocking worthwhile.

Why so bad?

Because these IPs were associated with some seriously messed up behavior. Scanning through thousands of error logs, you see a lot of nasty stuff. Most of it seems very deliberate, hit or miss kind of activity. Other requests are just plain evil. Then there are the relentless “DoS”-like attacks. But in every crop of logs, there are those nefarious IPs that are both relentless and evil.

I’m sold. Wrap it up with an example

For example, one IP in the blacklist was recorded on July 22nd, 2009, as hitting my server 4783 times with all sorts of evil scripted payload. Most of the malicious requests are now blocked in the upcoming 5G Blacklist, but the IP address was consistent throughout the attack, so we block it as well. That’s the kind of stuff we’re blocking with the 2010 IP Blacklist.

Plaintxt for EZ Updates

To make things easier, I’ve uploaded a plain-text version of the 2010 IP Blacklist. The text file contains the IP addresses only, each on its own line. I will try to keep this file updated with fresh data as it becomes available. I will also post some of my other blacklists in plaintxt format and keep those updated as well. Any of these files may be used in your own security/blacklist scripts as a source of data. It’s nice to automate this kind of stuff, but you still want to keep an eye on my feed for news of updates.

Grab the plain-text version of the IP blacklist »

Thanks to Eric Marden for the “plaintxt” suggestion!

blacklist ip spam websites

About the Author

Jeff Starr = Web Developer. Security Specialist. WordPress Buff.

36 responses to “2010 IP Blacklist”

Jeff Starr 2010/08/31 1:06 pm • Post Author

Hi Micah, have you cross-referenced the visitor IPs with your server access/error logs and also with the blacklist? All three should match and correspond to some event in the logbok such as the “410 – Gone” error. Also keep in mind that some of these users are working from infested machines, so they may not be the only ones using it. I hope this helps!

Daniel 2010/11/09 1:34 pm

Is it mandatory to write the line?

Ambassador of Rock 2011/02/24 12:30 pm

What about using fail2ban? Over time, would this not build the same list?

Chris 2011/05/29 6:49 pm

When I add this to my .htaccess file it breaks the site, no matter where I put it or whether or not I have any IPs listed. I’m adding this to the .htaccess in the root.

Pali Madra 2011/06/22 6:07 am

I was just curious to know if the list at https://perishablepress.com/blacklist/ip.txt is still being updated or not?

@jeff if the list is updated what is the method used to update the list. Is there a dynamic way by which the list can be updated? (looking for some magic!).

Great job.

Thanks.

Jeff Starr 2011/06/22 10:02 am • Post Author

Yes, I just updated that ip.txt file about a month ago, just haven’t a lot of time for doing more with it lately. I’ll be adding another block here soon with the latest batch of bad guys.

There are dynamic ways of setting up and using blacklists using PHP et al, but I hand-cultivate my lists for maximum freshness.

Marty Thornley 2011/07/12 11:57 am

Hey Jeff,
Looking for a good spam blocker so once again am back at your site looking for answers..

I have an IP to add to your list. One blog in my muslitsite install is being hit with huge amounts of spam. We are catching it and it ends up marked spam but still eats up the database. He had 25,000 + spam comments, 1200+ pages of them! Within ten minutes of deleting, there were 10 more already there.

Almost all are coming from these IP’s
46.4.104.73
46.4.114.8
46.4.107.79
46.4.84.242

You can see the pattern, multiple from each individual IP but all coming from 46.4.

Any help on adding this to htaccess mucho appreciated!

Jeff Starr 2011/07/12 1:03 pm • Post Author

Hey Marty, this will work to block the entire lot of IPs:

<Limit GET POST PUT>
   Order Allow,Deny
   Allow from all
   Deny from 46.4
</Limit>

Just add to the root htaccess file and you’re all set. You could even get more specific to avoid blocking as many IPs as possible.

<Limit GET POST PUT>
   Order Allow,Deny
   Allow from all
   Deny from 46.4.1
   Deny from 46.4.8
</Limit>

And so forth. There are other ways to blacklist as well, just in case they start using a different IP address.

Good luck!

Marty Thornley 2011/07/12 10:45 pm

Thank you for the quick answer!

That seemed to solve it. For now at least. Added your whole IP list and 4g list as well. :)

George 2011/10/04 4:17 am

Hi Jeff,

Do you have a good way of blocking incoming connections from proxy servers which don’t modify the HTTP headers? You posted an article before that relied on modified headers such as X_FORWARDED_FOR but sites such as quickprox.info simply forward the headers from the client’s browser verbatim.

urlblacklist.com has a decent blacklist but it’s over 65,000 domains and would be even more for IPs which don’t RDNS, such as the above example proxy. There must be a better way.

I was thinking of maybe blocking top level domains that ISPs don’t commonly use but web proxies do, such as .info, .biz, .cc and .tk. Any thoughts?

Jeff Starr 2011/10/04 8:49 am • Post Author

Something like this may help:

https://perishablepress.com/block-tough-proxies/

I would not advise blocking top-level domains, unless they’re really obscure ones that nobody cares about.

Also, I heart the .biz TLD =)

George 2011/10/04 10:00 am

Thanks for the feedback :)

An example is .cc for the Cocos islands. Population 600, but over 450 known proxies there, and as it’s an Australian territory it’s most likely that any ISP that serves those 600 people would use either .com.au or .net rather than .cc. The same goes for .tk, which has a population of around 1500 but gives away thousands of free domains for redirection, or .li for Liechtenstein with a population of around 35,000. Many small islands, principalities and tax havens tend to fall into this list.

I highly doubt there are (m)any ISPs which rDNS their customers back to a .biz domain either. Same goes for .name and .info.

In fact out of the entire blacklist, around half seem to be on .info, so just blocking .info means blocking around half of the list, without affecting any real people at all.

Comments are closed for this post. Something to add? Let me know.

Jeff Starr 2010/08/31 1:06 pm • Post Author

Hi Micah, have you cross-referenced the visitor IPs with your server access/error logs and also with the blacklist? All three should match and correspond to some event in the logbok such as the “410 – Gone” error. Also keep in mind that some of these users are working from infested machines, so they may not be the only ones using it. I hope this helps!
Daniel 2010/11/09 1:34 pm

Is it mandatory to write the line?
Ambassador of Rock 2011/02/24 12:30 pm

What about using fail2ban? Over time, would this not build the same list?
Chris 2011/05/29 6:49 pm

When I add this to my .htaccess file it breaks the site, no matter where I put it or whether or not I have any IPs listed. I’m adding this to the .htaccess in the root.
Pali Madra 2011/06/22 6:07 am

I was just curious to know if the list at https://perishablepress.com/blacklist/ip.txt is still being updated or not?

@jeff if the list is updated what is the method used to update the list. Is there a dynamic way by which the list can be updated? (looking for some magic!).

Great job.

Thanks.
Jeff Starr 2011/06/22 10:02 am • Post Author

Yes, I just updated that ip.txt file about a month ago, just haven’t a lot of time for doing more with it lately. I’ll be adding another block here soon with the latest batch of bad guys.

There are dynamic ways of setting up and using blacklists using PHP et al, but I hand-cultivate my lists for maximum freshness.
Marty Thornley 2011/07/12 11:57 am

Hey Jeff,
Looking for a good spam blocker so once again am back at your site looking for answers..

I have an IP to add to your list. One blog in my muslitsite install is being hit with huge amounts of spam. We are catching it and it ends up marked spam but still eats up the database. He had 25,000 + spam comments, 1200+ pages of them! Within ten minutes of deleting, there were 10 more already there.

Almost all are coming from these IP’s
46.4.104.73
46.4.114.8
46.4.107.79
46.4.84.242

You can see the pattern, multiple from each individual IP but all coming from 46.4.

Any help on adding this to htaccess mucho appreciated!
Jeff Starr 2011/07/12 1:03 pm • Post Author

Hey Marty, this will work to block the entire lot of IPs:

<Limit GET POST PUT>
   Order Allow,Deny
   Allow from all
   Deny from 46.4
</Limit>

Just add to the root htaccess file and you’re all set. You could even get more specific to avoid blocking as many IPs as possible.

<Limit GET POST PUT>
   Order Allow,Deny
   Allow from all
   Deny from 46.4.1
   Deny from 46.4.8
</Limit>

And so forth. There are other ways to blacklist as well, just in case they start using a different IP address.

Good luck!
Marty Thornley 2011/07/12 10:45 pm

Thank you for the quick answer!

That seemed to solve it. For now at least. Added your whole IP list and 4g list as well. :)
George 2011/10/04 4:17 am

Hi Jeff,

Do you have a good way of blocking incoming connections from proxy servers which don’t modify the HTTP headers? You posted an article before that relied on modified headers such as X_FORWARDED_FOR but sites such as quickprox.info simply forward the headers from the client’s browser verbatim.

urlblacklist.com has a decent blacklist but it’s over 65,000 domains and would be even more for IPs which don’t RDNS, such as the above example proxy. There must be a better way.

I was thinking of maybe blocking top level domains that ISPs don’t commonly use but web proxies do, such as .info, .biz, .cc and .tk. Any thoughts?
Jeff Starr 2011/10/04 8:49 am • Post Author

Something like this may help:

https://perishablepress.com/block-tough-proxies/

I would not advise blocking top-level domains, unless they’re really obscure ones that nobody cares about.

Also, I heart the .biz TLD =)
George 2011/10/04 10:00 am

Thanks for the feedback :)

An example is .cc for the Cocos islands. Population 600, but over 450 known proxies there, and as it’s an Australian territory it’s most likely that any ISP that serves those 600 people would use either .com.au or .net rather than .cc. The same goes for .tk, which has a population of around 1500 but gives away thousands of free domains for redirection, or .li for Liechtenstein with a population of around 35,000. Many small islands, principalities and tax havens tend to fall into this list.

I highly doubt there are (m)any ISPs which rDNS their customers back to a .biz domain either. Same goes for .name and .info.

In fact out of the entire blacklist, around half seem to be on .info, so just blocking .info means blocking around half of the list, without affecting any real people at all.

« Previous Comments • 123