Blacklist 📓

Every day our honeypot network processes hundreds of thousands of events. Blacklist 📓 aims to make them more actionable.

While we often partner with projects such as the D4 Project to share our threat information, it is our goal with Blacklist 📓 to make a subset of this information openly available to the public.

Below you'll find the lists we make available, as well as a short description of each. To keep indicators from going stale, each list is regenerated several times per day and holds information on malicious activity seen in the last 24 hours (counted back from the time the list is generated).

Last update: 19 January 2022 00:13:01 AM UTC

Feedback? Reach out to us using the social media information below or send an e-mail to

Hosts involved in SSH brute-force

SSH Activity

List available at: /lists/ssh.txt

Hosts involved in HTTP brute-force and/or enumeration

Web Server Activity

List available at: /lists/http.txt

Hosts involved in mass scanning and/or exploitation attempts

Scanning and Intrusion Detection

List available at: /lists/misc.txt

All hosts from the previous lists


List available at: /lists/all.txt

Available by default to users of the Emerging Threats Open ruleset

Blacklist 📓 is part of the ET Open ruleset, the leading open source threat information provider for network intrusion detection systems.

Now available in the Zeek Intel Framework format

The combined results of Blacklist 📓 are now also generated in the Zeek Intelligence Framework format: /lists/zeek-all.dat

Want to request the removal of an IP (and you have a valid reason not to be in the list)? Email us at indicating the PTR records or IPs you'd like for us to remove. Visit the PTR Bouncer project page to know more about our community reverse DNS whitelisting project.