IBlocklist.com is either dead or a scam?



  • I recently decided to pay the $10/yr to iBlocklist.com because I thought it would be worth the money to have access to some of the subscriber only lists.  I entered my credit card info and it was processed immediately.  However, once I started downloading and analyzing the lists, I discovered they are horribly out of date (even though the timestamp in the compressed files is always current).  To verify my suspicion, I actually also signed up for the Squidblacklist.org subscription to compare their actual list with the one provided by iBlocklist.com.  To my surprise, I found the lists to differ substantially and the iBlocklist.com list appears to be frozen at some time in the distant past (even though the timestamps continue to update).  I found this same phenomenon with many other lists they provide (when compared to the original source).  I have tried contacting them multiple times and I have not received any response (and it's been about a week since my last support request with them).

    Does anyone know the story with them?  Are they just dead (except for immediately accepting money) or is it really just a scam?  Upon Googling them I did find a small number of references of people's credit cards getting "reused" after signing up with them.



  • What would you expect from a site like iblocklist.com that doesn't have forum or blog or news?
    They barely provide Email support  :o



  • Honestly, my expectation is that when you charge money that you start to provide some level of basic services congruent with the price charged.  If everything they provided right now was free, then I'd have no complaints.  In fact, I wouldn't have gone with them at all except that squidblacklist.org did call them out specifically (buried deep in the website) as being a "partner" if you just wanted IP addresses of a subset of their lists (…which was my exact need).  For $10/yr, my expectation was that they actually provide a list that was no more than 1 week old and NOT truncated.  Most of their squidblacklist lists are actually excessively old AND truncated.  Also, I don't like how they update the dates on their lists to current values without actually updating the lists.  That really looks suspicious in my opinion.



  • I was actually going to sign up yesterday since i setup pfBlocker but I decided to hold back on it. A few members shared a few lists they use over on the pfblocker thread so i'm using those for now and so far no complaints.



  • We are still able to fetch iblocklist.com urls in pfsense. It is possible to get the URL from the https://www.iblocklist.com/lists.php site as long as you don' t download any one of them, then they are hidden.
    If you are using PeerBlock 1.2, then you will get the warning about subscribing and the URL might be hidden.



  • All of the iblocklist.com URLs work for me…they just aren't being updated.  Most of the lists can be obtained directly from the original source...which is what I'm doing now and recommend for pfBlocker users.  Obviously, the Bluetack lists are old since they went dead a long time ago.  The iblocklist.com branded lists are actually quite pathetic and not worth any money.  The squidblacklist.org lists would be worth $10/yr but they haven't updated in the 3 weeks since I gave iblocklist.com free money.  It actually looks like the squidblacklist lists are several months old, likely more (but I don't have sufficient information to properly date it).  In fact, the squidblacklist list from iblocklist.com has tons of legitimate IP's in it while the list directly from squidblacklist.org has long since cleared those IPs out.

    On a different note, I'm quite pleased with squidblacklist.org.  I originally got the 1 month subscription just to verify my concerns about iblocklist.com.  Unfortunately, they are a tad pricey for home use, but their lists certainly seem comprehensive.  I'm seriously contemplating getting a longer subscription with them.  (As a side note just in case this isn't obvious, squidblacklist.org provides a list of domains names and not IP's directly.  I wrote a utility to convert squidblacklist.org's domains lists into IP lists for use in pfBlocker....as I'm not using pfBlocker's DNSBL feature just yet...just IP blocking).



  • AsgardianFW, can you please share your free list?  :)



  • The free lists I'm currently using are below.  You can check out the individual URL's to see what they target.  Please let me know if anyone has any other lists.

    https://rules.emergingthreats.net/blockrules/compromised-ips.txt
    https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
    https://www.spamhaus.org/drop/drop.txt
    http://feeds.dshield.org/block.txt
    https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
    https://www.spamhaus.org/drop/edrop.txt
    http://cinsscore.com/list/ci-badguys.txt
    https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist
    https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
    https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
    https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
    https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.csv
    http://danger.rulez.sk/projects/bruteforceblocker/blist.php
    http://www.openbl.org/lists/base.txt
    https://labs.snort.org/feeds/ip-filter.blf
    http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
    https://reputation.alienvault.com/reputation.generic
    https://lists.blocklist.de/lists/all.txt
    

    By far, the Squidblacklist.org Malicious list is the largest and most aggressive.  Below are my IP counts from pfBlocker after aggregation.  Note that Squidblacklist reduces the effective size of the other free lists because it is so massive.  I don't have a log output from when I wasn't using the Squidblacklist malicious list.

      121994 total
       72571 /var/db/pfblockerng/deny/SquidBL_Malicious.txt
       14867 /var/db/pfblockerng/deny/Alienvault.txt
       12290 /var/db/pfblockerng/deny/Blocklist_de.txt
       11240 /var/db/pfblockerng/deny/Ransomeware_Block.txt
        4595 /var/db/pfblockerng/deny/OpenBL.txt
        3172 /var/db/pfblockerng/deny/Snort_BL.txt
         784 /var/db/pfblockerng/deny/Spamhaus_Drop.txt
         780 /var/db/pfblockerng/deny/BruteForceBlocker.txt
         665 /var/db/pfblockerng/deny/Feodo_Block.txt
         557 /var/db/pfblockerng/deny/CI_Army_List.txt
         149 /var/db/pfblockerng/deny/BBC_BL.txt
         123 /var/db/pfblockerng/deny/Zeus_Block.txt
          60 /var/db/pfblockerng/deny/ET_Compromised.txt
          57 /var/db/pfblockerng/deny/Spamhaus_EDrop.txt
          54 /var/db/pfblockerng/deny/SSL_IP_Block.txt
          20 /var/db/pfblockerng/deny/DShield_Block.txt
           6 /var/db/pfblockerng/deny/Dyre_SSL_IP_Block.txt
           4 /var/db/pfblockerng/deny/Paelvo_Block.txt
    

    Also note that since I'm using Snort and Emerging Threats lists in pfBlocker, I do not include those rules in Snort and Suricata for efficiency.


  • Moderator

    I have seen a lot of issues with IBlock. There are a lot of other feeds available. I posted a script to import approx 50 different feeds in the pfBlockerNG thread. Its a little dated and a few have since changed.

    IBlock also uses mirrors for their feeds. So the issue that you post here, could just be that one mirror is having issues and not updating its files appropriately… Not to say that its not being updated, but just an observation.

    IBlock at times tends to list RFC1918 addresses, 127.0.0.1 and someone recently noticed that the Level3 list contained 88.119.179[.]160/1  . So when packet fence sees a /1, it changes that to 0.0.0.0 which ultimately wrecked the network :)



  • They may have mirror trouble but Bluetack comprises a bulk of their lists and they have been dead for literally years now so there is no way that the Bluetack lists can be updated.  I would definitely not use any of the Bluetack lists because of this reason.

    I used your old lists for inspiration.  I weeded out the dead ones and looked at the others to learn what their intended purpose was and then weeded out the ones that didn't seem effective for me.  Also, one of the downsides of the forum format is finding an updated/current list of blocklists through literally hundreds/thousands of posts.  pfBlocker is so powerful, it almost needs its own website for updated instructions, tutorials, and resources (as if BBcan177 didn't have enough to do already).  :)

    On a side note, I noticed that even squidblacklist.org's lists have domains that literally resolve to 0.0.0.0.



  • I think these guys do a good job of merging a lot of the block lists: http://iplists.firehol.org



  • Firehol updates only once a day at midnight.

    When possible, use a list from the source and avoid the middleman.
    Most iblocklist (shadowed from other sites) shadowed on firehol.org are "older".

    Iblocklist was mostly to provide bluetack anti-p2p list for peerguardian and peerblock. I didn't see any anti-p2p list on firehol.



  • Hi all,

    I maintain iplists.firehol.org.

    As said, you should always use IP lists directly from their sources. This is why I have provided the means to do so. The program that downloads the ip lists and maintains the site http://iplists.firehol.org is open source. Check the wiki at the site. Just a cron job and you are done. This is not FireHOL specific. It should work on any unix with BASH.

    The IP Lists on the site are updated every 9 minutes.

    The iBlocklist anti-p2p list is this: http://iplists.firehol.org/?ipset=iblocklist_level1
    The name Bluetack has been removed from it, since we got several complaints (check the closed issues on github).

    As you can see on the site, the maintainer updates this list on the average every 15 days.

    Thanks!

    EDIT: fixed a typo.



  • @ktsaou:

    Hi all,

    I maintain iplists.firehol.org.

    As you can see on the site, the maintainer updates this list on the average every 15 days.

    Thanks!

    EDIT: fixed a typo.

    So, ktsaou.  Whaddya think of this whole pfBlocker/grepCIDR/reputation blocker thing going on here?

    edit: brevity


Locked