GitPedia

Ipsum

Daily feed of bad IPs (with blacklist hit scores)

From stamparm·Updated June 21, 2026·View on GitHub·

**IPsum** is a threat intelligence feed based on 30+ different publicly available [lists](https://github.com/stamparm/maltrail) of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (every 24 hours) basis and the final result is pushed to this repository. The feed contains IP addresses plus an occurrence count (how many source lists each IP appears on). Higher counts generally mean higher confidence and fewer false positives when blocking inboun... The project is distributed under the The Unlicense license, first published in 2016. It has gained significant community traction with 2,311 stars and 180 forks on GitHub. Key topics include: blacklist, ipset, iptables, security, threats.

Logo

License

About

IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (every 24 hours) basis and the final result is pushed to this repository. The feed contains IP addresses plus an occurrence count (how many source lists each IP appears on). Higher counts generally mean higher confidence and fewer false positives when blocking inbound traffic. Also, list is sorted by occurrence count (highest to lowest).

As an example, to get a fresh and ready-to-deploy auto-ban list of "bad IPs" that appear on at least 3 (black)lists you can run:

curl -fsSL https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "^#" | grep -Ev '[[:space:]]([12])$' | cut -f 1

If you want to try it with ipset, you can do the following:

sudo -i
apt-get update && apt-get install -y iptables ipset
ipset -q flush ipsum
ipset -q create ipsum hash:ip
for ip in $(curl https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -Ev '[[:space:]]([12])$' | cut -f 1); do ipset add ipsum $ip; done
iptables -D INPUT -m set --match-set ipsum src -j DROP 2>/dev/null
iptables -I INPUT -m set --match-set ipsum src -j DROP

In directory levels you can find preprocessed raw IP lists based on number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).

Wall of Shame (2026-06-21)

IPDNS lookupNumber of (black)lists
193.46.255.86-10
118.26.111.107-9
167.94.146.6262.146.94.167.censys-scanner.com9
213.209.159.56-9
14.55.31.113-8
14.103.10.167-8
45.148.10.121-8
80.82.77.33sky.census.shodan.io8
80.82.77.139dojo.census.shodan.io8
80.94.92.178-8
89.248.167.131mason.census.shodan.io8
93.174.95.106battery.census.shodan.io8
95.47.246.223-8
109.100.14.222-8
111.26.6.111-8
121.178.185.141-8
141.98.83.240-8
143.20.49.38-8
167.94.146.5353.146.94.167.censys-scanner.com8
167.94.146.5454.146.94.167.censys-scanner.com8
167.94.146.5656.146.94.167.censys-scanner.com8
167.94.146.6161.146.94.167.censys-scanner.com8
220.80.223.144-8
1.212.225.99-7
2.57.121.25hosting25.tronicsat.com7
2.57.122.238-7
2.59.183.60-7
13.89.125.27azpdcsga0bij.stretchoid.com7
14.63.217.28-7
18.218.118.203scan.visionheight.com7
41.63.63.211-7
45.148.10.147-7
45.148.10.152-7
45.172.152.74-7
45.227.254.170-7
51.158.120.121121-120-158-51.instances.scw.cloud7
59.12.160.91-7
60.199.224.260-199-224-2.static.tfn.net.tw7
64.226.126.224-7
65.49.139.22365.49.139.223.nwinternet.com7
66.132.172.129129.172.132.66.censys-scanner.com7
66.132.172.133133.172.132.66.censys-scanner.com7
66.132.172.140140.172.132.66.censys-scanner.com7
66.132.172.143143.172.132.66.censys-scanner.com7
66.132.172.196196.172.132.66.censys-scanner.com7
66.132.172.201201.172.132.66.censys-scanner.com7
66.132.172.208208.172.132.66.censys-scanner.com7
66.132.172.216216.172.132.66.censys-scanner.com7
66.132.186.168168.186.132.66.censys-scanner.com7
66.132.186.174174.186.132.66.censys-scanner.com7
66.132.195.3131.195.132.66.censys-scanner.com7
66.132.195.5656.195.132.66.censys-scanner.com7
66.132.195.123123.195.132.66.censys-scanner.com7
66.132.224.8181.224.132.66.censys-scanner.com7
71.6.135.131soda.census.shodan.io7
71.6.199.23einstein.census.shodan.io7
80.225.238.77-7
80.253.31.232-7
81.30.98.144-7
81.211.72.167-7
85.217.140.8o308.scanner.modat.io7
85.217.140.51o350.scanner.modat.io7
86.54.31.38blue2.census.shodan.io7
91.224.92.17srv-91-224-92-17.serveroffer.net7
92.4.76.12-7
94.183.234.128-7
95.188.91.101-7
102.88.137.80-7
115.190.113.87-7
119.160.166.237237-166.adsl.static.espeed.com.bn7
121.159.71.249-7
121.185.89.74-7
122.168.194.41abts-mp-static-041.194.168.122.airtelbroadband.in7
123.253.162.254-7
124.123.125.62broadband.actcorp.in7
125.20.210.182-7
136.232.11.10-7
138.197.39.208-7
141.98.199.231-7
144.2.91.96bbcs-91-96.pub.wingo.ch7
152.32.174.171-7
160.187.174.22-7
161.49.89.39161.49.89.39.convergeict.com7
164.92.161.148-7
165.154.163.10-7
167.94.146.4848.146.94.167.censys-scanner.com7
167.94.146.4949.146.94.167.censys-scanner.com7
167.94.146.5050.146.94.167.censys-scanner.com7
167.94.146.5151.146.94.167.censys-scanner.com7
167.94.146.5858.146.94.167.censys-scanner.com7
167.94.146.5959.146.94.167.censys-scanner.com7
167.94.146.6060.146.94.167.censys-scanner.com7
176.65.139.254-7
182.93.50.90n18293z50l90.static.ctmip.net7
185.226.197.67zl-amsc-nl-gp6-wk117a.internet-census.org7
185.227.153.56-7
195.54.179.244-7
196.216.81.126-7
197.221.232.4416.44.telone.co.zw7
198.11.178.150-7
199.45.155.6868.155.45.199.censys-scanner.com7
199.45.155.9595.155.45.199.censys-scanner.com7
199.45.155.9999.155.45.199.censys-scanner.com7
199.45.155.107107.155.45.199.censys-scanner.com7
201.76.120.3030.120.76.201.in-addr.arpa.verointernet.com.br7
218.145.181.48-7
220.247.224.226-7
222.102.21.104-7
223.85.251.55-7

Contributors

Showing top 1 contributor by commit count.

stamparm

stamparm

1 commits

View all contributors on GitHub →

This article is auto-generated from stamparm/ipsum via the GitHub API.Last fetched: 6/21/2026