README.md

May 12, 2026 · View on GitHub

Logo

About

IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (every 24 hours) basis and the final result is pushed to this repository. The feed contains IP addresses plus an occurrence count (how many source lists each IP appears on). Higher counts generally mean higher confidence and fewer false positives when blocking inbound traffic. Also, list is sorted by occurrence count (highest to lowest).

As an example, to get a fresh and ready-to-deploy auto-ban list of "bad IPs" that appear on at least 3 (black)lists you can run:

curl -fsSL https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "^#" | grep -Ev '[[:space:]]([12])$' | cut -f 1

If you want to try it with ipset, you can do the following:

sudo -i
apt-get update && apt-get install -y iptables ipset
ipset -q flush ipsum
ipset -q create ipsum hash:ip
for ip in $(curl https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -Ev '[[:space:]]([12])$' | cut -f 1); do ipset add ipsum $ip; done
iptables -D INPUT -m set --match-set ipsum src -j DROP 2>/dev/null
iptables -I INPUT -m set --match-set ipsum src -j DROP

In directory levels you can find preprocessed raw IP lists based on number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).

Wall of Shame (2026-05-12)

IP	DNS lookup	Number of (black)lists
87.251.64.149	-	9
125.20.210.182	-	9
185.38.148.2	2.148.38.185.baremetal.zare.com	9
213.209.159.56	-	9
2.57.122.189	-	8
2.57.122.191	-	8
2.57.122.196	-	8
5.253.59.171	189809.ip-ptr.tech	8
35.194.141.75	75.141.194.35.bc.googleusercontent.com	8
45.148.10.121	-	8
45.148.10.147	-	8
45.227.254.170	-	8
66.132.224.88	88.224.132.66.censys-scanner.com	8
71.6.199.23	einstein.census.shodan.io	8
80.82.77.139	dojo.census.shodan.io	8
80.94.92.168	-	8
92.118.39.235	-	8
190.2.135.111	190-2-135-111.hosted-by-worldstream.net	8
211.37.174.180	-	8
213.209.159.158	-	8
2.57.121.25	hosting25.tronicsat.com	7
2.57.121.112	dns112.personaliseplus.com	7
2.57.122.192	-	7
2.57.122.193	-	7
2.57.122.194	-	7
2.57.122.195	-	7
14.63.217.28	-	7
16.58.56.214	scan.visionheight.com	7
18.116.101.220	scan.visionheight.com	7
27.111.32.174	-	7
45.148.10.151	-	7
45.148.10.152	-	7
45.148.10.157	-	7
45.156.24.224	-	7
45.156.128.86	sh-ams-nl-gp1-wk140a.internet-census.org	7
51.158.120.121	121-120-158-51.instances.scw.cloud	7
51.158.155.6	51-158-155-6.rev.poneytelecom.eu	7
59.12.160.91	-	7
64.62.156.80	-	7
64.62.156.192	-	7
66.132.172.40	40.172.132.66.censys-scanner.com	7
66.132.224.82	82.224.132.66.censys-scanner.com	7
66.132.224.91	91.224.132.66.censys-scanner.com	7
66.132.224.223	223.224.132.66.censys-scanner.com	7
66.132.224.224	224.224.132.66.censys-scanner.com	7
66.132.224.225	225.224.132.66.censys-scanner.com	7
66.132.224.233	233.224.132.66.censys-scanner.com	7
66.132.224.235	235.224.132.66.censys-scanner.com	7
66.240.192.138	census8.shodan.io	7
71.6.135.131	soda.census.shodan.io	7
71.6.165.200	census12.shodan.io	7
80.94.92.186	-	7
80.253.31.232	-	7
85.111.68.99	85.111.68.99.dynamic.ttnet.com.tr	7
85.217.140.36	o335.scanner.modat.io	7
92.118.39.195	-	7
92.118.39.196	-	7
92.118.39.236	-	7
101.47.8.187	-	7
103.210.22.17	-	7
117.6.44.221	-	7
131.161.204.66	-	7
138.2.102.66	-	7
138.68.243.18	-	7
152.32.162.42	-	7
161.49.89.39	161.49.89.39.convergeict.com	7
163.7.9.84	-	7
167.94.146.59	59.146.94.167.censys-scanner.com	7
167.94.146.61	61.146.94.167.censys-scanner.com	7
176.32.193.16	-	7
180.76.172.156	-	7
185.246.130.20	-	7
199.45.155.92	92.155.45.199.censys-scanner.com	7
200.232.114.71	-	7
201.76.120.30	30.120.76.201.in-addr.arpa.verointernet.com.br	7
203.252.10.3	-	7
220.80.223.144	-	7
222.108.39.109	-	7