Award Winning Content Management and Security Solutions

Overview and FAQ

Overview
We have been building lists of undesirable and malicious addresses longer than almost anyone. We started with our CYBERsitter product 26 years ago, blocking adult and other age inappropriate content for family computers. We've learned a lot about maintaining lists over the years.

IT professionals know that every device exposed to the public side of the internet is bombarded by thousands of malicious actors daily. Unless you have considerable experience fighting back against these intrusions, you are essentially playing Russian roulette and hoping the next chamber is empty.

Considerations
While numerous blacklists are available to help prevent intrusions, navigating the field can be a time-consuming task even for those who have the expertise. Most are category specific, and knowing which lists to use can be confusing. Additionally, there is generally no way to know how a list is maintained or where its data comes from. Some offerings, in fact, are merely aggregated from open source lists found online, and quality control is often non-existent. We do things differently: our list is tightly maintained, and we list an address only when we can provide complete provenance for it.
Focus
Our research indicated that more than 95% of the risk comes from the daily deluge of bad actors. They prod and test you all day long, looking for weaknesses they can try to exploit. Many times they don't even know what they are looking for; they are hoping to stumble across something they can use or sell to other criminals.

Concentrating on the "tip of the spear" allows us to significantly reduce exposure to bad actors. Ransomware and other criminal gangs don't spend all day looking for prospective victims themselves. They rely on others to find potentially lucrative targets. The "Dark Web" is loaded with data offerings and exploitation opportunities.

We consider every malicious contact to have the potential to be dangerous. It is impossible to tell what their motive might be and ignoring even one might lead to a very undesirable outcome.
Operation
We use our own purpose-built "honeypot" boxes and have them deployed in various locations. They all run specialized proprietary software designed to attract malicious actors. We capture whatever data we can from them in real-time. Honeypot data is aggregated and analyzed centrally, also in real time. We do not use external lists as sources, ever.

We automatically generate a new collection of blacklists every 15 minutes and output them in various formats suitable for use on almost every commercial grade router, firewall, or internet server. We review activity throughout the day and if we see bursts of traffic we'll frequently run manual updates to get them out sooner.

Our lists contain only single IP addresses. We do not use ranges, because we feel extreme accuracy is important. We know with certainty that every IP address we list has attempted an intrusion on equipment we own, and in that sense our lists contain zero false positives.
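Because the lists are plain single addresses refreshed every 15 minutes, the consumer's job is to validate each entry, drop anything on a local whitelist, and replace the firewall set atomically on each refresh. The script below is an added example written for this page, not the vendor's own tooling; it assumes (these are assumptions, not facts from the page) a one-address-per-line IPv4 text file with `#` comments, a local allow file, and an existing nftables set `badips` in table `inet filter`.

```shell
#!/bin/sh
# Added example, not the vendor's code. Turns a plain-text blocklist of single
# IPv4 addresses into an nftables transaction that atomically replaces a set.
# Assumptions (not stated on the page): one address per line, '#' starts a
# comment, IPv4 only; the set 'badips' in table 'inet filter' already exists:
#   nft add table inet filter
#   nft add set inet filter badips '{ type ipv4_addr; }'
#   nft add rule inet filter input ip saddr @badips drop

# is_ipv4 ADDR -> exit 0 only for a bare dotted quad: no CIDR suffix, no port
is_ipv4() {
    case "$1" in
        */*|*:*|'') return 1 ;;          # reject ranges, ports, empty lines
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                            # split into octets on '.'
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_nft_set LISTFILE ALLOWFILE -> prints the nft transaction on stdout.
# Entries that are not single IPv4 addresses (a CIDR range, a bad octet) are
# reported on stderr and skipped, so a malformed line never reaches the
# firewall; addresses listed in ALLOWFILE (local whitelist) are skipped.
build_nft_set() {
    list=$1; allow=$2; elems=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if ! is_ipv4 "$line"; then
            printf 'skipping invalid entry: %s\n' "$line" >&2
            continue
        fi
        if [ -f "$allow" ] && grep -qxF "$line" "$allow"; then
            continue
        fi
        elems="${elems:+$elems, }$line"
    done < "$list"
    # flush + add in one 'nft -f' run is applied as a single transaction
    printf 'flush set inet filter badips\n'
    [ -n "$elems" ] && printf 'add element inet filter badips { %s }\n' "$elems"
    return 0
}

# Usage on the vendor's 15-minute cadence, from cron (LIST_URL is a
# placeholder for wherever your subscription serves the list):
#   */15 * * * * curl -fsS "$LIST_URL" > /var/lib/badips.txt && \
#     build_nft_set /var/lib/badips.txt /etc/badips.allow | nft -f -
```

Because the `flush set` and `add element` lines are fed to `nft -f` as one file, they apply as a single atomic transaction: the set is never empty between the two commands, and an address that has dropped off the upstream list disappears from the firewall on the next refresh without any manual removal.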
Frequently Asked Questions
What is your false positive rate?
Zero. Every address we list has attempted to gain access to non-public services on our servers.
How do I get whitelisted?
We can whitelist individual addresses, ranges, or ASNs; however, we are extremely careful about what we add to our whitelist. Please visit the whitelisting page for full details.
How do you determine malicious intent?
We monitor various ports on our honeypots that are not accessed accidentally. They are all popular attack surfaces that malicious actors attempt to penetrate; in other words, a connection to them is not made by mistake.
Can we submit reports of bad addresses?
No, sorry. If we do not observe malicious activity ourselves we will not list it.
How do you handle cases where a computer has been hijacked?
Unfortunately, that happens a lot. As part of the analysis, we try to determine the ISP that owns the IP address. We maintain our own database of major ISPs and their allocations. Whenever possible, we notify them of offending addresses with the dates, times, and type of attack, so that they can alert the owners of compromised hosts and identify users who are acting intentionally.

We don't remove addresses by hand, but once the problem is corrected, the address falls off the production list within 7 days.
How do you handle research organizations who regularly scan the internet for open ports?
We see a lot of these every day. While many claim to be legitimate, we still list them. Our basic rule is that if they attempt to access non-public services without being invited or authorized, they get listed and blocked. No exceptions.