Award Winning Content Management and Security Solutions

Non-subscribers Download Area

Download for Free

Non-subscribers are limited to the 7-day versions of our blacklist. Lists are updated once per day and are typically up to 3 days old.

We add approximately 3000 new addresses daily, so subscribers get approximately 9000 more recent and currently active intruders. Subscribers also get additional formats plus 3, 7, and 14 day blacklists updated every 15 minutes.
Raw Format Including Netblocks
This list contains IP addresses and netblocks. It can be used wherever a specific format is not required.
Netblocks are used when our algorithm determines we can block whole ranges safely.

List Address:
Raw Format
This list contains only IP addresses. It can be used wherever a specific format is not required.

List address:

Raw Format as Unsigned Integers
This list contains IP addresses in Network Byte Order Unsigned Integer format. It can be used wherever this specific format is required.

List address:
FortiGate Format
This list contains only IP addresses. FortiGate cannot use the compressed version of the lists.

Fortigate Use Instructions:
Under the menu:
  • Security Fabric/External Connectors click "Create New"
  • From the Threat Feed section choose "IP Address"
  • Fill in the fields:
  • Name: 27 Labs Blacklist
  • URL:
  • HTTP Basic Authentication: off
  • Refresh Rate: Set to "daily" or 1440 minutes
  • Click OK.

Add list to DNS Filter Profile
Under the menu:
  • Security Profiles / DNS Filter select an existing filter or create a new filter.
  • In the "Static Domain Filter" section enable the option "External IP Block Lists"
  • In the box to the right of the External IP Block List click the '+' button and choose "27 Labs Blacklist"
  • Click OK to safe

List URL
Microsoft IIS (web.config) Format

We provide a XML version of our list specially formatted to be included in the websites web.config file.

To use, first change the configuration for the web server.

Edit the file c:\Windows\system32\inetsrv\config\applicationHost.config and change the following line:

From < section name="ipSecurity" overrideModeDefault="Deny" / >

To < section name="ipSecurity" overrideModeDefault="Allow" / >

Then change your web.config as follows:

<location path="Default Web Site"?>
<ipSecurity configSource="webconfig-bhp.xml"/>

List address:

We also provide a small utility console application to manage the download and decompression silently from a Scheduled Event. It handles everything for you and downloads the appropriate version of the list to a directory you specify.

Download utility:

BHDLIIS.EXE DestinationFolder<br

BHDLIIS.EXE C:\inetpub\MyWebSite\

Apache .htaccess Format
Apache web servers and other types of servers use an .htaccess file to control what addresses are allowed to access particular content. .htaccess files are usually located in the root directory of your website.

List address:
Nginx Format
Nginx web servers allow you to specify addresses to block in website configuration files. Here is one way to use it:

Create a directory under /etc/nginx/ called blackhole.

Create a cron job to wget the link below at an interval you select. Lists are updated once per day.

List address:


wget -q -O /etc/nginx/blackhole/nginx-bhp.conf.gz && gunzip /etc/nginx/blackhole/nginx-bhp.conf.gz

In your .conf file for the server, add this line in the server block.

include /etc/nginx/blackhole/nginx-bhp.conf
pfSense Format
Zero-hour Blacklist blocking is implemented through pfBlockerNG. You will need to install this plugin if you haven't already.

List address:

There are several different versions of pfSense and pfBlockerNG in production so we suggest you consult the documentation for your versions for instructions on using blacklists.
iptables Format
iptables is a relatively complicated way to block access to your server. We recommend you use ipset to manage the list.

List address:
Cisco ACL
Standard Cisco Access Control List format.

List address:

Formatted for MicroTic routers and firewalls.

List address:
SMTP Mail Servers

This list is a little different than normal spam blacklists. It contains only the IP addresses of abusers who have been observed trying to gain access to one or more of our network of fake SMTP servers.

Sorry, this blacklist is only available to subscribers.