LOW: Block List Report



This report is the aggregation of a variety of different Block/Deny list providers, for end-users’ reference.

The purpose in sharing this information is to alert end-users that specific IP addresses of theirs have been flagged by providers as possibly malicious, and different services might be affected because of this listing.

The option to remove any system from a block list will vary by the provider. Some will have a well-documented process, and some will demand payment for removal.

Note that all timestamps are in UTC+0.

You can learn more about the report in our Block List Report tutorial.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

Filename(s): blocklist


  • timestamp
    Date and time of the tracked event in UTC+0
  • ip
    IP Address of the device in question
  • hostname
    Reverse DNS of the device in question
  • source
    Block list source
  • reason
    Given reason of the block list by the source
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System
  • sector
    Sector the IP belongs to
  • tag
    Additional tags for context, if any
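
A minimal triage pass over this report, as an added example that is not Shadowserver's own code: it groups listings by IP for addresses inside your own networks, so each address shows every provider that flagged it and when it was last seen. It assumes the CSV starts with a header row naming the fields listed above and reads columns by name rather than position; the sample data, provider names and the `summarize` function are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample, not real report data. The header row is an assumption:
# the code looks columns up by the field names documented on this page.
SAMPLE = """\
"timestamp","ip","hostname","source","reason","asn","geo","region","city","naics","sector","tag"
"2010-02-10 00:00:00","192.0.2.10","node01.example.com","list-a.example","Malicious Host",64512,"ZZ","Region","City",0,"",""
"2010-02-10 00:00:01","192.0.2.10","node01.example.com","list-b.example","Spam Source",64512,"ZZ","Region","City",0,"",""
"2010-02-10 00:00:02","198.51.100.7","node02.example.com","list-a.example","Malicious Host",64512,"ZZ","Region","City",0,"",""
"2010-02-10 00:00:03","","node03.example.com","list-a.example","Malicious Host",64512,"ZZ","Region","City",0,"",""
"""

def summarize(report_text, my_networks):
    """Return ({ip: {sources, reasons, last_seen}}, skipped_row_count)."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    listings = defaultdict(lambda: {"sources": set(), "reasons": set(), "last_seen": None})
    skipped = 0
    for row in csv.DictReader(io.StringIO(report_text)):
        try:
            addr = ipaddress.ip_address((row.get("ip") or "").strip())
        except ValueError:
            skipped += 1  # empty or malformed ip field: count it, do not guess
            continue
        if not any(addr in net for net in nets):
            continue  # listing is for an address outside our networks
        # Report timestamps are UTC+0, so attach the UTC zone explicitly.
        seen = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        seen = seen.replace(tzinfo=timezone.utc)
        entry = listings[str(addr)]
        entry["sources"].add(row["source"])
        entry["reasons"].add(row["reason"])
        if entry["last_seen"] is None or seen > entry["last_seen"]:
            entry["last_seen"] = seen
    return dict(listings), skipped

if __name__ == "__main__":
    result, skipped = summarize(SAMPLE, ["192.0.2.0/24"])
    for ip, info in sorted(result.items()):
        print(ip, sorted(info["sources"]), info["last_seen"].isoformat())
    print("rows skipped (no usable ip):", skipped)
```

Because removal procedures differ per provider, the per-IP set of sources is the list of delisting processes to work through for that address.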


"2010-02-10 00:00:00",low,,node01.example.com,,"Malicious Host ZZ",64512,ZZ,Region,City,0,"Communications, Service Provider, and Hosting Service",
"2010-02-10 00:00:01",low,,node02.example.com,,"Malicious Host ZZ",64512,ZZ,Region,City,0,,
"2010-02-10 00:00:02",low,,node03.example.com,,"Malicious Host ZZ",64512,ZZ,Region,City,0,,
