Status:  Production
Type:  IPv4, IPv6

Cloud DNS:  authbl.mail.abusix.zone.
Rsync File:  lists/authbl.zone

Return Codes:  127.0.0.4
Test Points:  127.0.0.2, 127.0.0.4, ::FFFF:7F00:2, ::FFFF:7F00:4

Listing duration:  Approximately 12 hours from when traffic was last seen 

Description
This list is a subset of the exploit zone, but it only lists hosts that have been seen within the last 12 hours instead of the usual 5.2 days. The listing time is shorter to avoid false positives when a listed IP address is returned to a DHCP pool.

It contains IP addresses of hosts that are infected, botnet members, proxies, VPNs, TOR exit nodes and hosts that have been attempting to authenticate to our honeypots.

It is intended to be used to identify and prevent account compromises, or as a blacklist to stop listed hosts from authenticating to your services running on HTTP, IMAP, SMTP, SSH etc., preventing dictionary attacks, brute force attempts and logins with phished credentials.

This zone is provided as an rbldnsd combined zone like our other lists. However, you can post-process the zone file and use it as an access control list for many other services by stripping out the rbldnsd metadata with:

grep -Pv '^(\#|\$|:[^:]|127\.0\.0\.[24]|::FFFF:7F00:[24])' authbl.zone > authbl_ip_list

authbl_ip_list will then contain just the IP addresses and can be imported into other software.
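
The following is an added example, not Abusix code: it applies the same pattern as the grep command above, validates what is left, and checks a connecting client against the result, including clients that arrive as IPv4-mapped IPv6 addresses. The sample zone is constructed and assumes one bare address per line; load_acl and is_listed are hypothetical helper names.

```python
import ipaddress
import re

# Same pattern as the page's grep: drop comments, $ directives, ":" value
# lines (but keep "::"-prefixed IPv6 entries) and the listed test points.
METADATA = re.compile(r'^(\#|\$|:[^:]|127\.0\.0\.[24]|::FFFF:7F00:[24])')

# Constructed sample (assumed layout, one bare address per line). Addresses
# come from documentation ranges (RFC 5737 / RFC 3849), not real listings.
SAMPLE_ZONE = """\
# constructed sample, not real authbl data
$DATASET ip4set:authbl @
:127.0.0.4:Listed on authbl
127.0.0.2
127.0.0.4
192.0.2.15
198.51.100.7
$DATASET ip6trie:authbl6 @
::FFFF:7F00:2
::FFFF:7F00:4
2001:db8::bad:1
not-an-address
"""

def load_acl(zone_text):
    """Return a set of ip_address objects, skipping metadata and bad lines."""
    acl = set()
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or METADATA.match(line):
            continue
        try:
            acl.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # anything that is not a bare IP never reaches the ACL
    return acl

def is_listed(acl, client):
    """Check a client address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(client)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr in acl

ACL = load_acl(SAMPLE_ZONE)
```

Because listings last only about 12 hours, an ACL built this way needs rebuilding each time the zone file is synced, otherwise expired entries keep blocking addresses that have since gone back into a DHCP pool.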
