The open IP-fraud database that never sleeps. 750,000+ confirmed-malicious IPs and networks, refreshed around the clock.
The open fraud database behind ffraud.com, built together with the community. Every IP here was independently confirmed at least twice, by our honeypot sensor network and community reports, then verified and scored by the ffraud engine, and tagged with the threat category and infrastructure type we detected.
Attackers rotate infrastructure constantly, so a blocklist is only as good as its last update. This one is rebuilt every 30 minutes straight from the live engine, so what you pull is what's attacking the internet right now. No signup, no API key, no rate limits. Drop it into a firewall, a WAF, a signup form, or a fraud pipeline.
Built to be contributed to: report the IPs that hit you at ffraud.com/report or open an issue here. Confirmed reports ship in the next build, within the half hour, with credit if you want it.
| File | Rows | What it is |
|---|---|---|
threat-ips/confirmed-abusive.csv |
750,000+ | Abusive IPs, each independently confirmed 2+ times, with our 0 to 100 fraud score, the threat category (c2, malware, botnet, brute-force, web-attack, scanner, phishing, spam) and the infrastructure type (proxy, vpn, tor, datacenter, mobile) when known |
asn-reputation/high-abuse-networks.csv |
600+ | Networks (ASNs) where the IPs we observed were overwhelmingly malicious and proxy-heavy. The bulletproof-hosting and proxy-operation signature |
disposable-email-domains.txt |
207,000+ | Throwaway and disposable email domains |
ip-intelligence/examples.json |
sample | Full per-IP intelligence: score, a plain-English reason, and categories |
metadata.json |
Live counts and the UTC build time |
ip,ffraud_score,confirmations,category,type
80.82.77.33,95,40,c2,proxy
2.57.121.25,95,36,c2,proxy
193.46.255.86,95,33,c2,proxy- ffraud_score: our own 0 to 100 score.
- confirmations: how many independent times we observed the abuse. An IP only makes the list at 2 or more; the worst here carry 30 to 40.
- category: what it was caught doing (c2, malware, botnet, brute-force, web-attack, scanner, phishing, spam).
- type: the infrastructure when we can see it (proxy, vpn, tor, datacenter, mobile).
# Confirmed-abusive IPs, with category and type
curl -s https://raw.githubusercontent.com/FFraud-com/ip-fraud-database/main/threat-ips/confirmed-abusive.csv
# The worst networks
curl -s https://raw.githubusercontent.com/FFraud-com/ip-fraud-database/main/asn-reputation/high-abuse-networks.csv
# Disposable email domains
curl -s https://raw.githubusercontent.com/FFraud-com/ip-fraud-database/main/disposable-email-domains.txtThis database grows with the community. If you run servers, fail2ban, a WAF, or your own honeypots, send us the IPs that hit you and we publish them:
- Report or bulk-submit at ffraud.com/report.
- Open an issue here with a list of IPs and what they did.
We review, dedupe, score, and roll confirmed reports into the next build, within the half hour, with credit if you want it. Every report protects the next person that IP attacks.
high-abuse-networks.csv reflects the share of each network's IPs that we observed as malicious. It is a measurement of observed traffic, not a legal judgment of any operator. Run a listed network and think it's wrong? Tell us and we recheck on the next build.
Rebuilt and pushed every 30 minutes from the live ffraud engine, not a daily dump, a living feed. See metadata.json for the build time and current counts. Star the repo to keep it close.
- Disposable Email Database: our open list of 207,000+ disposable, temporary, and throwaway email domains.
- ffraud.com: free IP and email fraud intelligence, a fast API, live checkers, and open data with no limits.
MIT. Use it anywhere, including commercial products. Fork it, redistribute it, build on it. Attribution appreciated, never required.
Built by ffraud.com, free IP fraud intelligence for everyone.