Internet privacy and security course
Aa font
AA font size
About translation
Previous Next

Chapter 62

What blacklists are for and the consequences of having your IP address on a blacklist

Suppose you were a mailman that delivers mail to the apartments in your area. Of thousands of apartments, five have some aggressive drug addicts that regularly attack mailmen. After getting attacks a few times, you decide to steer clear of these dwellers.

But you don’t stop at that, you warn other mailmen about the aggressive drug addicts as well as alert the services that monitor apartment buildings to the aggressive acts. For instance, if workers responsible for checking water meters visit all apartments without your blacklist, they will probably get assaulted by the drug addicts too. But if they use your blacklist, they will successfully avoid the encounter with “dangerous” flats.

There is an analogous situation with regard to IP addresses: companies that trace the IP addresses used for performing DDoS attacks, fraud, sending spam add these malevolent addresses to their blacklists. Then other companies, mainly mail services, ISPs, payment systems, banks and online stores buy the screening of their customers through these databases.

For instance, a customer of an online store has entered his credit card details when making a payment. The store manager checks if the customer is blacklisted. If the IP address is blacklisted, there is a high chance he will be rejected or face an additional check. In this wary stores try to prevent fraudsters from paying with stolen credit cards.

However, if a customer is assessed with modern anti-fraud systems, a simple screening of his IP address using blacklists and confirmation of the presence of this IP address on a blacklist is just one of the indicators that form the ultimate assessment of a user. Therefore if your IP address ends up blacklisted, this can’t be great, but it’s not that bad.

Users of tainted IP addresses may get especially annoyed by having to constantly enter captcha codes, for instance, when using Google and Yandex search, verifying themselves in external checks and before anti-DDoS systems like CloudFare.

The IP addresses of public VPN services are regularly blacklisted because cybercriminals resort to VPN services. If the IP address of a VPN service becomes blacklisted, all users connected to this VPN server will have problems.

Let me share a curious story that happened over a decade ago to an acquaintance of mine who works as an IT security expert. He once consulted a user who requested his help in finding proof that his computer had been hacked. However, the computer the user provided didn’t have any signs of hacking, and my acquaintance asked the customer to explain why he was so sure that there had been a hacker attack. 

It turned out that a local payment system blocked his e-wallet with money, accusing him of performing attacks on other users of the system. He had plenty of money remaining, but he was getting himself into real trouble because the representatives of the payment system were bent on filing a police report to bring criminal charges over the incident.

After long hours of communicating with the security service of the payment system and the user, he was finally able to solve the mystery. His customer used a proxy service available for public use whose server was also used by a perpetrator who hacked the accounts of the payment system. Hence their addresses coincided.

There is no way you can check if someone has used the IP address you received for committing a crime, but everyone can check if his IP address is blacklisted.


If you ever want to use a public VPN service or proxy, check if your IP address is blacklisted.

You should check your personal VPN or proxy since a hosting service can provide you with a tainted IP address. In this case you need to ask your hosting provider to make a replacement.

Remember that blacklists are not static and they are constantly updated. If someone else uses your IP address, your IP address can end up on a blacklist at any time. Today it may be clean and pure and tomorrow end up put on all popular blacklists.

Be aware that blacklists reflect current data. If an IP address used for illegal activity is detected, it will be put on a blacklist immediately. And if illegal activity coming from it ceases, it becomes removed from the blacklist after some time, usually in 15-45 days.

How do you check if your IP address is blacklisted?

There are plenty of companies that compile such lists, but Spamhaus is the largest and most respectable one. Therefore we are going to dwell on this organization and show you how to check your IP address using the rest of blacklists at the end of the chapter.

The Spamhaus Project is an international nonprofit organization based in London and Geneva and founded by Steve Linford to track spam-related activity and its sources.

The Spamhaus Project became known by composing a list of the IP addresses used for distributing spam and other malicious activity. This database is used by plenty of ISPs and email providers to reduce the amount of spam and malicious activity. Spamhaus distributes several IP address-based blacklists, but you would actually be interested in two of them:

  • The Spamhaus Block List (SBL) targets all IP addresses used to send spam. 
  • The Exploits Block List (XBL) targets the IP addresses used for sending viruses, attacking computer networks, infecting computers and servers. It also lists open proxies used for attacks. 

These two lists combined form a single database known