
SSL enabled on

Published on 06.09.2014 11:26

We're happy to announce that we've enabled SSL on by default. It has been active for quite a while now and we see no performance issues or other problems at all. Apart from the API URLs, all requests are now redirected to the SSL-protected site. The API URLs have not yet been forced to use SSL because of the high diversity of tools accessing them, and we're not quite sure how they'd cope with redirections and SSL at all. However, we encourage you to manually switch to HTTPS even for API calls.
Finally we'd like to send some kudos to the team for their great work and to Ivan Ristic for his exceptionally useful SSL Report tool (which gave an A+ rating).
As always we encourage you to send feedback if you have questions or suggestions.

Thanks, Amy

new features and more categories on

Published on 25.01.2014 23:08

is happy to announce some new features, new categories and a little change in the API's behaviour.

New features, everyone!

A small but useful new filter for querying the API is "age=". The new filter lets you receive only entries within the set maximum time since their last report. Try as an example. age= understands any number [0-9]+ and h for hour, d for day, w for week, m for month and y for year.

The second new feature we're happy about is the /get/info/ API call, which allows you to check if an IP is listed on and, if yes, receive some info about the IP along with a true/false flag for easy checking. Try it: or, if you'd like to check whether this IP was active during the last month, combine with the new age= filter: .

Many of you have been asking for them, now they are here: more categories!

With now 46 supported categories, we are positive to catch most of your use cases. The backend has been improved so you can report on a subcategory (e.g. postfix) and then receive all mail related IPs by querying for category mail. This will be explained a little bit better soon. To check all available categories, see here: . We know formatting is a pain right now, but a nice overview of categories is planned as well.

API is now more standard oriented!

The API has changed its behaviour a little bit. An API call which results in an error (the JSON representation is then {"err":"err description"}) now leads to HTTP status code 400. The JSON is still in the payload and can be displayed for better debugging; with wget you may want to use the -d option to see the body, while curl prints it anyway.
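A client-side sketch of this behaviour, added here as an example and not the service's own code: it keeps the JSON error body that HTTP libraries tend to hide on a 400, refuses non-HTTPS API URLs, and checks an age= value before it is sent. The function names, the requirement of exactly one unit letter and the sample data are assumptions.

```python
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# age= grammar as described in the post: digits, then h, d, w, m or y.
# Assumption: exactly one unit letter is required.
AGE_RE = re.compile(r"[0-9]+[hdwmy]")


class ApiError(Exception):
    """Raised when the API does not answer with HTTP 200."""


def valid_age(value):
    """True if value is a well-formed age= filter such as '12h' or '1m'."""
    return AGE_RE.fullmatch(value) is not None


def decode_response(status, body):
    """Return the body text on HTTP 200, otherwise raise ApiError."""
    text = body.decode("utf-8", errors="replace")
    if status == 200:
        return text
    detail = "HTTP %d: %s" % (status, text[:80])
    if status == 400:
        try:
            detail = json.loads(text)["err"]
        except (ValueError, KeyError, TypeError):
            pass  # a proxy may answer 400 without the API's JSON
    raise ApiError(str(detail))


def fetch(url, timeout=10):
    """GET an API URL over HTTPS, keeping the error body urllib hides."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS API URL")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return decode_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # urllib raises on 4xx; the JSON description is still in the body.
        return decode_response(exc.code, exc.read())


if __name__ == "__main__":
    # Constructed sample body, not captured from the real service.
    print(valid_age("1m"), decode_response(200, b"192.0.2.10\n").split())
```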

Bug fixes and speed ups!

Along with all this stuff, we have also fixed quite some bugs and made the API faster, sometimes up to 500%!


Last but not least we wanted to thank you for reporting bad IPs to our service and for the thoughts and suggestions we receive via our forum or email! We're looking forward to hearing even more from you!

Scores are here!

Published on 28.11.2013 08:26

We're proud to announce our first release of the scoring system. The scoring is responsible for rating an IP on how bad it really is. Since the API allows anyone to report IPs without authentication, this is a key feature of

It's an early release and we have some ideas to further improve the algorithm, but we wanted to ship these improvements to you asap.

You can try it by accessing a block list with different scores, for example, try these two: the ssh block list containing IPs with score from 1 to 5 and this: the ssh block list containing IPs with score 5.

The score ranges from 0 to 5, from something like 'not so bad/false report' (0) over confirmed bad (3) to quite aggressive (5). The higher the score, the more evil the IPs.

Feedback is welcome, as always, in our Forum.

personalized statistics: track the attackers of all your servers with one key!

Published on 13.11.2013 15:26

There was this How To on how to get personalized stats from some time ago.
We love to see a lot of users tracking their attackers since then :)
However, we think not many are aware of the full potential of the feature: A key works over more than one server! The How To correctly describes how to get your first key:

wget -q -O -

But it is not mentioned that you can set the same key for multiple reporters to see a consolidated view over all the reported IPs. To set a key on a server, do this:<your key>

If you have already set a key but want to overwrite it, use ?force, see also here: API Documentation.

HowTo: make personalized statistics

Published on 20.09.2013 11:19

There is a new HowTo here which explains how to get personalized stats from using the 'Key' feature! We recommend reading it :)

over 50% of ssh brute forcers have port 22 open by themselves!

Published on 19.09.2013 14:34

creates statistics based on IPs reported to our database. One new feature we added is a port scan of every reported IP. It seems like most attackers are compromised hosts as well.

Some have port 22 open, others port 80 and a few have 443 open. All these ports can be used to break into a system and should be well protected.

We are planning a new free service where we send automated emails to the abuse address of hosts that have port 22, 80 or 443 open to inform them about a possible compromise of their systems.

If you have been blocked or scanned as well and do not like it, please let us know: Write an email to and we will stop scanning you.