When you were growing up, did your folks tell you to avoid certain people because they were known to be bad influences? Like when they told you not to hang out with that kid who kicked puppies, or the one who got caught shoplifting. Over time you built up a list in your head of people to stay away from. Blacklists work in a similar way.
There are many different organizations that compile blacklists, and different blacklists serve different purposes. Some focus on IP addresses or domains that have been used to send large quantities of spam. Others focus on websites that have been compromised and are being used to spread malware. Some of these blacklists may be consumed by your company's edge firewall to keep users from reaching known-bad sites, while others are meant to be applied on the server side to decide which visitors get through.
So what does a blacklist look like? Let's examine a well-known and reputable blacklist from the Talos team at Cisco. You can view the list here: Cisco Talos IP Blacklist. If you click the link, you'll see what is essentially a plain text file with a large number of IPv4 addresses, one per line. Each of these IP addresses has been determined by the Talos team to be malicious in some way and, in their view, should be blocked.
At the time of this post, the following IP was the first entry in the list: 91[.]238[.]134[.]77 (written with the dots in brackets so nobody clicks it by accident). If we look up geographical information on this IP, we can see that it is registered in Poland. Cisco doesn't publish much detail on why a given address was placed on the list, but because this particular Talos list focuses on sources of spam and malicious email, it is reasonable to assume the listing is related to that.
Since we use blacklists to block traffic or services, what happens when a good IP ends up on one? Unfortunately, this does happen, and it's referred to as a false positive. False positives can occur on any blacklist. A common example is the crawlers Google or Facebook run to index sites: some automated tools interpret that crawling as scanning or attack traffic and put the originating IP addresses on a blacklist. That causes real problems, since now Google and Facebook can't index your site. No bueno.
tinyShield goes to great lengths to ensure that no legitimate traffic is blocked. For example, Google documents a way to verify whether a bot is a genuine indexing bot from their services: a reverse DNS lookup of the IP should return a hostname under googlebot.com or google.com, and a forward lookup of that hostname should resolve back to the same IP. (The forward step matters; anyone can set the reverse DNS for IPs they control to say "googlebot".) Once we know about such an IP, we run that verification, and if it checks out as coming from Google we add it to our permanent whitelist.
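To make the two ideas above concrete, here is an added example (written for this page, not tinyShield's or Cisco's code) that loads a Talos-style one-IP-per-line list, checks visitors against it, and rescues a false positive by running Google's documented reverse-then-forward DNS check before placing the address on a permanent whitelist. The list contents, the IP addresses and the DNS answers are all constructed so the example runs offline; the `system_*` resolver functions show how the same logic would use real DNS.

```python
"""Added example: parse an IP blacklist, then gate traffic on it while verifying
crawler IPs with the reverse + forward DNS check Google documents for Googlebot."""
import ipaddress
import socket
from typing import Callable, Dict, Set

IPv4 = ipaddress.IPv4Address

# Constructed sample in the same shape as the Talos list (one IPv4 per line).
# Blank lines, '#' comments and junk lines are tolerated so a partial download
# or a stray line does not abort the whole load.
SAMPLE_BLACKLIST = """\
# constructed sample, not the real Talos feed
91.238.134.77
198.51.100.23

203.0.113.9
not-an-ip
"""

def parse_ip_list(text: str) -> Set[IPv4]:
    """Return the valid IPv4 entries of a one-address-per-line list."""
    addrs: Set[IPv4] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addrs.add(ipaddress.IPv4Address(entry))
        except ipaddress.AddressValueError:
            continue  # malformed line: skip it rather than trust or crash
    return addrs

# Google's documented check: the PTR of a genuine crawler IP ends in googlebot.com
# or google.com, AND the forward lookup of that name returns the same IP.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")
ReverseLookup = Callable[[str], str]
ForwardLookup = Callable[[str], Set[str]]

def system_reverse_lookup(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]

def system_forward_lookup(host: str) -> Set[str]:
    return {res[4][0] for res in socket.getaddrinfo(host, None, socket.AF_INET)}

def is_verified_googlebot(ip: IPv4, reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """A PTR record alone is spoofable (you control PTRs for your own IPs), so the
    name it returns must resolve forward to the address being checked."""
    try:
        host = reverse(str(ip)).rstrip(".").lower()
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return False
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    try:
        return str(ip) in forward(host)
    except OSError:
        return False

class ReputationFilter:
    def __init__(self, blacklist: Set[IPv4],
                 reverse: ReverseLookup = system_reverse_lookup,
                 forward: ForwardLookup = system_forward_lookup):
        self.blacklist = blacklist
        self.whitelist: Set[IPv4] = set()  # permanent allow list of verified crawlers
        self.reverse, self.forward = reverse, forward

    def decide(self, ip_str: str) -> str:
        """Return 'allow' or 'block'; the whitelist always wins over the blacklist.
        DNS is only consulted for IPs the blacklist would otherwise block."""
        ip = ipaddress.IPv4Address(ip_str)
        if ip in self.whitelist:
            return "allow"
        if ip in self.blacklist:
            if is_verified_googlebot(ip, self.reverse, self.forward):
                self.whitelist.add(ip)  # false positive: remember it permanently
                return "allow"
            return "block"
        return "allow"

# Constructed offline stand-in for DNS (hypothetical records, documentation ranges).
FAKE_PTR: Dict[str, str] = {
    "198.51.100.23": "crawl-198-51-100-23.googlebot.com.",  # genuine: forward agrees
    "203.0.113.9": "crawl-203-0-113-9.googlebot.com",       # spoofed PTR
}
FAKE_A: Dict[str, Set[str]] = {
    "crawl-198-51-100-23.googlebot.com": {"198.51.100.23"},
    "crawl-203-0-113-9.googlebot.com": {"192.0.2.1"},       # forward record disagrees
}

def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise socket.herror(1, "no PTR record")
    return FAKE_PTR[ip]

def fake_forward(host: str) -> Set[str]:
    if host not in FAKE_A:
        raise socket.gaierror(-2, "no A record")
    return FAKE_A[host]

def demo() -> Dict[str, str]:
    f = ReputationFilter(parse_ip_list(SAMPLE_BLACKLIST), fake_reverse, fake_forward)
    return {ip: f.decide(ip) for ip in
            ["91.238.134.77", "198.51.100.23", "203.0.113.9", "192.0.2.50"]}

if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:16} {verdict}")
```

Running it, the listed address with no PTR is blocked, the listed address whose PTR and forward record agree on a googlebot.com name is allowed and whitelisted, the listed address with a spoofed googlebot.com PTR is still blocked because the forward lookup points elsewhere, and an unlisted address passes without any DNS traffic.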
Not all IP blacklists are made the same, or carry the same quality of information. Some lists are built from email abuse, others from other kinds of spam, and others from web exploit attempts, so a list that is excellent for a mail server may be the wrong one to put in front of a website. Entries also go stale: addresses get reassigned and cleaned up, so a list needs to be refreshed regularly and old entries eventually expired. At tinyShield we use only reputable sources, and then we verify those lists on our own. In addition to using existing blacklists compiled by others, we maintain our own blacklist built from the crowd-sourced herd immunity of other tinyShield users.
Blacklists are one part of comprehensive security for your WordPress site, but they are an important part: they stop known-bad sources cheaply, even though by definition they say nothing about an attacker's first visit from a fresh address.
Stay safe out there.