Badness, Enumerated by Robots

© 2018 Peter N. M. Hansteen

A condensed summary of the blocklist data generated from traffic hitting bsdly.net and cooperating sites.

After my runbsd.info entry (previously bsdjobs.com) was posted, there has been an uptick in interest about the security related data generated at the bsdly.net site. I have written quite extensively about these issues earlier so I'll keep this piece short. If you want to go deeper, the field note-like articles I reference and links therein will offer some further insights.

There are three separate sets of downloadable data, all automatically generated and with only very occasional manual intervention.


Note: This piece is also available with trackers but nicer formatting here.

Known spam sources during the last 24 hours


This is the list directly referenced in the runbsd.info piece.

This is a greytrapping based list, where the conditions for inclusion are simple: Attempts at delivery to known-bad addresses (download link here) in domains we handle mail for have happened within the last 24 hours.

In addition there will occasionally be some addresses added by cron jobs I run that pick the IP addresses of hosts that sent mail that made it through greylisting performed by our spamd(8) but did not pass the subsequent spamassassin or clamav treatment. The bsdly.net system is part of the bgp-spamd cooperation.

The traplist has a home page and at one point was furnished with a set of guidelines.

A partial history (the log starts 2017-05-20) of when spamtraps were added and from which sources can be found in this log directory (or at this alternate location). Read on for a bit of information on the alternate sources.

Note: The list is generated at ten past every full hour by a script that uses essentially the one-liner

doas spamdb | grep TRAPPED | awk -F\| '{print $2}' >bsdly.net.traplist

to generate the body of the list.

For those interested in the entire history of the greytrapping-based blocklist, the 2025 article Eighteen Years of Greytrapping - Is the Weirdness Finally Paying Off? (2025), also available tracked, prettified will be of interest.

Misc other bots: SSH Password bruteforcing, malicious web activity, POP3 Password Bruteforcing.


The bruteforcers list is really a combination of several things, delivered as one file but with minimal scripting ability you should be able to dig out the distinct elements, described in this piece (also here).

The (usually) largest chunk is a list of hosts that hit the rate limit for SSH connections described in the article or that was caught trying to log on as a non-existent user or other undesirable activity aimed at my sshd(8) service. Some as yet unpublished scriptery helps me feed the miscreants that the automatic processes do not catch into the table after a manual quality check. For a more thorough treatment of ssh bruteforcers, see the The Hail Mary Cloud and the Lessons Learned overview article which links to several other articles in the sequence.

The second part is a list of IP addresses that tried to access our web service in undesirable ways, including trying for specific URLs or files that will never be found at any world-facing part of our site.

After years of advocating short lifetimes (typically 24 hours) for blocklist entries only to see my logs fill up with attempts made at slightly slower speeds, I set the lifetime for entries in this data set to 28 days (since expanded to 2419200 seconds, or if you will, six weeks). The background including some war stories of monitoring SSH password groping can be found in this piece, while the more recent piece here covers some of the weeding out bad web activity.

The POP3 gropers list comes in two variations. Again lists of IP addresses caught trying to access a service, most of those accesses are to non-existent user names with an almost perfect overlap with the spamtraps list, local-part only (the part before the @ sign).

The big list is a complete corpus of IP addresses that have tried these kinds of accesses since I started recording and trapping them (see this piece for some early experience and this one for the start of the big collection).

There is also a smaller set, produced from the longterm table described in this piece (also here). For much the same reason I did not stick to 24-hour expiry for the SSH list, this one has six-week expiry. With some minimal scriptery I run by hand one or two times per day, any invalid POP3 accesses to valid accounts get their IP adresses added to the longterm table and the exported list.

NOTE: The BIG pop3 gropers list is for history only, use the sixweeks one for IP reputation evaluations instead
As stated earlier, the big list of pop3 gropers was intended as a collection of all hosts that had ever tried and failed in guessing passwords (see Password Gropers Take the Spamtrap Bait for background). This means that the list only exists as a historical collection of sorts, and if you are intrerested in seeing when a particular host entered the data set, you can look it up in the pop3 gropers archive directory.

For any reasonably current IP Reputation purposes, you will be better served with the pop3 gropers during the last six weeks list, which conveniently is also archived for those who wish to study developments.

For what it's worth, there is an archive of the greytrapped hosts list available too, along with a separate archive of the SSH bruteforcers list, all kept around for as long as I find it at least a little useful to do so.

For reference on just what triggered the inclusion, see the log extracts preserved in the pop3logs directory, which has entries going back to February of 2024.

The most recent exports of all lists generated here can be found in this directory. Before making any inguiries on removal from any of the lists, check all files in this directory for occurences or not of the IP address in question.


Note: The lists generated by table exports are generated by variations of pfctl's show table subcommand. At ruleset reload such as reboots after a sysupgrade, the tables are re-initialized from these same exported files.

If you're wondering about the title, the term "enumerating badness" stems from Marcus Ranum's classic piece The Six Dumbest Ideas in Computer Security. Please do read that one.

Here are a few other references other than those referenced in the paragraphs above that you might find useful:

The Book of PF, 4th edition
Hey, spammer! Here's a list for you! which contains the announcement of the bsdly.net traplist.
Effective Spam and Malware Countermeasures, a more complete treatment of those keywords

If you're interested in further information on any of this, the most useful contact information is in the comment blocks in the exported lists.

Update 2020-07-29: I added a direct link to the complete list of spamtraps, since the web page seemed a bit crowded to at least one visitor. Direct link again here for your convenience.


Update 2021-01-15: Note that at some point after the article was written I cranked up expiry for the bruteforce tables to six weeks (sorry, I forgot to note the exact date).

Update 2021-03-11: In light of recent Microsoft Exchange exploits it might interest some that any request to bsdly.net for "GET /owa/" lands the source in the webtrash table, exported as part of the bruteforcers list.

Update 2021-08-03: Added notes about how the lists are generated and table maintenance.

Update 2025-03-23: Addresses matching a jumble of regexps for "silly web things" are now also exported separately as webtrash.

Update 2025-07-19: If you found this piece to be useful, informative, annoying or would for some other reason like to contact me or comment, please do.

You might also be interested in reading selected pieces via That Grumpy BSD Guy: A Short Reading List (also here).