LISTS
Browse community lists.
Curated address lists you can subscribe your RouterOS device to. Click a list for entries, sources, and the subscription URL. Every individual list is free, forever — see support for the bundle builder + higher daily pull cap.
Threat
4 listscommunity-blocklist — entries
IPv4 + IPv6 ranges that should not be routing legitimate traffic, seeded from Spamhaus DROP / EDROP / DROPv6. Spamhaus tracks ranges hijacked by criminal organisations and known bulletproof-hosting allocations. **Credit: Spamhaus Project — https://www.spamhaus.org/drop/.** Refreshed hourly. Community submissions extend it via /submit; pending entries land in the mod queue.
botnet-c2 — entries
Active botnet command-and-control infrastructure for Emotet, Heodo, TrickBot, QakBot, Dridex (and any other malware families abuse.ch tracks via Feodo Tracker). Drop is safe — these IPs are command servers for active malware, not legitimate hosts. **Credit: abuse.ch Feodo Tracker — https://feodotracker.abuse.ch/.** Refreshed hourly.
malware-ioc — entries
Active malware infrastructure — C2 servers, payload hosts, drop sites — across a broad family set (Emotet, AgentTesla, RemcosRAT, AsyncRAT, Cobalt Strike, etc.). Broader scope than `botnet-c2`; subscribers wanting only banker-trojan C2 use `botnet-c2` alone. Default action `drop` is safe — these IPs are confirmed-malicious infrastructure, not legitimate hosts. **Credit: abuse.ch ThreatFox — https://threatfox.abuse.ch/.** Refreshed hourly.
mikrotik-bruteforce — entries
IPs caught attempting failed authentication against RouterOS management surfaces (Winbox, SSH, API, Webfig) on the project's volunteer honeypot network. 30-day rolling TTL — an IP that stops reoffending drops off automatically. Default action `drop` is safe; these IPs are confirmed-hostile (multiple failed auth attempts against routers in different ASNs). Honeypot setup instructions at `/docs/honeypot-setup`.
Privacy / posture
1 listtor-exit — entries
Public Tor exit-node IPs from check.torproject.org, refreshed hourly. Informational by default — most admins want to log Tor traffic rather than drop it. Use as a source-address-list match in a logging rule, not in a drop rule, unless you have a specific policy reason.
Reference
2 listsbogon-v4 — entries
IPv4 ranges that should never appear as a source on the public internet — RFC 1918 private use, IETF reserved, documentation, multicast.
bogon-v6 — entries
IPv6 ranges that should never appear as a source on the public internet — ULA, link-local, documentation, multicast, IETF reserved.
Country (geo allocations)
8 listscountry-au — entries
IPv4 + IPv6 prefixes allocated to Australia per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.
country-nz — entries
IPv4 + IPv6 prefixes allocated to New Zealand per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.
country-us — entries
IPv4 + IPv6 prefixes allocated to United States per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.
country-gb — entries
IPv4 + IPv6 prefixes allocated to United Kingdom per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.
country-de — entries
IPv4 + IPv6 prefixes allocated to Germany per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.
country-cn — entries
IPv4 + IPv6 prefixes allocated to China per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.
country-ru — entries
IPv4 + IPv6 prefixes allocated to Russia per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.
country-jp — entries
IPv4 + IPv6 prefixes allocated to Japan per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.
Need another country?
The eight defaults above cover most operators' policies.
For anything else, request the country by ISO 3166-1
alpha-2 code (e.g. br, se,
mx) — the list lands within an hour of
request as the next country-cron tick fulfills it.
Ranges refresh monthly thereafter (RIR delegated stats
tick monthly; nothing more frequent helps).
Sign-in required so per-user pending
limits can apply (max 10 pending at once).
Currently queued
User-published
0 listsThese lists are published by individual users, not curated or vetted by mikrotikfilters. Verify the source before subscribing in production. Want to publish your own? Create a list →