LISTS

Browse community lists.

Curated address lists you can subscribe your RouterOS device to. Click a list for entries, sources, and the subscription URL. Every individual list is free, forever — see support for the bundle builder + higher daily pull cap.

Threat

4 lists
SCANNER
community-blocklist

— entries

IPv4 + IPv6 ranges that should not be routing legitimate traffic, seeded from Spamhaus DROP / EDROP / DROPv6. Spamhaus tracks ranges hijacked by criminal organisations and known bulletproof-hosting allocations. **Credit: Spamhaus Project — https://www.spamhaus.org/drop/.** Refreshed hourly. Community submissions extend it via /submit; pending entries land in the mod queue.


BOTNET
botnet-c2

— entries

Active botnet command-and-control infrastructure for Emotet, Heodo, TrickBot, QakBot, Dridex (and any other malware families abuse.ch tracks via Feodo Tracker). Drop is safe — these IPs are command servers for active malware, not legitimate hosts. **Credit: abuse.ch Feodo Tracker — https://feodotracker.abuse.ch/.** Refreshed hourly.


SCANNER
malware-ioc

— entries

Active malware infrastructure — C2 servers, payload hosts, drop sites — across a broad family set (Emotet, AgentTesla, RemcosRAT, AsyncRAT, Cobalt Strike, etc.). Broader scope than `botnet-c2`; subscribers wanting only banker-trojan C2 use `botnet-c2` alone. Default action `drop` is safe — these IPs are confirmed-malicious infrastructure, not legitimate hosts. **Credit: abuse.ch ThreatFox — https://threatfox.abuse.ch/.** Refreshed hourly.


BRUTE
mikrotik-bruteforce

— entries

IPs caught attempting failed authentication against RouterOS management surfaces (Winbox, SSH, API, Webfig) on the project's volunteer honeypot network. 30-day rolling TTL — an IP that stops reoffending drops off automatically. Default action `drop` is safe; these IPs are confirmed-hostile (multiple failed auth attempts against routers in different ASNs). Honeypot setup instructions at `/docs/honeypot-setup`.


Privacy / posture

1 list
TOR
tor-exit

— entries

Public Tor exit-node IPs from check.torproject.org, refreshed hourly. Informational by default — most admins want to log Tor traffic rather than drop it. Use as a source-address-list match in a logging rule, not in a drop rule, unless you have a specific policy reason.


Reference

2 lists
reference
bogon-v4

— entries

IPv4 ranges that should never appear as a source on the public internet — RFC 1918 private use, IETF reserved, documentation, multicast.


reference
bogon-v6

— entries

IPv6 ranges that should never appear as a source on the public internet — ULA, link-local, documentation, multicast, IETF reserved.


Country (geo allocations)

8 lists
country
country-au

— entries

IPv4 + IPv6 prefixes allocated to Australia per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.


country
country-nz

— entries

IPv4 + IPv6 prefixes allocated to New Zealand per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.


country
country-us

— entries

IPv4 + IPv6 prefixes allocated to United States per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.


country
country-gb

— entries

IPv4 + IPv6 prefixes allocated to United Kingdom per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.


country
country-de

— entries

IPv4 + IPv6 prefixes allocated to Germany per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.


country
country-cn

— entries

IPv4 + IPv6 prefixes allocated to China per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.


country
country-ru

— entries

IPv4 + IPv6 prefixes allocated to Russia per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.


country
country-jp

— entries

IPv4 + IPv6 prefixes allocated to Japan per RIR delegated stats, sourced via HotCakeX/Official-IANA-IP-blocks (MIT). **Allocation, not routing reality** — a Singapore ISP can route Thailand traffic on SG-allocated prefixes — so use this for filtering policy, not analytics. Default action is `log` because country filtering is policy-dependent; admins flip to `drop` (blocklist) or use as an allowlist source-address-list as their threat model dictates.


Need another country?

The eight defaults above cover most operators' policies. For anything else, request the country by ISO 3166-1 alpha-2 code (e.g. br, se, mx) — the list lands within an hour of request as the next country-cron tick fulfills it. Ranges refresh monthly thereafter (RIR delegated stats tick monthly; nothing more frequent helps). Sign-in required so per-user pending limits can apply (max 10 pending at once).