Protection Against Malware and Ransomware

Blocklists for the Security Community Since 2005

We offer non-commercial blocklists in formats compatible with several of the most commonly used DNS, firewall, IPS/IDS and AV tools, such as SpamAssassin, ClamAV, and SquidGuard, among others. These lists include verified data for active malware and ransomware.

non-commercial subscription

Check out our configuration guides and tech support options here.


Participate and Protect Others

The Malware Patrol project began over 15 years ago as a group sharing malicious URLs. This community, more active than ever, continues to collect, analyze, and monitor malware. We gladly provide a platform and resources to facilitate the collection and distribution of our community’s data because we believe that information sharing is one of the most effective ways to fight cyber threats.

Send your suspicious emails and URLs to or set up a spam trap. All submissions are verified hourly and any new malicious URLs will be immediately added. A single submission could help protect thousands of users.

Want a Free Subscription?

We offer free lifetime Basic Defense blocklist subscriptions (valued at $40/year) to the following:

  1. Educational organizations: For security teams (not students) to protect your organization’s networks and users. Request here.

  3. Configuration guide authors: Write instructions for a tool/system/platform that we do not already have and submit to us.


A commercial license is required if you use our data to protect your customers.

Block List Subscription Options 

Free Guard

Includes the last 7 days of malware URLs from our database, updated EVERY 72 HOURS. Available in the formats listed below. This data is for non-commercial use by any individual, group or organization.

Basic Defense

Includes the last 15 days of malware URLs from our database, updated EVERY 4 HOURS. Non-commercial use only. The subscription fees help us maintain our infrastructure. Options listed below.

Educational Organizations

Educational organizations and regular contributors qualify for free subscriptions to our Basic Defense Block Lists for the protection of their internal users and networks. Request your account here.

Blocklist FAQs

Duplicate entries

Our lists include what we call “MBL ID”, a unique identifier that correlates to each entry in the database. This number assigned to each entry means our system is actually structured to detect, and therefore avoid, duplicates. Basically, the “MBL_ID” helps us organize and debug the large amount of data in our lists.

The most common report of duplicate entries is related to what appears to be repeated domains or partial URLs. While it may seem that these are duplicates, it is usually the case that there are multiple malware samples hosted in a website’s directory. Each instance of malware on a single domain has its own unique identifier because it represents a different URL, directory, or was detected at a different point in time, for example.

False positives / whitelisting domains

The quality of our data is very important to us. We ask that you send reports of false positives to fp (@) We will investigate promptly, update our database (if necessary), and let you know the results.

Please read this before submitting a report:

We often receive false positive reports on domains like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Unfortunately, these sites host bad malware more frequently than ever. To further complicate things, systems like Google Docs serve files from their root directories, forcing some formats of block lists to affect (block) the entire domain.

We understand that it is not always possible to block very popular websites. To help our customers in this situation, we modified our download script to allow for domain exclusions. These will be applied right after the lists are downloaded. The exact way to do it depends on your environment and configuration, but simple shell commands like ‘cat _filename_ | grep -v _domain_ > _new_file_name_’ can remove entries.

For help automating the removal of domains from block lists, contact our tech support via email: support (@) – and they will be happy to help. Please remember to mention the blocklist you use and how you download it.

How can I automate data downloads?

There are multiple ways to automate the download and ingestion of our data feeds. Specifics depend on your operating system, environment and use of the data. As most of our customers utilize the data in *nix environments, the common tools used for automation are ‘wget’ and ‘curl’. A basic ‘wget’ command to download a block list looks like the following:

wget –no-check-certificate -O /etc/squid3/malware_patrol_blocklist ‘_URL_COPIED_FROM_YOUR_CUSTOMER_PORTAL_’

The download and ingestion of the data by whatever software you use also require the operating system to frequently perform these tasks. For that, ‘cron’ is the choice of most of our customers.

Error message while downloading data

Error messages:

# Your access was denied.
# You may have supplied a wrong password, your subscription may have expired or you may not have access to this resource.

The most likely cause of your problem is that you are running wget in a Linux shell and did no enclose the URL in single or double quotes. Therefore, the shell understands the ampersand (&) sign as an indication that part of the command should be sent to the background and the URL is broken.

Try the following command instead, for example, to download a ClamAV block list:

wget –no-check-certificate -O /var/lib/clamav/malwarepatrol.db ‘’

Accessing blocklist from multiple IPs

There are no restrictions in the number of IP addresses from which you can download the block lists.

Do you provide invoices?

We cannot provide invoices for Basic Defense subscriptions. Contact your account manager or support (@) for Business Protect and Enterprise subscription invoices.