Protection Against Malware and Ransomware

Block Lists for the Security Community Since 2005

We offer non-commercial block lists in formats compatible with several of the most commonly used DNS, firewall, IPS/IDS and AV tools, such as SpamAssassin, ClamAV, and SquidGuard, among others. These lists include verified data for active malware and ransomware.

non-commercial subscription

Configuration guides to help you ingest our data are available on our website. If you need additional assistance, check out our tech support page.

Participate and Protect Others

The Malware Patrol project began over a decade ago as a group sharing malicious URLs. This community, more active than ever, continues to collect, analyze, and monitor malware. We gladly provide a platform and resources to facilitate the collection and distribution of our community’s data because we believe that information sharing is one of the most effective ways to fight cyber threats.

Send your suspicious emails and URLs to or set up a spam trap. All submissions are verified hourly and any new malicious URLs will be immediately added to our block lists. A single submission could help protect thousands of users.

Want a Free Subscription?

We offer free Basic Defense block list subscriptions (valued at $40/year) to the following:

  1. Educational organizations: For security teams, not students, to protect your organization’s networks and users. Request here.
  2. Regular contributors: Forward your suspicious emails to us regularly or set up a spam trap and you can have free data.
  3. Configuration guide authors: Write instructions for a tool/system/platform that we don’t already have and submit to us.


A commercial license is required if you use our data to protect your customers.

Block List Subscription Options 

Free Guard

Includes the last 7 days of malware URLs from our database, updated EVERY 72 HOURS. Available in the formats listed below. This data is for non-commercial use by any individual, group or organization.

Basic Defense

Includes the last 15 days of malware URLs from our database, updated EVERY 4 HOURS. Non-commercial use only. The subscription fees help us maintain our infrastructure. Options listed below.

Educational Organizations

Educational organizations and regular contributors qualify for free subscriptions to our Basic Defense Block Lists for the protection of their internal users and networks. Request your account here.

Block List FAQs


Duplicate Entries

Our lists include what we call “MBL ID”, a unique identifier that correlates to each entry in the database. This number assigned to each entry means our system is actually structured to detect, and therefore avoid, duplicates. Basically, the “MBL_ID” helps us organize and debug the large amount of data in our lists.

The most common report of duplicate entries is related to what appears to be repeated domains or partial URLs. While it may seem that these are duplicates, it is usually the case that there are multiple malware samples hosted in a website’s directory. Each instance of malware on a single domain has its own unique identifier because it represents a different URL, directory, or was detected at a different point in time, for example.

False Positives

The quality of our data is very important to us. We ask that you send reports of false positives to fp (@) We’ll investigate promptly, update our database (if necessary), and let you know the results.

Please read this before submitting a report:

We often receive false positive reports on domains like docs(.)google(.)com, drive(.)google(.)com, dropbox(.)com and github(.)com. Unfortunately, these sites host bad malware more frequently than ever. To further complicate things, systems like Google Docs serve files from their root directories, forcing some formats of block lists to affect (block) the entire domain.

We understand that it is not always possible to block mainstream websites. To help our customers in this situation, we modified our download script to allow for domain exclusions. These will be applied right after the lists are downloaded. The exact way to do it depends on your environment and configuration, but simple shell commands like ‘cat _filename_ | grep -v _domain_ > _new_file_name_’ can remove entries.

For help automating the removal of domains from block lists, contact our tech support via email – support (@) – and they’ll be happy to help. Please remember to mention the block list you use and how you download it.