Firewall & Network Device Integration
vspam.org serves plain-text blocklists over HTTP. Point your firewall at the URL, set a refresh interval. That's it.
Web submissions are normalized to canonical domains before publication, so the firewall surface focuses on IP and domain artifacts rather than long-lived raw URL lists.
Firewall feeds now prioritize deterministic shadow scoring. Public feeds only publish high-score malicious artifacts and use legacy live confidence as a fallback when a shadow score is not available.
Every firewall export also carries operator-intent metadata in bothX-VSpam-*headers and leading#comment lines, so simple download consumers can preserve block, watch, and context semantics even outside the web catalog.
Feed URL Builder
https://api.vspam.org/api/v1/firewall/ipsscore_min,shadow_confidence_min,confidence, andmanual_review=true. Comment-prefixed lines can be ignored safely by consumers that only need artifact values.Selection Policy
Public defaults
- Only malicious shadow verdicts are published.
- Default threshold is shadow score ≥ 80 and shadow confidence ≥ 0.55.
- Artifacts marked for manual review are excluded.
- Legacy live confidence only applies when a shadow score is missing.
Enterprise tuning
# Lower the shadow score floor for broader coverage
curl -s "https://api.vspam.org/api/v1/firewall/ips?key=<KEY>&score_min=65&shadow_confidence_min=0.40"
# Explicitly include manual-review artifacts with inline comments
curl -s "https://api.vspam.org/api/v1/firewall/domains?key=<KEY>&manual_review=true&comments=true"Platform Guides
Replace FEED_URL with the URL from the builder above.
Objects → External Dynamic Lists → Add
Name: vspam-blocklist
Type: IP List / Domain List
Source: FEED_URL
Repeat: Hourlyconfig system external-resource
edit "vspam-blocklist"
set type address
set resource "FEED_URL"
set refresh-rate 60
next
endFirewall → Aliases → Add
Name: vspam_blocklist
Type: URL Table (IPs)
URL: FEED_URL
Update Freq: 1 (days)set security dynamic-address feed-server vspam-feed url FEED_URL
set security dynamic-address feed-server vspam-feed update-interval 3600
set security dynamic-address address-name vspam-blocklist profile feed-name vspam-feedObjects → Object Management → External Feed → Add
Name: vspam-blocklist
Feed URL: FEED_URL
Type: IP / Domain
Update Frequency: 3600 seconds#!/bin/bash
# /etc/cron.hourly/vspam-blocklist
ipset create -exist vspam hash:net
curl -sf "FEED_URL" | grep -v '^#' | while read ip; do
ipset add -exist vspam "$ip"
done
iptables -I INPUT -m set --match-set vspam src -j DROP/system scheduler add name=vspam-update interval=1h on-event={
/tool fetch url="FEED_URL" dst-path=vspam.txt
/ip firewall address-list remove [find list=vspam]
:foreach line in=[/file get vspam.txt contents] do={
:if ([:pick $line 0 1] != "#") do={
/ip firewall address-list add list=vspam address=$line
}
}
}# /etc/cron.hourly/vspam-suricata
curl -sf "FEED_URL" | grep -v '^#' | \
awk '{print $1",1,127"}' > /etc/suricata/iprep/vspam.list
suricatasc -c reload-rulesFree vs Enterprise
| Feature | Free | Enterprise |
|---|---|---|
| IOC types | IPs, Domains | IPs, Domains |
| Primary gate | Shadow score ≥ 80, shadow confidence ≥ 0.55 | Shadow score/confidence are configurable |
| Live confidence fallback | ≥ 0.80 when no shadow score exists | ≥ 0.30 configurable fallback |
| Update frequency | 5 min cache | 5 min cache |
| CIDR aggregation | — | /24 auto-aggregation |
| Metadata comments | Header comments only | Live confidence, shadow score, verdict, timestamp |
| Manual-review artifacts | Never included | Optional via query param |
| Threshold tuning | Fixed operator-safe policy | score_min, shadow_confidence_min, confidence |
| Authentication | None required | API key (?key=) |
| Rate limits | Standard | Elevated |
FAQ
How often is the feed updated?
Feeds are cached for 5 minutes. Set your firewall refresh interval to 1 hour or more to avoid unnecessary requests.
How large is the IP blocklist?
Typically a few hundred to a few thousand entries depending on current threat activity. The list only includes confirmed, non-expired IOCs.
What format are the feeds?
Plain text, one value per line. Lines starting with # are comments (header metadata). Compatible with virtually every firewall that supports external blocklists.
Do I need an API key?
No — the free tier works without authentication. An enterprise API key unlocks lower confidence thresholds, CIDR aggregation, and metadata comments.
Need structured feeds (STIX, MISP, CSV)? See all integrations or check the API documentation.