Firewall & Network Device Integration
vspam.org serves plain-text blocklists over HTTP. Point your firewall at the URL, set a refresh interval. That's it.
Feed URL Builder
https://api.vspam.org/api/v1/firewall/ips

Platform Guides
Replace FEED_URL with the URL from the builder above.
Objects → External Dynamic Lists → Add
Name: vspam-blocklist
Type: IP List / Domain List / URL List
Source: FEED_URL
Repeat: Hourly

config system external-resource
    edit "vspam-blocklist"
        set type address
        set resource "FEED_URL"
        set refresh-rate 60
    next
end

Firewall → Aliases → Add
Name: vspam_blocklist
Type: URL Table (IPs)
URL: FEED_URL
Update Freq: 1 (days)

set security dynamic-address feed-server vspam-feed url FEED_URL
set security dynamic-address feed-server vspam-feed update-interval 3600
set security dynamic-address address-name vspam-blocklist profile feed-name vspam-feed

Objects → Object Management → External Feed → Add
Name: vspam-blocklist
Feed URL: FEED_URL
Type: IP / URL
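Update Frequency: 3600 seconds

#!/bin/bash
# /etc/cron.hourly/vspam-blocklist
ipset create -exist vspam hash:net
# Add each non-comment, non-empty feed line to the set
curl -sf "FEED_URL" | grep -v '^#' | while read -r ip; do
    [ -n "$ip" ] && ipset add -exist vspam "$ip"
done
# Insert the DROP rule only if it is not already present (this script runs hourly)
iptables -C INPUT -m set --match-set vspam src -j DROP 2>/dev/null || \
    iptables -I INPUT -m set --match-set vspam src -j DROP

/system scheduler add name=vspam-update interval=1h on-event={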
    /tool fetch url="FEED_URL" dst-path=vspam.txt
    /ip firewall address-list remove [find list=vspam]
    :foreach line in=[/file get vspam.txt contents] do={
        :if ([:pick $line 0 1] != "#") do={
            /ip firewall address-list add list=vspam address=$line
        }
    }
}

#!/bin/bash
# /etc/cron.hourly/vspam-suricata
curl -sf "FEED_URL" | grep -v '^#' | \
    awk '{print $1",1,127"}' > /etc/suricata/iprep/vspam.list
suricatasc -c reload-rules

Free vs Enterprise
| Feature | Free | Enterprise |
|---|---|---|
| IOC types | IPs, Domains, URLs | IPs, Domains, URLs |
| Confidence threshold | ≥ 0.80 (fixed) | ≥ 0.30 (configurable) |
| Update frequency | 5 min cache | 5 min cache |
| CIDR aggregation | — | /24 auto-aggregation |
| Metadata comments | — | Confidence, category, timestamp |
| Category filtering | — | Per-request filtering |
| Authentication | None required | API key (?key=) |
| Rate limits | Standard | Elevated |
FAQ
How often is the feed updated?
Feeds are cached for 5 minutes. Set your firewall refresh interval to 1 hour or more to avoid unnecessary requests.
How large is the IP blocklist?
Typically a few hundred to a few thousand entries depending on current threat activity. The list only includes confirmed, non-expired IOCs.
What format are the feeds?
Plain text, one value per line. Lines starting with # are comments (header metadata). Compatible with virtually every firewall that supports external blocklists.
Do I need an API key?
No — the free tier works without authentication. An enterprise API key unlocks lower confidence thresholds, CIDR aggregation, and metadata comments.
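The feed format described in the FAQ (one value per line, # for comments) is easy to consume, but a firewall that applies it blindly enforces every line the feed serves. The following is an added example, not vspam.org's code: a Python validator that rejects malformed, overly broad or protected entries and emits `ipset restore` input that replaces the set in one swap. The protected ranges, prefix limit, size bound, temporary set name and sample feed are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the page): ranges that must never be blocked, the
# broadest prefix accepted, and an upper bound on feed size.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MIN_PREFIX, MAX_ENTRIES = 16, 100_000

# Constructed sample feed: comment header, valid entries, and lines to reject.
SAMPLE = """# constructed header comment
192.0.2.10
198.51.100.0/24
203.0.113.7
0.0.0.0/0
10.1.2.3
2001:db8::1
not-an-ip
"""

def parse_feed(text):
    """Return (accepted IPv4 networks, [(line, reason)]) for a one-per-line feed."""
    accepted, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "not an IP or CIDR"))
            continue
        if net.version != 4:                  # the hash:net set here is IPv4
            rejected.append((line, "not IPv4"))
        elif net.prefixlen < MIN_PREFIX:
            rejected.append((line, "prefix too broad"))
        elif any(net.overlaps(p) for p in NEVER_BLOCK):
            rejected.append((line, "protected range"))
        else:
            accepted.add(net)
    return sorted(accepted), rejected

def ipset_restore_script(nets, name="vspam"):
    """Build `ipset restore` input: fill a temporary set, then swap it in."""
    if not nets or len(nets) > MAX_ENTRIES:
        raise ValueError("feed empty or implausibly large; keeping current set")
    tmp = name + "-tmp"
    head = [f"create {name} hash:net", f"create {tmp} hash:net", f"flush {tmp}"]
    body = [f"add {tmp} {n}" for n in nets]
    return "\n".join(head + body + [f"swap {tmp} {name}", f"destroy {tmp}"]) + "\n"
```

Pipe the returned text to `ipset -exist restore` so the `create` lines are harmless when the sets already exist. Because the live set is only replaced by the final `swap`, a failed download or an empty feed leaves the previous blocklist in place.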
Need structured feeds (STIX, MISP, CSV)? See all integrations or check the API documentation.