Skip to content

Firewall & Network Device Integration

vspam.org serves plain-text blocklists over HTTP. Point your firewall at the URL, set a refresh interval. That's it.

Web submissions are normalized to canonical domains before publication, so the firewall surface focuses on IP and domain artifacts rather than long-lived raw URL lists.

Firewall feeds now prioritize deterministic shadow scoring. Public feeds only publish high-score malicious artifacts and use legacy live confidence as a fallback when a shadow score is not available.

Every firewall export also carries operator-intent metadata in bothX-VSpam-*headers and leading#comment lines, so simple download consumers can preserve block, watch, and context semantics even outside the web catalog.

Feed URL Builder

https://api.vspam.org/api/v1/firewall/ips
Public feeds use a fixed operator-safe threshold. Enterprise consumers can additionally tunescore_min,shadow_confidence_min,confidence, andmanual_review=true. Comment-prefixed lines can be ignored safely by consumers that only need artifact values.

Selection Policy

Public defaults

  • Only malicious shadow verdicts are published.
  • Default threshold is shadow score ≥ 80 and shadow confidence ≥ 0.55.
  • Artifacts marked for manual review are excluded.
  • Legacy live confidence only applies when a shadow score is missing.

Enterprise tuning

# Lower the shadow score floor for broader coverage
curl -s "https://api.vspam.org/api/v1/firewall/ips?key=<KEY>&score_min=65&shadow_confidence_min=0.40"

# Explicitly include manual-review artifacts with inline comments
curl -s "https://api.vspam.org/api/v1/firewall/domains?key=<KEY>&manual_review=true&comments=true"

Platform Guides

Replace FEED_URL with the URL from the builder above.

Palo Alto NetworksExternal Dynamic Lists
Objects → External Dynamic Lists → Add
  Name: vspam-blocklist
  Type: IP List / Domain List
  Source: FEED_URL
  Repeat: Hourly
FortiGateExternal Connectors
config system external-resource
  edit "vspam-blocklist"
    set type address
    set resource "FEED_URL"
    set refresh-rate 60
  next
end
pfSense / OPNsenseFirewall → Aliases
Firewall → Aliases → Add
  Name: vspam_blocklist
  Type: URL Table (IPs)
  URL: FEED_URL
  Update Freq: 1 (days)
Juniper SRXsecurity dynamic-address
set security dynamic-address feed-server vspam-feed url FEED_URL
set security dynamic-address feed-server vspam-feed update-interval 3600
set security dynamic-address address-name vspam-blocklist profile feed-name vspam-feed
Cisco FirepowerObjects → Object Management
Objects → Object Management → External Feed → Add
  Name: vspam-blocklist
  Feed URL: FEED_URL
  Type: IP / Domain
  Update Frequency: 3600 seconds
Linux iptables / nftablescron + ipset
#!/bin/bash
# /etc/cron.hourly/vspam-blocklist
ipset create -exist vspam hash:net
curl -sf "FEED_URL" | grep -v '^#' | while read ip; do
  ipset add -exist vspam "$ip"
done
iptables -I INPUT -m set --match-set vspam src -j DROP
MikroTik RouterOSscheduler + fetch
/system scheduler add name=vspam-update interval=1h on-event={
  /tool fetch url="FEED_URL" dst-path=vspam.txt
  /ip firewall address-list remove [find list=vspam]
  :foreach line in=[/file get vspam.txt contents] do={
    :if ([:pick $line 0 1] != "#") do={
      /ip firewall address-list add list=vspam address=$line
    }
  }
}
Suricataiprep + cron
# /etc/cron.hourly/vspam-suricata
curl -sf "FEED_URL" | grep -v '^#' | \
  awk '{print $1",1,127"}' > /etc/suricata/iprep/vspam.list
suricatasc -c reload-rules

Free vs Enterprise

FeatureFreeEnterprise
IOC typesIPs, DomainsIPs, Domains
Primary gateShadow score ≥ 80, shadow confidence ≥ 0.55Shadow score/confidence are configurable
Live confidence fallback≥ 0.80 when no shadow score exists≥ 0.30 configurable fallback
Update frequency5 min cache5 min cache
CIDR aggregation/24 auto-aggregation
Metadata commentsHeader comments onlyLive confidence, shadow score, verdict, timestamp
Manual-review artifactsNever includedOptional via query param
Threshold tuningFixed operator-safe policyscore_min, shadow_confidence_min, confidence
AuthenticationNone requiredAPI key (?key=)
Rate limitsStandardElevated

FAQ

How often is the feed updated?

Feeds are cached for 5 minutes. Set your firewall refresh interval to 1 hour or more to avoid unnecessary requests.

How large is the IP blocklist?

Typically a few hundred to a few thousand entries depending on current threat activity. The list only includes confirmed, non-expired IOCs.

What format are the feeds?

Plain text, one value per line. Lines starting with # are comments (header metadata). Compatible with virtually every firewall that supports external blocklists.

Do I need an API key?

No — the free tier works without authentication. An enterprise API key unlocks lower confidence thresholds, CIDR aggregation, and metadata comments.

Need structured feeds (STIX, MISP, CSV)? See all integrations or check the API documentation.