🛡️ Spamhaus DROP Blocklist Scraper

🚀 Pull the live Spamhaus DROP and EDROP blocklists in one run. Get every hijacked or criminal netblock as a clean row with its CIDR, Spamhaus SBL reference, and regional internet registry, ready for firewall and routing blocklists.

🕒 Last updated: 2026-06-05 · 📊 6 fields per record · IPv4 and IPv6 lists · Global RIR coverage (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC)

Spamhaus DROP (Don't Route Or Peer) and EDROP are public, free blocklists published by The Spamhaus Project. They list IP netblocks that are directly allocated to, or hijacked by, spammers and cyber criminals. This Actor fetches the official Spamhaus DROP feeds and returns one clean row per netblock so network and security teams can ingest fresh indicators without parsing raw feed lines by hand.

This is a defensive, public-data threat-intelligence tool. Every record comes straight from the Spamhaus DROP download feed. Use it to feed firewall and BGP null-route blocklists, enrich alerts in a SOC, confirm whether a prefix is on the DROP list, or back research into criminal hosting patterns.

🎯 Target Audience	💡 Primary Use Cases
Network and security engineers	Block hijacked netblocks at the edge
SOC and blue-team analysts	Enrich alerts with DROP context
Threat intelligence teams	Track criminal netblock allocations
ISPs and hosting providers	Null-route DROP prefixes via BGP
Security researchers	Study RIR and netblock abuse trends

📋 What the Spamhaus DROP Blocklist Scraper does

• Fetches the official Spamhaus DROP feeds for IPv4 (drop_v4), IPv6 (drop_v6), or both.
• Returns one row per netblock with the CIDR, Spamhaus SBL reference, and regional internet registry.
• Builds a direct link to the matching Spamhaus SBL record for each entry.
• Filters by regional internet registry (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC).
• Caps the number of rows returned so you can pull a quick sample or the whole list.
• Uses only the public download feed, no login, no API key, no images.

🎬 Full Demo (🚧 Coming soon)

⚙️ Input

Field	Type	Description
listVersion	select	Which feed to fetch. v4 pulls the IPv4 list, v6 pulls the IPv6 list, both merges them.
rir	select	Optional registry filter. any, arin, ripencc, apnic, lacnic, afrinic, or other.
maxItems	integer	Maximum rows to return. Free plan is capped at 10.

Example input, IPv4 list sample:

{
  "listVersion": "v4",
  "rir": "any",
  "maxItems": 5
}

Example input, only RIPE NCC netblocks across IPv4 and IPv6:

{
  "listVersion": "both",
  "rir": "ripencc",
  "maxItems": 100
}

⚠️ Good to Know: DROP is a high-confidence, conservative list, so the IPv6 feed in particular is small and can return only a handful of rows. The sblUrl field points to the Spamhaus SBL record behind each listing, where you can read why the netblock was added. Each run fetches the feed live, so counts shift as Spamhaus adds or removes netblocks.

📊 Output

Each record has the following fields:

Field	Description
🧱 cidr	The listed netblock in CIDR notation
🔖 sblid	Spamhaus SBL reference for the listing
🌍 rir	Regional internet registry that allocated the block
🔢 ipVersion	IPv4 or IPv6
🔗 sblUrl	Direct link to the Spamhaus SBL record
🕒 scrapedAt	When this Actor fetched the record
❌ error	Null on data rows, set only when a run fails

Three real sample records from a run on 2026-06-05:

{
  "cidr": "1.10.16.0/20",
  "sblid": "SBL256894",
  "rir": "apnic",
  "ipVersion": "IPv4",
  "sblUrl": "https://www.spamhaus.org/sbl/query/SBL256894",
  "scrapedAt": "2026-06-05T17:18:20.225Z",
  "error": null
}

{
  "cidr": "1.19.0.0/16",
  "sblid": "SBL434604",
  "rir": "apnic",
  "ipVersion": "IPv4",
  "sblUrl": "https://www.spamhaus.org/sbl/query/SBL434604",
  "scrapedAt": "2026-06-05T17:18:20.285Z",
  "error": null
}

{
  "cidr": "2.56.192.0/22",
  "sblid": "SBL459831",
  "rir": "ripencc",
  "ipVersion": "IPv4",
  "sblUrl": "https://www.spamhaus.org/sbl/query/SBL459831",
  "scrapedAt": "2026-06-05T17:18:20.342Z",
  "error": null
}

✨ Why choose this Actor

• Pulls straight from the official Spamhaus DROP download, no third-party copy.
• Clean, flat rows that drop into a firewall, router, or threat-intel platform.
• Merges the IPv4 and IPv6 lists into one result set when you need both.
• Filter by regional internet registry before the data ever leaves the run.
• No API key and no login required for this public feed.
• Honest schema, only fields the source actually returns, no padded always-null columns.

📈 How it compares to alternatives

Approach	Effort	Freshness	Structured output
This Actor	One run	Live feed	Yes, flat rows
Manual download and parse	Repeated by hand	Live feed	You build the parser
Copy-pasting the website list	Slow and error prone	Stale fast	No
Generic web scraper on the page	Brittle setup	Breaks on layout change	Needs cleanup

🚀 How to use

1. Sign in or create a free Apify account using this sign-up link.
2. Open the Spamhaus DROP Blocklist Scraper and pick the v4, v6, or both list.
3. Optionally set a regional internet registry filter.
4. Set maxItems and click Start.
5. When the run finishes, browse the dataset or pull it through the API into your tools.

💼 Business use cases

🔥 Firewall and edge blocklisting

Feed listed netblocks into firewall, router, and DNS blocklists so traffic to and from hijacked prefixes is dropped at the perimeter.

Need	How this helps
Block criminal netblocks	Push fresh CIDRs to perimeter controls
Reduce exposure	Cut traffic to known bad prefixes early

🧭 SOC alert enrichment

When an alert references an external IP, check whether its prefix appears on the DROP list to confirm it sits in known criminal space.

Need	How this helps
Triage faster	Match IPs to a listed netblock instantly
Prioritize alerts	DROP hits jump the queue

🛣️ BGP and routing policy

Network operators can null-route or refuse to peer with DROP-listed prefixes to keep criminal traffic off their backbone.

Need	How this helps
Drop hijacked routes	Build null-route lists from CIDRs
Tighten peering	Refuse known bad prefixes

📊 Registry and abuse analysis

Study which regional internet registries and allocations repeatedly appear on the list to inform risk scoring and policy.

Need	How this helps
Score allocation risk	Aggregate by rir and CIDR size
Brief stakeholders	Back claims with real counts

🔌 Automating Spamhaus DROP Blocklist Scraper

Connect runs to the rest of your stack:

• Make and Zapier: trigger a run on a schedule and route new netblocks to a webhook.
• Slack: post newly listed prefixes to a network or security channel.
• Airbyte: load the dataset into your data warehouse for trend analysis.
• GitHub: commit periodic snapshots of the list to a repo for change tracking.
• Google Drive: archive each run for an auditable history of the feed.

🌟 Beyond business use cases

• Research: study criminal hosting patterns, RIR abuse, and netblock churn over time.
• Personal: block listed netblocks on a home network or personal firewall.
• Non-profit: help small organizations without a security budget harden their perimeter.
• Experimentation: build and test routing or filtering rules against a real netblock feed.

🤖 Ask an AI assistant

Paste a run output into your assistant of choice and ask for analysis:

• ChatGPT
• Claude
• Perplexity
• Microsoft Copilot

Example prompt: "Group these netblocks by regional internet registry and tell me which registries carry the most listed prefixes and the largest CIDR ranges."

❓ Frequently Asked Questions

Is this legal and safe to use? Yes. Spamhaus publishes the DROP and EDROP lists publicly for defensive use. This Actor only reads that public feed and returns it in a structured form.

Do I need a Spamhaus API key? No. The Spamhaus DROP downloads used here are public and keyless. No login or token is required.

What is DROP and EDROP? DROP (Don't Route Or Peer) lists netblocks allocated to or hijacked by spammers and cyber criminals. EDROP is an extension covering further criminal allocations. Both are meant for blocking at the firewall or routing layer.

What is the difference between the v4 and v6 lists? The v4 feed lists IPv4 netblocks and the v6 feed lists IPv6 netblocks. Choose both to merge them into a single result set.

Why did my run return only a few rows? DROP is a conservative, high-confidence list. The IPv6 feed especially is small, so a run may return a handful of rows rather than thousands.

What is the SBL reference? Each listing carries a Spamhaus Block List (SBL) reference such as SBL256894. The sblUrl field links to the SBL record explaining why the netblock was listed.

What does the rir field mean? It is the regional internet registry that allocated the block, such as ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC. You can filter to a single registry with the rir input.

How fresh is the data? Each run fetches the list live at run time, so the data is as current as the Spamhaus DROP feed itself.

Can I filter by registry? Yes. Pick a registry in the rir input to keep only netblocks allocated by that registry.

How many rows can I get on the free plan? Free runs are capped at 10 rows. A paid plan raises the cap so you can pull the entire list.

Can I schedule this to run automatically? Yes. Use Apify Schedules to run it daily and route new netblocks to your tools through integrations or the API.

Does this replace a full threat-intel platform? No. It is a clean source of one specific, high-quality blocklist that complements your existing tooling rather than replacing it.

🔌 Integrate with any app

Every run stores results in an Apify dataset you can pull through the REST API, the JavaScript and Python clients, or any of the no-code integrations above. Wire the output into a firewall management tool, a SIEM, a router automation pipeline, or a notification channel.

🔗 Recommended Actors

• Feodo Tracker C2 Scraper. Pull the abuse.ch Feodo Tracker botnet C2 IP blocklist.
• crt.sh Certificate Transparency Scraper. Search certificate transparency logs by domain.
• Have I Been Pwned Breaches Scraper. Browse the catalog of known data breaches.
• EPA FRS Facility Registry Scraper. Query the EPA Facility Registry Service.
• deps.dev Package Insights Scraper. Pull open source package security and dependency data.

💡 Pro Tip: browse the complete ParseForge collection.

🆘 Need Help? Open our contact form

⚠️ Disclaimer: This is an independent tool and is not affiliated with The Spamhaus Project. Only publicly available data is collected, and it is provided for defensive security and research purposes.