// downloads
| window | entries | size | updated | nginx | apache |
|---|---|---|---|---|---|
| toxic (always-malicious ranges) | 56 | 1 KB nginx · 1 KB apache | 2026-05-17 | nginx | apache |
| 24 hours | 1,961 | 46 KB nginx · 53 KB apache | 2026-05-18 | nginx | apache |
| 7 days | 14,409 | 336 KB nginx · 393 KB apache | 2026-05-17 | nginx | apache |
| 30 days | 46,362 | 1.1 MB nginx · 1.3 MB apache | 2026-05-17 | nginx | apache |
| 90 days (recommended default) | 126,631 | 2.9 MB nginx · 3.5 MB apache | 2026-05-17 | nginx | apache |
| 180 days | 240,918 | 5.6 MB nginx · 6.6 MB apache | 2026-05-17 | nginx | apache |
| 365 days (widest net) | 516,097 | 12.0 MB nginx · 14.1 MB apache | 2026-05-17 | nginx | apache |
counts & dates are live from the mirror; lists rebuild automatically
when it refreshes (24-hour list ~hourly, the rest ~daily). responses send an
ETag — poll with If-None-Match for a cheap 304.
// usage — 90-day list; swap the path for any window
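```sh
# nginx: fetch the list into conf.d, then reload
curl -fsS "https://sfs.ipinfo.app/api/downloads/nginx/90/" -o /etc/nginx/conf.d/sfs.conf && nginx -s reload

# apache: fetch the list into conf-enabled, then reload gracefully
curl -fsS "https://sfs.ipinfo.app/api/downloads/htaccess/90/" -o /etc/apache2/conf-enabled/sfs.conf && apachectl -k graceful

# crontab entry: refresh the nginx list daily at 04:00
0 4 * * * curl -fsS "https://sfs.ipinfo.app/api/downloads/nginx/90/" -o /etc/nginx/conf.d/sfs.conf && nginx -s reload
```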
// which list?
toxic — small, hand-curated ranges that exist only to abuse. safe to block outright.
1–365 days — ips reported as spammers within that window. shorter = fresher & smaller; longer = broader coverage. 90 days is the sensible default.
// notes
- This is a blunt, IP-level block. Reported addresses are shared, recycled and dynamic — CGNAT, mobile carriers, VPNs and corporate NAT mean one blocked IP can take real users with it. Expect false positives.
- Reported ≠ currently malicious. An IP listed months ago may now belong to someone legitimate. Shorter windows reduce this; none eliminate it.
- Daily, not real-time. The upstream rebuilds ~daily (the 24-hour list ~hourly), so a brand-new spam source won't be listed yet. It's a baseline, not an active defense.
- IPv4 only. The mirrored feeds are IPv4; IPv6 abuse is not covered.
- Big lists belong in a packet filter. Apache `Deny from` with 100k+ entries is evaluated per request and will wreck performance. nginx `deny` is better but a 500k-rule config is still heavy — for the long windows, load the IPs into `ipset`/`nftables` at the firewall instead.
- Data & warranty. Data is from Stop Forum Spam; this is an unofficial mirror, served as-is with no guarantee of accuracy or availability. Respect SFS's terms.
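
The packet-filter note above, as an added example (not this page's or the mirror's own tooling): a script that validates a downloaded nginx-format list and converts it into an nftables set, rejecting the whole file if any line is not a plain deny entry. It assumes one `deny <IPv4>[/prefix];` per line; the table name `sfs`, set name `blocked`, the /8 minimum-prefix guard and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. ASSUMPTION: the nginx-format download is one
# "deny <IPv4>[/prefix];" per line, plus optional blank lines and "#" comments.

# sfs_extract FILE: print each validated address; exit status 1 on any bad line.
sfs_extract() {
    awk '
        /^[ \t]*(#.*)?$/ { next }    # skip blank lines and comments
        {
            if ($0 !~ /^[ \t]*deny[ \t]+[0-9.]+(\/[0-9]+)?;[ \t]*$/) { bad = 1; exit }
            addr = $2; sub(/;.*$/, "", addr)
            n = split(addr, p, "/"); m = split(p[1], o, "[.]")
            # prefixes shorter than /8 are refused (constructed guard against 0.0.0.0/0)
            if (m != 4 || (n == 2 && (p[2] + 0 > 32 || p[2] + 0 < 8))) { bad = 1; exit }
            for (i = 1; i <= 4; i++)
                if (o[i] == "" || length(o[i]) > 3 || o[i] + 0 > 255) { bad = 1; exit }
            print addr
        }
        END { exit bad }
    ' "$1"
}

# sfs_to_nft FILE: print an nftables ruleset; print nothing and return 1 if the
# file fails validation or is empty, so a bad download never replaces the set.
sfs_to_nft() {
    ips=$(sfs_extract "$1") || return 1
    [ -n "$ips" ] || return 1
    elements=$(printf '%s\n' "$ips" | paste -sd, -)
    cat <<EOF
add table inet sfs
delete table inet sfs
table inet sfs {
  set blocked {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { $elements }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    ip saddr @blocked drop
  }
}
EOF
}

# Constructed sample input (documentation address ranges, not real list data).
sfs_sample() {
    printf '%s\n' '# constructed sample' 'deny 192.0.2.15;' 'deny 198.51.100.0/24;' 'deny 203.0.113.7;'
}
```

To apply the result, write the output of `sfs_to_nft` to a file, check it with `nft -c -f`, then load it with `nft -f`; both need root.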
// when to use it
good fit
- forums, blogs, wikis, comment & signup forms — the abuse SFS actually tracks
- apps you can't fix from the inside — drowning in spam but no way to add a blocklist, CAPTCHA or checks (closed-source, legacy, hosted/SaaS): enforce at the proxy/firewall in front instead
- defense-in-depth alongside CAPTCHA, rate limiting and moderation — not the only layer
- edge / reverse-proxy filtering for low-stakes public content
- cutting obvious bot noise before it hits the app
not for every site
- e-commerce / SaaS / auth where blocking one real customer outweighs the spam saved
- audiences behind heavy CGNAT (mobile-first or developing regions) — high collateral
- latency- or throughput-critical apps that can't absorb large deny-list evaluation per request
- services with availability/accessibility or compliance obligations (gov, healthcare, ADA-sensitive)
- anything needing real-time threat response — this is a daily list