3CORESEC not updating

One by one, decent sources for IP blocklist are disappearing.
After Alienvvault and EDROP vanished, I just noticed that 3CORESEC might be gone as well.

When I check my System logs and choose section IP Address Blocklist

I see starting February 03, 2025

ipblocklist: <ERROR> Could not update 3CORESEC blocklist - Download error!

Just to confirm e.g. February 02, 2025, I see

ipblocklist: Skipping 3CORESEC blocklist - It has not been modified!
or

ipblocklist: Successfully updated 3CORESEC blocklist.

I see the same thing on mine.

For clarity, Alienvault disappeared but EDROP was merged into DROP so it didn’t disappear but the two separate lists got combined into a single one.
https://www.spamhaus.org/resource-hub/network-security/spamhaus-drop-and-edrop-to-become-a-single-list/

Regarding the download error message that is because the 3coresec blacklist urls are all giving a 503 error message.

This could be because their server has gone down, in which case it should come back up again after a short time. It could be due to maintenance but again should come back up again after a short while.

Unfortunately, as it is now over two weeks since you starting getting this message, then it could also be the case that 3coresec have removed the service and the associated servers.

I have checked their website and there is no mention of the blacklists currently at all.

They have a blog which had a message about the blacklists from 2022. That was also the last entry in that blog, yet they still have a link to it on their website.

They have 13 github repositories for various projects. The oldest was last updated in 2019 and the 3 or 4 newest were last updated mid 2024.

I suspect they have pulled the blacklists and are no longer supporting them.
I am not sure how active they still are in their core business.

I will send them an email to ask about the blacklists but I am not particularly hopeful that I will get any response.

EDIT:
It is also not just the lists that are not available. The website pages that used to describe the three lists and what they did are also not available at all.
Also these three lists were available in IPFire for only 6 months before they look to have been removed. Clearly before any new lists are added we need to find some way to get a feeling for how serious and supported over time any list is going to be.

Hi all.

I noticed this yesterday because blocklist.3coresec.com was returning NXDOMAIN.

It appears that they decided to decommission their blocklist earlier in the month without notifying anyone.

I found this on their X account, which makes it seem like they are planning on returning this service at some point, but they haven’t provided a date and it’s been 10 days since the post.

image1187×1204 141 KB

It is worth removing the 3COREsec lists for now. I’ll submit a bug report.

Thanks,
A G

The question would be, if they bring it back, how long will it stay like that. How confident can we be when they just removed it without any announcement or pre-warning on their website.

I saw they had an x account but as you have to join to be able to see anything, then I don’t get to see anything.

Personally, I feel that since they dropped their blocklist without any announcement, it raises concerns about their reliability as a security provider. That said, they were added at the community’s request, so if they return and prove to be stable over time, perhaps we can reconsider in the future.

Thanks,
A G

Yes, this is actually a very important question.

We have seen similar actions recently from a couple of providers where lists just disappear first and statements are being released after. I understand that (almost all) are provided for free, and so there is less of a loyalty these providers feel with their “customers”. Nobody is expecting them to host their lists for the eternity of time, but it would be nice to see a strong commitment to deal with all parts of providing this properly - including any switch offs.

The reason why this matters is once again that it creates work for us. Planning this work and getting things in order in our own time is a lot easier than responding to sudden events like this.

If they bring back the list, we don’t have to do anything here, which would probably the option that I would choose. Not because it is the best thing, but the easiest in this very case. But if things are getting flaky, we should just remove them.

When lists disappear, or even can still be downloaded but are actually empty, people will think that they actually have certain protection features enabled when they don’t. I think there is a mild security problem here.

Removing the source is an easy fix, just uncheck 3CORESEC from IP Address Blocklist in the Firewall menu and click Save

(This screen shot is outdated so let me know if you need more assistance )

2000×1052 244 KB

Looks like I have been recommending 3CORESEC since I started using the official IPFire blocklist, in Aug 2022,

They were a reputable source way before that and part of Emerging Threads and Suricata rules.

It is even stranger that ET removed them without any announcements and now they return 404 error
https://rules.emergingthreats.net/open/suricata-7.0.3/rules/3coresec.rules

image1124×797 53.8 KB

Ah this is very interesting… I can’t talk about this in public, but this is very interesting.

It’s been a while, are you able to give at least a clue on what happened?

There has been no email communication response from 3coresec, there has been no reference to the loss of the blocklists on the 3coresec website and as far as I am aware no further news in the twitter message that suggested they might come back.

My view is that they are gone and that later in April we will remove those three 3coresec blocklists from the IP Blocklist Sources file.

I was hoping Michael would shed some light on his background info