Looks like they may have gone closed source. With their new relationship with AWS.
It seems this is becoming more common.
Which is very disappointing.
Just had a look at all the lists on the Abuse.ch SSL blacklist page. All of them are either listed as deprecated or haven’t been updated for some time. None of the lists on that page have been recently updated.
SSL Certificate Blacklist (CSV) last updated on 2025-06-25
Suricata SSL Certificate Ruleset last updated on 2025-06-25
Botnet C2 IP Blacklist (CSV) deprecated on 2025-01-03
Suricata Botnet C2 IP Ruleset deprecated on 2025-01-03
Botnet C2 DNS Response Policy Zone (RPZ) deprecated on 2025-02-28
JA3 Fingerprint Blacklist (CSV) last updated on 2021-08-03
Suricata JA3 Fingerprint Ruleset last updated on 2021-08-03
Basically all the lists from Abuse.ch are no longer supported.
Abuse.ch are now part of Spamhaus and the Abuse.ch offering from Spamhaus is for Real Time Threat intelligence feeds for which you have to pay.
As far as I can see Spamhaus now charge for all their services except for the DROP list.
I just had a look to see if anything is still valid and found it is all no longer valid, some of them since 2021.
Basically there is now an abuse.ch web site that has no lists still being updated or some even without any contents now but no mention anywhere on the web page.
Yes, the founder of abuse.ch “sold out”.
I think his name is Roman. To his credit, he put a lot of effort into fighting malware and phishing and getting results.
And yes, pretty much most of abuse.ch lists were discontinued but these are still active and functional:
The aggressive rules should not be used. They were removed from IPFire a while back.
This is a file that contains every botnet that has ever been detected by Feodo since they started tracking, including all botnets that no longer exist because the users re-installed their systems. So it has a huge false positive rate.
The feodotracker rules is a list of all botnets that were active in the last 30 days. So there can again be a high false positive rate as within 30 days the botnets could be taken down or the users of the systems realise they are infected and re-install. Again removed from IPFire at the same time as the aggressive ruleset.
The recommended feodo rules list contains botnets that have been active in the last few hours. False positive rate pretty low. It can be empty and from CU196 onwards the IDS will accept empty rulesets, so that users don’t end up with an out of date ruleset because the replacement was not uploaded due to being empty.
This is not used in IPFire.
Looking at the contents and as abuse.ch is part of spamhaus now, it is not clear to me why the IPs that they list are not in the DROP list from spamhaus. Some of them are but some of them are not.
The more sensible thing would be for spamhaus to merge the urlhaus list into the DROP list unless they have concerns about the false positive rate.
I added the threatfox rules to my IPFire system and even after 15 minutes the memory stabilised at around 1.8GB compared to 400MB before but that still left me with 80% of my memory free. So I can’t replicate the “most of RAM being used up” scenario. My system has 8GB RAM.
I agree, I included the aggressive list just to compare with the recommended list. You can see how it looked before and after Operation Endgame.
These are not IPs necessarily, but URLs. This list is also available just as a list of domains. If you check the RPZ addon thread that Jon created, it is a decent RPZ list to use. This might be helpful in mitigating some of the “fast-flux” techniques.
Whoever runs the abuse lists finally posted a clarification on their blog - pretty much confirming that we need to pay to play.
Who will have to pay to access the data?
Spamhaus Technology is making the abuse.ch data available to organizations that are NOT making significant contributions to the community, but are deriving commercial gain from the use of this data. And yes, a cost will be associated with accessing these feeds. Users of the paid version of the data will get additional benefits such as unified APIs, including access to technical documentation and more efficient false positive remediation.
Meanwhile, if you contribute data, you will be able to access the data for free.