DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list, consisting of stolen ‘zombie’ netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.

DROP is currently available as a simple text list, and will shortly also be available over BGP, with the listed prefixes announced from an AS number so that networks can null-route them as address space they do not wish to carry traffic for.

The DROP list will NEVER include any IP space “owned” by any legitimate network and reassigned – even if reassigned to the “spammers from hell”. It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are “direct allocations” from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of “hijacked zombie” IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.

When implemented on a network or ISP’s ‘core routers’, DROP protects all of the network’s users from spamming, scanning, harvesting and DDoS attacks originating in the listed rogue netblocks.

Shell script to apply DROP

Here is a shell script to run on a Linux-based firewall, router, or dedicated Linux web or mail server:

#!/bin/bash
URL="http://www.spamhaus.org/drop/drop.lasso"   # list URL used by this post; Spamhaus now publishes drop.txt
FILE="/tmp/drop.lasso"
echo ""
echo -n "Applying DROP list to existing firewall..."
[ -f "$FILE" ] && /bin/rm -f "$FILE"
wget -q -O "$FILE" "$URL" || { echo " download failed"; exit 1; }
# skip ';' comment lines; the first column of each remaining line is the CIDR block
blocks=$(grep -v '^;' "$FILE" | awk '{ print $1 }')
# remove any earlier copy of the chain so a cron run does not duplicate the rules
iptables -D INPUT -j droplist 2>/dev/null
iptables -D OUTPUT -j droplist 2>/dev/null
iptables -D FORWARD -j droplist 2>/dev/null
iptables -F droplist 2>/dev/null
iptables -X droplist 2>/dev/null
iptables -N droplist
for ipblock in $blocks; do
    iptables -A droplist -s "$ipblock" -j LOG --log-prefix "DROP List Block "
    iptables -A droplist -s "$ipblock" -j DROP
done
iptables -I INPUT -j droplist
iptables -I OUTPUT -j droplist
iptables -I FORWARD -j droplist
echo "...Done"
/bin/rm -f "$FILE"

Call the script from your existing firewall script, or from crontab, every 24 hours to refresh the list: each run downloads the current list and reapplies the rules. Make sure the script deletes and recreates the droplist chain before reapplying the list; otherwise every run appends a duplicate set of rules and the rule count grows each day. Note that the rules match on source address, so the OUTPUT hook only catches packets leaving with a spoofed source; to stop your own hosts from connecting to listed space, add matching rules with -d. If you are using Cisco routers, use the Cisco version of this script for the same purpose, or null-route the listed blocks with the Cisco ‘null route’ command:

ip route <network> <mask> null0

If you don’t want to use iptables, null-route the listed blocks with the Linux routing commands instead. A blackhole route discards packets the kernel would send to those addresses, replies included; inbound packets from listed sources are only dropped as well when reverse-path filtering (rp_filter) is enabled, so the iptables approach is the stronger one:
# ip route add blackhole <IP>/32
# ip route add blackhole <IP/mask>
# route add -net <IP/mask> reject     (legacy net-tools near-equivalent; answers with ICMP unreachable rather than dropping silently)

Try this and you will be surprised how much spam and other bad traffic it blocks.
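The procedure above (download the list, strip the ';' comment lines, take the first column, load it into the firewall, rerun from cron) and the null-route alternative, as one added example that is not the post's own script: it validates every entry before anything reaches an iptables command line, loads the blocks into an ipset and swaps the set in atomically so a cron run replaces the list instead of appending a second chain, and can print the equivalent `ip route add blackhole` lines for the routing approach. The set name spamhaus_drop, the DROP_FILE variable and the embedded sample list are this example's own assumptions, not Spamhaus data; to use the real list, download it first and point DROP_FILE at the file.

```shell
#!/bin/sh
# Added example, not the original post's script. It parses a DROP-format list,
# keeps only well-formed IPv4 CIDRs, loads them into an ipset and swaps the set
# in atomically, so cron runs never duplicate rules and a corrupted download can
# never put arbitrary text on an iptables command line. The set name, the
# DROP_FILE variable and the sample list below are assumptions made here.

SET=spamhaus_drop

# Constructed sample in the DROP file format ("CIDR ; SBLid", ';' comments);
# the third and fourth entries are deliberately malformed to exercise the filter.
SAMPLE='; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: Thu, 01 Jan 2009 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
not-an-address ; SBL000003
300.1.1.0/24 ; SBL000004
203.0.113.0/24 ; SBL000005; trailing text'

# Read the list: a downloaded file if DROP_FILE is set (e.g. after
# "wget -qO /tmp/drop.txt https://www.spamhaus.org/drop/drop.txt"),
# otherwise the embedded sample.
list_source() {
    if [ -n "${DROP_FILE:-}" ]; then cat "$DROP_FILE"; else printf '%s\n' "$SAMPLE"; fi
}

# Drop ';' comment lines, take the first column and accept only a.b.c.d/n with
# every octet below 256 and n <= 32. Anything else is silently discarded.
drop_cidrs() {
    grep -v '^;' | awk '{ print $1 }' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
    awk -F'[./]' '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 && $5 <= 32'
}

# Turn the CIDRs on stdin into an "ipset restore" script that fills a scratch
# set and swaps it with the live one, so the firewall never sees an empty set.
ipset_payload() {
    name="$1"
    echo "create ${name}_new hash:net"
    while read -r cidr; do
        echo "add ${name}_new $cidr"
    done
    echo "swap ${name}_new $name"
    echo "destroy ${name}_new"
}

# Equivalent for the null-route approach: one blackhole route per listed block.
blackhole_commands() {
    while read -r cidr; do
        echo "ip route add blackhole $cidr"
    done
}

# Number of valid CIDRs in the current source.
count_cidrs() {
    list_source | drop_cidrs | wc -l | tr -d ' '
}

# Load the set and hook it into the filter table once; "iptables -C" makes the
# hook idempotent. Inbound and forwarded traffic is matched on source, outbound
# on destination, which a "-s" rule in OUTPUT never does.
apply_drop_list() {
    name="$1"
    ipset create "$name" hash:net -exist || return 1     # live set, kept across runs
    ipset destroy "${name}_new" 2>/dev/null              # leftover from an aborted run
    list_source | drop_cidrs | ipset_payload "$name" | ipset restore || return 1
    for chain in INPUT FORWARD; do
        iptables -C "$chain" -m set --match-set "$name" src -j DROP 2>/dev/null ||
            iptables -I "$chain" -m set --match-set "$name" src -j DROP
    done
    iptables -C OUTPUT -m set --match-set "$name" dst -j DROP 2>/dev/null ||
        iptables -I OUTPUT -m set --match-set "$name" dst -j DROP
}

# Usage: sh apply_drop.sh apply    (as root; needs ipset and iptables)
#        sh apply_drop.sh routes   (print blackhole routes instead of applying)
case "${1:-}" in
    apply)  apply_drop_list "$SET" && echo "loaded $(count_cidrs) blocks into $SET" ;;
    routes) list_source | drop_cidrs | blackhole_commands ;;
esac
```

Run it with `routes` first to see what the filter accepts from the sample: the two malformed entries never appear. The swap into a hash:net set is what makes the cron job safe to repeat, and a single `-m set` rule per chain replaces the thousands of LOG/DROP rule pairs the per-block chain generates.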

15 comments
  • Jerod Santo Oct 24, 2007 @ 17:07

    The script provided for Cisco devices simply updates a text file of the banned netblocks. Are we then supposed to use the cisco-cmd script to add the null routes to our cisco configs?

  • nixCraft Oct 24, 2007 @ 18:11

    Yes, you need to update or add those IPs to null0.

  • Jerod Santo Oct 24, 2007 @ 22:05

    Correct me if I’m wrong, but doesn’t adding ip route network mask null0 only affect traffic leaving my network if said router is the gateway to my LAN?

    If so, does that add much benefit?

  • nixCraft Oct 25, 2007 @ 12:25

    You are dropping all incoming traffic from bad guys.

  • Joe Klemmer Nov 9, 2007 @ 23:25

    Are there any metrics, empirical or subjective, measurements on the hit rate of false positives? I’d love to do more to keep the spam out.

  • Gregg Lain Nov 30, 2007 @ 12:34

    Nice posting – expanded on the alternate route and since shorewall is running happily on my servers – why not let that “manage” the drops:

    # Drop all these bad IP's
    TMPFILE=/tmp/`apg -a 1 -M nc -n 1 -m 26`
    touch $TMPFILE
    curl -s http://www.spamhaus.org/drop/drop.lasso | grep '^[1-9]' | cut -f 1 -d ' ' > $TMPFILE
    for IP in `cat $TMPFILE`; do
        /sbin/shorewall drop $IP
        sleep 5
    done
    rm $TMPFILE

    The sleep statement helps keep the process from hogging all server resources….

    Set this to run via cron twice daily – prefer to be a little paranoid in case of mid-day updates 🙂

  • nixCraft Nov 30, 2007 @ 14:49

    Thanks for sharing the shorewall script.

  • Joe Klemmer Dec 4, 2007 @ 23:58

    I’m getting ready to try this out. There’s one thing that’s not clear to me, though.

    This article states specifically

    you need to run on Linux based firewall / router / dedicated Linux web / mail server

    My server is doing everything and it’s brother. Is this going to affect all the other crap this box is doing (well, specifically ssh)?

  • nixCraft Dec 5, 2007 @ 1:55

    This will only block bad guys and not ssh, unless your IP is one of them 😉

  • Ashi Jan 11, 2008 @ 9:24

    Spamming is surely a threat to cyberspace. Most of the spammers are also hackers and they break into your PC as soon as you click on their email links. In order to fight the spam threat we need strong spam filters for our emails which secure us from most of the spam mails. I have heard that http://www.zapak.com is one of the good e-mail service providers who gives maximum protection from most of the spam mails; now that is what we internet lovers require.

  • Me Jan 31, 2008 @ 11:01

    The script is problematic as a cron job.
    It will create redundant drop rules, so every day
    iptables will double its rules number.

    Just run the script a few times and see.
    1st run iptables rules count: 365
    2nd run: 592
    3rd run: 865

  • Hamish Feb 19, 2008 @ 11:17

    It works well as a cron job, but you need to flush the old rules first. I added the following lines to the top of this script:
    iptables -F

    Where regular_rules is a file containing all your standard iptables rules that you want to add the spamhaus rules to each day.

    Not sure if I should stop and start the iptables service; I don’t currently, but I guess it’s an easy addition… Thanks for the script…

  • Firas Apr 9, 2010 @ 12:23

    Should we add the script to all our VPSs, or just the node?

  • Christian Sep 14, 2011 @ 14:42

    This script could be a little more secure, i.e. use a random tmp file and a clean-up handler. Also the list processing can be done in bash (no awk needed).

    drop=$(mktemp /tmp/drop.XXXXXX)              # random temp file, removed by the trap below
    URL=http://www.spamhaus.org/drop/drop.lasso
    trap "rm -f $drop" EXIT
    echo -n "Applying DROP list to existing firewall..."
    wget -q -O "$drop" "$URL"
    blocks=$(grep -v '^;' "$drop" | while read line ; do echo ${line%%;*} ; done)

  • Stove Aug 24, 2013 @ 12:46

    I thought this script sounded like a good idea. I decided to tail my mail log (‘tail /var/log/exim_mainlog -f’) and check some of the IP addresses against the blacklist to see if they would have been blocked. I checked the next 20 IPs that SpamAssassin flagged as spam and none of the IPs were in the Spamhaus list. Back to the drawing board. I think that the way SpamAssassin rate limits offending IPs is pretty effective anyway.
