IPsum

Website: https://github.com/stamparm/ipsum
Category: Threat Intelligence

IPsum is a daily threat intelligence feed created by Miroslav Stampar that aggregates over 30 individual IP blocklists into a single scored dataset. Each IP address receives a score from 1 to 10 based on how many independent blocklists flag it as malicious. A higher score means more sources agree the IP is problematic, providing a consensus-based confidence metric for IP reputation. We use IPsum as a primary threat signal on IP lookup and reputation pages across robtex.com and rbls.org.

What is IPsum?

IPsum takes a fundamentally different approach from single-source blocklists. Rather than relying on one organization's detection methodology, it pulls from dozens of independent blocklists maintained by different security researchers and organizations around the world. Each day, IPsum downloads the latest version of each source list, checks which IPs appear on multiple lists, and assigns a score equal to the number of lists that flag each address.

An IP with a score of 1 appears on only one source list, which could be a false positive or a very recent detection. An IP with a score of 8 or higher appears on eight or more independent lists, which represents strong cross-source consensus that the address is involved in malicious activity. The underlying source lists cover a wide range of threat categories:

  • Spam and email abuse - Open relays, spam botnets, bulk senders
  • Brute force attacks - SSH, FTP, and web login scanners
  • Malware distribution - Hosts serving malicious payloads
  • Command and control - Botnet C2 infrastructure
  • Web attacks - SQL injection, XSS, and exploitation attempts

The project is open source and hosted on GitHub, with daily automated updates. Because it aggregates rather than generates its own detections, IPsum inherits the combined coverage of all its source lists while reducing false positives through the scoring mechanism.

How We Use This Data

On robtex.com and rbls.org, IP lookup and reputation pages display IPsum data as one of the first threat indicators to load. When you look up an IP address, we show whether it appears in IPsum and its score. This gives an immediate signal about the IP's reputation before the slower DNS-based blocklist queries complete.

The score is particularly useful for triage. A score of 1-2 suggests a recent or isolated detection that may or may not be significant. A score of 3-5 indicates moderate consensus across sources and warrants investigation. A score of 6+ represents strong agreement among independent security feeds that the IP is actively malicious.

We import the full IPsum dataset daily into our database, making lookups instantaneous rather than requiring real-time fetches from the upstream source.
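
The count-based scoring described under "What is IPsum?" and the triage bands above, sketched as an added example (not IPsum's or this site's code). The source lists are constructed from documentation-range addresses, the one-entry-per-line format with `#` comments is an assumption, and the band labels are hypothetical names for the three score ranges given on this page.

```python
import ipaddress
from collections import Counter

# Constructed sample lists (RFC 5737 documentation addresses, not real feed data).
SOURCE_LISTS = {
    "list_a": "# header comment\n203.0.113.7\n198.51.100.20\n203.0.113.7\n",
    "list_b": "203.0.113.7\n198.51.100.20\n",
    "list_c": "203.0.113.7\n198.51.100.20\n192.0.2.0/24\n",
    "list_d": "203.0.113.7\n192.0.2.55\n",
    "list_e": "203.0.113.7  # inline comment\n",
    "list_f": "203.0.113.7\nnot-an-ip\n",
}

def parse_list(text):
    """Return the set of valid single IPv4 addresses found in one list."""
    ips = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments
        if not entry:
            continue
        try:
            ips.add(str(ipaddress.IPv4Address(entry)))
        except ValueError:
            continue  # CIDR ranges, hostnames and junk are skipped here
    return ips

def score(source_lists):
    """Score = number of distinct lists that contain the address."""
    counts = Counter()
    for text in source_lists.values():
        # A set per list means a duplicate line cannot inflate the score.
        counts.update(parse_list(text))
    return dict(counts)

def triage(s):
    """Map a score to the bands on this page (label names are hypothetical)."""
    if s >= 6:
        return "high-confidence"
    if s >= 3:
        return "investigate"
    if s >= 1:
        return "isolated"
    return "unlisted"

def report(source_lists):
    """Rows of (ip, score, band), highest score first."""
    scores = score(source_lists)
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, s, triage(s)) for ip, s in ordered]

if __name__ == "__main__":
    for row in report(SOURCE_LISTS):
        print(*row, sep="\t")
```

Counting each list at most once per address is what makes the score a measure of cross-source agreement rather than of how often one list repeats itself.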

FAQ

What does an IPsum score of 3 versus 8 mean in practice?
A score of 3 means three independent blocklists flag the IP, which suggests likely malicious activity but could still be a false positive from correlated sources. A score of 8 means eight or more unrelated security feeds independently identified the IP, which is strong evidence of persistent malicious behavior. Generally, scores of 3+ warrant investigation and scores of 6+ indicate high-confidence threats.

Can a legitimate IP appear in IPsum?
Yes. Shared hosting IPs, cloud provider addresses, and recently reassigned IPs can carry reputation from previous users or co-tenants. An IP running a legitimate mail server alongside a compromised account might get flagged by spam-focused lists. The score helps here: a low score (1-2) on a known hosting IP is less concerning than a high score on a dedicated address.

How does IPsum differ from checking individual blocklists?
Checking individual lists gives binary results per source. IPsum provides a meta-score that reflects cross-source consensus. An IP listed on one obscure blocklist might not matter, but an IP listed on seven independent lists almost certainly does. IPsum saves you from manually querying dozens of lists and interpreting each one's methodology.