Blacklist
What Is a Blacklist?
A blacklist is an access control list that specifies entities explicitly denied permission to access a system, network, or service. Entries on the list, which may include IP addresses, domain names, email addresses, file hashes, URLs, or user accounts, are blocked on contact; every entity not on the list is permitted by default. This default-permit posture distinguishes blacklisting from allowlisting (formerly called whitelisting), where only explicitly approved entities are allowed through. Blacklists appear throughout computer security and network engineering as a basic tool for filtering known threats from unknown traffic.
The concept predates digital computing: passenger no-fly lists, financial sanction registers, and library card suspension lists all operate on the same logic. In computing, early spam filters assembled lists of known spamming IP addresses in the late 1990s, and the Real-time Blackhole List (RBL), operated initially by the Mail Abuse Prevention System, became one of the first widely shared collaborative threat lists in 1997.
Access Control and Threat Filtering
In network security, a blacklist functions as a deny rule evaluated against incoming connection metadata. A firewall configured with a blacklisted IP range drops packets from those addresses before they reach the protected host. Content-filtering proxies maintain lists of blacklisted domain categories, blocking navigation to URLs that match known malware, phishing, or policy-prohibited content. The National Institute of Standards and Technology recommends layered access control mechanisms in NIST Special Publication 800-41, which covers firewall policies including deny-list configurations for enterprise networks. The effectiveness of a blacklist depends directly on the completeness and freshness of its entries: a threat that is not yet listed passes through unimpeded.
IP and Domain Blocking
Shared threat intelligence feeds distribute blacklists of IP addresses and fully qualified domain names associated with botnets, command-and-control servers, credential-theft campaigns, and distributed denial-of-service sources. Organizations subscribe to commercial or community-maintained feeds such as those distributed through the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) protocols, standardized under OASIS. The CISA Known Exploited Vulnerabilities catalog and its associated guidance represent a government-maintained blacklist approach applied at the vulnerability level rather than the network-address level, directing organizations to remediate or block the specific software versions associated with active exploitation.
Email Filtering and Spam Mitigation
Email security systems maintain sender reputation blacklists that score the history of each sending IP address and domain. A sending address that appears on a major blacklist such as Spamhaus's Block List (SBL) or the composite Spam URI Real-time Blocklists (SURBL) will have messages rejected or diverted to junk folders by receiving mail servers. The Spamhaus project publishes blocklist data that is used by a large proportion of Internet mail transfer agents worldwide to filter inbound messages. False positive listings, where a legitimate sender ends up on a blocklist due to a compromised machine or shared hosting, create operational problems that have driven investment in delisting procedures and reputation recovery workflows.
Applications
Blacklists have applications in a range of fields, including:
- Network security, where firewall deny rules block known malicious IP ranges at the perimeter
- Email systems, where sender IP and domain lists filter spam and phishing at the mail transfer layer
- Web security, where browser vendors and search engines block access to known malware distribution and phishing domains
- Digital rights management, where device hardware IDs and software license keys are revoked on confirmed compromise
- Financial fraud prevention, where payment processors block transactions from flagged card numbers and merchant accounts