Blacklisting
What Is Blacklisting?
Blacklisting is the practice of compiling and enforcing a list of entities that are explicitly denied access to a system, service, or resource, while permitting all others by default. In computing and network security, the entities subject to blacklisting include IP addresses, domain names, email addresses, file hashes, application identifiers, and user accounts. Blacklisting is one of two foundational access control strategies; its counterpart, allowlisting, inverts the default by permitting only explicitly approved entities and denying all others. Blacklisting is easier to deploy incrementally but structurally weaker, because any threat not yet catalogued on the list passes through unrestricted.
The practice gained formal attention in digital security during the rise of email spam in the mid-1990s, when mail server administrators began sharing lists of known spamming IP ranges. Since then, blacklisting has expanded into endpoint security, firewall management, web content filtering, and threat intelligence sharing.
How Blacklisting Works
A blacklisting system checks each incoming entity against a stored list of prohibited entries and takes a blocking action when a match is found. In a network firewall, this manifests as a deny rule evaluated against source IP addresses or domain names. In an email gateway, the check runs against the sending server's IP and the domain in the message's From header. In endpoint security software, file hashes of known malware samples are compared against each file before execution is permitted. The speed of this lookup is critical: high-throughput environments process millions of connection attempts per second, so blacklists are commonly implemented as hash tables or Bloom filters to minimize per-lookup latency. NIST Special Publication 800-83, which covers malware incident prevention and handling, discusses the role of signature-based blocking, a form of blacklisting, in endpoint protection architectures.
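The lookup mechanics described above, as an added example that is not part of the original article: exact-match entries live in an ordinary hash-based set, IP ranges are checked by CIDR containment, and a small Bloom filter fronts the domain list so the common "not listed" case is answered without touching the full list. All blocklist entries (IPs in the TEST-NET ranges, `.example` domains, a hash of a constructed byte string) are constructed placeholders, and the `BloomFilter` class is a minimal illustration rather than a production library. The Bloom filter can say "maybe listed" for an entry that is not (a false positive), but never "not listed" for one that is, which is why the code confirms every positive against the exact set before blocking.

```python
import hashlib
import ipaddress
from math import ceil, log

# Constructed sample blocklist (placeholder values, not from any real feed).
BLOCKED_IPS = {"198.51.100.23", "203.0.113.7"}
BLOCKED_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]
BLOCKED_DOMAINS = {"malware.example", "phish.example"}
BLOCKED_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}


class BloomFilter:
    """Probabilistic set: may report a false positive, never a false negative."""

    def __init__(self, expected_items, false_positive_rate=0.01):
        # Standard sizing: m bits and k hash functions for the target FP rate.
        self.m = ceil(-expected_items * log(false_positive_rate) / (log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Derive k bit positions from one SHA-256 digest via double hashing.
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so positions vary
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def build_domain_bloom():
    bloom = BloomFilter(len(BLOCKED_DOMAINS))
    for d in BLOCKED_DOMAINS:
        bloom.add(d)
    return bloom


def is_ip_blocked(ip_text):
    """Exact match (hash-table lookup) first, then CIDR range containment."""
    if ip_text in BLOCKED_IPS:
        return True
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in BLOCKED_CIDRS)


def is_domain_blocked(domain, bloom):
    """Bloom pre-check, then exact confirmation; parent domains are checked too."""
    labels = domain.lower().rstrip(".").split(".")
    # sub.malware.example -> ["sub.malware.example", "malware.example"]; the bare
    # TLD is never a candidate, so a whole TLD cannot be blocked by accident.
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for c in candidates:
        if c in bloom and c in BLOCKED_DOMAINS:  # second test discards FPs
            return True
    return False


def is_file_blocked(content):
    """Hash-based signature check, as an endpoint agent would run before execution."""
    return hashlib.sha256(content).hexdigest() in BLOCKED_SHA256


if __name__ == "__main__":
    b = build_domain_bloom()
    for ip in ("198.51.100.23", "192.0.2.200", "203.0.113.8"):
        print(ip, "blocked" if is_ip_blocked(ip) else "allowed")
    for d in ("sub.malware.example", "example.com"):
        print(d, "blocked" if is_domain_blocked(d, b) else "allowed")
```

Because every Bloom positive is confirmed against the exact set, the final decision is deterministic; the filter only saves work on the far more common non-listed lookups. An entry that is not on any list passes, which is the structural weakness of the blocklist model in code form.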
Blacklisting Versus Allowlisting
The choice between blacklisting and allowlisting reflects different threat models. Blacklisting is appropriate when the population of legitimate users and behaviors is too large or variable to enumerate in advance, and the set of known bad actors is smaller and more stable. An email provider cannot enumerate every legitimate sender in the world but can maintain a list of confirmed spam sources. Allowlisting is appropriate in environments where the set of authorized programs or network peers is small, predictable, and changes infrequently, such as industrial control systems or high-security computing enclaves. NIST Special Publication 800-167 on application whitelisting (now called allowlisting) describes the conditions under which the allowlist model provides stronger security assurances than blacklisting alone. Most production security architectures combine both approaches: a blocklist filters known threats, while allowlists restrict which processes can access sensitive resources.
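The combined architecture in the last sentence above, as an added example that is not from the original article: a blocklist pass runs first with default allow, then an allowlist gates a small set of sensitive resources with default deny. The IP, hash, process and resource names are constructed placeholders. Tracing the four sample events shows the difference in threat model: an unlisted source IP reaching a non-sensitive resource is allowed, because the blocklist can only stop what it already knows, while an unlisted process touching a sensitive resource is denied regardless of whether anyone has catalogued it as malicious.

```python
from dataclasses import dataclass

# Constructed policy data (placeholder values, not from any real deployment).
BLOCKED_SOURCE_IPS = {"203.0.113.7"}
BLOCKED_HASHES = {"0" * 64}  # placeholder hash standing in for a known-bad sample

# Allowlist: only these process names may access each sensitive resource.
SENSITIVE_RESOURCE_ALLOWLIST = {
    "/etc/shadow": {"sshd", "login"},
    "/var/lib/secrets/db.key": {"postgres"},
}


@dataclass
class Event:
    source_ip: str
    process: str
    resource: str
    file_hash: str = ""


def evaluate(event):
    """Return (decision, reason).

    Stage 1 is the blocklist: deny only on a match, allow everything else.
    Stage 2 is the allowlist for sensitive resources: deny unless the process
    is explicitly approved. Non-sensitive resources skip stage 2 entirely.
    """
    if event.source_ip in BLOCKED_SOURCE_IPS:
        return "deny", "blocklist: source IP is listed"
    if event.file_hash and event.file_hash in BLOCKED_HASHES:
        return "deny", "blocklist: file hash is listed"

    approved = SENSITIVE_RESOURCE_ALLOWLIST.get(event.resource)
    if approved is not None:
        if event.process in approved:
            return "allow", "allowlist: process approved for sensitive resource"
        return "deny", "allowlist: process not approved for sensitive resource"
    return "allow", "no blocklist match and resource is not sensitive"


def summarize(events):
    """Count decisions by reason; useful for spotting which layer is doing the work."""
    counts = {}
    for e in events:
        decision, reason = evaluate(e)
        counts[(decision, reason)] = counts.get((decision, reason), 0) + 1
    return counts


if __name__ == "__main__":
    samples = [
        Event("203.0.113.7", "curl", "/tmp/report.txt"),
        Event("198.51.100.5", "curl", "/etc/shadow"),
        Event("198.51.100.5", "sshd", "/etc/shadow"),
        Event("198.51.100.5", "curl", "/tmp/report.txt"),
    ]
    for s in samples:
        print(s.process, s.resource, "->", evaluate(s))
```

The ordering matters: putting the blocklist first lets a known-bad source be rejected cheaply before any allowlist work, and keeping the allowlist scoped to named sensitive resources is what makes the model deployable where the full population of legitimate behaviour cannot be enumerated.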
Terminology and Contemporary Usage
The term "blacklist" has faced criticism as potentially carrying racial connotations, and several major technology organizations, including Google, Twitter, and the Linux kernel maintainers, shifted their documentation to use "blocklist" or "denylist" in 2020 and 2021. The terms are functionally identical in security contexts. The IETF guidance on inclusive terminology recommends "blocklist" as the preferred replacement in protocol documentation and standards work. The underlying security mechanism described by either term remains unchanged, and both appear in current industry tools, vendor documentation, and regulatory language.
Applications
Blacklisting has applications in a range of fields, including:
- Network perimeter defense, where firewall rules block traffic from known malicious IP address ranges and autonomous systems
- Antivirus and endpoint detection, where hash-based signature databases identify and block known malware files
- Email security, where real-time blackhole lists and sender reputation databases filter inbound messages
- Web filtering, where browser safeguards and enterprise proxies block navigation to known phishing and malware distribution domains
- Certificate revocation, where certificate authority revocation lists block acceptance of compromised TLS certificates