Page 1 of 1

Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Tue Oct 01, 2019 11:00 pm
by Shumkov
Hello!
The new parameter "output=user" provided new scripting capabilities that I decided to take full advantage of.

- the script does not need third-party servers, since address lists are downloaded directly from the source and processed directly on the router.

- the script does NOT save the downloaded files to the disk (thereby preventing premature wear and failure of the disk).

- the script can be adapted to download and process any number of address lists of a similar format (the maximum file size is 63 KiB (64512 bytes). It is better than 4 KiB :)).

At the moment the script can download and update next lists:
- DShield
- Spamhaus DROP
- Spamhaus EDROP
- Bambenek High-Confidence C2
- Abuse.ch SSLBL

Variant 1:
ip firewall address-list
:local update do={
:do {
:local data ([:tool fetch url=$url output=user as-value]->"data")
remove [find list=blacklist comment=$description]
:while ([:len $data]!=0) do={
:if ([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") do={
:do {add list=blacklist address=([:pick $data 0 [:find $data $delimiter]].$cidr) comment=$description timeout=1d} on-error={}
}
:set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
}
} on-error={:log warning "Address list <$description> update failed"}
}
$update url=http://feeds.dshield.org/block.txt description=DShield delimiter=("\t") cidr=/24
$update url=http://www.spamhaus.org/drop/drop.txt description="Spamhaus DROP" delimiter=("\_")
$update url=http://www.spamhaus.org/drop/edrop.txt description="Spamhaus EDROP" delimiter=("\_")
$update url=http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt description="Bambenek High-Confidence C2" delimiter=("\2C")
$update url=https://sslbl.abuse.ch/blacklist/sslipblacklist.txt description="Abuse.ch SSLBL" delimiter=("\r")
- the script deletes all addresses matching the condition "list=blacklist comment=$description", after which it fills out address lists from scratch. It's easier and faster :)

Variant 2:
ip firewall address-list
:local update do={
:do {
:local data ([:tool fetch url=$url output=user as-value]->"data")
:local array [find dynamic list=blacklist]
:foreach value in=$array do={:set array (array,[get $value address])}
:while ([:len $data]!=0) do={
:if ([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") do={
:local ip ([:pick $data 0 [:find $data $delimiter]].$cidr)
:do {add list=blacklist address=$ip comment=$description timeout=1d} on-error={
:do {set ($array->([:find $array $ip]-[:len $array]/2)) timeout=1d} on-error={}
}
}
:set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
}
} on-error={:log warning "Address list <$description> update failed"}
}
$update url=http://feeds.dshield.org/block.txt description=DShield delimiter=("\t") cidr=/24
$update url=http://www.spamhaus.org/drop/drop.txt description="Spamhaus DROP" delimiter=("\_")
$update url=http://www.spamhaus.org/drop/edrop.txt description="Spamhaus EDROP" delimiter=("\_")
$update url=http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt description="Bambenek High-Confidence C2" delimiter=("\2C")
$update url=https://sslbl.abuse.ch/blacklist/sslipblacklist.txt description="Abuse.ch SSLBL" delimiter=("\r")
- the script does NOT delete actual addresses, but prolongs their timeout. Addresses that are not in the downloadable list are deleted by the system automatically after their timeout. It's harder and slower :), but it makes it possible to track the date/time of addresses added to the blacklist.
Why is the script using an "array"?
Because the default "find" function is VERY slow. Using an additional array allows to speed up the script several times, since operations are performed directly with the indexes, bypassing the default "find" function.

Required policy: read, write, test.
Perhaps this script will be useful to someone :)

P.S. Sorry for my English :oops:

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri Oct 18, 2019 12:12 am
by Zebble
Nice Work!

I added FireHOL Level2 to the script as well, in case you're interested. Just added this line:

$update url=https://raw.githubusercontent.com/ktsao ... el2.netset description="FireHOL Level2" delimiter=("\n")

-zeb

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri Oct 18, 2019 4:29 pm
by liuyao
Hello:

Thank you for sharing。 But the way you write functions is hard to understand. If any boss is rewritten, the written statement is perfect like the official example. Thank you

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun Nov 03, 2019 5:20 pm
by RackKing
Hi - This looks great. I will give it a try.

Update -
I just run this and it works great - no errors and works perfectly

What is general recommendation on how often to grab new lists - daily?

Am I correct it removes or ignores duplicate entries?

It would be great to keep this updated with additional!

Thank you so much for this!!!

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun Nov 03, 2019 5:37 pm
by msatter
How does it handle 1.2.3.0/24 addresses and as far I could it enters 1.2.3.0 in the addresslist without the /24?

Update: I ran the script and it does handles the range (cidr) correctly. Going to look if I can add some more lists.

Update 2: excellent script and I have added the option to filter on a specific label in file and that also can be used to remove a list that is not used anymore, from the current blacklist in the addresslist.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun Nov 03, 2019 5:42 pm
by RackKing
Nice Work!

I added FireHOL Level2 to the script as well, in case you're interested. Just added this line:

$update url=https://raw.githubusercontent.com/ktsao ... el2.netset description="FireHOL Level2" delimiter=("\n")

-zeb
This appears to fail for me.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun Nov 03, 2019 7:50 pm
by RackKing
Nice Work!

I added FireHOL Level2 to the script as well, in case you're interested. Just added this line:

$update url=https://raw.githubusercontent.com/ktsao ... el2.netset description="FireHOL Level2" delimiter=("\n")

-zeb
This appears to fail for me.
This is the correct syntax
$update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset description="FireHOL Level2" delimiter=("\n")

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun Nov 03, 2019 7:51 pm
by msatter
Nice Work!

I added FireHOL Level2 to the script as well, in case you're interested. Just added this line:

$update url=https://raw.githubusercontent.com/ktsao ... el2.netset description="FireHOL Level2" delimiter=("\n")

-zeb
This appears to fail for me.
It works if poster zeb put it as code here:
$update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset description="FireHOL Level2" delimiter=("\n")

REALLY PLEASED with the script from Shumkov and the added option by Mikrotik and it is now very easy to import lists without having to use other computers to prepare the lists up front

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun Nov 03, 2019 8:00 pm
by RackKing
Nice Work!

I added FireHOL Level2 to the script as well, in case you're interested. Just added this line:

$update url=https://raw.githubusercontent.com/ktsao ... el2.netset description="FireHOL Level2" delimiter=("\n")

-zeb
This appears to fail for me.
It works if poster zeb put it as code here:
$update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset description="FireHOL Level2" delimiter=("\n")

REALLY PLEASED with the script from Shumkov and the added option by Mikrotik and it is now very easy to import lists without having to use other computers to prepare the lists up front
That Level2 list is huge.... trying to sort the different levels they have. Any thoughts? Also, would you fun this daily?

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun Nov 03, 2019 8:39 pm
by Shumkov
Do not forget about file size - maximum 63 KiB.
If the file size is larger than the maximum, only part of the file will be processed (the first 63 KiB), and the rest of the file will be discarded.
FireHOL Level2 is bigger than 63 KiB :)
What is general recommendation on how often to grab new lists - daily?
I set the scheduler interval to 8 hours.
In general, the interval depends on the specific list and the frequency of updating this list by its provider.
it removes or ignores duplicate entries?
The script removes only addresses that are in the "blacklist" list and have a comment=description.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun Nov 03, 2019 10:53 pm
by RackKing
Do not forget about file size - maximum 63 KiB.
If the file size is larger than the maximum, only part of the file will be processed (the first 63 KiB), and the rest of the file will be discarded.
FireHOL Level2 is bigger than 63 KiB :)
What is general recommendation on how often to grab new lists - daily?
I set the scheduler interval to 8 hours.
In general, the interval depends on the specific list and the frequency of updating this list by its provider.
it removes or ignores duplicate entries?
The script removes only addresses that are in the "blacklist" list and have a comment=description.
Ah - that makes sense. You are quite correct. Thanks for the explanation on the removal.

Are there any other lists you would consider or a good source?

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon Nov 04, 2019 1:58 am
by msatter
It would be nice if this would be possible using a filter to have only the needed data in the variable. So there would be a lot more space in the variable
:local data ([/tool fetch url=$url output=user as-value~"^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}"]->"data");

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon Nov 04, 2019 2:42 am
by RackKing
Do not forget about file size - maximum 63 KiB.
If the file size is larger than the maximum, only part of the file will be processed (the first 63 KiB), and the rest of the file will be discarded.
FireHOL Level2 is bigger than 63 KiB :)
What is general recommendation on how often to grab new lists - daily?
I set the scheduler interval to 8 hours.
In general, the interval depends on the specific list and the frequency of updating this list by its provider.
it removes or ignores duplicate entries?
The script removes only addresses that are in the "blacklist" list and have a comment=description.
It looks like FireHOL Level1 may be a better choice and is under the file size limit.... barely. Any reason no to use this? That large of a list would probably have a pretty big performance hit on the router?

@Shumkov what was your goal/strategy based on the lists you choose? I am trying to sort what lists should be used and what is a happy medium.

Edit - after taking a closer look it appears the individual sources you are using is very similar to firehol_level1. With a goal of having no false positives this is a great place to start. I guess whether you grab them individually or through firehol is personal preference.

What a great script - thank you very much.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon Nov 04, 2019 2:56 am
by RackKing
malc0de

$update url=http://malc0de.com/bl/IP_Blacklist.txt description="Malc0de" delimiter=("\n")

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon Nov 04, 2019 9:51 am
by Shumkov
It would be nice if this would be possible using a filter to have only the needed data in the variable. So there would be a lot more space in the variable
This does not work :)
"data" is an element of the array, and is accepted for processing only in its entirety - you cannot process only part of the element.
@Shumkov what was your goal/strategy based on the lists you choose? I am trying to sort what lists should be used and what is a happy medium.

Edit - after taking a closer look it appears the individual sources you are using is very similar to firehol_level1.
That's right, I took FireHOL Level1 as the basis.
I removed “Feodo Tracker” and “Ransomware Tracker”, replaced “Bambenek C2” with “Bambenek High-Confidence C2” (as Bambenek recommended it myself), and also removed “Fullbogons” - I get them using BGP.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon Nov 04, 2019 10:38 am
by msatter
It would be nice if this would be possible using a filter to have only the needed data in the variable. So there would be a lot more space in the variable
This does not work :)
"data" is an element of the array, and is accepted for processing only in its entirety - you cannot process only part of the element.
I agree and my angle is to filter traffic (stream) on the way to the data array.

Like this in scripting:
wget -q -O - $url | gawk --posix --field-separator=, '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "$i a=" $1;}'  > $saveTo/$filename
This is something only Mikrotik can create to intercepting the stream.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon Nov 04, 2019 2:29 pm
by RackKing
That's right, I took FireHOL Level1 as the basis.
I removed “Feodo Tracker” and “Ransomware Tracker”, replaced “Bambenek C2” with “Bambenek High-Confidence C2” (as Bambenek recommended it myself), and also removed “Fullbogons” - I get them using BGP.
Makes perfect sense. Thank you again so much for this.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon Nov 04, 2019 4:00 pm
by RackKing
Is there a way to check the file size and have it trigger the email tool if it gets beyond the max file size?

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Thu Nov 07, 2019 12:41 pm
by Shumkov
Is there a way to check the file size and have it trigger the email tool if it gets beyond the max file size?
You can try this:
if (([tool fetch url=<url> output=user as-value]->"total")>63) do={tool e-mail send ...}

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Thu Nov 07, 2019 2:13 pm
by RackKing
Thanks you for that.

Do you have a dedicated link the fullbogons piece? I cannot seem to fined a direct url for it?

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Thu Nov 07, 2019 2:41 pm
by msatter
I tried it endless to find that and this great. I knew the "total" part but did not thought op putting that in the variable.
if (([:tool fetch url=$url output=user as-value]->"total")<64) do={:local data ([:tool fetch url={$url output=user as-value]->"data")} else= {tool e-mail send ...}
It did not work for me.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri Nov 08, 2019 9:30 am
by Shumkov
Do you have a dedicated link the fullbogons piece? I cannot seem to fined a direct url for it?
Fullbogons_IPv4: http://www.team-cymru.org/Services/Bogo ... s-ipv4.txt
All bogon lists: https://www.team-cymru.com/bogon-reference-http.html
Bogons via BGP: https://www.team-cymru.com/bogon-reference-bgp.html

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri Nov 08, 2019 10:49 am
by RackKing
Do you have a dedicated link the fullbogons piece? I cannot seem to fined a direct url for it?
Fullbogons_IPv4: http://www.team-cymru.org/Services/Bogo ... s-ipv4.txt
All bogon lists: https://www.team-cymru.com/bogon-reference-http.html
Bogons via BGP: https://www.team-cymru.com/bogon-reference-bgp.html
Many thanks.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri Nov 08, 2019 2:10 pm
by msatter
Do not insert lists that are bigger than 63KiB, those would only will be loaded incomplete.
# Written by Shumkov
# Adapted by blacklister
# 20191108

/ip firewall address-list
:local update do={
 :do {
 :local result [/tool fetch url=$url as-value output=user]; :if ($result->"downloaded" != "63") do={ :local data ($result->"data")
  :do { remove [find list=$blacklist] } on-error={}
   :while ([:len $data]!=0) do={
      :if ([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}") do={
      :do {add list=$blacklist address=([:pick $data 0 [:find $data $delimiter]].$cidr) timeout=7d} on-error={}
      }
   :set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
   } ;  :log warning "Imported address list < $blacklist> from file: $url"
   } else={:log warning "Address list: <$blacklist>, downloaded file to big: $url" }
 } on-error={:log warning "Address list <$blacklist> update failed"}
}

$update url=https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset blacklist="firehole-1" delimiter=("\n") 
$update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset blacklist="firehole-2" delimiter=("\n") 
The first is loaded and the second is not because of the size being over 63KiB

I use separate blacklists and not one blacklist with different comments.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri Nov 08, 2019 4:21 pm
by RackKing
Do not insert lists that are bigger than 63KiB, those would only will be loaded incomplete.
# Written by Shumkov
# Adapted by blacklister
# 20191108

/ip firewall address-list
:local update do={
 :do {
 :local result [/tool fetch url=$url as-value output=user]; :if ($result->"downloaded" != "63") do={ :local data ($result->"data")
  :do { remove [find list=$blacklist] } on-error={}
   :while ([:len $data]!=0) do={
      :if (([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}") do={
      :do {add list=$blacklist address=([:pick $data 0 [:find $data $delimiter]].$cidr) timeout=7d} on-error={}
      }
   :set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
   } ;  :log warning "Imported address list < $blacklist> from file: $url"
   } else={:log warning "Address list: <$blacklist>, downloaded file to big: $url" }
 } on-error={:log warning "Address list <$blacklist> update failed"}
}

$update url=https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset blacklist="firehole-1" delimiter=("\n") 
$update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset blacklist="firehole-2" delimiter=("\n") 
The first is loaded and the second is not because of the size being over 63KiB

I use separate blacklists and not one blacklist with different comments.
I gave this a shot - but it did not run. No message in the log and no address list.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri Nov 08, 2019 4:37 pm
by msatter
Do not insert lists that are bigger than 63KiB, those would only will be loaded incomplete.
# Written by Shumkov
# Adapted by blacklister
# 20191108

/ip firewall address-list
:local update do={
 :do {
 :local result [/tool fetch url=$url as-value output=user]; :if ($result->"downloaded" != "63") do={ :local data ($result->"data")
  :do { remove [find list=$blacklist] } on-error={}
   :while ([:len $data]!=0) do={
      :if (([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}") do={
      :do {add list=$blacklist address=([:pick $data 0 [:find $data $delimiter]].$cidr) timeout=7d} on-error={}
      }
   :set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
   } ;  :log warning "Imported address list < $blacklist> from file: $url"
   } else={:log warning "Address list: <$blacklist>, downloaded file to big: $url" }
 } on-error={:log warning "Address list <$blacklist> update failed"}
}

$update url=https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset blacklist="firehole-1" delimiter=("\n") 
$update url=https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset blacklist="firehole-2" delimiter=("\n") 
The first is loaded and the second is not because of the size being over 63KiB

I use separate blacklists and not one blacklist with different comments.
I gave this a shot - but it did not run. No message in the log and no address list.
Remove one of the "(" in the line beginning with
:if (([:pick

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri Feb 28, 2020 12:53 am
by hci
I imagine the 63k limit is due to a variable size limit in Mikrotik scripting? It would be nice to be able to download larger blacklists.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri Feb 28, 2020 12:43 pm
by sjafka
This is beautifull mate! Thanks for your work! If you have a site with paypal donation, i would like to get you a beer! :D
PS.: I used before the squid blacklist, but the guy, who created it died (RIP m8 and thank you for your work!) last year, but it had like 30k entries, this has "only around 1500", but i see a lot of /24 subnets, so this is a huge list too!

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun Mar 01, 2020 2:30 pm
by inteq
PSA
Make sure you have whitelisted your private IPs if using https://raw.githubusercontent.com/fireh ... el1.netset

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon Mar 02, 2020 9:07 am
by xenuc
The script is great, thanks. Now we just wait another 10 years to bypass the 65k limit.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon Mar 02, 2020 9:46 pm
by HZsolt
63 --> 8192 and I downloaded the larger blacklist. But all lines did not load properly to the address-list.

https://raw.githubusercontent.com/fireh ... el1.netset
https://raw.githubusercontent.com/fireh ... el2.netset
https://raw.githubusercontent.com/fireh ... el3.netset
https://raw.githubusercontent.com/fireh ... el4.netset

How can I merge to one address-list the above addess-lists? I would like to use one address-list in the firewall of MikroTik instead of four address-lists. Fewer line in the firewall, faster processing and fewer load.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Tue Mar 03, 2020 5:06 pm
by Shumkov
Variant 2:
ip firewall address-list
:local update do={
:do {
:local data ([:tool fetch url=$url output=user as-value]->"data")
:local array [find dynamic list=blacklist]
:foreach value in=$array do={:set array (array,[get $value address])}
:while ([:len $data]!=0) do={
:if ([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") do={
:local ip ([:pick $data 0 [:find $data $delimiter]].$cidr)
:do {add list=blacklist address=$ip comment=$description timeout=1d} on-error={
:do {set ($array->([:find $array $ip]-[:len $array]/2)) timeout=1d} on-error={}
}
}
:set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
}
} on-error={:log warning "Address list <$description> update failed"}
}
$update url=http://feeds.dshield.org/block.txt description=DShield delimiter=("\t") cidr=/24
$update url=http://www.spamhaus.org/drop/drop.txt description="Spamhaus DROP" delimiter=("\_")
$update url=http://www.spamhaus.org/drop/edrop.txt description="Spamhaus EDROP" delimiter=("\_")
$update url=http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt description="Bambenek High-Confidence C2" delimiter=("\2C")
$update url=https://sslbl.abuse.ch/blacklist/sslipblacklist.txt description="Abuse.ch SSLBL" delimiter=("\r")
- the script does NOT delete actual addresses, but prolongs their timeout. Addresses that are not in the downloadable list are deleted by the system automatically after their timeout. It's harder and slower :), but it makes it possible to track the date/time of addresses added to the blacklist.
Why is the script using an "array"?
Because the default "find" function is VERY slow. Using an additional array allows to speed up the script several times, since operations are performed directly with the indexes, bypassing the default "find" function.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Tue Mar 03, 2020 7:57 pm
by HZsolt
Variant 2:
ip firewall address-list
:local update do={
:do {
:local data ([:tool fetch url=$url output=user as-value]->"data")
:local array [find dynamic list=blacklist]
:foreach value in=$array do={:set array (array,value,[get $value address])}
:while ([:len $data]!=0) do={
:if ([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}") do={
:local ip ([:pick $data 0 [:find $data $delimiter]].$cidr)
:do {add list=blacklist address=$ip comment=$description timeout=1d} on-error={
:do {set ($array->([:find key=$ip in=$array]-1)) timeout=1d} on-error={}
}
}
:set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
}
} on-error={:log warning "Address list <$description> update failed"}
}
$update url=http://feeds.dshield.org/block.txt description=DShield delimiter=("\t") cidr=/24
$update url=http://www.spamhaus.org/drop/drop.txt description="Spamhaus DROP" delimiter=("\_")
$update url=http://www.spamhaus.org/drop/edrop.txt description="Spamhaus EDROP" delimiter=("\_")
$update url=http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt description="Bambenek High-Confidence C2" delimiter=("\2C")
$update url=https://sslbl.abuse.ch/blacklist/sslipblacklist.txt description="Abuse.ch SSLBL" delimiter=("\r")
- the script does NOT delete actual addresses, but prolongs their timeout. Addresses that are not in the downloadable list are deleted by the system automatically after their timeout. It's harder and slower :), but it makes it possible to track the date/time of addresses added to the blacklist.
Why is the script using an "array"?
Because the default "find" function is VERY slow. Using an additional array allows to speed up the script several times, since operations are performed directly with the indexes, bypassing the default "find" function.
With the above script can I properly (full lists) download the below lists?
https://raw.githubusercontent.com/fireh ... el1.netset
https://raw.githubusercontent.com/fireh ... el2.netset
https://raw.githubusercontent.com/fireh ... el3.netset
https://raw.githubusercontent.com/fireh ... el4.netset

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Tue Mar 03, 2020 8:15 pm
by Shumkov
With the above script can I properly (full lists) download the below lists?
Download full lists - you can’t. 63KiB is a limitation of RouterOS, here scripts are powerless.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Tue Mar 03, 2020 8:20 pm
by HZsolt
With the above script can I properly (full lists) download the below lists?
Download full lists - you can’t. 63KiB is a limitation of RouterOS, here scripts are powerless.
What is 63 KiB limitation of RouterOS?

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Tue Mar 03, 2020 9:50 pm
by msatter
My version checks for list larger than 63KiB and logs then if the list is loaded or not.

There no way to import a list bigger than that through an array.

Bigger lists can be used but that is an other story.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Wed Mar 11, 2020 11:23 am
by Krusty
LifeSaver, thank you guys you are awesome

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Thu Mar 12, 2020 2:05 pm
by Shumkov
Bugfix:
- correct regexp is "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"

The bug is not critical, it’s just that in some cases the script could process strings containing not only IP addresses, but simply numerical combinations similar in format.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Wed Mar 25, 2020 4:14 am
by Xtreme512
Nice, very nice working script, thank you!

64 KB limit, on the other hand, is so annoying though... Gotta find a workaround, like maybe splitting files on-the-fly?

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat Apr 18, 2020 11:14 pm
by frantacech
Hello!
how can i import it?

for example aggregated ip from china?
https://www.ipdeny.com/ipblocks/
https://www.ipdeny.com/ipblocks/data/ag ... gated.zone

I try, but it doesn't work

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat Apr 25, 2020 6:02 am
by shed909
ip firewall address-list
:local update do={
:do {
:local data ([:tool fetch url=$url output=user as-value]->"data")
remove [find list=blacklist comment=$description]
:while ([:len $data]!=0) do={
:if ([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") do={
:do {add list=blacklist address=([:pick $data 0 [:find $data $delimiter]].$cidr) comment=$description timeout=1d} on-error={}
}
:if ([:pick $data 0 [:find $data "\n"]]~"[a-z0-9]+([\\-\\.]{1}[a-z0-9]+)*\\.[a-z]{2,5}(:[0-9]{1,5})?(\\/.*)?") do={
:do {add list=blacklist address=([:pick $data 0 [:find $data $delimiter]].$cidr) comment=$description timeout=1d} on-error={}
}
:set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
}
} on-error={:log warning "Address list <$description> update failed"}
}
$update url=http://feeds.dshield.org/block.txt description=DShield delimiter=("\t") cidr=/24
$update url=http://www.spamhaus.org/drop/drop.txt description="Spamhaus DROP" delimiter=("\_")
$update url=http://www.spamhaus.org/drop/edrop.txt description="Spamhaus EDROP" delimiter=("\_")
$update url=http://osint.bambenekconsulting.com/fee ... t-high.txt description="Bambenek High-Confidence C2" delimiter=("\2C")
$update url=https://sslbl.abuse.ch/blacklist/sslipblacklist.txt description="Abuse.ch SSLBL" delimiter=("\r")
$update url=http://malc0de.com/bl/IP_Blacklist.txt description="malc0de" delimiter=("\n")
$update url=https://raw.githubusercontent.com/ktsao ... el2.netset description="FireHOL Level2" delimiter=("\n")
$update url=https://raw.githubusercontent.com/fireh ... el1.netset description="FireHOL Level1" delimiter=("\n")
$update url=https://raw.githubusercontent.com/hecto ... g/list.txt description="hectorm adaway.org" delimiter=("\n")
Trying to add support for address lists containing the URL as apposed to IP, such as hectorm's lists for PiHole:
https://discourse.pi-hole.net/t/update- ... 2019/13620

However, some of the comments come out as the actual URL entry and the timeouts aren't set.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat Apr 25, 2020 6:04 am
by shed909
Hello!
how can i import it?

for example aggregated ip from china?
https://www.ipdeny.com/ipblocks/
https://www.ipdeny.com/ipblocks/data/ag ... gated.zone

I try, but it doesn't work
Try:
$update url=https://www.ipdeny.com/ipblocks/data/ag ... gated.zone description="IPdeny cn-aggregated" delimiter=("\n")

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri May 01, 2020 2:22 pm
by pukka
How do we get around this 63KiB limit? can we ask mikrotik about this

We are trying to automate the download and add of

https://www.ipdeny.com/ipblocks/data/countries/gb.zone which is 124KiB

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat May 16, 2020 11:38 pm
by Lebzul
Don't forget to add
{:delay 20};
at the beginning of the script to give time if running after reboot is needed.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun May 17, 2020 8:55 am
by jvanhambelgium
How do we get around this 63KiB limit? can we ask mikrotik about this

We are trying to automate the download and add of

https://www.ipdeny.com/ipblocks/data/countries/gb.zone which is 124KiB
Perhaps the only way is to have some really smart script parse this list further into large(r) CIDR-blocks. So take several /24 "lines" and aggregate them further where there are adjacencies.
I've seen some sort of script here somewhere (used in another context) but it might be doable to gain a certain % of reduction.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun May 17, 2020 11:20 am
by msatter
The problem is thst first have to read whole list before you can start reducing.

If Miktotik implement resume download then we could chop up the file in little parts.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon May 18, 2020 2:02 pm
by mozerd
According to the following Manual:Scripting-examples -- file size limitation has been removed
Read and write large files

Many users requested ability to work with files. Now you can do it without limitations

Create and write to file:

:global newContent "new file content\r\nanother line\r\n";
[/lua "local f=assert(io.open('/test.txt', 'w+')); f:write(newContent); f:close()" ];
Read file content to variable:

:global cnt ""
[/lua "local f=assert(io.open('/test.txt', 'r')); cnt=f:read('*all'); f:close()" ];
:put $cnt
I just found this wiki entry but I have not tried to adapt to blacklists ..... if this code actually works that would be excellent.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon May 18, 2020 3:34 pm
by msatter
According to the following Manual:Scripting-examples -- file size limitation has been removed
Read and write large files

Many users requested ability to work with files. Now you can do it without limitations

Create and write to file:

:global newContent "new file content\r\nanother line\r\n";
[/lua "local f=assert(io.open('/test.txt', 'w+')); f:write(newContent); f:close()" ];
Read file content to variable:

:global cnt ""
[/lua "local f=assert(io.open('/test.txt', 'r')); cnt=f:read('*all'); f:close()" ];
:put $cnt
I just found this wiki entry but I have not tried to adapt to blacklists ..... if this code actually works that would be excellent.
Is /lua back then?

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon May 18, 2020 3:39 pm
by jvanhambelgium
Don't think so. That Wiki page states : This page was last edited on 18 October 2017, at 10:37.
As it says on the page : After RouterOS v4.0beta4, Lua support is removed until further notice

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon May 18, 2020 4:38 pm
by mozerd
Don't think so. That Wiki page states : This page was last edited on 18 October 2017, at 10:37.
As it says on the page : After RouterOS v4.0beta4, Lua support is removed until further notice
My sincere apologies -- I did not see the part that After RouterOS v4.0beta4, Lua support is removed until further notice

What a shame, all that Lua stuff should be removed IMO BUT if certainly would be nice if MikroTik brought back LUA support or provided another means to work with any file size.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat May 23, 2020 8:09 pm
by Lebzul
Is there a reasonable way of bypassing Mk's limit or another approach?
I'm a Mk hardcore user but I'm considering other vendors if they do not apply a better concept to protect our equipments.

BTW, is there a way to have these working?
https://github.com/firehol/blocklist-ipsets/blob/master/firehol_level1.netset			40.8 KB
https://github.com/firehol/blocklist-ipsets/blob/master/normshield_all_wannacry.ipset	         6.15 KB
https://github.com/firehol/blocklist-ipsets/blob/master/normshield_all_bruteforce.ipset.     	4.64 KB
https://github.com/firehol/blocklist-ipsets/blob/master/dshield_30d.netset					2.17 KB
https://github.com/firehol/blocklist-ipsets/blob/master/spamhaus_edrop.netset				1.98 KB
https://github.com/firehol/blocklist-ipsets/blob/master/dshield_7d.netset					1.5 KB
https://github.com/firehol/blocklist-ipsets/blob/master/normshield_all_webscan.ipset	1.42 KB
https://github.com/firehol/blocklist-ipsets/blob/master/dshield.netset						1.04 KB
https://github.com/firehol/blocklist-ipsets/blob/master/normshield_all_wormscan.ipset	0.97 KB
https://github.com/firehol/blocklist-ipsets/blob/master/normshield_all_dnsscan.ipset	0.86 KB

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat May 23, 2020 8:38 pm
by jvanhambelgium
Is there a reasonable way of bypassing Mk's limit or another approach?
I'm a Mk hardcore user but I'm considering other vendors if they do not apply a better concept to protect our equipments.
Nothing wrong with the concept I think. The idea of deploying such huge massive IP-lists and filter against them is something not infinitely possible also with other vendors.
Eg. Palo Alto networks.

A maximum of 10 External Block Lists (PanOS 7.x) on a PA-200
A maximum of 50000 IPs in all external lists combined. (1 list with 50000 IPs or 10 Lists with 5000 IPs both are supported)
If you use more than 10 EBLs in a device you will see the following error during commit:
Exceeding max number of supported external block lists (10)

In terms of harware limit

Hardware Maximum Address Entries
PA-220 : 2500
PA-820 : 2500
PA-850 : 3500
PA-3020 : 5000
PA-5020 :10000
PA-5220 : 40000
PA-7050 : 80000

So......


The only option is multiple cascaded lists that each remain within the boundary of 65K processing.
But indeed, you need some intermediate processing thing to properly "prepare" the file before download to the device, but that cannot be the show stopper I guess.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat May 23, 2020 10:27 pm
by Lebzul
Is there a reasonable way of bypassing Mk's limit or another approach?
I'm a Mk hardcore user but I'm considering other vendors if they do not apply a better concept to protect our equipments.
Nothing wrong with the concept I think. The idea of deploying such huge massive IP-lists and filter against them is something not infinitely possible also with other vendors.
Eg. Palo Alto networks.

A maximum of 10 External Block Lists (PanOS 7.x) on a PA-200
A maximum of 50000 IPs in all external lists combined. (1 list with 50000 IPs or 10 Lists with 5000 IPs both are supported)
If you use more than 10 EBLs in a device you will see the following error during commit:
Exceeding max number of supported external block lists (10)

In terms of harware limit

Hardware Maximum Address Entries
PA-220 : 2500
PA-820 : 2500
PA-850 : 3500
PA-3020 : 5000
PA-5020 :10000
PA-5220 : 40000
PA-7050 : 80000

So......


The only option is multiple cascaded lists that each remain within the boundary of 65K processing.
But indeed, you need some intermediate processing thing to properly "prepare" the file before download to the device, but that cannot be the show stopper I guess.
I see. And then, how do people do with servers with an open port? Let's say people need to access my server in a specific port?

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun May 24, 2020 12:05 am
by jvanhambelgium
Is there a reasonable way of bypassing Mk's limit or another approach?
I'm a Mk hardcore user but I'm considering other vendors if they do not apply a better concept to protect our equipments.
Nothing wrong with the concept I think. The idea of deploying such huge massive IP-lists and filter against them is something not infinitely possible also with other vendors.
Eg. Palo Alto networks.

A maximum of 10 External Block Lists (PanOS 7.x) on a PA-200
A maximum of 50000 IPs in all external lists combined. (1 list with 50000 IPs or 10 Lists with 5000 IPs both are supported)
If you use more than 10 EBLs in a device you will see the following error during commit:
Exceeding max number of supported external block lists (10)

In terms of harware limit

Hardware Maximum Address Entries
PA-220 : 2500
PA-820 : 2500
PA-850 : 3500
PA-3020 : 5000
PA-5020 :10000
PA-5220 : 40000
PA-7050 : 80000

So......


The only option is multiple cascaded lists that each remain within the boundary of 65K processing.
But indeed, you need some intermediate processing thing to properly "prepare" the file before download to the device, but that cannot be the show stopper I guess.
I see. And then, how do people do with servers with an open port? Let's say people need to access my server in a specific port?
It is important to take all considerations into account when you make the design. If "people" are in fact scattered across the world coming from virtually anyplace then perhaps you need to provide this service at another level. Eg. use some form of authentication with your users (possibly combined with VPN-application).
What is sitting behind this specific port ? Is this something that understand the concept of user-authentication ?
If you run a business and you know your users (eg. employees) are located in country X then filter strict and only allow country X IP which will reduce the surface already A LOT.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Thu May 28, 2020 6:08 am
by Lebzul
Nice Work!

I added FireHOL Level2 to the script as well, in case you're interested. Just added this line:

$update url=https://raw.githubusercontent.com/ktsao ... el2.netset description="FireHOL Level2" delimiter=("\n")

-zeb
Lv1 was working fine and now it is not. Probably it does not fit anymore.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Thu May 28, 2020 1:15 pm
by mozerd
Lv1 was working fine and now it is not. Probably it does not fit anymore.
You [everyone] should be aware that:

level1 check frequency = 1 minute and average update frequency = 2 hours and 27 minutes
level2 check frequency = 1 minute and average update frequency = 17 minutes
level3 check frequency = 1 minute and average update frequency = 45 minutes
level4 check frequency = 1 minute and average update frequency = 44 minutes
webclient check frequency = 1 minute and average update frequency = 8 hours and 36 minutes
webserver check frequency = 1 minute and average update frequency = 23 hours and 16 minutes

So why is this important to note?
Because changes [adds/deletions] are frequent and that can have a dramatic change in file size.
Also of importance to note is that many duplicates reside when lists are combined - so your processing engine needs to remove duplicates and then reorders them for faster processing.

Depending on which MikroTik Router model being used MOAB combines some of these lists or ALL of these lists 3 times each day spaced 8 hours apart.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri May 29, 2020 3:18 pm
by kevinds
What is the recommended way to find out *why* an update failed?

Address list <Spamhaus DROP> update failed

Is great to see in the logs, but where do I look to try and figure out why it failed?

Spamhaus DROP and EDROP are not over 63 kb, so that isn't the reason..

At the moment I am focusing on the IPs used for email SPAM, but it doesn't really matter.. I have the Spamhaus and Bambenek lists failing but I don't know why.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri May 29, 2020 9:52 pm
by Shumkov
What is the recommended way to find out *why* an update failed?

Address list <Spamhaus DROP> update failed

Is great to see in the logs, but where do I look to try and figure out why it failed?
This error occurs if the file is for some reason not available for download. The address list does not load SOMETIMES? Or always?

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Fri May 29, 2020 10:42 pm
by kevinds

This error occurs if the file is for some reason not available for download. The address list does not load SOMETIMES? Or always?
They don't load always.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat May 30, 2020 3:57 pm
by mozerd

This error occurs if the file is for some reason not available for download. The address list does not load SOMETIMES? Or always?
They don't load always.
@kevinds
You should be aware that when loading lists IF a duplicate IP is present the list will not load and processing stops.
So it is critical that duplicate IP be avoided via a pre-process that first checks for duplicates, removes the duplicates, reorders [sorts] the list for faster processing then proceeds with the load.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat May 30, 2020 7:25 pm
by Shumkov
You should be aware that when loading lists IF a duplicate IP is present the list will not load and processing stops.
Script ignores duplicates via on-error={}, processing is not interrupted.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat May 30, 2020 8:37 pm
by mozerd
You should be aware that when loading lists IF a duplicate IP is present the list will not load and processing stops.
Script ignores duplicates via on-error={}, processing is not interrupted.
Do you mean this line: on-error={:log warning "Address list <$description> update failed"} ?

Where in your script do you check for duplicate ip?

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat May 30, 2020 8:44 pm
by kevinds

Do you mean this line: on-error={:log warning "Address list <$description> update failed"} ?
comment=$description timeout=1d} on-error={}

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun May 31, 2020 3:40 pm
by mozerd
comment=$description timeout=1d} on-error={}
Thanks .... I just tested @Shumkov code and it works very nicely .... excellent work.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun May 31, 2020 4:38 pm
by kevinds
Thanks .... I just tested @Shumkov code and it works very nicely .... excellent work.
Yeah, I have a couple honeypot IPs that when hit, adds the IP to a drop rule, then a script that runs that expands the /32 to a larger block.. I needed something similar to handle multiple IPs from the same larger block.. For when asshats decide to use an entire /16 to do a port-scan of every port.. lol

That was interesting to watch.. haha

But yeah, I still have lots to learn, but I'm not sure how to get a better log for why both variations are failing.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Mon Jun 01, 2020 11:55 pm
by msatter
My version:
   } ;  :log warning "Imported address list < $blacklist> from file: $url"
   } else={:log warning "Address list: <$blacklist>, downloaded file to big: $url" }
 } on-error={:log warning "Address list <$blacklist> update failed"}
Collecting ranges of IP addresses that are knocking at the door: viewtopic.php?f=2&t=152953&p=758068&hil ... os#p758068

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Tue Jun 02, 2020 12:05 am
by kevinds
My version:
   } ;  :log warning "Imported address list < $blacklist> from file: $url"
   } else={:log warning "Address list: <$blacklist>, downloaded file to big: $url" }
 } on-error={:log warning "Address list <$blacklist> update failed"}
Collecting ranges of IP addresses that are knocking at the door: viewtopic.php?f=2&t=152953&p=758068&hil ... os#p758068
Ok.. Reading this...

It downloads the list.

It tries to import it

If successful, gives a successful message,
If import fails it says too big..

So if import fails for any reason, it says too big, what if it fails for another reason?

I don't see your version checking it's size beforehand, so the error message could say 'Failed because a butterfly flapped it's wings..' and would still be a more useful error message (because it wouldn't be stating an incorrect reason for it to fail). ;)

I hope I am wrong reading this.. If I am, I am very sorry.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Tue Jun 02, 2020 12:14 am
by kevinds
Collecting ranges of IP addresses that are knocking at the door: viewtopic.php?f=2&t=152953&p=758068&hil ... os#p758068
I do something very similar to the linked thread..

I have honey-pot IP addresses, anything that attempts to connect to them, gets their IP added to the block list, these addresses have never been used, so nothing legitimate would have any reason to try and connect.

Then another script runs and turns them into a /24, with a 7 day timeout..

Usually, the router has 60-75k addresses in the list at any time. After a reboot the list is reset, takes 6-12 to get back up there.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Tue Jun 02, 2020 8:28 am
by Jotne
I have honey-pot IP addresses, anything that attempts to connect to them, gets their IP added to the block list, these addresses have never been used, so nothing legitimate would have any reason to try and connect.
I do nearly the same. Since I do not have an extra public IP, I have and access rule that if any tries to connect to a port that is not open, they get blocked to all ports (65535-6 ports) , also normally open port (6 ports) for 24 hour.

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sun Jun 07, 2020 10:01 pm
by Sigma
Have to say thank you OP for the Script works great out-of-the-box. :D

Sincerely
Sigma

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

Posted: Sat Jun 20, 2020 12:38 am
by mac86
Hello!
...........

EXCELENT POST.
THANK YOU!!!