What are feed-based blocklists?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Feed-based blocklists are continuously updated streams of threat indicators that security systems subscribe to and consume automatically. They differ from traditional blocklists (which you query on-demand) in that the data pushes to you in near-real-time rather than you pulling it on a schedule.

The feeds typically carry four types of indicators: IP addresses associated with spam, phishing, or malware distribution. Domains being used for malicious activity. URLs serving malicious content. File hashes for known malware attachments. Each indicator comes with metadata: when it was first seen, which threat categories it's associated with, confidence score, and sometimes who reported it.

Security systems that consume these feeds use them to make real-time decisions. An email security gateway that gets a new phishing URL added to a feed can block emails containing that URL within seconds of the indicator being published. Without a feed, the same gateway would only block it after running a scheduled blocklist query (which might happen hourly or daily).

Feed quality varies significantly and matters more than quantity. A feed with high false positives (flagging legitimate content as malicious) causes missed emails that look like spam to legitimate senders. A feed with high latency defeats the purpose of near-real-time blocking. Well-regarded feed providers in email include Spamhaus, Talos (Cisco's threat intelligence), and Emerging Threats.

For email security teams evaluating feeds: the key metrics are coverage (how many unique threats do they catch), latency (how fast do they publish new indicators), false positive rate, and whether they provide context (just IP lists vs. structured data with context). More data isn't always better if the quality isn't there.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Evaluate my threat feed options

I'm evaluating threat intelligence feeds for our email security setup. Here's our situation: - Our email security gateway: name or 'evaluating' - Current blocklist coverage: which lists we query - Whether we currently use real-time feeds: yes / no - Our primary threat concern: spam / phishing / malware / all - Our organization size and email volume: rough scale Help me understand which feed types would improve our current coverage and what to look for when evaluating feed providers.

Edit the yellow boxes, then send to the AI of your choice.