I would concur. Dynamically adding vectors as they come up is one thing; using a cloud sourced blacklist will leverage above and beyond that pedantry, so any large set from a blacklist will benefit by the use of ipset. The voipbl could benefit by using hash:net and looking it up first. A full 45% of that list are from PS (Palestine).
The second worst offender is the US, but be careful there if you are from the US, as you will get all the ATT's/Apple/Verizon/Comcast nets that you need to process by a "secondary inspection".
But SERIOUSLY, consider only answering SIP on a port other than 5000-5099; it's a no-brainer that will reduce the drive-bys by 99.99%. To compute a reasonable port to use:
echo $(($RANDOM + 20001 ))
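
An added example, not part of the original post: one way to load a "CIDR # comment" blocklist into an ipset hash:net set, as the post suggests. The function names, the set name `voipbl`, the `_new` temporary set and the sample entries (documentation ranges) are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: turn a "CIDR # whois comment" blocklist into an
# `ipset restore` script. The new data is built in a temporary set and
# swapped in, so the live set is never half-loaded.

# Constructed sample input (documentation ranges, not real offenders).
sample_blocklist() {
    cat <<'EOF'
192.0.2.0/24 # TEST-NET-1 constructed entry
198.51.100.0/24 # TEST-NET-2 constructed entry
192.0.2.0/24 # duplicate of the first line
203.0.113.7 # bare host, stored as /32
300.1.1.0/24 # invalid octet, skipped
203.0.113.0/33 # invalid prefix length, skipped
# comment-only line
EOF
}

# stdin: blocklist lines; stdout: ipset restore commands.
# $1: set name (assumed default "voipbl").
blocklist_to_ipset_restore() {
    awk -v set="${1:-voipbl}" '
        BEGIN {
            tmp = set "_new"
            print "create " set " hash:net family inet"
            print "create " tmp " hash:net family inet"
            print "flush " tmp
        }
        {
            sub(/#.*/, "")               # drop the trailing comment
            gsub(/[ \t\r]+/, "")         # drop whitespace
            if ($0 == "") next
            n = split($0, p, "/")
            if (n > 2) next
            len = (n == 2) ? p[2] : 32   # bare address means /32
            # hash:net does not accept a /0 prefix
            if (len !~ /^[0-9]+$/ || len + 0 < 1 || len + 0 > 32) next
            if (split(p[1], o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            key = p[1] "/" (len + 0)
            if (seen[key]++) next        # skip duplicates
            print "add " tmp " " key
        }
        END { print "swap " tmp " " set; print "destroy " tmp }'
}
# Usage (as root): blocklist_to_ipset_restore voipbl < list | ipset -exist restore
# Then match it: iptables -I INPUT -m set --match-set voipbl src -j DROP
```

The `-exist` option lets the two `create` lines succeed when the sets are already present, so the same command can be rerun each time the list is refreshed.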