sfw/fix
http:BL block medium

Blocked by Project Honey Pot http:BL (DNS blacklist)

A site security plugin queried Project Honey Pot's http:BL and blocked the visitor's IP as a flagged threat.

What you see

403 Forbidden
Access denied. Your IP has been identified as a known
threat by Project Honey Pot (http:BL).
Threat score: 52 — Comment Spammer

What’s actually happening

A specific visitor — sometimes you — gets a 403 or a custom block page that names Project Honey Pot or http:BL, while everyone else reaches the site normally. It's usually a WordPress install running a security plugin (Wordfence, AIS, or a dedicated http:BL plugin). The block follows the IP, so the same person loads the site fine from a phone on cellular. The page often prints a threat score and a visitor type.

Common causes

  • The visitor's IP is listed in Project Honey Pot as a harvester, comment spammer, or suspicious host (4th octet of the 127.x.y.z response is a bitset of those types)
  • The plugin's blocking threshold is set lower than the IP's threat score (3rd octet, 0–255, logarithmic)
  • A shared or recycled IP inherited a previous tenant's bad reputation
  • CGI/proxy or datacenter ranges getting caught by an aggressive policy
  • A misconfigured or stale http:BL API key returning unexpected results

How to fix it

  1. Look up the IP at Project Honey PotSearch the blocked address on projecthoneypot.org. The result shows the threat score and last-activity age. Decode the http:BL answer: octet 2 is days since last seen, octet 3 is the 0–255 threat score, octet 4 is the type bitset (1=suspicious, 2=harvester, 4=comment spammer). That tells you whether the block is justified.
  2. Whitelist a known-good IPIf a real user or your own office is caught, add their IP to the plugin's allowlist (in Wordfence, Tools > Allowlisted URLs / the IP allowlist; in dedicated http:BL plugins, the whitelist box). This bypasses the http:BL check for that address.
  3. Raise the threat-score thresholdPlugins block when the score meets a configured floor. Bumping the threshold from, say, 25 up to 50 stops catching marginal IPs while still blocking the worst offenders. Tune it against your actual spam volume.
  4. Request delisting at the source for a clean IPIf you own the flagged IP and it's clean now, there's no manual removal button — Project Honey Pot ages entries out based on inactivity. Stop the abusive behavior (or, on a recycled IP, wait it out) and the score decays. The last-activity octet shows progress.
  5. Verify your http:BL API keyA revoked or wrong access key makes the lookup return a non-127 first octet (an error). Confirm the key in the plugin settings matches your Project Honey Pot account so blocks are based on real data, not failed queries.

Stop it recurring

Set the plugin's block threshold to match your real spam pressure and keep a standing IP allowlist for staff and monitoring tools, so legitimate visitors don't get caught.

Related errors

Domain listed on a URI blocklist (SURBL / URIBL)

high

Your domain appears in spam or phishing message bodies, so SURBL or URIBL blocklisted the domain itself.

Akamai "Access Denied — Reference #18..." (Kona WAF block)

high

Akamai's edge WAF or Bot Manager rejected the request with a 403 and a Reference #18 error ID.

Cisco Umbrella / OpenDNS "This site is blocked" (DNS-layer category block)

high

A network's Umbrella or OpenDNS resolver classified the domain and returned its block page instead of the site.

Google Safe Browsing "Deceptive site ahead" warning

critical

Google Safe Browsing flagged the site for phishing or malware, so Chrome shows a full red interstitial before the page loads.