Pump Up the JARM: Studying the Evolution of Botnets Using Active TLS Fingerprinting | IEEE Conference Publication | IEEE Xplore

Abstract:

The growing adoption of network encryption protocols, like TLS, has changed the landscape of network traffic monitoring. With the increase in network encryption, typical DPI systems that monitor network packet payload contents are becoming obsolete, while in the meantime adversaries abuse the TLS protocol to bypass them. In this paper, aiming to understand the botnet ecosystem in the wild, we contact IP addresses known to participate in malicious activities using the JARM tool for active probing. Based on packets acquired from TLS handshakes, server fingerprints are constructed over a time period of 7 months. We investigate whether it is feasible to detect suspicious servers and re-identify other similar servers within blocklists with no prior knowledge of their activities. We show that it is important to update fingerprints often or follow a more effective fingerprinting approach, since the overlapping ratio with legitimate servers rises over time.
Date of Conference: 09-12 July 2023
Date Added to IEEE Xplore: 28 August 2023
Conference Location: Gammarth, Tunisia
