Product Details

What is the Spamhaus Intelligence API?

The Spamhaus Intelligence API (SIA) gives you access to numerous signals that contribute to the reputation of IP addresses and domains. Derived from the 24/7 analysis of billions of datapoints, this data feed has multiple applications: integrate it into your existing infrastructure, including threat intelligence platforms, customer vetting operations, websites, and analysis and reporting mechanisms.

Who can use SIA?

  • Threat analysts – increase your understanding of security events and alerts relating to IPs and domains to more effectively prioritize and report.
  • Product Managers – enhance existing data pools with additional validation points, increasing customer confidence in the vulnerabilities and threats you report.
  • Email Service Providers – keep your network clean by using this data to perform in-depth vetting of potential customers. Build a comprehensive picture with a vast number of domain and IP signals.

How to deploy

To gain a better understanding of access methods and datasets available, please see here. For the detail on the anatomy of the data and the REST API, see here.

Pricing

Pricing is based on your monthly query volume and the number of queries per second you need; every tier includes both the IP and the domain data. Prices start at $5,000 per year. Contact our sales team for further details.

Developer License

If you want to take the time to explore, build, and test with the data, you can sign up for free access to SIA via our Developer License, which allows up to 5,000 queries per month.

What data is included?

Domain-based reputation data

Every domain observed and analyzed by our researchers is listed in this dataset. Metadata for each domain is returned through a set of API calls, including:

  • High-level domain data – returns general domain-related insights e.g. last seen, compromised, domain reputation score, clusters
  • Reputation dimensions – enabling users to understand which areas of a domain's reputation need strengthening.
  • Domain contexts – insight into where researchers observed the domain, for example, “dkim-header”.
  • Domain senders data – IP addresses sending emails for the queried domain.
  • Nameserver reputation – a list of authoritative nameservers for the queried domain.
  • A Records reputation – a list of the A records the domain resolves to.
  • Clusters – used to correlate related domains across certain areas, including email authentication, registration, and infrastructure.
  • Hostnames listed – those that are (or have been) listed on a Spamhaus DNS Blocklist for a specific domain in the recent past (if available).
  • Malware – the malware name associated with the domain, including the last seen timestamp.

For more information on the API calls, what’s returned, and how to interpret each property, see our technical documentation here: https://docs.spamhaus.com/sia/docs/source/10-API-Interface/310-Domains.html

IP-based reputation data

Gain access to live and historical metadata on IP addresses that show indications of compromise, are emitting spam, or are dedicated botnet command and control servers. These IPs are listed on the Spamhaus extended eXploits Blocklist (eXBL), the extended CSS Blocklist (eCSS), or the extended Botnet Controller List (eBCL).

XBL

Focuses on compromised devices. Our research team lists IP addresses showing indications of malware, Trojan, or worm infections, devices controlled by botnet command and control servers (C&Cs), and third-party exploits such as open proxies.

This dataset, on average, contains 2 million listings, with 650,000 new detections relating to exploit IPs every 24 hours.

CSS

Specific to SMTP traffic, listing only detections based on port-25 activity. Potential triggers for a listing include sending unsolicited email, poor email marketing list hygiene, or sending malicious email from compromised accounts or content management systems (CMS).

This dataset contains between 300,000 and 1.5 million listings, with up to 285,000 new listings added every 24 hours.

BCL

Contains only single IPv4 addresses that are being used to host botnet command and control servers (C&Cs). No inbound or outbound network connections should be made to these IP addresses under any circumstances.

This dataset contains approximately 300 to 1,500 listings, with up to 50 new entries every 24 hours.
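The eXBL, eCSS and eBCL datasets described above are the extended, API-delivered versions of the Spamhaus XBL, CSS and BCL. The same XBL and CSS listings (together with SBL and PBL, but not BCL) are also exposed through the public DNS blocklist zone zen.spamhaus.org, which is the quickest way to confirm how a listing on these lists is signalled before wiring the REST API into a pipeline. The following Python helper is an added example written for this page, not code from Spamhaus or from the SIA documentation: it builds the reversed-octet (or reversed-nibble, for IPv6) query name, decodes the 127.0.0.0/8 return codes Spamhaus publishes for Zen, and treats the 127.255.255.x error codes (typing error, query via a blocked public resolver, query volume exceeded) as failures rather than as "not listed". The zone name and the `lookup()` wrapper around the system resolver are assumptions you may need to adapt (for example to a DQS key zone).

```python
import ipaddress
import socket

# Public Spamhaus combined zone (assumption: adjust for a DQS zone if you have a key).
ZEN_ZONE = "zen.spamhaus.org"

# A-record return codes documented for zen.spamhaus.org, mapped to (list, meaning).
RETURN_CODES = {
    "127.0.0.2": ("SBL", "Spamhaus Blocklist: direct spam source"),
    "127.0.0.3": ("CSS", "CSS: SMTP/snowshoe spam source (port-25 detections)"),
    "127.0.0.4": ("XBL", "XBL: compromised device / exploit"),
    "127.0.0.5": ("XBL", "XBL: compromised device / exploit"),
    "127.0.0.6": ("XBL", "XBL: compromised device / exploit"),
    "127.0.0.7": ("XBL", "XBL: compromised device / exploit"),
    "127.0.0.9": ("SBL", "SBL DROP/EDROP: hijacked or criminal netblock"),
    "127.0.0.10": ("PBL", "PBL: ISP-maintained policy block (end-user range)"),
    "127.0.0.11": ("PBL", "PBL: Spamhaus-maintained policy block"),
}

# Error codes: these mean the query itself was rejected, NOT that the IP is clean.
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL zone name",
    "127.255.255.254": "query sent via a public/open resolver; use your own or a DQS key",
    "127.255.255.255": "excessive number of queries from this resolver",
}


class DnsblQueryError(RuntimeError):
    """Raised when the DNSBL returns an error code or an answer outside 127/8."""


def dnsbl_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL query name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(addr.exploded.split(".")))
    else:
        nibbles = addr.exploded.replace(":", "")  # 32 hex digits, fully expanded
        reversed_part = ".".join(reversed(nibbles))
    return f"{reversed_part}.{zone}"


def decode_answers(answers):
    """Turn the A records returned for a DNSBL name into (list, meaning) hits.

    An empty answer set means "not listed". Error codes raise so callers never
    mistake a rejected query for a clean IP, and any answer outside 127.0.0.0/8
    is treated as suspicious (DNS interception or a wildcarded zone).
    """
    hits = []
    for a in answers:
        if a in ERROR_CODES:
            raise DnsblQueryError(f"{a}: {ERROR_CODES[a]}")
        if not ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8"):
            raise DnsblQueryError(f"unexpected non-127/8 answer {a}")
        if a in RETURN_CODES:
            hits.append(RETURN_CODES[a])
    return hits


def lookup(ip: str, zone: str = ZEN_ZONE):
    """Resolve the DNSBL name with the system resolver and decode the result (network call)."""
    name = dnsbl_name(ip, zone)
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror:
        return []  # NXDOMAIN: the address is not listed
    return decode_answers(addrs)


def must_block(hits) -> bool:
    """Policy example: refuse SMTP from anything on XBL or CSS; PBL alone is a policy hint."""
    return any(lst in ("XBL", "CSS", "SBL") for lst, _ in hits)


if __name__ == "__main__":
    # 127.0.0.2 is the documented always-listed test address; its query name is
    # 2.0.0.127.zen.spamhaus.org and should return every Zen return code.
    print(dnsbl_name("127.0.0.2"))
    for hit in lookup("127.0.0.2"):
        print(hit)
```

Run `lookup()` only through a resolver you control: Spamhaus answers queries from large public resolvers with 127.255.255.254, and the decoder above deliberately raises on that rather than reporting the IP as unlisted, which is the failure mode that silently disables blocklist checks in production.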