Data for Integration - Spamhaus Technology

Benefits

To identify internet resources connected with malicious activity, Spamhaus analyzes over 13.4 billion global SMTP connections, 1.5 million IPs, 3 million domains, and 18k malware samples every day.

Gain access to this expertly researched reputation data to enrich your cyber-security products, services, and more.

Accuracy of data
Our data has a 0.02% false positive rate. Have confidence that IPs and domains listed are legitimately indicative of badness.
Breadth of coverage
With unique global data partnerships, Spamhaus analyzes c.80k data points every second.
Set and forget
Once you’re configured, that’s it. Nothing more to do than see improved threat intelligence.

Features

Trusted

With 20+ years’ experience, our data is utilized by many of the biggest brands in the industry.

Flexible

Choose the datasets and delivery mechanism that best suits your use case.

24/7 intelligence

Highly experienced threat hunters working constantly on your behalf

Real time

As soon as we list threats, the intelligence is made available to you.

About the data

How is the data generated?

For 23 years, we have been developing a vast network of sensors to provide the broadest possible view of online networks. Data sources range from government organizations around the world to industry-leading internet providers to specialized researchers, analysts, honey pots, and beyond.

This truly big, raw data is then put under scrutiny with machine learning, robust manual investigations, and heuristics to compile listings of malicious activities into IP, domain, and content-based datasets. The listings are objective, based on policies that have been carefully defined over years with the wider industry, and are now relied on by billions of people every day.

IP-based datasets

Our IP datasets contain information on IP addresses that have been observed to be involved in sending or hosting spam, connected to hijacked servers or computers infected with botnets. The IP data is broken down into 3 primary datasets:

Spamhaus Blocklist (SBL) – contains IP addresses that are observed to be involved in sending spam, snowshoe spamming, botnet command and controllers (C&Cs), bulletproof hosting companies and hijacked IP space. Indicative size: 30 million listings
eXploits Blocklist (XBL) – individual IPs (/32s) that are infected with malware, worms, and Trojans; third party exploits, such as open proxies; or devices controlled by botnets. Indicative size: 4 million listings
Policy Blocklist (PBL) – IP address ranges for end-user devices, such as home routers, smart TVs, and other Information of Things (IoT) devices, from which email should never be sent. Indicative size: 1.2 billion listings

We also have available the following datasets – subsets of the 3 primary datasets:

Auth Blocklist (AuthBL) – lists IP addresses known to host bots using brute force or stolen SMTP-AUTH credentials to send spam, phishing, and malware emails
Extended XBL (eXBL) – containing live and historical metadata to bring context to XBL listings
Botnet Controller List (BCL) – an advisory “drop all traffic” list consisting of single IPv4 addresses, used by cybercriminals to control infected computers (bots).
eBCL – containing live and historical metadata to bring context to BCL listings
CSS – specific to SMTP traffic, only listing port-25 based detections. These target spam and other low-reputation sources.
eCSS – containing live and historical metadata to bring context to CSS listings
DROP – Don’t Route Or Peer – advisory “drop all traffic” lists, consisting of netblocks that are “hijacked” or leased by professional spam or cyber-crime operations

Content-based datasets

Our content datasets contain information relating to content that has been connected to malicious activity – be that compromised domains, crypto wallets such as Bitcoin, malware and email addresses. The content data is broken down into 3 primary datasets:

Domain Blocklist (DBL) – Domains owned by spammers and used for spam or other malicious purposes. This blocklist also contains domains owned by non-spammers which are used for legitimate purposes, but have been hijacked by spammers. Indicative size: 350k listings
Zero Reputation Blocklist (ZRD) – lists newly registered domains for 24 hours. Domains that have just been registered are rarely used by legitimate organizations immediately. Indicative size: 200k listings
Hash Blocklist (HBL) – this blocklist contains the following content areas: Cryptowallet (Bitcoin etc.), Malware and Email addresses. Indicative size: 1.1 million listings

Available via an API, we also have available the extended DBL (eDBL) containing live and historical metadata to bring context to DBL listings.

How is the data delievered?

There are a variety of options – it really depends on your use case. It can be delivered via:

Rsync – consume all the data with awareness of potential drawbacks due to batch processing and synchronization
Realtime Updates – if you need all the data but require updates in real-time, 24/7
Data Query Service – to make individual queries rather than consuming all the data. Data is accurate to the second
Spamhaus Intelligence API – the eXBL and eCSS datasets are also available via API, with additional datasets being added

Or if you have an alternative integration method in mind, or require delivery by API beyond the data listed, please get in touch with your request.

Who is the data relevant for?

Typically, data for integration is adopted by Product Managers to incorporate into end-user products or Security Operations Managers and Security Incident Event Managers for internal threat intelligence operations.

Blocklists

Data for Investigation

Datasets providing additional insight into networks and their associated internet identifiers, to reduce investigation times and highlight potential risk.

Learn more

Content Blocklists

Constantly updated content-based lists including the Domain and Hash blocklists. These use multiple sources to define whether the entity is involved in malicious activity, or whether it is hosting or sending harmful content.

Learn More

IP Blocklists

IP addresses that have been observed to be involved in sending or hosting spam, including hijacked servers and computers infected with botnet malware. These are the longest established blocklists in the industry.

Learn More

Resources

What does Spamhaus do?

30 November 2021

Blog

I write this article for all of you out there who aren't deeply embedded in this industry because the people I work with are remarkable. The world should know what they are doing to quietly protect all those who say “Spamwho?” be that your grandma or the network nerd at work.

Learn more

Red Sift increases customers’ insight and productivity with Spamhaus Intelligence API

23 March 2021

Case Study

Global cybersecurity software company, Red Sift, use the Spamhaus Intelligence API to free up time for their customers while providing important insight on why an IP is blocked.

Learn more

Reduce Phishing and Ransomware – The Whitepaper 2021

30 March 2021

Uncategorized

In this Osterman Report, 130 cybersecurity professionals were interviewed to find out how the threats of phishing and ransomware are impacting their businesses. Compare yourself to the market place, and find out how others are protecting themselves.

Download

Benefits

Accuracy of data

Breadth of coverage

Set and forget

Features

Trusted

Flexible

24/7 intelligence

Real time

About the data

How is the data generated?

IP-based datasets

Content-based datasets

How is the data delievered?

Who is the data relevant for?

Blocklists

Data for Investigation

Content Blocklists

IP Blocklists

Resources

What does Spamhaus do?

Red Sift increases customers’ insight and productivity with Spamhaus Intelligence API

Reduce Phishing and Ransomware – The Whitepaper 2021