Our
Datasets

Botnet command and controller (C2) servers. The status of these single IPv4 addresses is re-evaluated several times a day to identify active botnet controllers only. Utilize for protection or threat intelligence requirements.

IP addresses known to host bots using stolen credentials or brute-forcing SMTP-AUTH (and other authentication protocols), helping detect and mitigate ongoing abuse from malicious login attempts.

IP addresses exhibiting signs of compromise, which can include downloaded malware, security vulnerabilities allowing unauthorized access, etc. Designed to protect networks from malware and spam by preventing connections from these IPs. Available in binary and contextual format.

Contextual metadata on every domain observed and analyzed by our researchers. This includes reputation areas to strengthen, domain contexts, senders data, nameserver reputation, A Record reputation, correlated related domains, listed Hostnames, and malware.

Spam-emitting IPs that are direct spam sources or senders posing a risk. This includes emails showing indications of an unsolicited nature, sending malicious emails due to a compromise, and other indicators of low reputation or abuse.

A list of autonomous system numbers (ASNs) that are hijacked or leased by professional spam or cyber-crime operations and used for dissemination of malware, trojan downloaders, botnet controllers, etc, and send no legitimate traffic.

The worst of the worst malicious traffic IPs - an advisory to “drop all traffic” - with activity directly originating from rogue networks, such as encryption via ransomware, DNS-hijacking, authentication attacks, harvesting, DDoS attacks, and spam campaigns.

Domains and hosts used for suspicious or malicious activity, e.g., those associated with phishing, spam, malware, botnet command and controllers (C2s), and redirector domains; may be owned by malicious actors or have been hijacked. Available in binary and contextual formats.

Malicious internet resources, including cryptowallets, malware files, email addresses, and URLs (including shorteners, redirectors, and online file storage providers). Provided as cryptographic hashes and described by users as "a game-changer".

A non-public platform that executes malware samples in a controlled environment to collect the associated signals and metadata - before and during the execution. This data is only available via the Real Time Intelligence Feed.

This dataset exposes IPs being observed in a range of adversarial activities, derived through Open Source Intelligence (OSINT) from Spamhaus' most specialized and experienced researchers.

A log of domains or hosts confirmed to be involved in malware-related activity, e.g., domains being used for malware distribution. This dataset provides a binary list of domain names, in addition to associated malware family. Unconfirmed but suspicious domains can also be made available.

Retrieve IP addresses, domains, URLs, and file hashes linked to malware activities. Gain crucial context with confidence levels, first/last seen timestamps, threat type , reporter, and sightings - indicating trustworthiness, relevance over time, nature of the threat, source legitimacy, and frequency of observation.

A vast, continuously updated collection of malicious files enriched with metadata, offering a high-fidelity view of the evolving threat landscape for security analysis and research needs. Samples available to download.

Tracked URLs that are being used for malware distribution. Access real-time contextual details, including associated payloads, tags, malware families, and whether the URL status is offline or online, to hunt with and better understand adversarial TTPs.

IPs that should never send email directly to the MX servers of third parties. Networks add and maintain many of these ranges, resulting in strong data efficacy. Spamhaus supplements by identifying end-user IP space that is observed as having high concentrations of botnet zombies.

A repository of DNS infrastructure connections, capturing CNAMEs, nameservers, TXT, MX, and other query responses over time. This dataset enables analysts and hunters to pivot, enrich indicators, track malicious infrastructure changes, and uncover related threats—critical for correlation, incident response, and proactive defense.

Metadata based on millions of suspicious malware sample scans. Enhance your retroactive or active hunting capabilities by matching known malware patterns, automating malware classification, and improving detection accuracy with this large, community-driven signal repository.

Newly registered or newly observed domains. These domains are included in this dataset for 24 hours; newly created domains are rarely used for legitimate purposes within 24 hours of registration, which provides a strong indicator of potential malicious behavior.