Product Details

What is the Spamhaus Intelligence API?

The Spamhaus Intelligence API (SIA) is an API that allows you to easily access our IP reputation datasets for integration into your existing infrastructure, including threat intelligence platforms, websites, analysis, and reporting mechanisms.

Who can use SIA?

Anyone who needs to provide context around IP addresses that are compromised or sending spam.

How to deploy

Visit our technical documentation for access details and additional technical information regarding SIA.


Based on the number of queries per month and second, prices start at $5,000 per year. Contact our sales team for further details.

Developer License

Developers wishing to take the time to explore, build and test with the data can sign-up for free access to SIA via our Developer License, with up to 5,000 queries per month.

What data is included?

SIA provides access to live and historical metadata relating to IP addresses that indicate compromise, are emitting spam, or are dedicated botnet command and control servers. These IPs are listed on the Spamhaus extended eXploits Blocklist (eXBL), the extended CSS Blocklist (eCSS), or the extended Botnet Controller List (eBCL).


This dataset focuses on compromised devices. Our research team lists IP addresses showing indications of malware, Trojan or worm infections, devices controlled by botnets command and controllers (C&Cs), along with third-party exploits, such as open proxies.

This dataset on average contains 4 million listings, with up to 75,000 newly observed IPs added every 24 hours.


This dataset is specific to SMTP traffic, only listing port-25 based detections. Potential triggers for a listing include unsolicited emails, having poor email marketing list hygiene, or sending out malicious emails due to compromised accounts or content management systems (CMS).

This dataset contains between 300,000 – 1.5 million listings, with up to 285,000 new listings added every 24 hours.


This dataset only contains single IPv4 addresses which are being used to host botnet command and controller servers (C&Cs). No inbound or outbound network connections should be made to these IP addresses under any circumstances.

This dataset contains approximately 300 – 1,500 listings, with up to 50 new entries every 24 hours.