Spamhaus has released the extended CSS Blocklist (eCSS) and made it available via our API service.  This provides users with additional insights relating to compromised and malicious IP addresses.

What is the Spamhaus Intelligence API (SIA)?

The name gives it away – it’s an API that’s easy to integrate with existing systems, which delivers enhanced IP reputation data. This metadata gives increased visibility and context to users, speeding up investigations and accelerating reporting relating to IP addresses.

Red Sift Open Cloud utilizes SIA to help their customers rapidly classify potential threats, enabling them to dramatically reduce the amount of time spent analyzing reports. Read more.

What is the extended CSS (eCSS)?

This dataset is specific to SMTP traffic, i.e., it only lists port-25 based detections. The focus is on spam and other low-reputation sources. Our researchers list IPs on this dataset if they observe any of the following behavior:

  • Sending bulk unsolicited email
  • Having poor email marketing list hygiene
  • Sending out malicious emails due to compromised accounts, web forms, or content management systems (CMS)

The eCSS contains between 300,000 – 1.5 million listings, with up to 285,000 new listings added every 24 hours. Not only can it be used by abuse desks for remediation, but, given its SMTP focus, senders can utilize it from a reputation perspective too. Additionally, receivers can use the CSS to take a deeper dive into the reasons behind a listing on the CSS blocklist.

What else is available via SIA?

A dataset called the extended eXploits blocklists (eXBL) is also included. This lists IP addresses belonging to any device showing signs of compromise and includes the Internet of Things (IoT) traffic. Listings on the eXBL result from:

  •  Malware infections
  • Trojan infections
  • Worm infections
  • Devices controlled by botnets command and controllers (C&Cs)
  • Third-party exploits, such as open proxies.

This dataset on average contains 7.5 million listings, with up to 75,000 newly observed IPs added every 24 hours.

How do you access the eCSS?

If you’d like to trial this data via SIA, you can sign up here. Alternatively, for those who would like an opportunity to experiment with our data over an extended period, sign up for our free Developer License, which gives six months of access to these datasets without any charge.

Related products

Spamhaus Intelligence API (SIA)

This API provides access to multiple datasets containing metadata relating to compromised IP addresses. These IP addresses may be exhibiting compromised behavior, including malware, worm, and trojan infections, and SMTP-specific traffic emitting spam, or cybercriminals are using them to control infected computers – botnet command & controllers.

The breadth of data available via an easily consumable API provides security developers with scores of opportunities.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust in


Additional protection with an expanding CSS dataset

2 November 2022

Blog News

As of Wednesday, November 9th, the CSS dataset will start to grow. We anticipate the addition of 1.5 million listings over the next 4-6 months; that's approximately a 100% increase! Find out why and the impact to you in this blog.

Increased performance and search capabilities for users of IP reputation data via API

28 October 2022

Blog News

Commercial or developer subscribers to any IP datasets via Spamhaus Intelligence API (SIA) will experience improved performance and search capabilities for this service.

The Extended Botnet Controller List is now available via the Spamhaus Intelligence API

25 January 2022


The breadth of reputation data available via the Spamhaus intelligence API is increasing - the extended Botnet Controller List is now included.