Spamhaus has released the extended CSS Blocklist (eCSS) and made it available via our API service.  This provides users with additional insights relating to compromised and malicious IP addresses.

What is the Spamhaus Intelligence API (SIA)?

The name gives it away – it’s an API that’s easy to integrate with existing systems, which delivers enhanced IP reputation data. This metadata gives increased visibility and context to users, speeding up investigations and accelerating reporting relating to IP addresses.

Red Sift Open Cloud utilizes SIA to help their customers rapidly classify potential threats, enabling them to dramatically reduce the amount of time spent analyzing reports. Read more.

What is the extended CSS (eCSS)?

This dataset is specific to SMTP traffic, i.e., it only lists port-25 based detections. The focus is on spam and other low-reputation sources. Our researchers list IPs on this dataset if they observe any of the following behavior:

  • Sending bulk unsolicited email
  • Having poor email marketing list hygiene
  • Sending out malicious emails due to compromised accounts, web forms, or content management systems (CMS)

The eCSS contains between 300,000 – 1.5 million listings, with up to 285,000 new listings added every 24 hours. Not only can it be used by abuse desks for remediation, but, given its SMTP focus, senders can utilize it from a reputation perspective too. Additionally, receivers can use the CSS to take a deeper dive into the reasons behind a listing on the CSS blocklist.

What else is available via SIA?

A dataset called the extended eXploits blocklists (eXBL) is also included. This lists IP addresses belonging to any device showing signs of compromise and includes the Internet of Things (IoT) traffic. Listings on the eXBL result from:

  •  Malware infections
  • Trojan infections
  • Worm infections
  • Devices controlled by botnets command and controllers (C&Cs)
  • Third-party exploits, such as open proxies.

This dataset on average contains 7.5 million listings, with up to 75,000 newly observed IPs added every 24 hours.

How do you access the eCSS?

If you’d like to trial this data via SIA, you can sign up here. Alternatively, for those who would like an opportunity to experiment with our data over an extended period, sign up for our free Developer License, which gives six months of access to these datasets without any charge.

Related products

Spamhaus Intelligence API (SIA)

This API provides access to multiple datasets containing metadata relating to compromised IP addresses. These IP addresses may be exhibiting compromised behavior, including malware, worm, and trojan infections, and SMTP-specific traffic emitting spam, or cybercriminals are using them to control infected computers – botnet command & controllers.

The breadth of data available via an easily consumable API provides security developers with scores of opportunities.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust in


The Extended Botnet Controller List is now available via the Spamhaus Intelligence API

25 January 2022


The breadth of reputation data available via the Spamhaus intelligence API is increasing - the extended Botnet Controller List is now included.

Using OMI on Microsoft Azure? Here’s an update you need to read

28 September 2021


An easy-to-exploit security vulnerability that allows remote code execution (RCE) on virtual machines where Open Management Infrastructure (OMI) is installed has been observed. Users need to take action.

Welcome to the Spamhaus Developer License

23 March 2021


We're aware that it can take time to find the right use case and build the right application to meet its needs. So, we've created a license to give developers access to the data without the 30-day time limit attached to a trial. The developer license runs for six-month periods.