
Increased performance and search capabilities for users of IP reputation data via API

Posted on: October 28, 2022
Author: Sarah Miller
Read time: 3 mins

Introduction


Commercial or developer subscribers to any IP datasets via Spamhaus Intelligence API (SIA) will experience improved performance and search capabilities for this service.

What’s included with the “ALL” query?

Users can query the following datasets when using the “ALL” command. Each one highlights different areas of abuse:

  • Exploits Blocklist (XBL)
  • Combined Spam Sources (CSS)
  • Botnet Controller List (BCL)

The XBL focuses on single IP addresses belonging to devices that are showing signs of compromise, i.e., exploited devices. The cause can be malware, trojan and/or worm infections, machines controlled by botnet command and control servers (C&Cs), or third-party exploits such as open proxies.

Meanwhile, the CSS focuses on port-25-based detections, i.e., SMTP traffic. This dataset contains IPv4 and IPv6 addresses that are sending bulk unsolicited email, that we observe to be sending email with poor marketing list hygiene [https://www.spamhaus.com/resource-center/address-acquisition-for-mailing-lists/], or that are sending out spam as a result of compromised webforms or CMSs such as WordPress.

Finally, there’s the BCL; this small but perfectly formed dataset packs a punch. Containing only single IPv4 addresses, this dataset highlights IP addresses under the direct control of miscreants who use them to host botnet C&Cs.

How can this pooled intelligence assist you?

Combining this data provides you with a rounded, 360-degree view of any issues relating to an IP address*. Where the research team has listed an IP, detailed metadata is returned, including the timestamp of the listing, the destination IP address of the connection that triggered the detection, the associated bot name, and the geolocation, among many more [https://docs.spamhaus.com/sia/docs/source/02-data-explained/data-anatomy.html].

This rich data provides a deeper (and clearer) understanding of events, helping speed up mitigation. Additionally, the context the intelligence provides around a listing can help automate reporting, as Red Sift discovered [https://www.spamhaus.com/resource-center/red-sift-and-spamhaus-intelligence-api/].

Increased performance

Not only have our developers been busy, but so have our engineers. They have made numerous enhancements to ensure the infrastructure scales automatically according to the load and dramatically reduces latency. Delivering replies with very low latency enables customers to optimize and scale their code.

Want to trial the data?

If you haven’t trialed the data yet, or have been waiting for this functionality and would like to trial the data again, there are two options:

  1. A free 30-day trial. Sign up [https://www.spamhaus.com/free-trial/free-30-day-trial-for-spamhaus-intelligence-api/] to get free access to SIA at the Enterprise level, providing you with up to 250,000 queries for the month and up to 150 queries per second.
  2. A developer license. Sign up [https://www.spamhaus.com/developer/sia/] and get the opportunity to experiment and build with SIA for six months, with up to 5,000 queries per month.

We welcome your feedback on this service as we continually look to provide further intelligence to help you overcome your security-based challenges.

*Please note that the Spamhaus Blocklist (SBL) will be available in 2023; however, the CSS component of the SBL is already included in SIA.