Commercial or developer subscribers to any IP datasets via Spamhaus Intelligence API (SIA) will experience improved performance and search capabilities for this service.

An all-encompassing search

Since SIA’s launch just over 18 months ago, we’ve been releasing additional IP datasets that users can query. As the number of datasets via SIA has increased, we’ve received requests to query “ALL” the IP datasets. Well, in the words of the genie of the lamp, “your wish is our command”. Actually, genies had nothing to do with it – it was the Spamhaus development team who’ve been beavering away adding this “ALL” command to the search values.

With this addition, you can instantly access a broad range of intelligence, from IPs listed as hosting botnet command and controllers (C&Cs) to compromised content management systems (CMS) spewing out spam. In other words, it searches all the intelligence our researchers are observing that is available via SIA.

What’s included with the “ALL” query?

Users can query the following datasets when using the “ALL” command. Each one highlights different areas of abuse:

  • Exploits Blocklist (XBL)
  • Combined Spam Sources (CSS)
  • Botnet Controller List (BCL)

The XBL focuses on single IP addresses belonging to devices that are showing signs of compromise, i.e., exploited devices. This can be because of malware, trojan and/or worm infections, machines controlled by botnet command and controllers (C&Cs), or third-party exploits such as open proxies.

Meanwhile, the CSS focuses on port-25-based detections, i.e., SMTP traffic. This dataset contains IPv4 and IPv6 addresses that are sending bulk unsolicited email, IPs we observe to be sending email with poor marketing list hygiene, or sending out spam as a result of webforms or CMS like WordPress being compromised.

Finally, there’s the BCL; this small but perfectly formed dataset packs a punch. Containing only single IPv4 addresses, this dataset highlights IP addresses under the direct control of miscreants using them to host botnet C&Cs.

How can this pooled intelligence assist you?

Combining this data provides you with a rounded 360 view of any issues relating to an IP address*. Where the research team has listed an IP, detailed metadata is returned, including the timestamp of the listing, the destination IP address of the connection that triggered the detection, the associated bot name, and the geolocation, among many more.

This rich data provides a deeper (and clearer) understanding of events, helping speed up mitigation. Additionally, the context the intelligence provides around a listing can help automate reporting, as Red Sift discovered.

Increased performance

Not only have our developers been busy, but so have our engineers. They have made numerous enhancements to ensure the infrastructure scales automatically according to the load and dramatically reduces latency. Delivering replies with very low latency enables customers to optimize and scale their code.

Want to trial the data?

If you haven’t trialed the data yet, or have been waiting for this functionality and would like to trial the data again, there are two options:

  1. A free 30-day trial. Sign up to get free access to SIA at the Enterprise level, providing you with up to 250,000 queries for the month and up to 150 queries per second.
  2. A developer license. Sign up and get the opportunity to experiment and build with SIA for six months, with up to 5,000 queries per month.

We welcome your feedback on this service as we continually look to provide further intelligence to help you overcome your security-based challenges.


*Please note that the Spamhaus Blocklist (SBL) will be available in 2023; however, the CSS component of the SBL is already included in SIA.

Related products

Spamhaus Intelligence API (SIA)

This API provides access to multiple datasets containing metadata relating to compromised IP addresses. These IP addresses may be exhibiting compromised behavior, including malware, worm, and trojan infections and SMTP-specific traffic emitting spam, or cybercriminals may be using them to control infected computers, i.e., as botnet command and controllers.

The breadth of data available via an easily consumable API provides security developers with scores of opportunities.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust in

