Towards the end of 2022, Spamhaus released a beta API that provided access to information relating to every domain that researchers observe. This API provided an overview of a domain's reputation and its associated resources. Having listened to the feedback from beta testers, which was along the lines of "It's OK, but we want more insight," our development team went into overdrive to produce an API that meets (and hopefully exceeds) expectations.

What’s new in beta 2.0?

Everything! Well, almost. This API is now broken up into several different calls, allowing users to tailor the insight they query based on their individual use cases and requirements. Each part of the API focuses on a different aspect of the signal available, as detailed below:

Reputation Dimensions

We’re sharing the various dimensions (scores) that your domain’s reputation score is composed of – giving you insight into what dimension may be dragging your reputation score down, so you can take constructive steps to improve your domain’s reputation. The following areas have a score attached to them:

  • smtp: reputation in the SMTP area.
  • identity: reputation of the domain’s identity, for example, the owner and registrar.
  • infra: reputation of the infrastructure of the domain, for example, nameservers and hosts.
  • malware: reputation of the domain as affected by malware, bots, and distribution of such threats.
  • human: the human reputation for a domain. This dimension represents the viewpoint of Spamhaus researchers about the domain.
  • 3rdparty: the reputation score trusted third parties provide relating to the domain.

Context

For those of you who want to know where the domain has been observed, the context is provided, listing all places the domain has been sighted, for example, in a DKIM header.

Tags

These are used to tag certain types of behaviors, including the type of abuse associated with a domain, e.g., phishing, or what type of domain it is, e.g., a redirector. Multiple tags can be associated with a domain, giving the user a broad picture. Here’s a list of the tags used by our researchers:

  • phish | domain is used in phishing attacks
  • scam | domain is used in fraud
  • malware | domain is used in malware distribution
  • redirector | domain is used as a URL shortener or redirector
  • botnetcc | domain is used for botnet command and control
  • spam | domain is used in spam
  • snowshoe | domain is used in snowshoe spam
  • botnet | domain is used in botnet spam
  • freehost | domain offers free hosting services
  • shared | domain offers shared services
  • compromised | domain has been compromised
  • adware | domain is used by adware
  • dga | domain is a DGA
  • freemail | domain offers freemail services
  • disposable | domain offers disposable services
  • abused | domain is being abused by third parties
  • corporate | validated domain used for corporate uses only
  • dyndns | domain is used to provide dyndns services
  • shortener | URL shortener service
  • cdn | this domain hosts a CDN
  • hailstorm | domain is involved in hailstorm operations
  • isp | domain used for provider customer endpoints

Listed domains

To establish if a domain is listed on a blocklist, you can query the Domain Listings API. This will advise if the domain is listed, the timestamp of when it was listed, and the listing expiry date.

Clusters

Cluster hashes are used to correlate domains to patterns of behavior across the following two areas:

  • Auth – relating to patterns in email authentication behavior.
  • Infra – relating to patterns in domain registration – when and how the domain was registered and the infrastructure it is using.

Note: This is available to users with Extended Access and must be used cautiously. Clustering is not an exact science but merely indicates potential associations between domains, and further investigations must always be undertaken before assuming all returned domains are associated.
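To make the relationship between dimensions, tags, listings and clusters concrete, here is an added example of how a consumer might triage one domain record; it is illustration code, not Spamhaus code, and the JSON shape, field names (`score`, `dimensions`, `listings`, `listed_at`, `expires_at`, `clusters`) and the convention that a higher dimension score is better are all assumptions, since the post describes the data but not the response format. Only the dimension and tag names come from the post. Listings are treated as active only between their listing and expiry timestamps, and cluster hashes are carried through as leads for further investigation rather than used as a blocking signal, which matches the caveat above.

```python
"""Added example (not Spamhaus code): triage a domain record of the kind the
beta 2.0 API is described as returning. The record shape is assumed; the
dimension and tag names are the ones listed in the post."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Dimension names from the post. Assumption: higher score = better reputation.
DIMENSIONS = ("smtp", "identity", "infra", "malware", "human", "3rdparty")

# Tags from the post, split into those that describe abuse of or by the domain
# and those that describe a service type third parties commonly ride on.
ABUSE_TAGS = {"phish", "scam", "malware", "botnetcc", "spam", "snowshoe",
              "botnet", "adware", "dga", "hailstorm", "compromised", "abused"}
SERVICE_TAGS = {"redirector", "freehost", "shared", "freemail", "disposable",
                "dyndns", "shortener", "cdn", "isp"}

# Constructed sample records in the assumed shape (not real API output).
SAMPLE_BAD = json.dumps({
    "domain": "example.test",
    "score": 32,
    "dimensions": {"smtp": 85, "identity": 70, "infra": 40,
                   "malware": 5, "human": 60, "3rdparty": 55},
    "tags": ["phish", "shared"],
    "listings": [{"list": "DBL", "listed_at": "2023-03-01T10:00:00Z",
                  "expires_at": "2023-03-20T10:00:00Z"}],
    "clusters": {"auth": "hash-placeholder-1", "infra": "hash-placeholder-2"},
})
SAMPLE_CLEAN = json.dumps({
    "domain": "clean.test",
    "score": 91,
    "dimensions": {"smtp": 95, "identity": 88, "infra": 90,
                   "malware": 99, "human": 85, "3rdparty": 92},
    "tags": ["corporate"],
    "listings": [{"list": "DBL", "listed_at": "2022-01-01T00:00:00Z",
                  "expires_at": "2022-01-08T00:00:00Z"}],
    "clusters": {},
})


@dataclass
class Triage:
    domain: str
    weakest_dimension: str      # the dimension dragging the score down
    weakest_score: int
    abuse_tags: list
    service_tags: list
    actively_listed: bool
    cluster_leads: dict = field(default_factory=dict)  # leads only, never a verdict
    verdict: str = "allow"


def parse_ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_active_listing(listing, now):
    """A listing counts only between its listing time and its expiry."""
    return parse_ts(listing["listed_at"]) <= now < parse_ts(listing["expires_at"])


def triage(record_json, now=None):
    """Reduce one record to a verdict plus the facts that justify it."""
    now = now or datetime.now(timezone.utc)
    rec = json.loads(record_json)
    dims = {k: v for k, v in rec["dimensions"].items() if k in DIMENSIONS}
    weakest = min(dims, key=dims.get)
    tags = set(rec.get("tags", []))
    active = any(is_active_listing(l, now) for l in rec.get("listings", []))
    t = Triage(domain=rec["domain"], weakest_dimension=weakest,
               weakest_score=dims[weakest],
               abuse_tags=sorted(tags & ABUSE_TAGS),
               service_tags=sorted(tags & SERVICE_TAGS),
               actively_listed=active, cluster_leads=rec.get("clusters", {}))
    # Policy: an active listing or an abuse tag blocks; a service-type tag
    # alone only flags for review, since abuse there is usually by third parties.
    if active or t.abuse_tags:
        t.verdict = "block"
    elif t.service_tags:
        t.verdict = "review"
    return t


if __name__ == "__main__":
    for rec in (SAMPLE_BAD, SAMPLE_CLEAN):
        print(triage(rec, now=parse_ts("2023-03-10T00:00:00Z")))
```

The verdict is driven only by listings and abuse tags; the weakest dimension and cluster hashes are reported so an operator knows where to look next, which is the use the post describes for them.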

Hostnames

Spamhaus tries to minimize the impact and the reach of a listing on a blocklist or Response Policy Zone, and, when possible, we list hostnames rather than domains. Within SIA, there is now an API call that returns hostnames that are (or have been) listed for a specific domain in the recent past, including timestamps.

Malware

This API call outlines the malware associated with the domain (if any).

Additional intelligence

Various resources relating to the domains are being made available, from sending IP addresses to nameservers (NS) and A Records. Timestamps and the number of domains served by these resources are also provided.

Technical documentation

To get a complete technical overview of the beta 2.0 API, read our technical documentation.

Find out more and sign up

This second beta phase is due to run from Wednesday, March 15th, to Wednesday, May 10th. As always, we will ask those testing to provide feedback via online surveys or a one-to-one interview with a trusted third party. To get access to beta 2.0, please complete this form.

Related Products

Spamhaus Intelligence API (SIA)

This API provides access to multiple datasets containing metadata relating to compromised IP addresses. These IP addresses may be exhibiting compromised behavior, including malware, worm, and trojan infections and SMTP traffic emitting spam, or may be used by cybercriminals to control infected computers as botnet command and controllers.

The breadth of data available via an easily consumable API provides security developers with scores of opportunities.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust
