Advanced Threat Feeds

Spamhaus Advanced Threat Feeds

You need real-time threat intelligence so you can stay ahead of the curve when it comes to detecting cyber threats and avoiding a cyberattack. Spamhaus Advanced Threat Datafeeds offer cyber threat intelligence that’s updated every 60 seconds.

What are the Spamhaus Advanced Threat Feeds?

Spamhaus’s Advanced Threat Datafeeds — Botcc, eXBL, and Passive DNS — provide the most current, detailed, and actionable intelligence on botnets, infected hosts, and related metadata. This highly valuable and actionable threat intelligence data improves your defenses and helps address malicious activity.

Benefits of the Spamhaus Advanced Threat Feeds

Organizations can mitigate risks posed by phishing emails, malware domains, botnets, and other cyber threats with the live data from the Spamhaus Advanced Threat Datafeeds.

To combat these emerging threats, Spamhaus security researchers are constantly analyzing spam traffic, domains, IP addresses, and malware. They identify malicious host sites, locations of C&C servers, network relationships between malicious DNS and cybercriminal operations, and network connections between C&C servers and botnets.

The continuously updated datastream from Spamhaus provides system administrators, network managers, and security practitioners with the origins and severity of the latest cybercriminal campaigns, as well as the ability to implement stronger network security by blocking malicious email and IP traffic before it can do any harm.

Botcc Feed

The Spamhaus Botnet Command and Control (C&C) list is an advisory “drop all traffic” list consisting of single IPv4 addresses. The feed contains no subnets: every entry is a single /32 host address, never a CIDR prefix covering more than one host.

The servers on these IP addresses host botnet C&C nodes. Botnet C&C nodes are servers that control the individual malware-infected computers (bots) that together form a botnet. Bots regularly contact botnet C&C nodes so that the malware on the bots can transfer stolen data to the C&C node for delivery to the botnet’s owner, and so that the bots can obtain instructions for what they are to do next.

Once a bot contacts a C&C node, it receives instructions to send spam, host spammed web sites, attack other hosts on the internet, and provide name service (DNS) for the domains used in those attacks.

An IP address is listed on the Botnet C&C list when it meets the following criteria:

  • The server hosted at the IP address is used to control computers that are infected with malware.
  • The server hosted at the IP address is operated with malicious intent, meaning the server is operated by cybercriminals.

The feed file lists the Botnet C&C controllers with three fields per entry: the IP address, the botnet name, and a Base64-encoded free-text field giving further information. The decoded text field carries the detailed information from the SBL record, including the evidence supporting the nature of the Botcc entry.
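As an added example (not Spamhaus code), the following Python parses a Botcc-style feed and checks a connection log against it. The three-field layout (IP, botnet name, Base64 free text) follows the description above; the field separator, the sample feed lines and the sample log lines are assumptions constructed for this example, not taken from a real feed. Entries that are not a single IPv4 address (for instance CIDR notation) are rejected rather than silently turned into a wider drop rule.

```python
"""Parse a Botcc-style C&C feed and match it against connection logs.

Added example, not Spamhaus code. The three-field layout (IP, botnet name,
Base64 free text) follows the page's description; the field separator,
the sample feed lines and the sample log lines are constructed for this
example (assumptions), not taken from a real feed.
"""
import base64
import binascii
import ipaddress
from dataclasses import dataclass

FIELD_SEP = ";"  # assumption: the page does not state the real delimiter


@dataclass(frozen=True)
class BotccEntry:
    ip: str        # normalised dotted-quad string
    botnet: str
    info: str      # decoded free-text field


def parse_botcc_line(line: str):
    """Parse one feed line; None for blank/comment lines, ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(FIELD_SEP, 2)
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}: {line!r}")
    ip_text, botnet, b64 = (p.strip() for p in parts)
    # The list holds single IPv4 addresses only. Reject CIDR notation (and IPv6)
    # rather than silently widening a drop rule to a whole network.
    if "/" in ip_text:
        raise ValueError(f"CIDR notation is not allowed in Botcc entries: {ip_text}")
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"bad IPv4 address {ip_text!r}: {exc}") from exc
    try:
        info = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"bad Base64 info field for {ip_text}: {exc}") from exc
    return BotccEntry(str(ip), botnet, info)


def load_feed(text: str) -> dict:
    """Build {ip: BotccEntry}; malformed lines are reported and skipped, not fatal."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_botcc_line(raw)
        except ValueError as exc:
            print(f"feed line {lineno}: skipped ({exc})")
            continue
        if entry is not None:
            entries[entry.ip] = entry
    return entries


def find_c2_contacts(entries: dict, log_lines) -> list:
    """Return (src, dst, botnet) for each log line whose destination is a listed C&C IP.

    Log format assumed: 'src_ip dst_ip dst_port' per line (constructed for this example).
    """
    hits = []
    for raw in log_lines:
        src, dst, _port = raw.split()
        entry = entries.get(str(ipaddress.IPv4Address(dst)))
        if entry is not None:
            hits.append((src, dst, entry.botnet))
    return hits


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample feed (RFC 5737 documentation addresses): two valid
# entries plus two lines that must be rejected.
SAMPLE_FEED = "\n".join([
    "# constructed sample feed",
    f"192.0.2.10{FIELD_SEP}ExampleBot{FIELD_SEP}{_b64('constructed SBL note: C&C on tcp/443')}",
    f"198.51.100.7{FIELD_SEP}OtherBot{FIELD_SEP}{_b64('constructed SBL note')}",
    f"203.0.113.0/24{FIELD_SEP}BadEntry{FIELD_SEP}{_b64('whole subnet, must be rejected')}",
    f"203.0.113.9{FIELD_SEP}BadB64{FIELD_SEP}***not base64***",
])

# Constructed connection log: 'src dst dport'
SAMPLE_LOG = [
    "10.0.0.5 192.0.2.10 443",
    "10.0.0.6 192.0.2.99 443",      # not listed: no alert
    "10.0.0.7 198.51.100.7 8080",
]

if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for src, dst, bot in find_c2_contacts(feed, SAMPLE_LOG):
        print(f"ALERT {src} -> {dst} ({bot})")
```

Skipping a malformed line instead of aborting keeps the rest of the feed usable, but each skip is printed so a broken download is noticed rather than quietly shrinking the block list.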

eXBL (enhanced XBL)

eXBL is a comprehensive and detailed list of infected hosts, and this datafeed is designed to identify bot traffic:

  • It has 6 to 8 million entries and is highly accurate
  • It’s updated approximately every 30 minutes
  • It lists items that are single IPs (/32s)
  • It offers an extensive, accurate list of bot-infected machines
  • It includes rich metadata
    • IP
    • ASN
    • CIDR allocation
    • Country
    • Domain
    • Timestamp
    • Bot name
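A defender's first question about a list of infected hosts is whether any of them sit inside the organization's own address space. The following is an added example (not Spamhaus code) that filters eXBL-style records down to listed hosts within given CIDR blocks and discards listings older than a chosen age. It assumes records carrying the metadata fields named above serialised as CSV with ISO 8601 timestamps; that layout, the age threshold, the network list and every sample value are constructed assumptions for this example.

```python
"""Find eXBL-listed hosts inside your own address space.

Added example, not Spamhaus code. It assumes eXBL records carrying the
metadata fields named on the page (IP, ASN, CIDR allocation, country,
domain, timestamp, bot name) serialised as CSV with ISO 8601 timestamps;
that layout and every sample value are constructed for this example.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

FIELDS = ["ip", "asn", "cidr", "country", "domain", "timestamp", "botname"]


def parse_exbl(text: str) -> list:
    """Return well-formed records; rows whose IP is not a single IPv4 host are skipped."""
    records = []
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    for row in reader:
        if row["ip"].startswith("#"):
            continue  # comment line
        try:
            ip = ipaddress.IPv4Address(row["ip"].strip())
            seen = datetime.fromisoformat(row["timestamp"].strip())
        except ValueError:
            continue  # CIDR, IPv6 or unparsable timestamp: not an eXBL host entry
        if seen.tzinfo is None:
            seen = seen.replace(tzinfo=timezone.utc)
        records.append({**row, "ip": ip, "timestamp": seen})
    return records


def infected_in_my_space(records, my_networks, now, max_age):
    """Return (ip, botname, asn) for listed hosts inside my_networks seen within max_age."""
    nets = [ipaddress.IPv4Network(n) for n in my_networks]
    hits = []
    for rec in records:
        if now - rec["timestamp"] > max_age:
            continue  # stale listing; the host may already have been cleaned
        if any(rec["ip"] in net for net in nets):
            hits.append((str(rec["ip"]), rec["botname"], rec["asn"]))
    return hits


# Constructed sample: documentation addresses (RFC 5737) and ASNs (RFC 5398).
SAMPLE_EXBL = """\
# ip,asn,cidr,country,domain,timestamp,botname
198.51.100.23,64496,198.51.100.0/24,ZZ,host23.example.net,2024-05-01T11:40:00+00:00,examplebot
198.51.100.77,64496,198.51.100.0/24,ZZ,host77.example.net,2024-04-28T09:00:00+00:00,examplebot
203.0.113.5,64497,203.0.113.0/24,ZZ,other.example.org,2024-05-01T11:55:00+00:00,otherbot
198.51.100.0/24,64496,198.51.100.0/24,ZZ,bad-row,2024-05-01T11:50:00+00:00,examplebot
"""
MY_NETWORKS = ["198.51.100.0/24"]                         # assumption: our own allocation
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)    # fixed clock for the sample


def find_hits(text=SAMPLE_EXBL, networks=MY_NETWORKS, now=NOW, max_age_hours=24):
    """Convenience wrapper: parse the feed text and report hits in our space."""
    return infected_in_my_space(parse_exbl(text), networks, now,
                                timedelta(hours=max_age_hours))


if __name__ == "__main__":
    for ip, bot, asn in find_hits():
        print(f"infected host in our space: {ip} ({bot}, AS{asn})")
```

The age cut-off is the practitioner's choice: too short and a host that is still beaconing drops out of view between feed refreshes, too long and cleaned machines keep generating tickets.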

Spamhaus Passive DNS

Passive DNS collects and analyzes inter-server DNS messages, which are stored in a database where they can be indexed and queried.

Spamhaus Passive DNS delivers insight on DNS traffic by collecting a tremendous volume of DNS query information. This DNS traffic data provides excellent insight into cyber threats, as many of the DNS queries point to malicious activity.

Spamhaus Passive DNS is very robust, with more than 2B records per day, including host IP addresses, NS domains, CNAMEs, MX records, and much more.

Ready to learn more about how Spamhaus advanced threat feeds can benefit your business?