Spamhaus Intelligence API (SIA)

  • Home
  • Spamhaus Intelligence API (SIA)

Spamhaus Intelligence API (SIA)

Spamhaus’ leading global threat intelligence is now available via API. 

Spamhaus is an independent cyber research organization. Their data feeds are currently used to protect 3 Billion+ mailboxes globally.  Offering a wealth of  real-time threat data-sets designed to be enhanced your network security posture and threat research.

This easy-to-consume API easily delivers Spamhaus Threat Intelligence. Now use SIA to access data for integration, incident response, online real time risk assessment, monitoring trends and more..

IP Reputation Data

Key Features

  • Access to over 20 different fields per infected IP.
  • Includes historical and real-time data.
  • Ability to query IP addresses or networks
  • User friendly format for easy deployment
  • The API format makes this data easy to access and consume.

*NEW* Domain Reputation Data

Latest release of Spamhaus Domain Blocklist (DBL) available March 2023! 

  • 12 API calls for enhanced meta-data 
  • Information on every domain in Spamhaus research database
  • Easy-to-consume data via API

Spamhaus API technology makes the data simple to integrate across multiple applications, without downloading the entire data set.

API ‘GET response’ now available

Data Included

The following data feeds are now available through the Spamhaus Intelligence API (SIA). More coming soon!

*NEW* – Domain Reputation Data (DBL 2.0)

Access to every domain and related meta data contained in Spamhaus’ research database

  • 12 API calls for further investigation. 
  • Variety of API calls to tailor data for specific use

Enhanced, actionable meta-data including:

  • High Level Domain Data
  • Reputation Dimensions: Insight into which category is affecting domains’ reputation. 
  • Domain Contexts: Where domain was seen 
  • Domain Listing Data: Information on which blocklist domain is included in and length of listing
  • Domain Senders: Sending IP addresses of domain
  • Nameserver Reputation: Reputation of name servers hosting domain
  • Clusters: Related domains based on authentication, registration and infrastructure information. 
  • And More!

Latest version available March 2023!  Sign up for free 30 day trial

Extended eXploits Blocklist (eXBL)

The eXBL dataset lists IP addresses belonging to devices that are showing signs of compromise. This can include traffic from the Internet of Things (IoT) devices alongside more traditional spam. 

IP addresses involved in the following activity may be included in the eXBL:

  • Malware, trojan, or worm infections
  • Devices controlled by botnets command and controllers (C&Cs)
  • Third-party exploits, such as open proxies.

Metadata in the eXBL includes; timestamp of the last connection, the botnet’s name controlling infected nodes, the IP address and port number of the command and control server for some connections, the countries where compromised devices are located, and the type of malware used to exploit devices.

Approximate Size: Averages 4 million listings / > 75,000 new listings added per day

Extended Botnet Controller List (eBCL)

The eBCL dataset lists single IPv4 addresses known to host botnet command and controller servers (C&Cs). These botnet C&Cs are used by cybercriminals to control infected computers (bots). No legitimate internet users should connect with these IP addresses. 

Metadata included in the eBCL

  • the bot name associated with the detected activity
  • the destination port of the traffic that triggered the detection or where the identified C2 service has been observed running
  • binary files observed information referring to the specific C2 instance.

*Historical data is also available.

Approximate Size: Averages several thousand botcc’s, updated daily

Extended CSS Blocklist (eCSS)

The eCSS dataset is focused on SMTP traffic, targeting spam and other low-reputation sources. 

The following activities may result in an eCSS listing:

  • Bulk unsolicited messages
  •  Unhygienic email lists
  • Compromised accounts, webforms, or CMS sending malicious content

Metadata in the eXBL includes

  • Timestamp of the first seen date and last connection
  • HELO string used in the SMTP session triggering the detection
  • Geolocation of the IP address.

Increased protection for SonicWall, Palo Alto, and other firewall and network layer devises.

Approximate Size: Averages 300,000 – 1.5m listings, with 285,000 new listings added per day

Start your free trial.

Design the best set of data feeds to meet your needs!

Experience improved cybersecurity and stop phishing emails, ransomware, malware, and other cyber threats. Sign up for your free consultation and receive an in-depth technical deep dive and a 30-day free trial.