Extended CSS (eCSS)

This is the metadata-enriched version of the CSS, a list of public IP addresses that are involved in sending low-reputation email.
The CSS is normally published as an integral part of the Spamhaus Blocklist (SBL) for general consumption through DNSBLs. However, its enriched version is also distributed as a single JSON file containing all the listings live at the time the file is generated, and it can be queried through the API as the CSS dataset, where historical data is also available. In both of these last two cases, the record format is exactly the same.
Each record is composed of the following fields:

  • ipaddress The IP address identified as the source of the bot-generated traffic. Always provided.

  • seen The Unix timestamp (rounded to the minute) of the last detected event for the given IP and the given botname. Always provided.

  • firstseen Unix timestamp (rounded to the minute) of the first detection event for this IP+botname combination. This will match the value of seen if it’s the first sighting of this type on this particular IP. Always provided.

  • listed The Unix timestamp (rounded to the minute) of when the entry reached our database. Usually, this is very close to the value of seen, except when the data comes from batched processes. Always provided.

  • valid_until Unix timestamp (rounded to the minute) of when the given entry will be considered “expired” from our dataset. Always provided.

  • dstport The destination port of the traffic that triggered the detection. It’s usually port 25, which is also the implicit value when the field is not present.

  • asn The Autonomous System Number (ASN) announcing the IP; predominantly obtained from routeviews data.

  • lat Geographic latitude of the IP. Only provided when geolocation data is available.

  • lon Geographic longitude of the IP. Only provided when geolocation data is available.

  • cc The ISO Country Code of the nation where the IP resides. Only provided when geolocation data is available.

  • protocol IP protocol of the traffic triggering the detection. Usually TCP, which is also the implicit value when the field is not present.

  • domain The domain the listed IP is (or pretends to be) related to, when available. Usually simply extracted from the HELO/EHLO string used in the traffic generating or contributing to the listing.

  • helo The HELO/EHLO string used in the traffic contributing to the listing.

  • srcport The source port for the traffic generating the listing, when available.

  • heuristic The heuristic that contributed to the listing decision.

  • rule The rule ID that contributed to the listing decision. The value is strictly an internal reference to Spamhaus systems. It is provided only as a backreference to the logic responsible for the listing, which can be a useful reference for Spamhaus engineers and researchers.

  • subject An example Subject line for messages that contributed to the listing. Not always available or published.
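
The field rules above, applied by a consumer of the records, as an added example that is not Spamhaus code. It assumes the records have already been decoded into dictionaries (the sample is a constructed JSON array; the layout of the real file is not described here) and that an entry is expired once valid_until is no longer in the future. The keys first_sighting and ingest_lag_s are hypothetical and not part of the eCSS format.

```python
import json

# Fields the field list marks as "Always provided".
REQUIRED = ("ipaddress", "seen", "firstseen", "listed", "valid_until")
# Implicit values the field list gives for absent fields.
IMPLICIT = {"dstport": 25, "protocol": "TCP"}


def normalize(record):
    """Validate one eCSS record and fill in the documented implicit values."""
    missing = [f for f in REQUIRED if f not in record]
    if missing:
        raise ValueError(f"missing always-provided fields: {missing}")
    out = {**IMPLICIT, **record}
    # Hypothetical derived keys, not part of the eCSS format:
    # firstseen equals seen on the first sighting of this type on the IP.
    out["first_sighting"] = out["firstseen"] == out["seen"]
    # listed is normally close to seen; a large gap suggests batched data.
    out["ingest_lag_s"] = out["listed"] - out["seen"]
    return out


def active_records(records, now):
    """Return normalized records whose valid_until is still in the future."""
    normalized = [normalize(r) for r in records]
    return [r for r in normalized if r["valid_until"] > now]


# Constructed sample records (documentation IP ranges and ASN, made-up values).
SAMPLE = json.loads("""[
  {"ipaddress": "192.0.2.10", "seen": 1700000040, "firstseen": 1700000040,
   "listed": 1700000100, "valid_until": 1700604840, "asn": 64496},
  {"ipaddress": "198.51.100.7", "seen": 1700000040, "firstseen": 1699913640,
   "listed": 1700003640, "valid_until": 1700086440, "dstport": 587,
   "helo": "mail.example.net", "domain": "example.net"},
  {"ipaddress": "203.0.113.5", "seen": 1699900020, "firstseen": 1699900020,
   "listed": 1699900080, "valid_until": 1699999980}
]""")

NOW = 1700050000  # constructed "current time" as a Unix timestamp

if __name__ == "__main__":
    for r in active_records(SAMPLE, NOW):
        print(r["ipaddress"], r["protocol"], r["dstport"],
              "first sighting" if r["first_sighting"] else "repeat",
              f"lag={r['ingest_lag_s']}s")
```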