Extended CSS (eCSS)
This is the metadata-enriched version of the CSS, a list of public IP addresses that are involved in sending low-reputation email.
The CSS is normally published as an integral part of the Spamhaus Blocklist (SBL) for general consumption through DNSBLs. However, its enriched version is also distributed as a single JSON file containing all the listings live at the time of file generation, and it can be queried through the API as the CSS dataset, where historical data is also available. In both of these last two cases, the record format is exactly the same.
Each record is composed of the following fields:
ipaddress
The IP address identified as the source of the bot-generated traffic. Always provided.
seen
The Unix timestamp (rounded to the minute) of the last detected event for the given IP and the given botname. Always provided.
firstseen
Unix timestamp (rounded to the minute) of the first detection event for this IP+botname combination. This will match the value of seen if it’s the first sighting of this type on this particular IP. Always provided.
listed
The Unix timestamp (rounded to the minute) of when the entry reached our database. Usually, this is very close to the value of seen, except when the data comes from batched processes. Always provided.
valid_until
Unix timestamp (rounded to the minute) of when the given entry will be considered “expired” from our dataset. Always provided.
dstport
The destination port of the traffic that triggered the detection. It’s usually port 25, which is also the implicit value when the field is not present.
asn
The Autonomous System Number (ASN) announcing the IP; predominantly obtained from routeviews data.
lat
Geographic latitude of the IP. Only provided when geolocation data is available.
lon
Geographic longitude of the IP. Only provided when geolocation data is available.
cc
The ISO Country Code of the nation where the IP resides. Only provided when geolocation data is available.
protocol
IP protocol of the traffic triggering the detection. Usually TCP, which is also the implicit value when the field is not present.
domain
The domain the listed IP is (or pretends to be) related to, when available. Usually simply extracted from the HELO/EHLO string in use in the traffic generating or contributing to the listing.
helo
The HELO/EHLO string used in the traffic contributing to the listing.
srcport
The source port for the traffic generating the listing, when available.
heuristic
The heuristic that contributed to the listing decision.
rule
The rule ID that contributed to the listing decision. The value is strictly an internal reference to Spamhaus systems; it is provided only as a back-reference to the logic responsible for the listing, which can be useful to Spamhaus engineers and researchers.
subject
An example Subject line for messages that contributed to the listing. Not always available or published.
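
The following Python is an added example, not Spamhaus code: it makes the implicit dstport and protocol values explicit, rejects records that lack an always-provided field, and drops entries past valid_until. The lowercase "tcp" spelling, the first_sighting key, the function names and the sample records are assumptions constructed for illustration.

```python
import json

# Fields the page marks "Always provided".
REQUIRED = ("ipaddress", "seen", "firstseen", "listed", "valid_until")
# Implicit values the page gives for absent fields; the lowercase "tcp"
# spelling is an assumption, the page only says "TCP".
DEFAULTS = {"dstport": 25, "protocol": "tcp"}


def normalize(record):
    """Return a copy of one eCSS record with implicit defaults made explicit."""
    missing = [f for f in REQUIRED if f not in record]
    if missing:
        raise ValueError(f"record missing required fields: {missing}")
    out = dict(DEFAULTS)
    out.update(record)  # values present in the record override the defaults
    for f in ("seen", "firstseen", "listed", "valid_until"):
        out[f] = int(out[f])
    # Hypothetical helper key: firstseen == seen means a first sighting.
    out["first_sighting"] = out["firstseen"] == out["seen"]
    return out


def active_listings(records, now):
    """Split records into (not yet expired at Unix time `now`, rejected)."""
    active, rejected = [], []
    for rec in records:
        try:
            n = normalize(rec)
        except (ValueError, TypeError) as exc:
            rejected.append((rec, str(exc)))
            continue
        if n["valid_until"] > now:
            active.append(n)
    return active, rejected


# Constructed sample records (documentation-range IPs, made-up values).
SAMPLE = json.loads("""[
 {"ipaddress": "192.0.2.10", "seen": 1700000040, "firstseen": 1700000040,
  "listed": 1700000100, "valid_until": 1700600100, "helo": "mail.example.test"},
 {"ipaddress": "198.51.100.7", "seen": 1700000400, "firstseen": 1699000020,
  "listed": 1700000460, "valid_until": 1700000520, "dstport": 587, "cc": "US"},
 {"ipaddress": "203.0.113.5", "seen": 1700000400}
]""")
```

Rejected records are returned rather than silently skipped, so a consumer can alert when the feed stops matching the documented format.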