Extended DBL (eDBL)
This is the domain reputation data as seen and built by Spamhaus systems, on top of which the DBL is generated. Each domain in the system is associated with an indication of its reputation, as well as metadata providing context for both the domain and its reputation. Records are composed of the following fields:
domain
The domain name the reputation record refers to. Always provided.
reputation
The reputation Spamhaus systems associate with the given domain. Possible values are:
malicious
bad
neutral
good
great
registrar
The registrar the given domain is managed through, as available in registration data. If the information is not available for any reason, the field will be missing. Because most registrar names appear slightly different in various contexts, the name reported here is normalized by Spamhaus for consistency’s sake.
date_created
The UNIX timestamp representing the date and time at which the domain was registered, as extracted from registration data. If such extraction is not possible, the field will be missing.
first_seen
The UNIX timestamp representing the first time the domain has been seen in use by Spamhaus, independently of the context.
last_seen
The UNIX timestamp representing the last time the domain has been seen in use by Spamhaus, independently of the context.
type
If the domain has been identified as the vector of some threat or behavior, this represents what that is. As such, the field is missing entirely if no specific behavior or threat is associated with the domain. Possible values are:
phish
malware
botnetcc
snowshoe
redirector
adware
sinkhole
senders
An array of entries, each one containing an ip field representing an IP address and a last_seen timestamp, providing information about where and when the domain has been observed in spamtrap data (if any).
trusted_tld
A boolean value (either true or false) describing whether the TLD the domain is part of restricts registrations to verified and limited entities. Examples are .gov, .mil, .bank etc.
corporate_registrar
A boolean value (either true or false) describing whether the registrar in use is a “corporate-type” one, like “MarkMonitor”, “ComLaude”, “CSC” and so on.
history
An array of entries, enumerating all the reputation changes the domain has gone through since it has been monitored. Each entry is composed of three fields:
from_reputation
The reputation value before the given change
to_reputation
The reputation value the domain moved to
time
The UNIX timestamp representing when the reputation change took place
ns
An array of entries, enumerating the hostnames that have been indicated as nameserver delegations for the given domain. Note that this information is taken from the parent domain (in most cases, the TLD), and as such can be subject to forgery, as in “a domain is pointing the delegation to a host that is not really providing nameserver services for that domain or at all”. Each array entry is composed of three fields:
hostname
The hostname indicated as the target of the NS delegation
first_seen
The UNIX timestamp representing when the delegation has been observed for the first time
last_seen
The UNIX timestamp representing when the delegation has been observed for the last time
reputation
The reputation associated with the given nameserver, calculated by weighting the average reputation of the domains pointing to it
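
As an added example (not Spamhaus code), the following shows one way to consume a record with the fields described above while tolerating the ones that may be missing. It assumes records arrive as JSON objects and that the reputation values are listed from worst to best; the sample record and the summarize helper are constructed for illustration.

```python
# Added example: field names come from the page; the JSON encoding, the sample
# values and the worst-to-best ordering of reputations are assumptions.
import json

RANK = {r: i for i, r in enumerate(["malicious", "bad", "neutral", "good", "great"])}

# Constructed record, not real Spamhaus data.
SAMPLE = json.loads("""{
  "domain": "example.test", "reputation": "bad", "type": "phish",
  "date_created": 1700000000, "first_seen": 1700086400, "last_seen": 1700600000,
  "senders": [{"ip": "192.0.2.10", "last_seen": 1700500000}],
  "trusted_tld": false, "corporate_registrar": false,
  "history": [
    {"from_reputation": "neutral", "to_reputation": "bad", "time": 1700100000},
    {"from_reputation": "bad", "to_reputation": "malicious", "time": 1700200000},
    {"from_reputation": "malicious", "to_reputation": "bad", "time": 1700550000}],
  "ns": [{"hostname": "ns1.example.test", "first_seen": 1700000500,
          "last_seen": 1700600000, "reputation": "bad"}]
}""")


def summarize(rec):
    """Reduce one record to triage fields, tolerating the optional ones."""
    created, first = rec.get("date_created"), rec.get("first_seen")
    history = sorted(rec.get("history", []), key=lambda h: h["time"])
    drops = [h for h in history
             if RANK[h["to_reputation"]] < RANK[h["from_reputation"]]]
    seen = [rec.get("reputation")] + [h["to_reputation"] for h in history]
    return {
        "domain": rec["domain"],  # the only field documented as always provided
        "reputation": rec.get("reputation"),
        "threat": rec.get("type"),  # missing when no threat is associated
        # date_created can be missing, so the registration-to-use gap may be None
        "days_to_first_use": (first - created) / 86400
                             if created is not None and first is not None else None,
        "downgrades": len(drops),
        "last_downgrade": drops[-1]["time"] if drops else None,
        "worst_seen": min(seen, key=lambda r: RANK.get(r, len(RANK))),
        "sender_ips": [s["ip"] for s in rec.get("senders", [])],
        # ns data comes from the parent zone and can be forged: a hint, not proof
        "low_rep_ns": [n["hostname"] for n in rec.get("ns", [])
                       if RANK.get(n.get("reputation"), 2) < RANK["neutral"]],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

The history walk surfaces that the sample domain was rated malicious at one point even though its current reputation is bad, which the reputation field alone does not show.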