Extended DBL (eDBL)

This is the domain reputation data as seen and built by Spamhaus systems, and on top of which the DBL is generated. Each domain in the system is associated with an indication of its reputation, as well as a number of metadata fields providing context for both the domain and its reputation. Records are composed of the following fields:

  • domain The domain name the reputation record refers to. Always provided.

  • reputation The reputation Spamhaus systems associate with the given domain. Possible values are:

    • malicious

    • bad

    • neutral

    • good

    • great

  • registrar The registrar the given domain is being managed through, as available in registration data. If the information is not available for any reason, the field will be missing. Given that most registrar names appear slightly different in various contexts, the name reported here is normalized by Spamhaus for consistency’s sake.

  • date_created The UNIX timestamp representing the date and time at which the domain was registered, as extracted from registration data. If such extraction is not possible, the field will be missing.

  • first_seen The UNIX timestamp representing the first time the domain has been seen in use by Spamhaus, independently of the context.

  • last_seen The UNIX timestamp representing the last time the domain has been seen in use by Spamhaus, independently of the context.

  • type If the domain has been identified as the vector of some threat or behavior, this represents what that is. As such, the field would be missing entirely if no specific behavior or threat is associated with it. Possible values are:

    • phish

    • malware

    • botnetcc

    • snowshoe

    • redirector

    • adware

    • sinkhole

  • senders It’s an array of entries, each one containing an ip field representing an IP address and a last_seen timestamp, providing information about where and when the domain has been observed in spamtrap data (if any).

  • trusted_tld It’s a boolean value (so either true or false) describing whether the TLD the domain is part of restricts registrations to verified and limited entities. Examples are .gov, .mil, .bank etc.

  • corporate_registrar It’s a boolean value (so either true or false) describing whether the registrar in use is a “corporate-type” registrar, like “MarkMonitor”, “ComLaude”, “CSC” and so on.

  • history It’s an array of entries, enumerating all the reputation changes the domain has gone through since it started being monitored. Each entry is composed of three fields:

    • from_reputation the reputation value before the given change

    • to_reputation the reputation value the domain moved to

    • time the UNIX timestamp representing when the reputation change took place

  • ns It’s an array of entries, enumerating the hostnames that have been indicated as nameserver delegations for the given domain. Note that this information is taken from the parent domain (in most cases, the TLD), and as such can be subject to forgery, as in “a domain is pointing the delegation to a host that is not really providing nameserver services for that domain or at all”. Each array entry is composed of the following fields:

    • hostname The hostname indicated as the target of the NS delegation

    • first_seen The UNIX timestamp representing when the delegation has been observed for the first time

    • last_seen The UNIX timestamp representing when the delegation has been observed for the last time

    • reputation The reputation associated with the given nameserver, calculated by weighting the average reputation of the domains pointing to it
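As an added example, not part of the Spamhaus documentation or tooling, the following Python assumes each eDBL record is delivered as a JSON object using the field names above: it validates the enumerated values and derives a few defender-side signals (domain age at last observation, spamtrap sightings, worst nameserver reputation, number of reputation downgrades) from the metadata. The sample record, domain and hostnames are constructed for illustration.

```python
import json

# Enumerations as documented for the eDBL record format.
REPUTATIONS = ("malicious", "bad", "neutral", "good", "great")
TYPES = ("phish", "malware", "botnetcc", "snowshoe", "redirector", "adware", "sinkhole")

# Constructed sample record (not real Spamhaus data; hypothetical domain and hosts).
SAMPLE = json.dumps({
    "domain": "example-lure.test",
    "reputation": "bad",
    "registrar": "Example Registrar",
    "date_created": 1700000000,
    "first_seen": 1700086400,
    "last_seen": 1700172800,
    "type": "phish",
    "senders": [{"ip": "192.0.2.10", "last_seen": 1700172800}],
    "trusted_tld": False,
    "corporate_registrar": False,
    "history": [{"from_reputation": "neutral", "to_reputation": "bad", "time": 1700100000}],
    "ns": [{"hostname": "ns1.example.test", "first_seen": 1700086400,
            "last_seen": 1700172800, "reputation": "bad"}],
})

def parse_record(text):
    """Decode one eDBL record and validate required fields and enumerated values."""
    rec = json.loads(text)
    if "domain" not in rec or rec.get("reputation") not in REPUTATIONS:
        raise ValueError("missing domain or unknown reputation")
    if "type" in rec and rec["type"] not in TYPES:  # type is optional
        raise ValueError("unknown type: %r" % rec["type"])
    for h in rec.get("history", []):
        if h["from_reputation"] not in REPUTATIONS or h["to_reputation"] not in REPUTATIONS:
            raise ValueError("bad history entry: %r" % h)
    return rec

def risk_signals(rec):
    """Derive simple defender-side signals from a validated record's metadata."""
    signals = {"threat_type": rec.get("type")}
    # Domain age at last observation, in whole days; absent when date_created is missing.
    if "date_created" in rec:
        signals["age_days_at_last_seen"] = (rec["last_seen"] - rec["date_created"]) // 86400
    signals["seen_in_spamtraps"] = bool(rec.get("senders"))
    # Worst reputation among the domain's observed nameserver delegations.
    ns_reps = [n["reputation"] for n in rec.get("ns", []) if "reputation" in n]
    signals["worst_ns_reputation"] = min(ns_reps, key=REPUTATIONS.index) if ns_reps else None
    # Count history entries that moved the domain toward a worse reputation.
    signals["downgrades"] = sum(1 for h in rec.get("history", [])
                                if REPUTATIONS.index(h["to_reputation"])
                                < REPUTATIONS.index(h["from_reputation"]))
    return signals
```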