Domain reputation data

TLD List

Users of the Spamhaus Intelligence API (SIA) should make queries using domain names, and therefore, you need to have the complete list of what we consider a TLD.

To fetch our TLD list, call the TLD endpoint:

  • Method: GET

  • Url: /api/intel/v2/domains/tld

  • Parameters: none

Output:

An array of strings containing the full list of TLDs, as defined by Spamhaus.

[
    "it",
    "com",
    "net",
    "co.uk",
    "ca",
    ...
]

In this case, the following would be valid domains:

  • example.it

  • example.com

  • example.net

  • example.co.uk

  • example.ca

While the following would not be valid:

  • www.example.it

  • www.example.com

  • www.example.net

  • www.example.co.uk

  • www.example.ca

Domain - General

This API is useful for fetching generic information about the domain and its total reputation score.

  • Method: GET

  • Url: /api/intel/v2/byobject/domain/{DOMAIN}

  • Parameters: none

Output:

{
    "domain": "example.com",
    "last-seen": 1248469080,
    "tags": [
        "isp",
        "dyndns"
    ],
    "abused": true,
    "deactivated-ts": 1248479080,
    "clusters": {
        "auth": "ein2aiS3ohng1Eiqu9shaiz0ethe5Afe",
        "infra": "ein2aiS3ohng1Eiqu9shaiz0ethe5Afe"
    },
    "whois": {
        "created": 808358400,
        "expires": 808358400,
        "registrar": "RESERVED-Internet Assigned Numbers Authority"
    },
    "score": -4.3
}

The attributes in the response are as follows:

  • domain: the domain name queried.

  • last-seen: the unix timestamp of the last time our automation or our researchers observed the domain.

  • tags: multiple tags can be attributed to a domain. These can be related to abuse associated with the domain, what type of domain it is or what it hosts, e.g., “phishing” or “redirector”.

  • abused: where the value returned is “true” this indicates the legitimate domain has been compromised.

  • deactivated-ts: The UNIX timestamp, if available, when the domain delegation disappeared from the root zone, either because the domain has expired or has been suspended from the registrar.

  • clusters: hashes that correlate multiple domains that share similar patterns; including email authentication and registration/infrastructure.

  • whois

    • created - the date the domain was registered

    • expires - the date the domain is due to expire

    • registrar - the domain’s registrar

  • score - this is the value of all the reputation dimensions combined. Zero is the neutral point, the higher the positive number; the greater the positive reputation of the domain, and conversely, the higher the negative score, the greater the negative reputation.

Tag list

The full list of tags that can be associated with a domain can be fetched, together with a description, from the tags endpoint.

  • Method: GET

  • Url: /api/intel/v2/domains/tags

  • Parameters: none

Output:

[
  {
    "tag": "abused",
    "description": "domain is being abused by third parties"
  },
  {
    "tag": "adware",
    "description": "domain is used by adware"
  },
  {
    "tag": "botnet",
    "description": "domain is used in botnet spam"
  },
  {
    "tag": "botnetcc",
    "description": "domain is used for botnet command and control"
  },
  {
    "tag": "cdn",
    "description": "this domain hosts a CDN"
  },
  {
    "tag": "compromised",
    "description": "domain has been compromised"
  },
  ...
  ... (more here...)
  ...
]

Reputation Dimensions

Spamhaus assesses the reputation of each domain across several dimensions. Each dimension is a container which we associate signals with. For example, if we receive a signal indicating a bot infection, we will modify the malware dimension while if we have signals relating to the emails sent by the domain reaching our spamtraps, we will alter the smtp dimension.

The main supported dimensions are:

  • SMTP: Automated scoring based on rules applied to the signal extracted from global email metadata shared by first and third party partners.

  • Identity: Automated scoring based on rules applied to various sources of domain-related data. Examples of what our systems and associated rules focus on to establish an identity score are:

    • email authentication;

    • encryption configurations.

  • Infra: Automated scoring applied to various sources of domain-related data. Examples of what our systems and associated rules focus on to establish the infrastructure score are:

    • the domain’s associated name servers;

    • domain host. In cases where the hosting network’s IP reputation is deemed so poor that it is listed in the drop datasets, this may also adversely affect the domain’s infra score.

  • Malware: Automated scoring based on intelligence from various first and third-party partner feeds, including abuse.ch data. The scores are derived from associations between the domain and malware content across many different scenarios. Examples of associations include:

    • domains associated with malware files distribution which may be malicious URLs;

    • botnet infrastructure.

  • Human: Scoring based on any manual investigations our research team may have undertaken that are associated with the domain. Human-based interventions are used when automation is not possible, such as understanding adversaries’ tactics, tools, and procedures (TTPs). The research team uses multiple tools and techniques to investigate and score a domain.


  • Method: GET

  • Url: /api/intel/v2/byobject/domain/{DOMAIN}/dimensions

  • Parameters: none

Output:

{
    "human":25,
    "identity":5,
    "infra":15,
    "malware":-5,
    "smtp":0
}

Each dimension provides a score, contributing to the overall domain score in the Domain API call.

To retrieve the full list of supported dimensions, you can use the Dimension List API method shown below.

Dimension List

This call fetches all the dimensions available via the API and a short description.

  • Method: GET

  • Url: /api/intel/v2/domains/dimensions

  • Parameters: none

Output:

[
  {
    "dimension": "human",
    "description": "The human reputation for a domain, taking into account operations and false positive fallouts"
  },
  {
    "dimension": "identity",
    "description": "Reputation of the identity of the domain (Owner, registrar and more)"
  },
  {
    "dimension": "infra",
    "description": "Reputation of the infrastructure of the domain (NS, hosts, ...)"
  },
  {
    "dimension": "malware",
    "description": "Reputation of the domain as affected by malware, bots and distribution of such threats"
  },
  {
    "dimension": "smtp",
    "description": "Reputation in the SMTP area"
  }
]

Domain Contexts

A context indicates where the domain was observed within the signals we receive and analyze.

  • Method: GET

  • Url: /api/intel/v2/byobject/domain/{DOMAIN}/contexts

  • Parameters: none

Output:

[
    {"context":"zrd",           "last-seen":1675610582},
    {"context":"osint",         "last-seen":1675770476},
    {"context":"dkim-header","  "last-seen":1675014698},
    {"context":"tlscert",       "last-seen":1675763213},
    {"context":"webscraper",    "last-seen":1670886248},
    {"context":"helo",          "last-seen":1675770972},
    {"context":"mailbody",      "last-seen":1675759750},
    {"context":"mailsample",    "last-seen":1675760006}
]

Context List

This call fetches all the contexts available via the API, along with a short description.

  • Method: GET

  • Url: /api/intel/v2/domains/contexts

  • Parameters: none

Output:

[
  {
    "context": "dkim-header",
    "description": "The domain has been used in a DKIM header in a mail sample"
  },
  {
    "context": "dkim_d",
    "description": "DKIM d= field"
  },
  {
    "context": "dnsblquery",
    "description": "The domain has been seen in a dnsbl query"
  },
  {
    "context": "helo",
    "description": "The domain has been seen in a SMTP HELO/EHLO command"
  },
  {
    "context": "mailbody",
      "description": "The domain has been used in a link in the content of an email"
  },
  {
    "context": "mailsample",
    "description": "The domain has been observed in a mail sample"
  },
  {
    "context": "osint",
    "description": "The domain has been discovered researching open data"
  },
  {
    "context": "pdns",
    "description": "The domain has been seen in a passive-dns query"
  },
  {
    "context": "redirect",
    "description": "The domain has been detected following an HTTP redirect"
  },
  {
    "context": "sandbox",
    "description": "The domain has been seen in a malware sandbox"
  },
  {
    "context": "sms",
    "description": "The domain has been observed inside an SMS"
  },
  {
    "context": "tlscert",
    "description": "The domain has been seen in the TLS certificate"
  },
  {
    "context": "webscraper",
    "description": "The domain has been detected by a webscraper"
  },
  {
    "context": "zone",
    "description": "The domain has been seen in a zone file"
  },
  {
    "context": "zrd",
    "description": "The domain has been seen through Zero Reputation Domain (ZRD)"
  }
]

Domain Listing

This details if the domain is currently listed in a Spamhaus DNSBL. It also provides the timestamp it was listed and the timestamp of when the listing will expire (subject to the listing not being renewed). If the domain shows unlisted, i.e., "is-listed": false, the correlating timestamp indicates when the domain was last evaluated.

  • Method: GET

  • Url: /api/intel/v2/byobject/domain/{DOMAIN}/listing

  • Parameters: none

{
    "ts":1675771080,
    "is-listed": true,
    "listed-until": 1677067092
}

If the domain is not listed, this will return "is_listed": false

Domain Senders

This API call fetches information relating to the IP addresses that have been seen sending emails for the domain.

The score is a reputation value, similar to the one associated with the domain, but refers to the reputation of the sender’s IP address. It is important to remember that the IP addresses returned by this API call will cover a broad range of reputation, from very good to exceptionally poor and the sender’s IP reputation may not be strictly related to the domain itself.

  • Method: GET

  • Url: /api/intel/v2/byobject/domain/{DOMAIN}/senders

  • Parameters: none

Output:

[
  {
    "ip": "209.85.214.198",
    "last-seen": 1675596360,
    "helo": null,
    "score": -4
  },
  {
    "ip": "2a00:1450:4864:20::22a",
    "last-seen": 1675595956,
    "helo": "mail-lj1-x22a.google.com",
    "score": 8
  }
]

No more than 50 IP addresses will be listed.

Nameserver Reputation

This API call delivers a list of nameservers operating as authoritatives for this domain, including current and historical ones. If they change, we will include them in the output context and timestamps relating to the previous ones. Only the last 15 nameservers are listed in this API call.

The reputation score of a nameserver is the average reputation of the domains for which the NS is authoritative, while the counter shows the total number of domains served by such NS.

  • Method: GET

  • Url: /api/intel/v2/byobject/domain/{DOMAIN}/ns

  • Parameters: none

Output:

[
    {
        "ns":"ns-1361.awsdns-42.org",
        "last-seen":1675771053,
        "score":2.8,
        "counter":2172
    },
    {
        "ns":"ns-1889.awsdns-44.co.uk",
        "last-seen":1675771053,
        "score":2.7,
        "counter":2310
    }
]

A Records reputation

A records are the A (or AAAA) records to which the domain or www.domain resolves to.

The reputation score of an entry is the average reputation of the domains served by this IP address, while the counter shows the total number of domains served by such ip address.

  • Method: GET

  • Url: /api/intel/v2/byobject/domain/{DOMAIN}/a

  • Parameters: none

Output:

    {
        "ip":"2a01:488:42:1000:50ed:8219:ff8d:f33f",
        "last-seen":1675771053,
        "score":2.8,
        "counter":2172
    },
    {
        "ip":"38.54.112.21",
        "last-seen":1675771053,
        "score":2.7,
        "counter":2310
    },

Hostnames listed

Spamhaus tries to minimize the impact and reach of a listing, and, where possible, we list hostnames rather than domains.

This API call will list, if available, the hostnames that are (or have been) listed for a specific domain in the recent past.

  • Method: GET

  • Url: /api/intel/v2/byobject/domain/{DOMAIN}/hostnames

  • Parameters: none

[
    {
        "hostname":"2-floor.dyndns.org",
        "ts":1674277159,
        "is-listed":"true",
        "listed-until":1674542157,
        "abused":false
    },
      {
        "hostname":"astaredp.dyndns.org",
        "ts":1674213650,
        "is-listed":"true",
        "listed-until":1674472858,
        "abused":false
    },
      {
        "hostname":"elchecancun.dyndns.org",
        "ts":1674264863,
        "is-listed":"true",
        "listed-until":1674524098,
        "abused":false
    }
]

The list is limited to 50 elements.

Malware (hashes and urls)

  • Method: GET

  • Url: /api/intel/v2/byobject/domain/{DOMAIN}/malware/hashes

  • Parameters: none

Output:

[
    {
        "type": "sha256",
        "hash": "d685319e95ac1bb62ec778345656832efa6b7f99c267d33915b043acab151271",
        "botname": "win.zxxz",
        "ts": 1675771053
    },
    {
        "type": "sha256",
        "hash": "d685319e95ac1bb62ec778345656832efa6b7f99c267d33915b043acab151271",
        "botname": "win.zxxz",
        "ts": 1675771053
    },
    {
        "type": "sha256",
        "hash": "d685319e95ac1bb62ec778345656832efa6b7f99c267d33915b043acab151271",
        "botname": "win.zxxz",
        "ts": 1675771053
    },
    ... more of these   
]
  • Method: GET

  • Url: /api/intel/v2/byobject/domain/{DOMAIN}/malware/urls

  • Parameters: none

Output:

[
    {
        "url": "https://tecni-soft.com/ACCESORIOS/Xqp/",
        "botname": "win.zxxz",
        "ts": 1675771053
    },
    {
        "url": "https://tecni-soft.com/ACCESORIOS/Xqp/",
        "botname": "win.zxxz",
        "ts": 1675771053
    },
    {
        "url": "https://tecni-soft.com/ACCESORIOS/Xqp/",
        "botname": "win.zxxz",
        "ts": 1675771053
    },
    ... more of these   
]

Hashes and URLs arrays are limited to the latest 25 elements.

Clusters [extended access only]

Spamhaus uses cluster hashes to correlate related domains across certain areas:

Auth - relates to patterns in email authentication.

Infra - relates to patterns in domain registration and infrastructure.

Please note: This is not a definitive list, and some domains returned in the query may not be related. This should be purely used as a signal, a potential identifier for further investigation. When you look up a cluster starting from a bad domain, it does not necessarily mean that all domains share the same bad reputation.

  • Method: GET

  • Url: /api/intel/v2/byobject/hash/infra/{hash-string}

  • Parameters: none

  • Method: GET

  • Url: /api/intel/v2/byobject/hash/auth/{hash-string}

  • Parameters: none

For both these methods, you should use the hash that is returned in the cluster object in the Domain - General API call.

Not every domain queried will return a cluster hash, and sometimes a hash may expose only one domain.

Output:

[
    "domain1",
    "domain2",
    "domain3"
    ...
]

This API is only available to users with Extended Access. If you require access to this specific API, please discuss with your commercial contact at Spamhaus.