Domain reputation data
TLD List
Users of the Spamhaus Intelligence API (SIA) should make queries using domain names, and therefore, you need to have the complete list of what we consider a TLD.
To fetch our TLD list, call the TLD endpoint:
Method: GET
Url: /api/intel/v2/domains/tld
Parameters: none
Output:
An array of strings containing the full list of TLDs, as defined by Spamhaus.
[
"it",
"com",
"net",
"co.uk",
"ca",
...
]
In this case, the following would be valid domains:
example.it
example.com
example.net
example.co.uk
example.ca
While the following would not be valid:
www.example.it
www.example.com
www.example.net
www.example.co.uk
www.example.ca
Domain - General
This API is useful for fetching generic information about the domain and its total reputation score.
Method: GET
Url: /api/intel/v2/byobject/domain/{DOMAIN}
Parameters: none
Output:
{
"domain": "example.com",
"last-seen": 1248469080,
"tags": [
"isp",
"dyndns"
],
"abused": true,
"deactivated-ts": 1248479080,
"clusters": {
"auth": "ein2aiS3ohng1Eiqu9shaiz0ethe5Afe",
"infra": "ein2aiS3ohng1Eiqu9shaiz0ethe5Afe"
},
"whois": {
"created": 808358400,
"expires": 808358400,
"registrar": "RESERVED-Internet Assigned Numbers Authority"
},
"score": -4.3
}
The attributes in the response are as follows:
domain: the domain name queried.
last-seen: the unix timestamp of the last time our automation or our researchers observed the domain.
tags: multiple tags can be attributed to a domain. These can be related to abuse associated with the domain, what type of domain it is or what it hosts, e.g., “phishing” or “redirector”.
abused: where the value returned is “true” this indicates the legitimate domain has been compromised.
deactivated-ts: The UNIX timestamp, if available, when the domain delegation disappeared from the root zone, either because the domain has expired or has been suspended from the registrar.
clusters: hashes that correlate multiple domains that share similar patterns; including email authentication and registration/infrastructure.
whois
created - the date the domain was registered
expires - the date the domain is due to expire
registrar - the domain’s registrar
score - this is the value of all the reputation dimensions combined. Zero is the neutral point, the higher the positive number; the greater the positive reputation of the domain, and conversely, the higher the negative score, the greater the negative reputation.
Tag list
The full list of tags that can be associated with a domain can be fetched, together with a description, from the tags endpoint.
Method: GET
Url: /api/intel/v2/domains/tags
Parameters: none
Output:
[
{
"tag": "abused",
"description": "domain is being abused by third parties"
},
{
"tag": "adware",
"description": "domain is used by adware"
},
{
"tag": "botnet",
"description": "domain is used in botnet spam"
},
{
"tag": "botnetcc",
"description": "domain is used for botnet command and control"
},
{
"tag": "cdn",
"description": "this domain hosts a CDN"
},
{
"tag": "compromised",
"description": "domain has been compromised"
},
...
... (more here...)
...
]
Reputation Dimensions
Spamhaus assesses the reputation of each domain across several dimensions
. Each dimension
is a container which we associate signals with. For example, if we receive a signal indicating a bot infection, we will modify the malware
dimension while if we have signals relating to the emails sent by the domain reaching our spamtraps, we will alter the smtp
dimension.
The main supported dimensions
are:
smtp: Reputation in the SMTP area
identity: Reputation of the identity of the domain. (Owner, registrar and more)
infra: Reputation of the infrastructure of the domain. (NS, hosts, etc.)
malware: Reputation of the domain affected by malware, bots and the distribution of such threats
human: The human reputation for a domain, accounting for operations and false positive fallouts. This dimension represents the opinion of Spamhaus researchers about the domain.
3rdparty: Third parties reputation signals are added to this dimension.
Method: GET
Url: /api/intel/v2/byobject/domain/{DOMAIN}/dimensions
Parameters: none
Output:
{
"human":25,
"identity":5,
"infra":15,
"malware":-5,
"smtp":0
}
Each dimension provides a score, contributing to the overall domain score in the Domain API call.
To retrieve the full list of supported dimensions, you can use the Dimension List
API method shown below.
Dimension List
This call fetches all the dimensions available via the API and a short description.
Method: GET
Url: /api/intel/v2/domains/dimensions
Parameters: none
Output:
[
{
"dimension": "3rdparty",
"description": "Third parties reputation signals are added to this dimension"
},
{
"dimension": "human",
"description": "The human reputation for a domain, taking into account operations and false positive fallouts"
},
{
"dimension": "identity",
"description": "Reputation of the identity of the domain (Owner, registrar and more)"
},
{
"dimension": "infra",
"description": "Reputation of the infrastructure of the domain (NS, hosts, ...)"
},
{
"dimension": "malware",
"description": "Reputation of the domain as affected by malware, bots and distribution of such threats"
},
{
"dimension": "smtp",
"description": "Reputation in the SMTP area"
},
{
"dimension": "web",
"description": "Reputation of the web part of the domain: the sites and their behaviour"
}
]
Domain Contexts
A context indicates where the domain was observed within the signals we receive and analyze.
Method: GET
Url: /api/intel/v2/byobject/domain/{DOMAIN}/contexts
Parameters: none
Output:
[
{"context":"zrd", "last-seen":1675610582},
{"context":"osint", "last-seen":1675770476},
{"context":"dkim-header"," "last-seen":1675014698},
{"context":"tlscert", "last-seen":1675763213},
{"context":"webscraper", "last-seen":1670886248},
{"context":"helo", "last-seen":1675770972},
{"context":"mailbody", "last-seen":1675759750},
{"context":"mailsample", "last-seen":1675760006}
]
Context List
This call fetches all the contexts available via the API, along with a short description.
Method: GET
Url: /api/intel/v2/domains/contexts
Parameters: none
Output:
[
{
"context": "dkim-header",
"description": "The domain has been used in a DKIM header in a mail sample"
},
{
"context": "dkim_d",
"description": "DKIM d= field"
},
{
"context": "dnsblquery",
"description": "The domain has been seen in a dnsbl query"
},
{
"context": "helo",
"description": "The domain has been seen in a SMTP HELO/EHLO command"
},
{
"context": "mailbody",
"description": "The domain has been used in a link in the content of an email"
},
{
"context": "mailsample",
"description": "The domain has been observed in a mail sample"
},
{
"context": "osint",
"description": "The domain has been discovered researching open data"
},
{
"context": "pdns",
"description": "The domain has been seen in a passive-dns query"
},
{
"context": "redirect",
"description": "The domain has been detected following an HTTP redirect"
},
{
"context": "sandbox",
"description": "The domain has been seen in a malware sandbox"
},
{
"context": "sms",
"description": "The domain has been observed inside an SMS"
},
{
"context": "tlscert",
"description": "The domain has been seen in the TLS certificate"
},
{
"context": "webscraper",
"description": "The domain has been detected by a webscraper"
},
{
"context": "zone",
"description": "The domain has been seen in a zone file"
},
{
"context": "zrd",
"description": "The domain has been seen through Zero Reputation Domain (ZRD)"
}
]
Domain Listing
This details if the domain is currently listed in a Spamhaus DNSBL. It also provides the timestamp it was listed and the timestamp of when the listing will expire (subject to the listing not being renewed).
Method: GET
Url: /api/intel/v2/byobject/domain/{DOMAIN}/listing
Parameters: none
{
"ts":1675771080,
"is-listed": true,
"listed-until": 1677067092
}
If the domain is not listed, this will return "is_listed": false
Domain Senders
This API call fetches information relating to the IP addresses that have been seen sending emails for the domain.
The score is a reputation value, similar to the one associated with the domain, but refers to the reputation of the sender’s IP address. It is important to remember that the IP addresses returned by this API call will cover a broad range of reputation, from very good to exceptionally poor and the sender’s IP reputation may not be strictly related to the domain itself.
Method: GET
Url: /api/intel/v2/byobject/domain/{DOMAIN}/senders
Parameters: none
Output:
[
{
"ip": "209.85.214.198",
"last-seen": 1675596360,
"helo": null,
"score": -4
},
{
"ip": "2a00:1450:4864:20::22a",
"last-seen": 1675595956,
"helo": "mail-lj1-x22a.google.com",
"score": 8
}
]
No more than 50 IP addresses will be listed.
Nameserver Reputation
This API call delivers a list of nameservers operating as authoritatives for this domain, including current and historical ones. If they change, we will include them in the output context and timestamps relating to the previous ones. Only the last 15 nameservers are listed in this API call.
The reputation score
of a nameserver is the average reputation of the domains for which the NS is authoritative, while the counter
shows the total number of domains served by such NS.
Method: GET
Url: /api/intel/v2/byobject/domain/{DOMAIN}/ns
Parameters: none
Output:
[
{
"ns":"ns-1361.awsdns-42.org",
"last-seen":1675771053,
"score":2.8,
"counter":2172
},
{
"ns":"ns-1889.awsdns-44.co.uk",
"last-seen":1675771053,
"score":2.7,
"counter":2310
}
]
A Records reputation
A records are the A (or AAAA) records to which the domain or www.domain resolves to.
The reputation score
of an entry is the average reputation of the domains served by this IP address, while the counter
shows the total number of domains served by such ip address.
Method: GET
Url: /api/intel/v2/byobject/domain/{DOMAIN}/a
Parameters: none
Output:
{
"ip":"2a01:488:42:1000:50ed:8219:ff8d:f33f",
"last-seen":1675771053,
"score":2.8,
"counter":2172
},
{
"ip":"38.54.112.21",
"last-seen":1675771053,
"score":2.7,
"counter":2310
},
Hostnames listed
Spamhaus tries to minimize the impact and reach of a listing, and, where possible, we list hostnames rather than domains.
This API call will list, if available, the hostnames that are (or have been) listed for a specific domain in the recent past.
Method: GET
Url: /api/intel/v2/byobject/domain/{DOMAIN}/hostnames
Parameters: none
[
{
"hostname":"2-floor.dyndns.org",
"ts":1674277159,
"is-listed":"true",
"listed-until":1674542157,
"abused":false
},
{
"hostname":"astaredp.dyndns.org",
"ts":1674213650,
"is-listed":"true",
"listed-until":1674472858,
"abused":false
},
{
"hostname":"elchecancun.dyndns.org",
"ts":1674264863,
"is-listed":"true",
"listed-until":1674524098,
"abused":false
}
]
The list is limited to 50 elements.
Malware (hashes and urls)
Method: GET
Url: /api/intel/v2/byobject/domain/{DOMAIN}/malware/hashes
Parameters: none
Output:
[
{
"type": "sha256",
"hash": "d685319e95ac1bb62ec778345656832efa6b7f99c267d33915b043acab151271",
"botname": "win.zxxz",
"ts": 1675771053
},
{
"type": "sha256",
"hash": "d685319e95ac1bb62ec778345656832efa6b7f99c267d33915b043acab151271",
"botname": "win.zxxz",
"ts": 1675771053
},
{
"type": "sha256",
"hash": "d685319e95ac1bb62ec778345656832efa6b7f99c267d33915b043acab151271",
"botname": "win.zxxz",
"ts": 1675771053
},
... more of these
]
Method: GET
Url: /api/intel/v2/byobject/domain/{DOMAIN}/malware/urls
Parameters: none
Output:
[
{
"url": "https://tecni-soft.com/ACCESORIOS/Xqp/",
"botname": "win.zxxz",
"ts": 1675771053
},
{
"url": "https://tecni-soft.com/ACCESORIOS/Xqp/",
"botname": "win.zxxz",
"ts": 1675771053
},
{
"url": "https://tecni-soft.com/ACCESORIOS/Xqp/",
"botname": "win.zxxz",
"ts": 1675771053
},
... more of these
]
Hashes and URLs arrays are limited to the latest 25 elements.
Clusters [extended access only]
Spamhaus uses cluster hashes to correlate related domains across certain areas:
Auth - relates to patterns in email authentication.
Infra - relates to patterns in domain registration and infrastructure.
Please note: This is not a definitive list, and some domains returned in the query may not be related. This should be purely used as a signal, a potential identifier for further investigation. When you look up a cluster starting from a bad domain, it does not necessarily mean that all domains share the same bad reputation.
Method: GET
Url: /api/intel/v2/byobject/hash/infra/{hash-string}
Parameters: none
Method: GET
Url: /api/intel/v2/byobject/hash/auth/{hash-string}
Parameters: none
For both these methods, you should use the hash that is returned in the cluster object in the Domain - General API call.
Not every domain queried will return a cluster hash, and sometimes a hash may expose only one domain.
Output:
[
"domain1",
"domain2",
"domain3"
...
]
This API is only available to users with Extended Access. If you require access to this specific API, please discuss with your commercial contact at Spamhaus.