Towards the end of 2022, Spamhaus released a beta API that provided access to information relating to every domain that researchers observe. This API provided an overview of a domain's reputation and its associated resources. Having listened to the feedback from beta testers, which was along the lines of "It's OK, but we want more insight," our development team went into overdrive to produce an API that meets (and hopefully exceeds) expectations.

What’s new in beta 2.0?

Everything! Well, almost. This API is now broken up into several different calls, allowing users to tailor the insight they query based on their individual use cases and requirements. Each part of the API focuses on a different aspect of the signal available, as detailed below:

Reputation Dimensions

We’re sharing the various dimensions (scores) that your domain’s reputation score is composed of – giving you insight into what dimension may be dragging your reputation score down, so you can take constructive steps to improve your domain’s reputation. The following areas have a score attached to them:

  • smtp: reputation in the SMTP area.
  • identity: reputation of the domain’s identity, for example, the owner and registrar.
  • infra: reputation of the infrastructure of the domain, for example, nameservers and hosts.
  • malware: reputation of the domain as affected by malware, bots, and distribution of such threats.
  • human: the human reputation for a domain. This dimension represents the viewpoint of Spamhaus researchers about the domain.
  • 3rdparty: the reputation score trusted third parties provide relating to the domain.

Context

For those of you who want to know where a domain has been observed, the context is provided, listing all the places the domain has been sighted, for example, in a DKIM header.

Tags

These are used to tag certain types of behaviors, including the type of abuse associated with a domain, e.g., phishing, or what type of domain it is, e.g., a redirector. Multiple tags can be associated with a domain, giving the user a broad picture. Here’s a list of the tags used by our researchers:

  • phish | domain is used in phishing attacks
  • scam | domain is used in fraud
  • malware | domain is used in malware distribution
  • redirector | domain is used as a URL shortener or redirector
  • botnetcc | domain is used for botnet command and control
  • spam | domain is used in spam
  • snowshoe | domain is used in snowshoe spam
  • botnet | domain is used in botnet spam
  • freehost | domain offers free hosting services
  • shared | domain offers shared services
  • compromised | domain has been compromised
  • adware | domain is used by adware
  • dga | domain is a DGA
  • freemail | domain offers freemail services
  • disposable | domain offers disposable services
  • abused | domain is being abused by third parties
  • corporate | validated domain used for corporate uses only
  • dyndns | domain is used to provide dyndns services
  • shortener | URL shortener service
  • cdn | this domain hosts a CDN
  • hailstorm | domain is involved in hailstorm operations
  • isp | domain used for provider customer endpoints

Listed domains

To establish if a domain is listed on a blocklist, you can query the Domain Listings API. This will advise if the domain is listed, the timestamp of when it was listed, and the listing expiry date.

Clusters

Cluster hashes are used to correlate domains with patterns of behavior across the following two areas:

  • Auth – patterns of behavior associated with email authentication.
  • Infra – patterns in domain registration (when and how the domain was registered) and the infrastructure it is using.

Note: This is available to users with Extended Access and must be used cautiously. Clustering is not an exact science but merely indicates potential associations between domains, and further investigations must always be undertaken before assuming all returned domains are associated.

Hostnames

Spamhaus tries to minimize the impact and the reach of a listing on a blocklist or Response Policy Zone, and, when possible, we list hostnames rather than domains. Within SIA, there is now an API call that returns hostnames that are (or have been) listed for a specific domain in the recent past, including timestamps.

Malware

This API call outlines the malware associated with the domain (if any).

Additional intelligence

Various resources relating to the domains are being made available, from sending IP addresses to nameservers (NS) and A Records. Timestamps and the number of domains served by these resources are also provided.

Technical documentation

To get a complete technical overview of the beta 2.0 API, read our technical documentation.

Find out more and sign up

This second beta phase is due to run from Wednesday, March 15th, to Tuesday, May 30th. As always, we will ask testers to provide feedback via online surveys or a one-to-one interview with a trusted third party. To get access to beta 2.0, please complete this form.
