Spamhaus

Advanced Threat Feeds


Spamhaus Advanced Threat Datafeeds: threat intelligence updated every 60 seconds.

- Botcc

- eXBL

- Passive DNS

Spamhaus has released several new threat feeds: ... this data is very current, detailed and actionable intelligence on botnets, infected hosts and related metadata, making it highly valuable and actionable. This advanced threat data can be a great source of cutting-edge intelligence to improve your defenses and help address malicious activity.


Spamhaus Advanced Security Threat Feeds provide live data to help organizations mitigate the risks posed by botnets, phishing, and malware. To combat these emerging threats, Spamhaus security researchers constantly analyze spam traffic, domains, IP addresses, and malware to identify malicious host sites, the locations of C&C servers, network relationships between malicious DNS and cybercriminal operations, and network connections between C&C servers and botnet nodes.

Spamhaus' continuously updated datastream provides system administrators, network managers, and security practitioners with context on the origins and severity of the latest cybercriminal campaigns, and the ability to block harmful email and IP traffic at the network edge, before it can do any harm.


1 - Botcc Feed:

The Spamhaus Botnet Command and Control (C&C) list is an advisory "drop all traffic" list consisting of single IPv4 addresses. The feed contains no subnets and no CIDR prefixes other than /32. The servers on these IP addresses host botnet C&C nodes. Botnet C&C nodes are servers that control the individual malware-infected computers (bots) that together form a botnet. Bots regularly contact botnet C&C nodes so that the malware on the bots can transfer stolen data to the C&C node for delivery to the botnet's owner, and to obtain instructions for what to do next. Once a bot contacts a C&C node, it receives instructions to send spam, host spammed web sites, attack other hosts on the internet, and provide name service (DNS) for the domains used in those attacks.

Listing criteria 

An IP address is listed on the Botnet C&C list when it meets the following criteria:

  • The server hosted at this IP address is used to control computers that are infected with malware.
  • The server hosted at this IP address is operated with this intent (in other words, the server is operated by cybercriminals).

The file contains IPs found to host botnet C&C controllers and has three fields:

  • IP, Botnet Name, base64-encoded free text field giving further information.
  • The text field provides detailed information from the SBL, including the details supporting the nature of the Botcc entry.
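As an added example (not Spamhaus code), a small parser that applies the contract described above to constructed Botcc-style records: it accepts only single IPv4 addresses, rejects subnets, IPv6 and malformed lines, decodes the base64 free-text field, and renders the accepted entries as the /32 strings a "drop all traffic" rule would use. The comma delimiter and the sample lines are assumptions, not the real feed format.

```python
import base64
import ipaddress

# Assumption: one record per line, comma-separated, in the page's field order
# "IP, Botnet Name, base64 encoded free text". These lines are constructed
# samples; the base64 text decodes to "example note".
SAMPLE_FEED = """\
192.0.2.10,examplebot,ZXhhbXBsZSBub3Rl
198.51.100.0/24,examplebot,ZXhhbXBsZSBub3Rl
2001:db8::1,examplebot,ZXhhbXBsZSBub3Rl
203.0.113.9,otherbot,not-base64!!
192.0.2.11,examplebot
203.0.113.7,otherbot,ZXhhbXBsZSBub3Rl
"""

def parse_botcc_record(line: str) -> "dict | None":
    """Return a dict for a record meeting the page's contract (three fields,
    one IPv4 /32 host address, base64 text), or None if it does not."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 3:
        return None
    ip_text, botname, b64 = parts
    try:
        addr = ipaddress.IPv4Address(ip_text)  # rejects "a.b.c.d/nn" and IPv6
    except ipaddress.AddressValueError:
        return None
    try:
        note = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return {"ip": addr, "botname": botname, "note": note}

def load_botcc_feed(text: str) -> "tuple[list[dict], list[str]]":
    """Partition feed text into accepted records and rejected raw lines."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_botcc_record(line)
        if record is None:
            rejected.append(line)  # keep the raw line for logging and triage
        else:
            accepted.append(record)
    return accepted, rejected

def to_drop_list(records: "list[dict]") -> "list[str]":
    """Render accepted entries as sorted /32 strings for a drop rule."""
    return [f"{r['ip']}/32" for r in sorted(records, key=lambda r: r["ip"])]
```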

2 - eXBL (enhanced XBL):

A comprehensive and detailed list of Infected Hosts. 

This datafeed is designed to identify bot traffic:

  • 6-8 million entries
  • highly accurate
  • updated every 30 minutes or less
  • listed items are single IPs (/32s)
  • extensive, accurate list of bot-infected machines
  • includes rich metadata:
    - IP
    - ASN
    - CIDR allocation
    - Country
    - Domain
    - Timestamp
    - Botname

3 - Spamhaus Passive DNS:

Passive DNS is a technique in which inter-server DNS messages are captured by sensors and forwarded to a collection point for analysis. After processing, the individual DNS records are stored in a database where they can be indexed and queried.

Spamhaus Passive DNS collects tremendous volumes of DNS query information to deliver insight into DNS traffic. Note that Spamhaus DNS traffic tends to provide excellent visibility into badness, as many of the DNS queries indicate undesired activity.

Spamhaus Passive DNS 

  • very robust: over 2B records/day, excellent visibility into ‘badness’ on the net
  • includes host IP, NS domain, CNAME, MX record (plus much more…)

Questions that can be answered using a Passive DNS Database 

  • Where did this domain name point to in the past? 
  • What domain names are hosted by a given nameserver? 
  • What domain names point into a given IP network? 
  • What subdomains exist below a certain domain name? 

Passive DNS – Tool to Find the Badness