Advanced Threat Feeds

  • Home
  • Advanced Threat Feeds

Spamhaus Advanced Threat Feeds

Real-time threat intelligence helps you stay ahead of the curve when it comes to detecting cyber threats and avoiding a cyberattack. Spamhaus Advanced Threat Datafeeds offer cyber threat intelligence that’s updated every 60 seconds.

Advanced Threat Feeds From Spamhaus

Spamhaus’s Advanced Threat Datafeeds — Botcc, eXBL, eDBL, eCSS and Passive DNS — provide the most current, detailed, and actionable intelligence on botnets, infected hosts, and related metadata. This highly valuable and actionable threat intelligence data improves your defenses and helps address malicious activity.

Benefits of the Spamhaus Advanced Threat Feeds

Organizations can mitigate risks posed by phishing emails, malware domains, botnets, and other cyber threats with the liva data from the Spamhaus Advanced Threat Datafeeds. To combat these emerging threats, Spamhaus security researchers are constantly analyzing spam traffic, domains, IP addresses, and malware. They identify malicious host sites, locations of C&C servers, network relationships between malicious DNS and cybercriminal operations, and network connections between C&C servers and botnets. The continuously-updated datastream from Spamhaus provides system administrators, network managers, and security practitioners with the origins and severity of the latest cybercriminal campaigns, as well as the ability to implement stronger network security by blocking malicious email and IP traffic before they can do any harm.

Botnet Command & Control Feeds

The Spamhaus Botnet Command and Control (C&C) list is an advisory “drop all traffic” list consisting of single IPv4 addresses. The feed does not contain any subnets or CIDR prefixes longer than /32. 

The servers on these IP addresses host botnet C&C nodes. Botnet C&C nodes are servers that control the individual malware-infected computers (bots) that together form a botnet. Bots regularly contact botnet C&C nodes to allow the malware on the bots to transfer stolen data to the C&C node for delivery to the botnet’s owner. It also allows the bots to obtain instructions for what they are to do next. 

Once a botnet contacts a C&C node, it receives instructions to send spam, host spammed web sites, attack other hosts on the internet, and provide name service (DNS) for the domains used in those attacks.

An IP address is listed on the Botnet C&C list when it meets the following criteria:

  • The server hosted at the IP address is used to control computers that are infected with malware.
  • The server hosted at the IP address is operated with malicious intent, meaning the server is operated by cybercriminals.
  • The file containing IPs is found to contain Botnet C&C controllers and has three fields: IP, Botnet Name, and Base64 encoded free text field giving further information. The text field provides detailed information from the SBL and includes rich information and details supporting the nature of the botcc entry.
 

Dedicated Botnet Controller List (BCL Ded) contains IP addresses that are:

  • Botnet C&C infrastructure on dedicated host
  • Used exclusively for Botnet control

Compromised Botnet Controller List contains single IPv4 addresses that are:

  • Hosting Botnet Command & Control Servers
  • Used to control bots (infected devices)
  • Hosting Botnet Command & Control Servers
  • Available as JSON file or via Spamhaus Intelligence API
  • Includes the following data fields: Source IP address of bot generated traffic, bot name, UNIX timestamp of first and last seen activity, valid until, destination port, ASN, latitude / longitude when available, IP protocol, domains observed in use, array of samples (md5hash, sha256hash, time stamp sample was observed)
  • Approx. # of Entries: 300 – 2,000
  • New entries per day: 25 – 50

Extended exploits Blocklist - eXBL

eXBL is a comprehensive and detailed list of infected hosts, and this datafeed is designed to identify bot traffic:

  • Approx. # of Entries: 6 – 8 Million
  • New entries per day: ~75,000
  • Real-time updates: Entries added and removed approximately every 30 minutes
  • List of single IPs (/32s)
  • Extensive, accurate list of bot-infected machines
  • Rich metadata includes: IP, ASN, CIDR allocation, Country, Domain, Timestamp, Bot name

Extended Domain Blocklist - EDBL

Metadata enriched version of Domain Blocklist (DBL).  Additional information on domains observed to be engaged in malicious activity, 

  • Domain reputation and meta data
  • Available vis Spamhaus Intelligence API
  • Find domains reputation: Great, Good, Neutral, Bad, Malicious
  • Identify domain threat type: Phish, malware, botnet command & controller, snowshoe spammer, redirector, adware, or sinkhole
  • Rich metadata includes: Spamhaus domain score, UNIX time stamp of first observed and last seen, associated IP addresses, registrar, date created, threat type, and more.

Extended CSS - eCSS

List of IP address known to send low reputation email, plus enriched metadata. 

  • IP addresses observed sending mass, unsolicited email
  • Approx. # of Listings: 300,000 – 1.5 M listings 
  • New entries per day: ~285,000
  • Available as JSON file or via Spamhaus Intelligence API
  • Rich metadata: Source IP address of bot generated traffic, UNIX timestamp of first detection and listing, ASN, latitude / longitude when available, IP protocol, domain associated with listed IP, HELO string, source port, hueristic, rule ID of listing decision, example subject

Spamhaus Passive DNS

Passive DNS collects and analyzes inter-server DNS messages, which are stored in a database where they can be indexed and queried 

Spamhaus Passive DNS delivers insight on DNS traffic by collecting a tremendous volume of DNS query information. Spamhaus DNS traffic provides excellent insight into cyber threats as many of the DNS queries point to malicious activity. 

Spamhaus Passive DNS is extremely robust with more than 2B records per day, including host IP addresses, NS domains, CNames, MXrecords, and much more.

Start your free trial.

Design the best set of data feeds to meet your needs!


Experience improved cybersecurity and stop phishing emails, ransomware, malware, and other cyber threats. Sign up for your free consultation and receive an in-depth technical deep dive and a 30-day free trial.