Extended XBL (eXBL)
eXBL is the metadata-enriched version of the XBL list and, like XBL, is focused on compromise indicators obtained through behavioral heuristics. Each record consists of the following fields; a field marked "Always provided" is present in every record, all others are optional.

ipaddress: The IP identified as the source of the bot-generated traffic. Always provided.

botname: The name of the bot whose activity was detected; "unknown" if the detection cannot be clearly associated with a specific bot. Always provided.

seen: Unix timestamp of the last detected event for the given IP and botname. Always provided.

firstseen: Unix timestamp of the first detection event for this IP+botname combination. It equals seen when this is the first sighting of this type on this IP, and is reset whenever the combination has shown no activity for at least a month. Always provided.

listed: Unix timestamp of when the entry reached our database. It is usually very close to seen, except when the data comes from batched processes. Always provided.

valid_until: Unix timestamp after which the entry is considered expired and drops out of the dataset. Always provided.

detection: Human-readable string briefly describing how the data was collected; present only when the heuristic can collect data in more than one way.

rule: Internal ID of the rule that produced the detection. Detections made by different means or rules carry different IDs even when they refer to the same kind of detection. Always provided.

dstip: Destination IP of the traffic that triggered the detection; not always disclosed or available.

dstport: Destination port of the traffic that triggered the detection; not always disclosed or available.

helo: For detections made on SMTP traffic, the HELO string used in the SMTP session that triggered the detection.

helos: Specific to MPD detections: an array of all the HELO strings involved in detecting the behavior; present only in records produced by the MPD heuristic.

heuristic: The heuristic that generated the detection; takes one of a limited set of values.

asn: The Autonomous System announcing the IP; obtained mostly from routeviews data.

lat: Latitude of the IP; only provided when geolocation data is available.

lon: Longitude of the IP; only provided when geolocation data is available.

cc: ISO country code of the country where the IP resides; only provided when geolocation data is available.

protocol: IP protocol of the traffic that triggered the detection. Usually either UDP or TCP.

srcip: Source IP of the traffic that triggered the detection. Except in very unusual corner cases it matches ipaddress, the argument of the listing.

srcport: Source port of the traffic that triggered the detection, when the detection is based on a single TCP/UDP session. Not always available.

subject: Specific to detections made on SMTP traffic, and therefore limited to the "SPAMBOT", "IMPERSONATE" and "SMTPAUTH" heuristics. The subject line, in its original encoding, of the message that triggered the detection.

uri: Specific to the "SINKHOLE" heuristic, and to HTTP sinkhole detections only: the URI of the HTTP request that triggered the listing. Not always available.

useragent: Specific to the "SINKHOLE" heuristic, and to HTTP sinkhole detections only: the User-Agent header of the HTTP request that triggered the listing. Not always available.

domain: Mostly specific to the "SINKHOLE" heuristic, and to HTTP sinkholes in particular: the domain/hostname the triggering traffic was reaching, in other words the sinkholed domain. Often taken from the Host header of the HTTP request that triggered the listing. Not always available.
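The field descriptions above imply a number of consistency rules a consumer should enforce before acting on a record: the seven always-provided fields must be present, the four timestamps must be integers, firstseen should not be later than seen, srcip should match ipaddress, and fields such as helos, subject, uri and useragent only make sense under the heuristics they are tied to. The parser below is an added example written for this page, not code shipped with eXBL. It assumes records are delivered as one JSON object per line (the page does not state the transport format) and uses a constructed four-line sample feed with documentation IP ranges; the rule values and detection strings in the sample are made up.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Fields the page marks "Always provided".
REQUIRED = ("ipaddress", "botname", "seen", "firstseen", "listed", "valid_until", "rule")
TIMESTAMPS = ("seen", "firstseen", "listed", "valid_until")
# Heuristics that may carry a "subject" field, per the page.
SMTP_HEURISTICS = {"SPAMBOT", "IMPERSONATE", "SMTPAUTH"}
# Fields the page ties exclusively to HTTP sinkhole detections.
HTTP_SINKHOLE_ONLY = ("uri", "useragent")


@dataclass
class Finding:
    ipaddress: str
    botname: str
    seen: int
    firstseen: int
    listed: int
    valid_until: int
    rule: str                      # kept as a string; the page does not give its type
    heuristic: Optional[str]
    extras: dict = field(default_factory=dict)   # all optional fields, unmodified
    warnings: list = field(default_factory=list) # soft inconsistencies, record kept

    def is_active(self, now: int) -> bool:
        """True until valid_until, after which the entry is expired."""
        return now < self.valid_until

    def is_first_sighting(self) -> bool:
        """Page: firstseen equals seen on the first sighting of this IP+botname."""
        return self.firstseen == self.seen

    def ingest_lag(self) -> int:
        """Seconds between the event and its arrival in the database (batching shows up here)."""
        return self.listed - self.seen


def parse_record(raw: dict) -> Finding:
    """Hard-fail on missing required fields or bad timestamps; warn on soft inconsistencies."""
    missing = [k for k in REQUIRED if k not in raw]
    if missing:
        raise ValueError(f"record missing required field(s): {missing}")
    ts = {}
    for k in TIMESTAMPS:
        try:
            ts[k] = int(raw[k])
        except (TypeError, ValueError):
            raise ValueError(f"{k} is not a Unix timestamp: {raw[k]!r}")
    heuristic = raw.get("heuristic")
    f = Finding(ipaddress=str(raw["ipaddress"]), botname=str(raw["botname"]),
                rule=str(raw["rule"]), heuristic=heuristic, **ts)
    f.extras = {k: v for k, v in raw.items() if k not in REQUIRED and k != "heuristic"}
    w = f.warnings
    if f.firstseen > f.seen:
        w.append("firstseen is later than seen")
    if f.listed < f.seen:
        w.append("listed precedes seen")
    if f.valid_until <= f.seen:
        w.append("valid_until is not after seen")
    if "srcip" in raw and raw["srcip"] != f.ipaddress:
        w.append("srcip differs from ipaddress (page: only in corner cases)")
    if "helos" in raw and heuristic != "MPD":
        w.append("helos present outside the MPD heuristic")
    if "subject" in raw and heuristic not in SMTP_HEURISTICS:
        w.append("subject present outside the SMTP heuristics")
    if heuristic != "SINKHOLE" and any(k in raw for k in HTTP_SINKHOLE_ONLY):
        w.append("uri/useragent present outside the SINKHOLE heuristic")
    if "protocol" in raw and str(raw["protocol"]).upper() not in ("TCP", "UDP"):
        w.append(f"unusual protocol {raw['protocol']!r}")
    return f


def parse_feed(lines):
    """Parse JSON-lines input; returns (accepted findings, [(line_no, reason)] rejected)."""
    findings, rejected = [], []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(parse_record(json.loads(line)))
        except ValueError as e:          # json.JSONDecodeError is a ValueError subclass
            rejected.append((n, str(e)))
    return findings, rejected


# Constructed sample feed (not real eXBL data): an HTTP sinkhole hit, a spambot hit,
# a record missing the required "rule", and a record with three soft inconsistencies.
SAMPLE_FEED = """\
{"ipaddress":"192.0.2.10","botname":"unknown","seen":1700000600,"firstseen":1700000600,"listed":1700000605,"valid_until":1700087000,"rule":"r1","heuristic":"SINKHOLE","detection":"http sinkhole","dstip":"198.51.100.5","dstport":80,"protocol":"TCP","srcip":"192.0.2.10","srcport":51234,"uri":"/check","useragent":"Mozilla/4.0","domain":"sinkhole.example.net","asn":64496}
{"ipaddress":"192.0.2.20","botname":"unknown","seen":1700003600,"firstseen":1699900000,"listed":1700010000,"valid_until":1700090000,"rule":"r2","heuristic":"SPAMBOT","helo":"mail.example.org","subject":"Re: invoice","protocol":"TCP","dstport":25,"srcip":"192.0.2.20"}
{"ipaddress":"192.0.2.30","botname":"unknown","seen":1700000000,"firstseen":1700000000,"listed":1700000000,"valid_until":1700086400}
{"ipaddress":"192.0.2.40","botname":"unknown","seen":1700000000,"firstseen":1700000100,"listed":1700000000,"valid_until":1700086400,"rule":"r4","heuristic":"SINKHOLE","helos":["a","b"],"srcip":"192.0.2.41"}
"""

if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED.splitlines())
    for f in ok:
        print(f.ipaddress, f.heuristic, "first" if f.is_first_sighting() else "repeat",
              f"lag={f.ingest_lag()}s", f.warnings)
    for n, why in bad:
        print(f"line {n} rejected: {why}")
```

Records that fail the hard checks are dropped with a line number so the feed can be re-requested or the upstream issue reported; records with only soft warnings are kept, since the page itself allows for corner cases (batched listing, srcip mismatch), and the warnings can be logged or used to lower confidence when the finding is turned into a block or alert.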