NAV navbar

What is Auth0 Signals

Introduction

The Auth0’s Anomaly Detection engine detects malicious login traffic. This engine helps protect our customers from automated attacks, such as credential stuffing.

The engine consumes an unparalleled number of risk signals, such as IP address, email, and domain reputation, plus other signals like breached password detection to understand a source’s risk level.

We refer to this data as Auth0 Signals and make much of it freely available to everyone via API to help you combat automated attacks with adaptive authentication.

What resources are listed?

Several different types of resources will grow in time:

Where are the API endpoints servers deployed?

Multiple servers are deployed worldwide in different Cloud regions, scaling up and down automatically to handle peaks and valleys usage. The secure endpoint is:

When the client performs a request to this endpoint, thanks to DNS Anycast and latency-based resolution, the closest server available will serve the query.

How to use the API

We have developed the API to be simple, minimalistic, and fast. We have followed a Keep it Simple (KISS) approach, with several different ways to access the data.

To use the API, the user needs an API KEY or TOKEN that will pass along the request. Users need to sign up to get it.

This API KEY restricts the API. The access is limited to 40000 API requests per day. If the user exceeds that limit in 24 hours, the service will return a 429 HTTP status code. If the users need to make more requests, they should consider contacting us and tell us why they need a higher quota. It is possible to know in real-time the quota consumed daily from the Main page.

There is also an ANONYMOUS PLAN. The platform applies this plan if a developer does not pass any API TOKEN when making a request. So any user can test the API before signing up!

The Main page

It is necessary for any user to register in the Signals site. By registering on this site, the users have access to the Main page. This page allows users to know the consumption and the number of pending requests in the current 24 hours cycle.

Authentication

To authorize with a header parameter, use this code:

# With shell, the user can just pass the correct header with each request
curl "https://signals.api.auth0.com" -H "X-Auth-Token: UUID"

To authorize with a query string parameter, use this code:

# With shell, the user can just pass the correct header with each request
curl "https://signals.api.auth0.com/?token=UUID"

Make sure to replace UUID with a valid API KEY.

Auth0 Signals uses an API KEY to allow access to the API. Users need to sign up to get one.

Auth0 Signals expects an API KEY in all API requests made. It can be included as a header or as a query string parameter.

X-Auth-Token: UUID

IP Reputation Analytics

Get full IP address reputation info

Full IP address reputation performs several checks against the IP address given, returning several individual scores per each check, and a global score to summarize them all. The checks are:

These three checks (IP address blacklist, Domain blacklist, and IP address historical blacklist) are summarized and returned as a global score for the IP address. The possible values are:

This API call also returns detailed information about the IP address from different sources:

$ curl -H "Accept: application/json" -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/v2.0/ip/<IP>"

The response can be:

{
    "fullip": {
        "geo": { ... },
        "hostname": "abts-tn-static-035.5.165.122.airtelbroadband.in",
        "baddomain": {
            "domain": {
                "blacklist": [],
                "blacklist_mx": [],
                "blacklist_ns": [],
                "mx": [],
                "ns": [],
                "score": 0
            },
            "ip": {
                "address": "",
                "blacklist": "",
                "is_quarantined": false,
                "score": 0
            },
            "source_ip": {
                "address": "71.152.251.222",
                "blacklist": [],
                "is_quarantined": false,
                "score": 0
            },
            "score": 0
        },
        "badip": {
            "score": 0,
            "blacklists": []
        },
        "history": {
            "score": -1,
            "activity": [
                {
                    "ip": "122.165.5.35",
                    "timestamp": 1537000113218,
                    "command": "rem",
                    "blacklists": "",
                    "blacklist_change": "UCEPROTECT-LEVEL1"
                },
                ...
            ],
            "score_1day": false,
            "score_7days": false,
            "score_30days": true,
            "score_90days": true,
            "score_180days": true,
            "score_1year": true
        },
        "score": -1,
        "whois": { ... }
    }
}

HTTP Request

GET https://signals.api.auth0.com/v2.0/ip/<IP>

Header Parameters

Parameter Mandatory Description
X-Auth-Token Yes API KEY of the owner.

QueryString Parameters

Parameter Mandatory Description
token Yes API KEY of the owner.
timestamp No UNIX time in seconds to filter the search in the database. If ignored, then the current UNIX time is taken.
page No Page number to paginate the result. Always start at 1. If ignored, then search for page one.
items No The number of items per page. It can be in the range of 5 to 200. If ignored, then return five items.
callback No Function to invoke when using JSONP model.

URL Parameters

Parameter Description
IP The IP to look up in the system.

Response

The status code of the response will be a 200 HTTP code if everything is ok and it will also return the following JSON structure.:

Parameter Description
fullip 'FullIP' JSON object containing all the information gathered from the different sources.

Check if an IP belongs to any abusers' blacklist

Auth0 Signals tracks multiple abuse blacklists and consolidates them in a single database that any user can look up with our minimalist API.

$ curl -i -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/badip/<IP>"

The response can be:

HTTP/1.1 200 OK
CONTENT-TYPE: text/plain; charset=utf-8
CONTENT-LENGTH: 7
DATE: X
SERVER: Python/3.5 aiohttp/0.21.6

or

HTTP/1.1 404 Not Found
CONTENT-TYPE: text/plain; charset=utf-8
CONTENT-LENGTH: 18
DATE: X
SERVER: Python/3.5 aiohttp/0.21.6

This endpoint returns if the IP belongs to any list with the HTTP status code in the response.

HTTP Request

GET https://signals.api.auth0.com/badip/<IP>

Header Parameters

Parameter Mandatory Description
X-Auth-Token No API KEY of the owner.

QueryString Parameters

Parameter Mandatory Description
token No API KEY of the owner.
callback No Function to invoke when using JSONP model.

URL Parameters

Parameter Description
IP The IP to look up in the system.

Response

The response can be a 200 or 404 HTTP code if everything is correct:

Get all blacklists an IP belongs to

$ curl -H "Accept: application/json" -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/badip/<IP>"

The response can be:

{
    "blacklists": ["STOPFORUMSPAM-180", "STOPFORUMSPAM-30", "STOPFORUMSPAM-7", "STOPFORUMSPAM-365", "STOPFORUMSPAM-90"]
}

or

Resource Not found

If any developer wants to know what blacklists contain the IP passed as an argument, They need to pass to curl an extra argument with information about the Content-type as application/json:

HTTP Request

GET https://signals.api.auth0.com/badip/<IP>

Header Parameters

Parameter Mandatory Description
X-Auth-Token No API KEY of the owner.
Accept Yes application/json

QueryString Parameters

Parameter Mandatory Description
token No API KEY of the owner.
callback No Function to invoke when using JSONP model.

URL Parameters

Parameter Description
IP The IP to look up in the system.

Response

The status code of the response can be a 200 or 404 HTTP code if everything is ok, but it will also return the following JSON structure if status code is 200:

Parameter Description
blacklists Array with a list with the Identifiers of each blacklist.

Get all abusers' blacklist a set of IP belong to (Bulk request)

$ curl -H "Accept: application/json" -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/badip_batch/<IP1>,<IP2>...<IPn>"

The response can be:

{
    "response": [
        {
            "ip": "8.8.8.8",
            "blacklists": []
        },
        {
            "ip": "212.231.122.12",
            "blacklists": []
        },
        {
            "ip": "1.2.3.4",
            "blacklists": ["STOPFORUMSPAM-180", "STOPFORUMSPAM-30", "STOPFORUMSPAM-7", "STOPFORUMSPAM-365", "STOPFORUMSPAM-90"]
        }
    ]
}

Developers can save time and rate-limit restrictions if they pass a list of comma-separated IP in the QueryString. They will get the blacklists for each IP in the response. If the IP is not well-formed, it will return nothing for that IP but will perform the lookup for the rest of the valid IP addresses.

HTTP Request

GET https://signals.api.auth0.com/badip_batch/<IP>

Header Parameters

Parameter Mandatory Description
X-Auth-Token No API KEY of the owner.
Accept No application/json

QueryString Parameters

Parameter Mandatory Description
token No API KEY of the owner.
callback No Function to invoke when using JSONP model.

URL Parameters

Parameter Description
IP1,IP2,...IPn The comma separated list of IP to look up in the system.

Response

The status code of the response can be an HTTP 200 if everything is correct, but it will also return the following JSON structure:

Parameter Description
response Array with a list with the blacklists for each IP.

Email verification

Email Verification implements an algorithm that assigns a risk score to the email address based on several tests performed by the service:

These checks are summarized and returned as a global score for the Email addresses. The possible values are:

This API call also returns detailed information about the Email address that can be relevant for a customized risk assessment algorithm:

All this information is in a response with a JSON structure containing the 'Email' object.

Check if an email scores a negative or neutral score.

Check a "clean" email

$ curl -i -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/bademail/support@auth0.com"

The response:

HTTP/1.1 404 Not Found
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 24 Nov 2017 15:42:53 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 18
Connection: keep-alive

Check a "bad" email

$ curl -i -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/bademail/test@mailinator.com"
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Fri, 24 Nov 2017 15:43:55 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 809
Connection: keep-alive
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff

This endpoint returns in the HTTP status code of the response if the email has a neutral or a negative score. A negative score means that the email has been classified as 'bad' by the algorithm.

HTTP Request

GET https://signals.api.auth0.com/bademail/<EMAIL>

Header Parameters

Parameter Mandatory Description
X-Auth-Token No API Key of the owner.

QueryString Parameters

Parameter Mandatory Description
alias No If 'True', the service will allow email aliases using the '+' sign. If 'False' then the service will not allow email aliases and will return a 400 - Bad Request error. The default value is 'False', so if no parameter found the service will assume that email aliases are not allowed.
callback No Function to invoke when using JSONP model.
timeout No Number of seconds before the process give up testing the email server. If timeout is 0, then the email server testing is fully ignored. If timeout is not passed in the query string or negative the default timeout is 20 seconds. If the timeout is greater than 60 seconds the value is ignored and the timeout is set to 60 seconds.
token No API Key of the owner.
source_ip No Modify the client's source IP address in the scoring algorithm. For example, a user can pass in this parameter the IP address of the user's original connection. Doing it then the scoring algorithm will use the IP address as another signal to flag the email address.

URL Parameters

Parameter Description
EMAIL The Email name to look up in the system.

Response

The response can be a 200 or 404 HTTP code if everything is correct:

Get individual scores of an email

Get all information from a "clean" email

$ curl -H "Accept: application/json" -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/bademail/ceo@auth0.com"

The response can be:

{
   "response":{
      "score":0,
      "address":{
         "score":0,
         "is_role":false,
         "is_well_formed":true
      },
      "ip":{
         "score":0,
         "is_quarantined":false,
         "address":"52.218.49.2",
         "blacklist":[

         ]
      },
      "smtp":{
         "exist_mx":true,
         "score":0,
         "exist_address":false,
         "exist_catchall":false,
         "graylisted":false,
         "timedout":false
      },
      "freemail":{
         "score":0,
         "is_freemail":false
      },
      "domain":{
         "score":0,
         "blacklist_ns":[

         ],
         "mx":[
            "aspmx.l.google.com",
            "aspmx2.googlemail.com",
            "aspmx3.googlemail.com",
            "alt1.aspmx.l.google.com",
            "alt2.aspmx.l.google.com"
         ],
         "blacklist_mx":[

         ],
         "blacklist":[

         ],
         "ns":[
            "ns-1395.awsdns-46.org.",
            "ns-1635.awsdns-12.co.uk.",
            "ns-213.awsdns-26.com.",
            "ns-614.awsdns-12.net."
         ]
      },
      "email":{
         "score":0,
         "blacklist":[

         ]
      },
      "source_ip":{
         "score":0,
         "is_quarantined":false,
         "address":"2.137.249.73",
         "blacklist":[

         ]
      },
      "disposable":{
         "score":0,
         "is_disposable":false
      }
   },
   "type":"bademail"
}

Get all information from a "bad" email

$ curl -H "Accept: application/json" -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/bademail/test@mailinator.com"

The response can be:

{
   "response":{
      "score":-3,
      "address":{
         "score":0,
         "is_role":false,
         "is_well_formed":true
      },
      "ip":{
         "score":0,
         "is_quarantined":false,
         "address":"104.25.199.31",
         "blacklist":[

         ]
      },
      "smtp":{
         "exist_mx":true,
         "score":0,
         "exist_address":false,
         "exist_catchall":false,
         "graylisted":false,
         "timedout":false
      },
      "freemail":{
         "score":0,
         "is_freemail":false
      },
      "domain":{
         "score":-1,
         "blacklist_ns":[

         ],
         "mx":[
            "mail2.mailinator.com",
            "mail.mailinator.com"
         ],
         "blacklist_mx":[

         ],
         "blacklist":[
            "IVOLO-DED",
            "DEA"
         ],
         "ns":[
            "betty.ns.cloudflare.com.",
            "james.ns.cloudflare.com."
         ]
      },
      "email":{
         "score":-1,
         "blacklist":[
            "STOPFORUMSPAM-90",
            "STOPFORUMSPAM-180",
            "STOPFORUMSPAM-365"
         ]
      },
      "source_ip":{
         "score":0,
         "is_quarantined":false,
         "address":"2.137.249.73",
         "blacklist":[

         ]
      },
      "disposable":{
         "score":-1,
         "is_disposable":true
      }
   },
   "type":"bademail"
}

This endpoint returns a full JSON structure with individual details about the score of the different domains, IP, SMTP, and other parameters analyzed by the algorithm. The request always returns the status code 200 (HTTP OK) no matter if the domain is clean or bad.

HTTP Request

GET https://signals.api.auth0.com/bademail/<EMAIL>

Header Parameters

Parameter Mandatory Description
X-Auth-Token No API Key of the owner.
Accept Yes application/json

QueryString Parameters

Parameter Mandatory Description
alias No If 'True', the service will allow email aliases using the '+' sign. If 'False' then the service will not allow email aliases and will return a 400 - Bad Request error. The default value is 'False', so if no paremeter found the service will assume that email aliases are not allowed.
callback No Function to invoke when using JSONP model.
timeout No Number of seconds before the process give up testing the email server. If timeout is 0, then the email server testing is fully ignored. If timeout is not passed in the query string or negative the default timeout is 20 seconds. If the timeout is greater than 60 seconds the value is ignored and the timeout is set to 60 seconds.
token No API Key of the owner.
source_ip No Modify the client's source IP address in the scoring algorithm. For example, a user can pass in this parameter the IP address of the user's original connection. Doing it then the scoring algorithm will use the IP address as another signal to flag the email address.

URL Parameters

Parameter Description
EMAIL The Email name to look up in the system.

Response

The status code of the response is 200 (HTTP OK) if everything was correct, but it will also return the following JSON:

Parameter Description
response JSON structure containing the 'Email' object.
type String describing the response type: bademail

Get all the scores of a set of emails (Bulk requests)

Get all information from a set of emails

$ curl -H "Accept: application/json" -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/bademail_batch/test@example.com,test@auth0.com,test@mailinator.com"

The response can be:

{
    "response": [
        {
            "email": "test@example.com",
            "scoring": {
                "score": 0,
                "smtp": {
                    "score": 0,
                    "exist_address": false,
                    "exist_mx": true,
                    "exist_catchall": false,
                    "graylisted":false,
                    "timedout":false
                },
                "domain": {
                    "score": 0,
                    "blacklist_ns": [],
                    "ns": [
                        "alex.ns.cloudflare.com.",
                        "pam.ns.cloudflare.com."
                    ],
                    "mx": [
                        "aspmx.l.google.com",
                        "alt2.aspmx.l.google.com",
                        "alt4.aspmx.l.google.com",
                        "alt1.aspmx.l.google.com",
                        "alt3.aspmx.l.google.com"
                    ],
                    "blacklist_mx": [],
                    "blacklist": []
                },
                "freemail": {
                    "score": 0,
                    "is_freemail": false
                },
                "ip": {
                    "score": 0,
                    "address": "104.18.44.187",
                    "is_quarantined": false,
                    "blacklist": []
                },
                "source_ip": {
                    "score": 0,
                    "address": "127.0.0.1",
                    "is_quarantined": false,
                    "blacklist": []
                },
                "disposable": {
                    "score": 0,
                    "is_disposable": false
                },
                "email": {
                    "score": 0,
                    "blacklist": []
                },
                "address": {
                    "score": 0,
                    "is_role": false,
                    "is_well_formed": true
                }
            }
        },
        {
            "email": "test@auth0.com",
            "scoring": {
                "score": 0,
                "smtp": {
                    "score": 0,
                    "exist_address": false,
                    "exist_mx": true,
                    "exist_catchall": false,
                    "graylisted":false,
                    "timedout":false
                },
                "domain": {
                    "score": 0,
                    "blacklist_ns": [],
                    "ns": [
                        "alex.ns.cloudflare.com.",
                        "pam.ns.cloudflare.com."
                    ],
                    "mx": [
                        "aspmx.l.google.com",
                        "aspmx2.googlemail.com",
                        "aspmx3.googlemail.com",
                        "alt1.aspmx.l.google.com",
                        "alt2.aspmx.l.google.com"
                    ],
                    "blacklist_mx": [],
                    "blacklist": []
                },
                "freemail": {
                    "score": 0,
                    "is_freemail": false
                },
                "ip": {
                    "score": 0,
                    "address": "104.31.77.225",
                    "is_quarantined": false,
                    "blacklist": []
                },
                "source_ip": {
                    "score": 0,
                    "address": "127.0.0.1",
                    "is_quarantined": false,
                    "blacklist": []
                },
                "disposable": {
                    "score": 0,
                    "is_disposable": false
                },
                "email": {
                    "score": 0,
                    "blacklist": []
                },
                "address": {
                    "score": 0,
                    "is_role": false,
                    "is_well_formed": true
                }
            }
        },
        {
            "email": "test@mailinator.com",
            "scoring": {
                "score": -2,
                "smtp": {
                    "score": 1,
                    "exist_address": true,
                    "exist_mx": true,
                    "exist_catchall": false,
                    "graylisted":false,
                    "timedout":false
                },
                "domain": {
                    "score": -1,
                    "blacklist_ns": [],
                    "ns": [
                        "betty.ns.cloudflare.com.",
                        "james.ns.cloudflare.com."
                    ],
                    "mx": [
                        "mail2.mailinator.com",
                        "mail.mailinator.com"
                    ],
                    "blacklist_mx": [],
                    "blacklist": [
                        "MARTENSON-DED",
                        "DEA",
                        "IVOLO-DED"
                    ]
                },
                "freemail": {
                    "score": 0,
                    "is_freemail": false
                },
                "ip": {
                    "score": 0,
                    "address": "104.25.198.31",
                    "is_quarantined": false,
                    "blacklist": []
                },
                "source_ip": {
                    "score": 0,
                    "address": "127.0.0.1",
                    "is_quarantined": false,
                    "blacklist": []
                },
                "disposable": {
                    "score": -1,
                    "is_disposable": true
                },
                "email": {
                    "score": -1,
                    "blacklist": [
                        "STOPFORUMSPAM-365",
                        "STOPFORUMSPAM-180"
                    ]
                },
                "address": {
                    "score": 0,
                    "is_role": false,
                    "is_well_formed": true
                }
            }
        }
    ]
}

Developers can save time and rate-limit restrictions if they pass a list of comma-separated Emails in the QueryString. They will get the scoring and full JSON structure for each Email in the response. If the Email is not well-formed, it will return nothing for that Email, but will perform the lookup for the rest of the valid emails:

HTTP Request

GET https://signals.api.auth0.com/bademail_batch/<EMAIL1>,<EMAIL2>,...,<EMAILn>

Header Parameters

Parameter Mandatory Description
X-Auth-Token No API Key of the owner.
Accept No application/json

QueryString Parameters

Parameter Mandatory Description
alias No If 'True', the service will allow email aliases using the '+' sign. If 'False' then the service will not allow email aliases and will return a 400 - Bad Request error. The default value is 'False', so if no paremeter found the service will assume that email aliases are not allowed.
callback No Function to invoke when using JSONP model.
timeout No Number of seconds before the process give up testing the email server. If timeout is 0, then the email server testing is fully ignored. If timeout is not passed in the query string or negative the default timeout is 20 seconds. If the timeout is greater than 60 seconds the value is ignored and the timeout is set to 60 seconds.
token No API Key of the owner.
source_ip No Modify the client's source IP address in the scoring algorithm. For example, a user can pass in this parameter the IP address of the user's original connection. Doing it then the scoring algorithm will use the IP address as another signal to flag the email address.

URL Parameters

Parameter Description
EMAIL1,EMAIL2,...,EMAILn The list of Emails to lookup in the system.

Response

The status code of the response is 200 (HTTP OK) if everything was correct, but it will also return the following JSON:

Parameter Description
response JSON structure containing a list of JSON structures with the email address and the 'Email' object.

Metadata information

Metadata services allow developers to access information about Auth0 Signals service blacklists, databases, and repositories.

Metadata services can return information as:

This API request will always return a JSON structure with the information and a 200 HTTP code if the list was in the database. If not, then it will return a 404 HTTP code as usual.

List of all blackists by type.

Get the list of blacklists type badip:

$ curl -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/metadata/badip/lists"

The response can be:

{
    "NIXSPAM-IP": {
        "group": "abuse",
        "refresh": "Every 15 minutes",
        "last_update": "1543164604",
        "visibility": "Public",
        "site": "http://www.nixspam.org",
        "type": "badip",
        "description": "The iX blacklist is made of over 500,000 automatically generated entries per day without distinguishing open proxies from relays, dialup gateways, and so on. After 12 hours the IP address will be removed if there is no new spam from there.",
        "source": "NiX Spam IP DNSBL and blacklist",
        "name": "NiX Spam IP blacklist",
        "count": "40645",
        "problem": "It lists any active address instantly whilst removing older entries. That's the idea of the iX blacklist.",
        "enabled": "True"
    },
    ...
    ,
    "ZEUS-BADIP-IP": {
        "group": "abuse",
        "refresh": "Every 60 minutes",
        "last_update": "1543163417",
        "visibility": "Public",
        "site": "https://zeustracker.abuse.ch",
        "type": "badip",
        "description": "ZeuS Tracker offers various IP-blocklists that contains known ZeuS Command&Control server (C&C) assocaited with the ZeuS crimeware. ZeuS Tracker offers blocklists in various formats and for different purposes.",
        "source": "ZEUS-BADIP-IP Blacklist - IP of ZeuS Command&Control",
        "name": "ZEUS-BADIP-IP Blacklist - IP of ZeuS Command&Control",
        "count": "107",
        "problem": "This blocklists only includes IPv4 addresses that are used by the ZeuS trojan. It is the recommened blocklist if you want to block only ZeuS IPs. It excludes IP addresses that ZeuS Tracker believes to be hijacked (level 2) or belong to a free web hosting provider (level 3). Hence the false postive rate should be much lower compared to the standard ZeuS Standard IP blocklist.",
        "enabled": "True"
    }
}

Get the list of blacklists type baddomain:

$ curl -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/metadata/baddomain/lists"

The response can be:

{
    "FREEMAIL": {
        "group": "anonymizer",
        "refresh": "Everyday",
        "last_update": "1543164938",
        "visibility": "Public",
        "site": "",
        "type": "baddomain",
        "description": "Free email services give users the ability to send and receive emails plus more services like a calendar, instant messaging and mobile apps for your smartphone, among other features that can be beneficial for individuals. These services can be free of charge or advertised supported, and this is what makes them suitable for users that want to hide their identity using multiple free email accounts.",
        "source": "Several sources.",
        "name": "Free Email Providers blacklist",
        "count": "4317",
        "problem": "Free email can be used to mask the identities of abusers, but free email users cannot be classified as abusers by default. Still, some companies reject to accept free email addresses when registering.",
        "enabled": "True"
    },
    ...
    ,
    "ETHERSCAMDB-DOMAINS": {
        "group": "anonymizer",
        "refresh": "Everyday",
        "last_update": "1543118542",
        "visibility": "Public",
        "site": "https://etherscamdb.info",
        "type": "baddomain",
        "description": "Ethereum Scam Database or EtherScamDB is an open source project and website that combines all the information that's available. It also has an easy to use reporting function and add them to the database.",
        "source": "Github EtherScamDB account.",
        "name": "Ethereum Scam Database Domain blacklist",
        "count": "6059",
        "problem": "There is a lot of bad guys out there that will try to steal your cryptocurrencies using fake domains. This list will help you to avoid them.",
        "enabled": "True"
    }
}

Get the list of blacklists type bademail:

$ curl -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/metadata/bademail/lists"

The response can be:

{
    "STOPFORUMSPAM-90": {
        "group": "abuse",
        "refresh": "Every day",
        "last_update": "1543115919",
        "visibility": "Public",
        "site": "http://www.stopforumspam.com",
        "type": "bademail",
        "description": "StopForumSpamprovide lists of spammers that persist in abusing forums and blogs with their scams, ripoffs, exploits and other annoyances*. They provide these lists so that you don't have to endure the never ending job of having to moderate, filter and delete their rubbish. Stop Forum Spam is one of the biggest and more detailed list of abusers.",
        "source": "StopForumSpam 90 days Email blacklist",
        "name": "StopForumSpam Email 90d",
        "count": "574535",
        "problem": "Emails in this list includes new entries in the main list in the last 90 days.",
        "enabled": "True"
    },
    ...
    ,
    "STOPFORUMSPAM-7": {
        "group": "abuse",
        "refresh": "Every day",
        "last_update": "1543115779",
        "visibility": "Public",
        "site": "http://www.stopforumspam.com",
        "type": "bademail",
        "description": "StopForumSpamprovide lists of spammers that persist in abusing forums and blogs with their scams, ripoffs, exploits and other annoyances*. They provide these lists so that you don't have to endure the never ending job of having to moderate, filter and delete their rubbish. Stop Forum Spam is one of the biggest and more detailed list of abusers.",
        "source": "StopForumSpam 7 days Email blacklist",
        "name": "StopForumSpam Email 7d",
        "count": "56253",
        "problem": "Emails in this list includes new entries in the main list in the last 7 days.",
        "enabled": "True"
    }
}

This endpoint returns a JSON structure with a list of blacklist objects information indexed by the list Id. The request always returns the status code 200 (HTTP OK).

HTTP Request

GET https://signals.api.auth0.com/metadata/<BLACKLIST_TYPE>/lists

Header Parameters

Parameter Mandatory Description
X-Auth-Token No API Key of the owner.

QueryString Parameters

Parameter Mandatory Description
token No API Key of the owner.
callback No Function to invoke when using JSONP model.

URL Parameters

Parameter Description
BLACKLIST_TYPE The blacklist type: badip, baddomain or bademail.

Response

The status code of the response is 200 (HTTP OK) if everything was correct, but it will also return a JSON with a list of blacklist Id names and its 'blacklist' object.

Get full details of a blacklist

Get the details of a blacklist by type badip and blacklist id:

$ curl -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/metadata/badip/lists/NIXSPAM-IP"

The response can be:

{
        "group": "abuse",
        "refresh": "Every 15 minutes",
        "last_update": "1543164604",
        "visibility": "Public",
        "site": "http://www.nixspam.org",
        "type": "badip",
        "description": "The iX blacklist is made of over 500,000 automatically generated entries per day without distinguishing open proxies from relays, dialup gateways, and so on. After 12 hours the IP address will be removed if there is no new spam from there.",
        "source": "NiX Spam IP DNSBL and blacklist",
        "name": "NiX Spam IP blacklist",
        "count": "40645",
        "problem": "It lists any active address instantly whilst removing older entries. That's the idea of the iX blacklist.",
        "enabled": "True"
}

Get the details of a blacklist by type baddomain and blacklist id:

$ curl -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/metadata/baddomain/lists/FREEMAIL"

The response can be:

{
        "group": "anonymizer",
        "refresh": "Everyday",
        "last_update": "1543164938",
        "visibility": "Public",
        "site": "",
        "type": "baddomain",
        "description": "Free email services give users the ability to send and receive emails plus more services like a calendar, instant messaging and mobile apps for your smartphone, among other features that can be beneficial for individuals. These services can be free of charge or advertised supported, and this is what makes them suitable for users that want to hide their identity using multiple free email accounts.",
        "source": "Several sources.",
        "name": "Free Email Providers blacklist",
        "count": "4317",
        "problem": "Free email can be used to mask the identities of abusers, but free email users cannot be classified as abusers by default. Still, some companies reject to accept free email addresses when registering.",
        "enabled": "True"
}

Get the details of a blacklist by type bademail and blacklist id:

$ curl -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/metadata/bademail/lists/STOPFORUMSPAM-90"

The response can be:

{
        "group": "abuse",
        "refresh": "Every day",
        "last_update": "1543115919",
        "visibility": "Public",
        "site": "http://www.stopforumspam.com",
        "type": "bademail",
        "description": "StopForumSpamprovide lists of spammers that persist in abusing forums and blogs with their scams, ripoffs, exploits and other annoyances*. They provide these lists so that you don't have to endure the never ending job of having to moderate, filter and delete their rubbish. Stop Forum Spam is one of the biggest and more detailed list of abusers.",
        "source": "StopForumSpam 90 days Email blacklist",
        "name": "StopForumSpam Email 90d",
        "count": "574535",
        "problem": "Emails in this list includes new entries in the main list in the last 90 days.",
        "enabled": "True"
}

This endpoint returns a JSON structure with a list of blacklist objects information indexed by the list Id. The request always returns the status code 200 (HTTP OK).

HTTP Request

GET https://signals.api.auth0.com/metadata/<BLACKLIST_TYPE>/lists/<BLACKLIST_ID>

Header Parameters

Parameter Mandatory Description
X-Auth-Token No API Key of the owner.

QueryString Parameters

Parameter Mandatory Description
token No API Key of the owner.
callback No Function to invoke when using JSONP model.

URL Parameters

Parameter Description
BLACKLIST_TYPE The blacklist type: badip, baddomain or bademail.
BLACKLIST_ID The alphanumeric blacklist id.

Response

The status code of the response is 200 (HTTP OK) if everything was correct, but it will also return a JSON with a list of blacklist Id names and its 'blacklist' object.

Account information

Account information services allow developers to get read-only figures about the existing quota, the active blacklists, and the services' configuration.

A developer can obtain the following information:

This API request will always return a JSON structure with the information and a 200 HTTP code if the API TOKEN belongs to an active user. If not, then it will return a:

Get the current number of hits and TTL.

Get the current number of hits and TTL:

$ curl -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/v2.0/account/quota"

The response can be:

{
    "hits": 70876, 
    "ttl": 2628
}

This endpoint returns a JSON structure with the number of hits consumed in the current 24 hour period and the Time to Live until the quota restarts after these 24 hours. The request always returns the status code 200 (HTTP OK).

HTTP Request

GET https://signals.api.auth0.com/v2.0/account/quota

Header Parameters

Parameter Mandatory Description
X-Auth-Token Yes API Key of the owner.

QueryString Parameters

Parameter Mandatory Description
token Yes API Key of the owner.

Response

The status code of the response is 200 (HTTP OK) if everything was correct, but it will also return a JSON with a 'hits' and 'ttl' objects. 'ttl' is measured in seconds.

Get the active blacklists.

Get the active blacklists:

$ curl -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/v2.0/account/blacklists"

The response can be:

{ 
   "ip_addresses":[ 
      "ALIENVAULT-REPUTATION",
      "BBCAN177-MS1",
      "BBCAN177-MS3",
      "BLOCKLISTNET-UA",
      "BOTSCOUT-1D",
      "BOTSCOUT-30D",
      "BOTSCOUT-7D",
      "BOTSCOUT-LATEST",
      "BRUTEFORCEBLOCKER",
      "CLEANTALK-ORG-1D",
      "CLEANTALK-ORG-30D",
      "CLEANTALK-ORG-7D",
      "CLEANTALK-ORG-LATEST",
      "DEA-IP",
      "EXPRESSVPN-EXIT-IP",
      "FAIL2BAN-APACHE",
      "FAIL2BAN-BOTS",
      "FAIL2BAN-BRUTEFORCELOGIN",
      "FAIL2BAN-FTP",
      "FAIL2BAN-IMAP",
      "FAIL2BAN-IRCBOT",
      "FAIL2BAN-MAIL",
      "FAIL2BAN-SIP",
      "FAIL2BAN-SSH",
      "FAIL2BAN-STRONGIPS",
      "IDCLOACK-COM-1D",
      "IDCLOACK-COM-30D",
      "IDCLOACK-COM-7D",
      "IDCLOACK-COM-LATEST",
      "IPVANISHVPN-EXIT-IP",
      "IVOLO-DED-IP",
      "LISINGE-DED-IP",
      "MARTENSON-DED-IP",
      "NIXSPAM-IP",
      "NORDVPN-EXIT-IP",
      "SPYS-ONE-1D",
      "SPYS-ONE-30D",
      "SPYS-ONE-7D",
      "SPYS-ONE-LATEST",
      "SSLBL-IP",
      "STOPFORUMSPAM-1",
      "STOPFORUMSPAM-30",
      "STOPFORUMSPAM-7",
      "STOPFORUMSPAM-90",
      "TOP100-LATEST-IP",
      "TOR",
      "TOR-BLUTMAGIE-FULL",
      "UCEPROTECT-BACKSCATTERER",
      "UCEPROTECT-LEVEL1",
      "ZEUS-BADIP-IP",
      "ZEUS-STANDARD-IP"
   ],
   "domains":[ 
      "AA419-ORG-1D-DOMAINS",
      "AA419-ORG-30D",
      "AA419-ORG-LATEST-DOMAINS",
      "COINBLOCKER-7D-DOMAINS",
      "COINBLOCKER-LATEST-DOMAINS",
      "DEA",
      "EAL-DOMAINS",
      "ETHERSCAMDB-DOMAINS",
      "ISC-DOMAINS-HIGH",
      "ISC-DOMAINS-MEDIUM",
      "IVOLO-DED",
      "LISINGE-DED",
      "MALWAREDOMAINS-COM",
      "MARTENSON-DED",
      "METAMASK-DOMAINS",
      "RANSOMWARE-ABUSE-CH",
      "SBLACK-HOSTS-DOMAINS",
      "SQUIDBLACKLIST-MALICIOUS-DOMAINS"
   ]
}

This endpoint returns a JSON structure with two lists of strings: the list of active blacklists of IP addresses and the list of active blacklists of domains. The request always returns the status code 200 (HTTP OK).

HTTP Request

GET https://signals.api.auth0.com/v2.0/account/blacklists

Header Parameters

Parameter Mandatory Description
X-Auth-Token Yes API Key of the owner.

QueryString Parameters

Parameter Mandatory Description
token Yes API Key of the owner.

Response

The status code of the response is 200 (HTTP OK) if everything was correct, but it will also return a JSON with an 'ip_address' array of strings and 'domains' array of strings.

Get the config information.

Get the config information:

$ curl -H "X-Auth-Token: UUID" -X GET "https://signals.api.auth0.com/v2.0/account/config"

The response can be:

{
    "config": "{}", 
    "restriction": "None", 
    "restriction_values": ""
}

This endpoint returns a JSON structure with three values: a dictionary with internal configuration parameters (if any), the type of access restriction to the API (None, IP or Header), and the values depending on the restriction type (IP addresses or domains). The request always returns the status code 200 (HTTP OK).

HTTP Request

GET https://signals.api.auth0.com/v2.0/account/config

Header Parameters

Parameter Mandatory Description
X-Auth-Token Yes API Key of the owner.

QueryString Parameters

Parameter Mandatory Description
token Yes API Key of the owner.

Response

The status code of the response would be 200 (HTTP OK) if everything were correct. However, it will also return a JSON with a 'config' dictionary, the 'restriction' string with three possible values: None, IP or Header, and the 'restriction_values' with the list of the IP addresses or domains to allow access, depending on the restriction type chosen.

Objects

IP

The ip score contains the information of looking up the IP in the blacklists.

Parameter Description
score Number describing the result of the algorithm. Negative means 'suspicious' or 'bad' IP. Neutral or positive means it's a 'clean' IP.
blacklist Array containing the blacklists where the IP was found.

domain

The domain object contains the information used in the scoring algorithm.

Parameter Description
score Number describing the result of the algorithm. Negative means 'suspicious' or 'bad' domain. Neutral or positivo means it's a 'clean' domain.
domain JSON structure containing the 'domainname score' object as result of the analysis of the domains.
ip JSON structure containing the 'ip score' object as result of the analysis of the IP of the domain.
source_ip JSON structure containing the 'ip score' object as result of the analysis of the IP origin of the request.

email

The email object contains the information used in the scoring algorithm.

Parameter Description
score Number describing the result of the algorithm. Negative means 'suspicious' or 'bad' domain. Neutral or positive means it's a 'clean' domain.
domain JSON structure containing the 'domainname score' object as result of the analysis of the domains.
ip JSON structure containing the 'ip score' object as result of the analysis of the IP of the domain.
source_ip JSON structure containing the 'ip score' object as result of the analysis of the IP origin of the request.
address JSON structure containing the 'address score' object as result of the analysis of the email.
smtp JSON structure containing the 'smtp score' object as result of the analysis of the email service.
freemail JSON structure containing the 'freemail score' object as result of the analysis of the email provider.
email JSON structure containing the 'email-blacklist score' object as result of the look up in the email blacklists.
disposable JSON structure containing the 'disposable score' object as result of the analysis of the email provider.

geoip

The geoip object contains the information used in Geolocation of an IP.

Parameter Description
longitude Longitude where the IP has been found
latitude Latitude where the IP has been found
hostname Name of the host resolved from the IP
address IPv4 or IPv6 address of the request
continent 2 letter code of the continent.
country ISO 3166-1 Country code.
region Name of the region, by default the english translation in 'region_names'.
city Name of the city, by default the english translation in 'city_names'.
postal Postal code or Zip code
time_zone Time zone of the location
accuracy_radius The approximate radius in kilometers around the latitude and longitude for the geographical entity. -1 if unknown.
continent_geoname_id Id of the continent in the geonames.org database. -1 if the continent cannot be geolocated.
country_geoname_id Id of the country in the geonames.org database. -1 if the country cannot be geolocated.
region_geoname_id Id of the region in the geonames.org database. -1 if the region cannot be geolocated.
city_geoname_id Id of the city in the geonames.org database. -1 if the city cannot be geolocated.
continent_names JSON structure containing the different names of the continent in different languages. Languages are in ISO 639-1. Empty if continent cannot be geolocated.
country_names JSON structure containing the different names of the country in different languages. Languages are in ISO 639-1. Empty if country cannot be geolocated.
region_names JSON structure containing the different names of the region in different languages. Languages are in ISO 639-1. Empty if region cannot be geolocated.
city_names JSON structure containing the different names of the city in different languages. Languages are in ISO 639-1. Empty if city cannot be geolocated.
as JSON structure containing the 'as' object.

as

The AS object contains the information of Autonmous System

Parameter Description
asn AS number
name name of the AS
country ISO 3166-1 Country code
networks Array with the lists of networks of the AS obtained from BGP tables.

asv2

The AS object contains the information of Autonmous System for the v2.0 of the API endpoint.

Parameter Description
asn AS number
name name of the AS
asn_description Full description of the AS
asn_date Date when the AS was registered
asn_registry Local registry that maintains the AS information.
country ISO 3166-1 Country code
networks Array with the lists of networks of the AS obtained from BGP tables.
networks_v4 Array with the lists of ipv4 cidr information. See AS_NETWORK object.
networks_v6 Array with the lists of ipv6 cidr information. See AS_NETWORK object.

as-network

The AS object that contains the information of the CIDR block and the maintainer.

Parameter Description
cidr IPv4 or IPv6 prefix of a block managed by the AS.
description Human readable description of the object.
maintainer Who is the maintainer of the object. It can reference other AS or itself.
updated Who made the last change and when.

domainname score

The domainname score contains the information of testing different subdomains of the main root domain: NS records, MX records and domain blacklists.

Parameter Description
score Number describing the result of the algorithm. Negative means 'suspicious' or 'bad' domain. Neutral or positive means it's a 'clean' domain.
blacklist_ns Array containing the blacklists where the NS domains were found.
blacklist_mx Array containing the blacklists where the MX domains were found.
blacklist Array containing the blacklists where the domain was found.
mx Array with the hosts found in the MX records.
ns Array with the hosts found in the NS records.

ip score

The ip score contains the information of looking up the IP in the blacklists.

Parameter Description
score Number describing the result of the algorithm. Negative means 'suspicious' or 'bad' IP. Neutral or positive means it's a 'clean' IP.
blacklist Array containing the blacklists where the IP was found.
is_quarantined If the IP has been added by the user to the quarantine lists.
address IPv4 or IPv6 resolved.

address score

The address score contains the information of checking the format of the email.

Parameter Description
score Number describing the result of the algorithm. Negative means 'suspicious' or 'bad' email. Neutral or positive means it's a 'clean' email.
is_role The email has the format of a role-based-address. It's not common to allow registration with role-based-addresses.
is_well_formed The email is compliant or not with the standards and could cause issues in some systems.

smtp score

The smtp score contains the information obtained after testing the remote inbox where the email is hosted.

Parameter Description
score Number describing the result of the algorithm. Negative means 'suspicious' or 'bad' email. Neutral or positive means it's a 'clean' email.
exist_mx The SMTP service is reachable using the hosts in the MX records.
exist_address The SMTP service recognizes the email address.
exist_catchall The SMTP service implements a catch-all email feature.
graylisted The SMTP service implements a graylisting feature, so the data in this object should be analyzed before considering it valid.
timedout The SMTP service timed out before completing all the tests. Hence, the data in this object should be considered not valid.

freemail score

The freemail score contains the information of looking up the domain in the lists of Free Email Service Providers.

Parameter Description
score Number describing the result of the algorithm. Negative means 'suspicious' or 'bad' domain. Neutral or positive means it's a 'clean' domain.
is_freemail The domain has been found in any Free Email Service Provider list.

disposable score

The disposable score contains the information of looking up the domain in the lists of Disposable Email Addresses Providers.

Parameter Description
score Number describing the result of the algorithm. Negative means 'suspicious' or 'bad' domain. Neutral or positive means it's a 'clean' domain.
is_disposable The domain has been found in any Disposable Email Address Providers list.

email score

The email score contains the information of looking up the email in the blacklists.

Parameter Description
score Number describing the result of the algorithm. Negative means 'suspicious' or 'bad' email. Neutral or positive means it's a 'clean' email.
blacklist Array containing the blacklists where the email was found.

transaction ip

The transaction ip object contains information about what action was performed on the blacklists/blacklists in the database.

Parameter Description
timestamp The UNIX time in seconds when the transaction was performed.
command 'add' or 'rem'. Type of transaction in the database: ADD to the blacklist or REMove of the blacklist.
ip IP address of the transaction
blacklist_change Blackist added or removed thanks to the transaction.
blacklists List of blacklists after the execution of the command and the blacklist change.

transaction domain

The transaction domain object contains information about what action was performed on the blacklists in the database.

Parameter Description
timestamp The UNIX time in seconds when the transaction was performed.
command 'add' or 'rem'. Type of transaction in the database: ADD to the blacklist or REMove of the blacklist.
domain Domain of the transaction
blacklist_change Blackist added or removed thanks to the transaction.
blacklists List of blacklists after the execution of the command and the blacklist change.

transaction email

The transaction email object contains information about what action was performed on the blacklists in the database.

Parameter Description
timestamp The UNIX time in seconds when the transaction was performed.
command 'add' or 'rem'. Type of transaction in the database: ADD to the blacklist or REMove of the blacklist.
email Email of the transaction
blacklist_change Blackist added or removed thanks to the transaction.
blacklists List of blacklists after the execution of the command and the blacklist change.

whois

Contains many nested lists and objects, detailed below.

Parameter Description
query The IP address
asn Globally unique identifier used for routing information exchange with Autonomous Systems.
asn_cidr Network routing block assigned to an ASN.
asn_country_code ASN assigned country code in ISO 3166-1 format.
asn_date ASN allocation date in ISO 8601 format.
asn_registry ASN assigned regional internet registry.
asn_description The ASN description
network The assigned network for an IP address. May be a parent or child network. See Network object.
entities list of object names referenced by an RIR network. Map these to the objects keys.
objects The objects (entities) referenced by an RIR network or by other entities (depending on depth parameter). Keys are the object names with values as Object.

whois network

The parameters mapped to the network in the objects list within the whois object.

Parameter Description
cidr Network routing block an IP address belongs to.
country Country code registered with the RIR in ISO 3166-1 format.
end_address The last IP address in a network block.
events List of events. See Events object.
handle Unique identifier for a registered object.
ip_version IP protocol version (v4 or v6) of an IP address.
links HTTP/HTTPS links provided for an RIR object.
name The identifier assigned to the network registration for an IP address.
notices List of notice objects. See Notices object.
parent_handle Unique identifier for the parent network of a registered network.
remarks List of remark (notice) dictionaries. See Notices object.
start_address The first IP address in a network block.
status List indicating the state of a registered object.
type The RIR classification of a registered network.

whois object

The parameters mapped to the object (entity) in the objects list within the whois.

Parameter Description
contact Contact information registered with an RIR object. See Object Contact.
entities List of object names referenced by an RIR object. Map these to other objects keys.
events List of event dictionaries. See Events object.
events_actor List of event (no actor) dictionaries. See Events object.
handle Unique identifier for a registered object.
links List of HTTP/HTTPS links provided for an RIR object.
notices List of notice dictionaries. See Notices object.
remarks List of remark (notice) dictionaries. See Notices object.
roles List of roles assigned to a registered object.
status List indicating the state of a registered object.

whois object contact

The contact information registered to an RIR object. This is the contact key contained in Object.

Parameter Description
address List of contact postal address dictionaries. Contains key type and value.
email List of contact email address dictionaries. Contains key type and value.
kind The contact information kind (individual, group, org).
name The contact name.
phone List of contact phone number dictionaries. Contains key type and value.
role The contact’s role.
title The contact’s position or job title.

whois event

Common to lists of events in the registry.

Parameter Description
action The reason for an event.
timestamp The date an event occured in ISO 8601 format.
actor The identifier for an event initiator (if any).

whois notice

Information contained in notices and remarks.

Parameter Description
title The title/header for a notice.
description The description/body of a notice.
links list of HTTP/HTTPS links provided for a notice.

fullip

Information gathered from different sources to describe the reputation of the IP Address.

Parameter Description
geo IP Geolocation object as described in GeoIP
hostname String with the name of a hostname result of a reverse DNS lookup on the IP Address.
baddomain The Domain object contains the information obtained in the scoring algorithm of the hostname.
badip The IP object contains the information obtained in the scoring algorithm of the IP address.
history List of transactions as objects History IP in the IP address blacklist database and the scoring.
whois Full WHOIS information as described in the object WHOIS
score Number describing the result of summarizing each individual scores.

history ip

List of transactions in the blacklist database and the scoring based on when it was inserted.

Parameter Description
score Number describing the result of the algorithm. Negative means the IP was add to any blacklist in the specified time range.
activity List of Transaction IP objects with the activity in the database.
score_1day True if the IP was added in any blacklist in the last 24 hours.
score_7days True if the IP was added in any blacklist in the last 7 days.
score_30days True if the IP was added in any blacklist in the last 30 days.
score_90days True if the IP was added in any blacklist in the last 90 days.
score_180days True if the IP was added in any blacklist in the last 180 days.
score_1year True if the IP was added in any blacklist in the last 365 days.

blacklist

Details about a given blacklist.

Parameter Description
group Sub-group to classify the blacklists.
refresh How often the list is updated. It's a human readable text.
last_update When was the last time the blacklist was updated. Expressed in seconds since 00:00:00 UTC, 1 January 1970 (Unix Time).
visibility If this list is Public or Private.
site The website or internet endpoint where the list was obtained.
type Blacklist type: badip, baddomain or bademail.
description A human readable description of what is this list and its purpose.
source Generic name of the data source.
name Human readable name of the list.
count Number of items in the list.
problem A human readable description of why a user should use the list.
enabled Internal information. Should always be Enabled for end users.

blackliststats

Statistics of the blacklists.

Parameter Description
badip A blackliststatsinfo object with the number of items and lists of type badip.
baddomain A blackliststatsinfo object with the number of items and lists of type baddomain.
bademail A blackliststatsinfo object with the number of items and lists of type bademail.

blackliststatsinfo

Information detail of the blacklists statistics.

Parameter Description
items Number of items in the chosen type.
lists Number of lists in the chosen type.

last_badip_log

Number of IP addresses processed in the last hour, 24 hours and 7 days.

Parameter Description
last_hour An integer with the number of IP addresses processed in the last 60 minutes.
last_24_hours An integer with the number of IP addresses processed in the last 24 hours.
last_7_days An integer with the number of IP addresses processed in the last 7 days.