Documentation

Overview
Authentication
API key
IP authentication
Checking authentication
API Overview
REST Query formats
URLs
DNS Query
Score calculation
Test Cases
IP Addresses
Domains
URLs
Data Sources
Error handling
Error codes
REST Queries
HTTP
Text
JSON
Multiple items
JSONX
Query Score
Propagation Score
Extended element
Subnets
Zones
FQDN Queries
DNSWL data format
DNS API
DNS Lookup access
DNS query
Providers, sources and return codes
Virtual Appliance
Support Inquiries

V1.8

Technical Documentation

July 2018



Overview

Zetascan was created to facilitate the real-time lookup of IP, domain and URL threat data from within various applications and services. Currently there are dozens of domain, IP and URL data feeds available to developers. Many of these feeds are available free of charge and others have a paywall if certain query levels are exceeded. This abundance of data has created its own set of problems when trying to incorporate multiple data feeds into a solution:

  • Many different formats and feeds and scoring values;
  • The overlap between data feed providers in the content listed (IPs & URIs), and
  • The absence of normalized metadata related to the IPs or Domains.

Our clients and partners asked if we could build a solution that would reduce the complexity related to accessing and using threat data. Zetascan now offers multiple methods for querying a vast array of threat data, with modern APIs to enable fast integration into virtually any application or service.

To start, sign up for a developer key by sending an email to test@zetascan.com. Once your account is activated, just add Zetascan into your web-apps and mobile applications. A free trial for 5,000 API queries per day is available for a two month period.

Possible uses of Zetascan are fraud prevention, blocking malicious probes, blog spam filtering, DNS RPZ scanning, DDOS Botnet prevention, and general safeguarding of web sites and applications. The threat data can be used in both open source and commercial resolvers, firewalls, mail servers, routers or combination UTM devices.

Multiple technology partners are developing plug-ins for e-commerce (Prestashop, Magento, WooCommerce), content (Wordpress, Magento, Wix), firewalls (PFSense, Monowall), NAC (PacketFence), Routers (Mikrotik), with many more to come. For additive anti-spam protection, you can integrate Zetascan with SpamAssassin, rSpamD or other spam filters via DNS, as well as with many third party plugins.  Developers can use one of four available API calls over HTTP/HTTPS.

A new section of the Zetascan.com website will list these plugins and deployment guides as they become available.


Authentication

Authentication to Zetascan can be provided via an API key, or by specifying your servers' static IP address.

API key

Make sure to replace YOURAPIKEY with your API key.

To query Zetascan, an API key can be specified as an argument. If you don't have an API key, just sign up and receive a key instantly.

Zetascan uses API keys to allow access to the service, and expects the API key to be included in all requests, if IP authentication is not provided.

curl "https://api.zetascan.com/v2/check/jsonx/1.192.3.153?key=YOURAPIKEY"

Zetascan only accepts the API key using SSL/HTTPS. If using the HTTP interface without SSL, IP authentication must be used.

IP authentication

Alternatively, authentication to Zetascan can be allowed by providing your servers' IP address via the Zetascan dashboard.

Checking authentication

We provide a simple method to check if your requests will be allowed from a given IP or with your API key. You'll get either 'Authorized' or 'Not Authorized'.

curl "https://api.zetascan.com/v2/check/auth?key=YOURAPIKEY"

or, to check an IP address:

curl http://api.zetascan.com/v2/check/auth


API Overview

REST Query formats

Query end-points include 4 formatting options:

https://api.zetascan.com/v2/check/http/

https://api.zetascan.com/v2/check/text/

https://api.zetascan.com/v2/check/json/

https://api.zetascan.com/v2/check/jsonx/

You can issue requests to our endpoints from virtually any operating system or programming language. REST queries are extremely fast and provide the richest set of information about an item.

Each client has a unique API access key, generated by the system. You need to provide this key, if querying from an unregistered IP address.

There are four types of REST queries:

HTTP - response is returned in HTTP headers

Text - clear text response (comma, semicolon and space delimited)

JSON - JSON-formatted document

JSONx - JSON-formatted document with additional (eXtended) data about items.

The type of desired query is passed in the HTTP request. The version of the API is now v2. We are constantly adding new features to the API, and will increase the API version number on major new releases. You can use the latest version (recommended), or stick with a previous one as we maintain backward compatibility.

URLs

The above endpoints can be used to check URLs by adding /url/{encodedURL}.
For example, to check http://baddomain.org/do/not/go/there, send the following request:

http://api.zetascan.com/v2/check/json/url/http%3A%2F%2Fbaddomain.org%2Fdo%2Fnot%2Fgo%2Fthere

Note: You can omit the protocol (http://), and also the “www.” in the URL.

DNS Query

DNS queries are another fast and effective way to query Zetascan. Using DNS TXT queries you can get the same response as with a REST Text request. DNS is a perfect way to integrate Zetascan with anti-spam filters. We support an rbldnsd-like response format with options for A, AAAA and TXT queries. Simply add Zetascan to the list of RBLs used by your mail server.


Score calculation

Zetascan provides two scoring mechanisms to grade an IP or domain-name for abuse, anti-spam measures and trustworthiness.

A negative score, like -0.1, means that an item was matched on a known trusted white-list.

If a score is 0, the item is not found within Zetascan and can be considered neutral.

A score between 0 - 1.0 is a rating on the specified domain or IP address.  Scores above 0.35 should be considered as bad, spammy or fraudulent.

See the data sources chapter for more information on feeds used to calculate the scores.

webscore

Webscore is returned by all query methods, except DNS A and AAAA queries. It is used to determine a score for integrating your web-application, mobile-app or protecting your application infrastructure.

score

Score is also returned by all query methods, and is used to check a specified IP or domain-name for anti-spam abuse via SMTP, which is useful for MTAs and spam-filters. This score takes into consideration email abuse, and uses a different algorithm from the 'webscore' key.


Test Points

IP Addresses

We provide four IPv4 and four IPv6 addresses, which will always return the same answers. Use these for testing and development:

127.9.9.1 - returning as if found in Abusix and Return Path

127.9.9.2 - returning as if in nszDYN

127.9.9.3 - returning as if in nszSBL subnet (127.9.9.3/32)

127.9.9.4 - good IP, found in DNSWL

::1, ::2, ::3, ::4 - returning as above for IPv6

127.0.0.2 - will always return 127.0.0.2 when queried over DNS. This maintains compatibility with systems that periodically check if DNSBLs are live by checking for a response to this lookup.

Domains

We provide two testing domains:
baddomain.org - returns as if found in domain BL's: nszUBL and all URIBL
okdomain.org - returns as if found in White List(s).        

URLs

The following item can be used to test URLs. It must be URL encoded:

http://baddomain.org/do/not/go/there

The full query (JSON) is:
http://api.zetascan.com/v2/check/json/url/http%3A%2F%2Fbaddomain.org%2Fdo%2Fnot%2Fgo%2Fthere


Data Sources

Currently we derive our results from more than 15 providers, including:

  • Abusix – real-time threat detection – both IP’s & domains
  • Return Path - IP addresses and Domains White Lists
  • Return Path - IP addresses Black List
  • URIBL - different levels of Domain Black Lists and a Domain White List
  • DNSWL - IP addresses White List
  • Vade Secure - Domains Black List – mostly phishing
  • Vade Secure – URL Black List
  • GBUDB – IP Black List
  • Tor Nodes – Tor exit points
  • Junk Mail Filter – IP of known spam sources
  • Lashback – Unsubscribe Spam
  • Manitu.de, and many others.

We also apply internal algorithms for de-duplicating, normalizing and scoring each item in our database, providing a seamless and reliable API endpoint for your application.

Zetascan queries are answered extremely fast; expect no longer than 10 milliseconds for a query reply. However, network latency can affect performance.

A Zetascan virtual appliance is also available for on-premises installation for super-fast access. Please contact us for details about that option.

All our sources are updated in real time, with intervals ranging from 5 seconds to several minutes, depending on the threat data supplier.  Some suppliers also offer us real-time streams, ensuring that you are always accessing the most accurate threat information without the traditional latency of the old rbldnsd/rsync models utilized by other providers.


Error handling

When querying Zetascan, the following HTTP status codes and error codes will be returned if the query or authentication failed.  Each query format (Text, HTTP, JSON/JSONx) will embed any error messages in the returned data.
Specific examples of error handling are provided with each query format.

Error codes

1 - HTTP 404 - Invalid request - the REST path was wrong, e.g. /v2/check/gson/domain.com (gson instead of json). It appears in the message body and in the x-zetascan-error header. This is the only error that appears like that, others appear in the specified format as per the documentation.
2 - HTTP 404 - Missing IP/Domain argument
3 - HTTP 404 - Failed to parse query item
4 - HTTP 403 - HTTPS required to supply API key
5 - HTTP 403 - Not authorized (request to invalid host, route, port or method, or API method not supported)
6 - HTTP 403 - Not authorized (request from invalid IP address or with an invalid key)
7 - HTTP 403 - Wrong API Key supplied
8 - HTTP 404 - HTTP GET request required for queries
9 - HTTP 403 - Query limit exceeded

REST HTTP API (error returned in headers):
x-zetascan-errorCode: 6
x-zetascan-errorMessage: Not authorized
x-zetascan-status: forbidden


REST TEXT API (error returned in response body):

error:Not_authorized;6


REST JSON/JSONX API (error returned as JSON):
{"error": 
  {"message": "Not authorized",
  "errorCode": 6}
}


REST Queries

HTTP

HTTP returns a very simple response - found or not, via HTTP response code.
If found, the response will be 200 (OK).
If the item is not present in any black-list/white-list, then the answer will be 204 (No Content).

Additional information about the item is found in the response headers.
This API method is very fast and easy to parse from any browser or application.

HTTP Header              Description
x-zetascan-items         The argument used to query Zetascan
x-zetascan-score         The score returned for the query, used for MTA and SMTP anti-spam measures
x-zetascan-webscore      The score returned for the query, used for Web and application anti-abuse. Note the differences between web-score and score, see the score calculation for more information.
x-zetascan-sources       A list of sources the query is obtained from, delimited by a semicolon. See the source references for more information.
x-zetascan-time          Epoch time of response for the query
x-zetascan-wl            A list of sources matched if the query is listed in a white-list.
x-zetascan-status        Returns "success", otherwise "forbidden" or "error"
x-zetascan-fromParent    True if item is subdomain of a malicious domain and only the parent was found.
x-zetascan-errorCode     Error code
x-zetascan-errorMessage  Error message


Example:
curl -i https://api.zetascan.com/v2/check/http/127.9.9.4?key=YOURAPIKEY

Response (Zetascan headers only):
HTTP/1.1 200 OK
x-zetascan-items: 127.9.9.4
x-zetascan-status: success
x-zetascan-score: -0.1
x-zetascan-sources: DNSWL
x-zetascan-wl: null
x-zetascan-time: 1525095600
x-zetascan-webscore: -0.1
x-zetascan-fromParent: null


Text

TEXT returns space-separated blocks of information about the lists where the item is found.

Text example - replace 'baddomain.org' with your query - IP or domain:

curl https://api.zetascan.com/v2/check/text/baddomain.org?key=YOURAPIKEY
Response:
baddomain.org:true,false,,1,1,gold,red,grey,black,nszubl

Format

Items are separated by space. The format for each item is:
item;parent:bool,bool,wldata,score,webscore,sources

Where:

  • item or item;parent is the item from the request, or the item and its parent domain (see FQDN below).
  • the first bool is true, if found in any black or white list.
  • the second bool is true, if found in any white list.
  • wldata contains the data from the white list (if present)
  • score, returns the score used for MTA/anti-spam abuse.
  • webscore, the returned score for web/application abuse.
  • sources, a comma-separated list of sources where the item was found.

Error handling

If an error occurs using the text query, the data returned will contain the item, the string 'error', an error message and a specific error-code.

Example authentication error:
127.9.9.1:error:Wrong_API_Key;7

Malformed query:
127.a.b.4:error:Failed_to_parse_query's_item;3


JSON

This type of query will return a JSON response including if the item is found on a black-list/white-list, score, sources, etc. Refer to the table below for each field explanation.

Example JSON return string:

{
   "results":[{
       "item":"baddomain.org",
       "found":true,
       "score":1,
       "webscore":0.6,
       "fromSubnet":false,
       "sources":
           ["shDBL","ubGrey","ubGold","ubRed","ubBlack"],
       "wl":false,
       "wldata":"",
       "lastModified":1500972200
       }],
   "executionTime":1,
   "status":"success"
}

The `found` key will be true if the item is hit in a black-list or white-list. Test the `wl` key to determine whether the item is contained within a white-list.
If the score or webscore value is > 0 and `wl` is false, the item is contained within a black-list.

Key            Description
item           Query value (IP or domain)
found          True/False if matched in a white-list/black-list.
score          Score between a negative decimal number like -0.2 to 1.0 for MTA/Anti-spam abuse. See score information
webscore       Score between a negative decimal number to 1.0 for Web/application abuse.
fromSubnet     Will be true, if the IP address was found in a subnet (PBL, SBL)
sources        Black-Lists matched from Zetascan. See list information.
wl             If the item matches a white-list.
wldata         White-Lists matched from Zetascan. See list information.
executionTime  ExecutionTime
success        Success or failure

Error Handling
If an error occurred, the JSON response will return an error code, message and status within the JSON object.

Malformed query example:
curl https://api.zetascan.com/v2/check/json/malformedquery?key=YOURAPIKEY

Response:

{"results":
   [{"item":"malformedquery",
     "error":{
       "message":"Failed to parse query's item",
       "errorCode":3
       }
   }],
   ...
}

Multiple items

You can send multiple items in a single request by passing a comma-separated list of IPs or domains. This will speed up the overall time for answering your query.

The JSON format will contain a response for each queried item within the results array.

curl http://api.zetascan.com/v2/check/json/127.9.9.1,127.9.9.2

Response:
{"results":
   [{
   "item":"127.9.9.1",
   ...
   },{
   "item":"127.9.9.2",
   ...
   }],
"executionTime":1,
"status":"success"
}


JSONX

JSONx also returns a JSON document, extended with additional information about the last known activity of a fraudulent IP address. The JSONx format only supports IP addresses and not domain queries.

Use JSONx if you require extended information regarding the queried host. Note that this format may require slightly more time for processing at the server and in the client, due to the rich information it provides.

If you don’t need the extra information in this format, always prefer one of the other formats.

JSONx response

Responses include additional information about an IP address with fraudulent activity.
This information is found in the 'extended' field.
The 'extended' element contains information about the type of malicious activity and is also reserved for future use.

"extended": {
     "class": "botnet"
},
"queryScore": 2.83,
"propagationScore": 0.8,
"subnets": [{"subnet": "95.42.0.0/16","sources": ["nszDYN"]}]
   

The JSONx format will always return the `extended` element, regardless of whether additional information is available.

Note: queryScore, propagationScore and subnets may not be present in the response, if no data is available.


Query Score

JSONX response also contains a queryScore parameter.  This shows a floating number, which is affected in real time by the number of queries for that item.  The higher the number, the bigger the probability that malicious activity is performed from this domain or IP at the moment.

"queryScore": 2.83

Propagation Score

This key shows a number up to 1, showing the speed of detection of the item across different providers. It also indicates that the IP or domain is currently sending spam or is being detected as malware.

"propagationScore": 0.8


Extended element

This element contains information about the type (class) of the threat.

In a future release it may include additional information, such as IP address, ASN and CIDR, when it was first detected and when was the last activity from this IP address. The possible categories are:

Parameter                                   Description
botnet                                      Botnet
noauth                                      No Authentication
noauth+botnet                               Combination of the above
pristine                                    Known spam sources
pristine+noauth+botnet                      Combination of the above
pristine+noauth                             Combination of the above
suspect_attachments                         Suspicious attachment
suspect_attachments+botnet                  Combination of the above
suspect_attachments+noauth                  Combination of the above
suspect_attachments+noauth+botnet           Combination of the above
suspect_attachments+pristine+noauth         Combination of the above
suspect_attachments+pristine+noauth+botnet  Combination of the above
suspect_attachments+pristine+botnet         Combination of the above

Subnets

This element lists all the subnets where an item is found.
"subnets": [
    {
    "subnet": "95.42.0.0/16",
    "sources": ["nszDYN"]
    }]


Zones


Zetascan provides four zones, which group together results from several trusted providers.

These are:

  • combined – includes IP Black Lists and dynamically assigned IP addresses (which should never send email directly). This zone is a combination of the black and dynamic zones.
  • black – IP Black Lists
  • dblack – Domain Black Lists
  • dynamic – dynamically assigned IP addresses and IPs that should not be connecting directly to MXs.
  • white – returns items found in white lists. NOTE: using this zone may sometimes also return items found on both white and black lists.

To filter the results from Zetascan by zones, add a ‘zone={zone}’ parameter to the REST queries, e.g.:
https://api.zetascan.com/v2/check/jsonx/127.9.9.1?zone=combined

{"results":[
  {"item":"127.9.9.1",
  "found":true,
  "score":1,
  "webscore":0.7,
  "fromSubnet":false,
  "sources":["absx","rpbl"],
  "wl":false,
  "wldata":"",
  "lastModified":1531477800,
  "lastModifiedUTC":"2018-07-13 13:30:00"}],
  "executionTime":2,
"status":"success"}

See below how to query zones via DNS.

FQDN Queries


We now support sub-domains (FQDN queries). Some Black Lists and White Lists have sub-domains listed.  If the item is not a direct hit, we will check the parent domain. For example:

https://api.zetascan.com/v2/check/{json/jsonx/http/text}/test.baddomain.org

Check the fromParent key with JSON / JSONx, the x-zetascan-fromParent header with HTTP and the item part in a TEXT query, where the parent will appear separated by semicolon.

{"results":[
  {"item":"test.baddomain.org",
  "found":true,
  "score":1,
  "webscore":0.6,
  "fromSubnet":false,
  "sources":["shDBL","ubGrey","ubGold","ubRed","ubBlack"],
  "wl":false,
  "wldata":"",
  "lastModified":1500970900,
  "fromParent":"baddomain.org"}],
  "executionTime":1,
"status":"success"}

DNSWL data format

The White List data can have two formats:

"wldata":"1004" or "wldata":"med;domain.com;id". 1004 is a special case of so-called auto-promoted IP addresses. Their reputation is based on automatic detection.

The second format has 3 parts: ranking, domain and ID.

  • Ranking can be low, med or high;
  • Domain is the registered DNS name of the IP address owner;
  • ID can be used to find out more information about the organization at https://www.dnswl.org/s/?s=ID

Note: the "wldata" field will be an empty string or may be missing, if "wl" is false.
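The JSON rules above (the request-level and per-item error objects, found/wl, the 0.35 threshold, fromParent and the two wldata layouts) applied to a response body, as an added example that is not Zetascan's own client code. The function names, the verdict labels and the handling of an item that is both white-listed and positively scored are assumptions of this example; the sample bodies are constructed from the responses shown on this page.

```python
import json

BAD_THRESHOLD = 0.35   # page: scores above 0.35 are bad, spammy or fraudulent


class ZetascanError(Exception):
    """Request-level failure: the body is {"error": {...}} with no results."""
    def __init__(self, code, message):
        super().__init__(f"Zetascan error {code}: {message}")
        self.code = code


def parse_wldata(wldata):
    """Split the white-list field: "1004" or "ranking;domain;id"."""
    if not wldata:
        return None                      # empty or missing when wl is false
    if wldata == "1004":
        return {"auto_promoted": True}
    parts = wldata.split(";")
    if len(parts) != 3:
        return {"raw": wldata}           # unknown layout: keep it, do not guess
    return {"auto_promoted": False, "ranking": parts[0],
            "domain": parts[1], "id": parts[2]}


def verdict(result, use="web"):
    """Classify one results[] entry; use="web" reads webscore, else score."""
    if "error" in result:
        return "error"
    value = result.get("webscore" if use == "web" else "score", 0)
    whitelisted = bool(result.get("wl"))
    if value > 0:
        if whitelisted:
            return "conflict"            # on white and black lists: do not auto-trust
        return "bad" if value > BAD_THRESHOLD else "listed-low"
    if whitelisted or value < 0:
        return "trusted"
    return "neutral"                     # score 0: not found in Zetascan


def evaluate(body, use="web"):
    doc = json.loads(body)
    if "error" in doc:                   # e.g. errorCode 6, Not authorized
        err = doc["error"]
        raise ZetascanError(err.get("errorCode"), err.get("message"))
    return [{
        "item": r.get("item"),
        "verdict": verdict(r, use),
        "error_code": r.get("error", {}).get("errorCode"),
        "matched_parent": r.get("fromParent"),
        "whitelist": parse_wldata(r.get("wldata", "")),
    } for r in doc.get("results", [])]


# Constructed multi-item body: the FQDN sample from this page, a malformed
# item, and a white-listed item with a made-up wldata value.
SAMPLE_MULTI = """{"results":[
 {"item":"test.baddomain.org","found":true,"score":1,"webscore":0.6,
  "fromSubnet":false,"sources":["shDBL","ubGrey"],"wl":false,"wldata":"",
  "fromParent":"baddomain.org"},
 {"item":"malformedquery",
  "error":{"message":"Failed to parse query's item","errorCode":3}},
 {"item":"127.9.9.4","found":true,"score":-0.1,"webscore":-0.1,
  "sources":["dnsWL"],"wl":true,"wldata":"med;example.org;0000"}],
 "executionTime":1,"status":"success"}"""
SAMPLE_DENIED = '{"error": {"message": "Not authorized", "errorCode": 6}}'

if __name__ == "__main__":
    for row in evaluate(SAMPLE_MULTI):
        print(row)
```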


DNS API

Zetascan provides an rbldns-type service that combines the information from all the sources we aggregate.   This can be used for abuse protection.
Multiple query formats are supported, with DNS type records A (IPv4), AAAA (IPv6) and TXT returned.

IMPORTANT NOTE: you should only use the zones endpoints for MTA/SMTP software and anti-spam lookups; otherwise White List results will cause the message to be rejected, unless your software can be configured to only act on specific responses.

DNS Lookup access

Zetascan provides lookup access for a domain or IP address against the *.{APIKEY}.api.zetascan.com FQDN.

 Your API-key must be provided as part of the domain-name query.

DNS query

Domain query:

dig A baddomain.org.{key}.api.zetascan.com

IPv4 query (213.189.1.4), note the IP must be reversed:

dig TXT 4.1.189.213.{key}.api.zetascan.com

IPv6 query, note the IP must be reversed and expanded:

dig AAAA 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.b.a.9.8.7.6.5.4.3.2.1.{key}.api.zetascan.com

Using the domain query will access your ISP or specified name-server as the resolver. This method may cache results, and performance will vary depending on the upline nameserver.

TXT format

When querying for the DNS TXT type, if the domain/IP is matched, extended information will be returned for the query.

Query:
dig +short TXT 4.9.9.127.{key}.api.zetascan.com
Returned response:
"127.9.9.4:true,true,10;med;zetascan.com;99999,-0.1,-0.1,dnswl"

The response will be the same format as the REST TEXT Query.
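A parser for that shared format, covering both the REST Text body and the DNS TXT string, as an added example that is not Zetascan's own code. The class and function names are assumptions; the inputs marked as constructed are not captured responses, and the way an IPv6 item is printed in a block is assumed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TextResult:
    item: str
    parent: Optional[str] = None       # parent domain on an FQDN fallback
    found: bool = False                # listed on any black or white list
    whitelisted: bool = False          # listed on a white list
    wldata: str = ""
    score: Optional[float] = None      # MTA / anti-spam score
    webscore: Optional[float] = None   # web / application score
    sources: List[str] = field(default_factory=list)
    error: Optional[str] = None
    error_code: Optional[int] = None


def parse_block(block: str) -> TextResult:
    """Parse one block: item[;parent]:bool,bool,wldata,score,webscore,sources"""
    # A request-level failure has no item prefix, e.g. error:Not_authorized;6
    if block.startswith("error:"):
        block = ":" + block
    marker = block.rfind(":error:")
    if marker != -1:
        message, _, code = block[marker + len(":error:"):].rpartition(";")
        return TextResult(item=block[:marker],
                          error=message.replace("_", " "),
                          error_code=int(code))
    # Split on the LAST colon: an IPv6 item contains colons, the payload does not.
    head, sep, payload = block.rpartition(":")
    fields = payload.split(",")
    if not sep or len(fields) < 5:
        raise ValueError(f"not a Zetascan text block: {block!r}")
    item, _, parent = head.partition(";")
    return TextResult(
        item=item,
        parent=parent or None,
        found=fields[0] == "true",
        whitelisted=fields[1] == "true",
        wldata=fields[2],              # may itself contain ';' separators
        score=float(fields[3]),
        webscore=float(fields[4]),
        sources=[s for s in fields[5:] if s],
    )


def parse_text_response(body: str) -> List[TextResult]:
    """Parse a REST text body or a DNS TXT string (dig wraps it in quotes)."""
    return [parse_block(b) for b in body.strip().strip('"').split()]


# Constructed multi-item body: an FQDN hit on its parent, an IPv6 item and
# a malformed item, separated by spaces as the format section describes.
SAMPLE_BODY = ("test.baddomain.org;baddomain.org:true,false,,1,0.6,shdbl "
               "::1:true,false,,1,0.7,absx,rpbl "
               "127.a.b.4:error:Failed_to_parse_query's_item;3")

if __name__ == "__main__":
    for result in parse_text_response(SAMPLE_BODY):
        print(result)
```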

A/AAAA formats
See the providers table below for possible response codes.

DNS query with zones
To query zones, add the zone name between the key and the DNS host name:
dig +short 1.9.9.127.{key}.combined.api.zetascan.com
dig +short baddomain.org.{key}.dblack.api.zetascan.com


Response codes for DNS Zone queries are:
127.0.0.2 - Black-listed IP Address
127.0.0.11 - Dynamically assigned (Policy) IP address
127.0.1.2 - Black-listed domains
127.0.2.1 - White-listed domains and IP’s
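Building the query names described above (reversed IPv4, reversed and expanded IPv6, optional zone label) and acting only on specific zone answer codes, as the important note at the top of this section requires. This is an added example, not Zetascan's own code: the function names and the accept/reject/review policy are assumptions, and it performs no network lookups.

```python
import ipaddress

API_SUFFIX = "api.zetascan.com"
ZONES = {"combined", "black", "dblack", "dynamic", "white"}

# Zone answer codes as listed on this page.
ZONE_CODES = {
    "127.0.0.2": "black-listed IP address",
    "127.0.0.11": "dynamically assigned (policy) IP address",
    "127.0.1.2": "black-listed domain",
    "127.0.2.1": "white-listed domain or IP",
}
WHITELIST_CODE = "127.0.2.1"


def query_name(item, key, zone=None):
    """Return the DNS name to look up for an IP address or domain."""
    try:
        addr = ipaddress.ip_address(item)
    except ValueError:
        label = item.rstrip(".")                     # domain: used as given
    else:
        if addr.version == 4:
            label = ".".join(reversed(str(addr).split(".")))
        else:
            # Expand to all 32 hex digits, then reverse digit by digit.
            label = ".".join(reversed(addr.exploded.replace(":", "")))
    if zone is not None and zone not in ZONES:
        raise ValueError(f"unknown zone: {zone!r}")
    parts = [label, key] + ([zone] if zone else []) + [API_SUFFIX]
    return ".".join(parts)


def zone_decision(answers):
    """Map the A records of a zone query to an action (example policy).

    A white-list answer alone never rejects; a mix of white and black
    answers, or a code outside the zone table, goes to review.
    """
    codes = set(answers)
    if not codes:
        return "not-listed"
    if codes - set(ZONE_CODES):
        return "review"
    if WHITELIST_CODE in codes:
        return "accept" if codes == {WHITELIST_CODE} else "review"
    return "reject"


if __name__ == "__main__":
    print(query_name("213.189.1.4", "YOURAPIKEY"))
    print(query_name("1234:5678:9abc::", "YOURAPIKEY"))
    print(query_name("127.9.9.1", "YOURAPIKEY", zone="combined"))
    print(zone_decision(["127.0.2.1"]))
```

The key travels as a label of the query name, so every resolver that handles the lookup sees it.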

Providers, sources and return codes

The table lists all Zetascan Providers and Sources with their abbreviation and codes for HTTP/Text, JSON/JSONx and DNS (A/AAAA) queries. Items in Red are Black Lists, while items in Green are White Lists.

Provider         Source           HTTP/Text  Json/JsonX  DNS A       DNS AAAA               Score
URIBL            Gold             GOLD       ubGold      127.1.0.2   2002::0001:0000:0002   0.15
URIBL            Red              RED        ubRed       127.1.0.4   2002::0001:0000:0004   0.1
URIBL            Grey             GREY       ubGrey      127.1.0.3   2002::0001:0000:0003   0.05
URIBL            Black            BLACK      ubBlack     127.1.0.1   2002::0001:0000:0001   0.4
URIBL            White            WHITE      ubWhite     127.1.0.5   2002::0001:0000:0005   -0.1
Return Path      White list       RPWL       rpWL        127.3.0.1   2001::0003:0000:0001   -0.6
Vade Secure      Domains          VADE       vade        127.4.0.1   2002::0004:0000:0001   0.8
Vade Secure      URLs             VADE       vade        127.4.0.2   2002::0004:0000:0002   0.8
Lashback         Lashback         Lback      lBack       127.5.0.1   2002::0005:0000:0001   0.5
UceProtect       BackScatterer    UPBS       upBS        127.6.0.1   2002::0006:0000:0001   0.4
UceProtect       White            UPWL       upWL        127.6.0.2   2002::0006:0000:0002   -0.1
UceProtect       Dns1             UPBL1      upBL1       127.6.0.3   2002::0006:0000:0003   0.3
UceProtect       Dns2             UPBL2      upBL2       127.6.0.4   2002::0006:0000:0004   0.2
UceProtect       Dns3             UPBL3      upBL3       127.6.0.5   2002::0006:0000:0005   0.1
InterServer      IPBL             ISBL       isBL        127.7.0.1   2002::0007:0000:0001   0.3
DNSWL*           DNSWL            DNSWL      dnsWL       127.8.x.x   2001::0008:xxxx:xxxx   -0.2
nsZones          Dyn (Public)     NSZDYN     nszDYN      127.9.0.1   2002::0009:0000:0001   0.2
nsZones          SBL              NSZSBL     nszSBL      127.9.0.2   2002::0009:0000:0002   0.4
nsZones          UBL              NSZUBL     nszUBL      127.9.0.3   2002::0009:0000:0003   0.3
nsZones          White            NSZWL      nszWL       127.9.0.4   2002::0009:0000:0004   -0.1
Torlist          Tor nodes        TOR        tor         127.10.0.1  2002::0010:0000:0001   0.4
Abusix           Real time IP BL  ABSX       absx        127.11.0.1  2002::0011:0000:0001   0.7
Threatwave       Real time IP BL  TW         tw          127.11.0.2  2002::0011:0000:0002   0.4
Abusix           Abusix2          ABSX2      absx2       127.11.0.3  2002::0011:0000:0003   0.7
Junkmail Filter  JMF              JMF        jmf         127.12.0.1  2002::0012:0000:0001   0.5
PSBL             PSBL             PSBL       psbl        127.13.0.1  2002::0013:0000:0001   0.3
Manitu           Manitu           MAN        man         127.14.0.1  2002::0014:0000:0001   0.4
Abuse.ch         Feudo Bad IP     ABCF       abcf        127.15.0.1  2002::0015:0000:0001   0.6
Abuse.ch         Feudo Domain     ABCF       abcf        127.15.1.1  2002::0015:0001:0001   0.6
Abuse.ch         Feudo IP         ABCF       abcf        127.15.2.1  2002::0015:0002:0001   0.6
Abuse.ch         Ransom domains   ABCR       abcr        127.15.3.1  2002::0015:0003:0001   0.6
Abuse.ch         Ransom IPs       ABCR       abcr        127.15.4.1  2002::0015:0004:0001   0.6
Abuse.ch         Ransom URL       ABCZ       abcf        127.15.5.1  2002::0015:0005:0001   0.6
Abuse.ch         Zeus Domains     ABCZ       abcf        127.15.6.1  2002::0015:0006:0001   0.6
Abuse.ch         Zeus IPs         ABCZ       abcz        127.15.7.1  2002::0015:0007:0001   0.6
GBUDB            IP BL            GBU        Gbu         127.16.0.1  2002::0016:0000:0001   0.4
Return Path      IP BL            RPBL       Rpbl        127.17.0.1  2002::0017:0000:0001   0.5
0Spam            0spam            0spam      0spam       127.18.0.1  2002::0018:0000:0001   0.4


* See the tables below for more information about return codes for DNSWL and Return Path.


127.8.x.x - DNSWL (IP White List)

Parameter        Description
127.8.x.1        None, auto-discovered
127.8.x.2        Low ranking
127.8.x.3        Medium ranking
127.8.x.4        High ranking

Where the third digit (x) means the type of industry:
Parameter        Description
2                Financial services
3                Email Service Providers
4                Organizations (both for-profit [i.e. companies] and non-profit)
5                Service/network providers
6                Personal/private servers
7                Travel/leisure industry
8                Public sector/governments
9                Media and Tech companies
10                Some special cases
11                Education, academic
12                Healthcare
13                Manufacturing/Industrial
14                Retail/Wholesale/Services
15                Email Marketing Providers
20                Added through Self Service without specific category

Virtual Appliance


Zetascan also now offers a Virtual Appliance (Dockerized version of Zetascan) for installation on premises to speed up response time by eliminating network latency. With this appliance, you will get very high speed and reliability.

The requirements for the host are Debian / Ubuntu Linux, at least 16GB RAM, 100 GB disk space.

Please contact us for more details and pricing.

Support Inquiries

support@zetascan.com