Specifications | Threat Intelligence Data Feeds | WhoisXML API

Specifications

This data feed subscription is licensed to you or your organization only, you may not resell or relicense the data without explicit written permission from Whois API LLC. Any violation will be prosecuted to the fullest extent of the law.

There are 10 different types of data in the daily export. Each data feed is published daily at 3 AM UTC.

1. Malicious IPv4/IPv6 address data feeds

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
malicious-ips.v4.csv.gz 5.5MB 32MB 1,004,672
malicious-ips.v4.jsonl.gz 6.2MB 67MB 1,004,672
malicious-ips.v6.csv.gz 5.6MB 39MB 1,009,224
malicious-ips.v6.jsonl.gz 6.3MB 74MB 1,009,224

Output format

ip,threatType,lastSeen
203.0.113.1,malware,1678372385
2001:0db8:85a3::8a2e:0370:7334,spam,1678372385
...

Output parameters

ip
IoC: IPv4 and IPv6 addresses. IPv6 feed also contains IPv4 addresses represented in the IPv6 notation.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
lastSeen
UNIX timestamp when the activity was detected last time.

2. Malicious domain name data feed

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
malicious-domains.csv.gz 39MB 286MB 6,957,036
malicious-domains.jsonl.gz 42MB 558MB 6,957,036

Output format

domainName,threatType,lastSeen
example.com,malware,1678372385
example.org,spam,1678372385
...

Output parameters

domainName
IoC: domain name.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
lastSeen
UNIX timestamp when the activity was detected last time.

3. Malicious URL data feed

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
malicious-urls.csv.gz 42MB 116MB 1,073,285
malicious-urls.jsonl.gz 44MB 165MB 1,073,285

Output format

url,host,threatType,lastSeen
"example.com/wp-admin.php?hack_me=1”,”example.com”,malware,1678372385
"/bad_path/bad_file.php”,””,malware,1678372385
...

Output parameters

url
IoC: URL. It might be absolute (https://example.com/files/badfile.php) or relative (/files/badfile.php). Relative URLs do not have a corresponding domainName field.
host
Domain name or IP for absolute URLs.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
lastSeen
UNIX timestamp when the activity was detected last time.

4. Malicious file hash data feed

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
malicious-file-hashes.csv.gz 13MB 35MB 639,141
malicious-file-hashes.jsonl.gz 13MB 64MB 639,141

Output format

hash,algo,threatType,lastSeen
1118d9c97f4ababe8ffcecef0946bcc8,md5,malware,1678372385
930619bc49c9836d26a3a2b75a3db93934d26fcb,sha1,malware,1678372385
...

Output parameters

hash
IoC: file's checksum. The hashing algorithm is determined by the algorithm field.
algo
The algorithm used to generate the value in the hash field: md5 or sha1.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
lastSeen
UNIX timestamp when the activity was detected last time.

5. Hosts files

A denylist in the hosts file format containing malicious domain names mapped to 0.0.0.0, to block access to them. Compatible with most operating systems. The denylist contains the IoCs active the day before the export.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
hosts.gz 34MB 211MB 6,813,347

Output format

...
0.0.0.0 example.com
0.0.0.0 example.org
...

6. Nginx ngx_http_access_module compatible IPv4/IPv6 denylists in CIDR notation

A list containing IPv4 and IPv6 ranges in CIDR notation formatted for the ngx_http_access_module. The file can be used in Nginx configuration to block malicious IP addresses. The denylist contains the IoCs active the day before the export.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
nginx-access.v4.gz 5.1MB 30MB 1,352,895
nginx-access.v6.gz 5.6MB 44MB 1,499,909

Output format

...
deny 203.0.113.1;
deny 2001:0db8:85a3::8a2e:0370:7334;
...

7. Raw IPv4/IPv6 denylists

A plain text denylist containing IPv4/IPv6 addresses to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
deny-ips.v4.gz 3.1MB 13MB 929,017
deny-ips.v6.gz 3.4MB 19MB 933,565

Output format

...
203.0.113.1
2001:0db8:85a3::8a2e:0370:7334
...

8. Raw domain denylist

A plain text file containing domains to block. Can be used in web server or firewall configuration. The denylist contains the IoCs active the day before the export.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
deny-domains.gz 32MB 159MB 6,813,347

Output format

...
example.com
example.org
...

9. Raw CIDR denylist

A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration. The denylist contains all the active IoCs for the last 24 hours.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
deny-cidrs.v4.gz 4.6MB 23MB 1,352,895
deny-cidrs.v6.gz 5.5MB 36MB 1,499,909

Output format

...
deny 1.0.0.0/32;
deny 1.0.1.21/32;
...

10. Malicious IPv4/IPv6 ranges in CIDR notation data feeds

A plain text denylist containing IP address ranges in CIDR notation to block. Can be used in web server or firewall configuration.

Average file sizes

Filename suffix Avg. gzipped file size Avg. unpacked file size Records
malicious-cidrs.v4.csv.gz 9.5MB 64MB 1,853,752
malicious-cidrs.v4.jsonl.gz 11MB 133MB 1,853,752
malicious-cidrs.v6.csv.gz 11MB 83MB 2,000,874
malicious-cidrs.v6.jsonl.gz 12MB 158MB 2,000,874

Output format

cidr,threatType,lastSeen
1.0.0.0/32,attack,1678412656
1.0.1.21/32,attack,1678360646
...

Output parameters

cidr
IoC: IPv4 and IPv6 ranges in CIDR notation. IPv6 feed also contains IPv4 ranges represented in the IPv6 notation.
threatType
The threat type associated with the IoC. One of the following: attack, botnet, c2, malware, phishing, spam, suspicious, tor, generic.
lastSeen
UNIX timestamp when the activity was detected last time.

Downloading via HTTPS

Downloading via FTP

Downloading via FTPs

Read more about the FTPS connection: https://en.wikipedia.org/wiki/FTPS.

Our FTP server supports explicit FTP over TLS encryption. You may configure your FTP client to use explicit FTP over TLS encryption for secure communications.

Our FTPS server is accessed using the same paths and API keys as a regular FTP server, the instructions for which are described above. To connect via FTPS, select the "Require explicit FTP over TLS" encryption option in your FTP client, if it supports it. FileZilla configuration example:

explicit FTP over TLS encryption