Threat Intelligence Services: IP Reputation Intelligence

The continuing growth of botnets brings a new challenge for applications and systems — to ensure that the host you are transacting with really is ‘trustworthy’ and not compromised by malware.

Cyren’s IP Reputation Intelligence feed provides information on hosts discovered in the last 24 hours that are infected by malware and used as ‘zombies’ by botnets. Data describing bad IP addresses and types of malicious activities detected is provided by the Cyren GlobalView™ Threat Intelligence Cloud. This document describes the IP Reputation Intelligence feed and its data format. 


The service delivers data from the GlobalView threat intelligence network regarding identified, recently active zombie host computers. IP addresses can be compared to the known “bad IP” records in the data, and if there is a match, accompanying data describes the types and frequency of malicious activity known to have originated from that host. Cyren’s partners use the IP Reputation Intelligence feed to:

  • Prevent fraudulent activities
  • Decrease bot user registration
  • Hinder Distributed Denial of Service (DDoS) attacks
  • Supplement Advanced Persistent Threat (APT) detection

Why Use Cyren’s IP Reputation Intelligence?

  • Unique Intelligence — the IP Reputation Intelligence feed is powered by the GlobalView cloud, Cyren’s global threat intelligence platform. GlobalView examines 25+ billion transactions per day to build unique insight into current and emerging security threats.
  • The latest data — the service lists only those infected hosts that have been active within the last 24 hours.
  • Easy to implement — the service is designed to be up and running quickly, and is easily integrated with partner applications via SDK, or as a text data feed.
  • Partnership — our business is built on empowering our partners with detection capabilities that lead the market, consume minimal resources, and are easy to integrate. All backed by a dedicated technical and commercial partner support model.

How It Works

Every 24 hours a full dataset of all active zombies is delivered, including types of activity. Incremental updates are provided every 10 minutes.

IP Reputation Intelligence Feed Data Format

Field       Format                    Description
Action      + / - / =                 Add / Delete / Modify a record
IP          IP address (IPv4 format)  IP address of zombie with leading zeroes as needed
First-Seen  YYYY-MM-DD-HH:mm:ss       First detection time (UTC)
Last-Seen   YYYY-MM-DD-HH:mm:ss       Most recent detection time (UTC)
Intensity   unsigned number (0..10)   Active zombie intensity level. A lower number indicates relatively less malicious spam activity; a high number indicates a zombie host with a high level of spam activity
Class       text                      Bad IP category: C1 = Dynamic | C2 = Static
Risk        unsigned number (0..100)  Ratio between malicious and valid activity
Country     Country code (2 letters)  Country of zombie origin
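
The record layout above, applied to a local lookup table: an added example, not Cyren's code or SDK, that validates each record, canonicalises the zero-padded IPv4 address, and applies the + / - / = actions from an update. The page does not state the delimiter or record framing, so comma-separated lines with fields in table order are assumed; the function names and sample lines are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Assumption (not stated on the page): one record per line, comma-separated,
# fields in the order of the format table. SAMPLE lines are constructed.
FIELDS = ("action", "ip", "first_seen", "last_seen", "intensity", "cls", "risk", "country")
SAMPLE = [
    "+,192.000.002.010,2018-04-05-22:10:00,2018-04-06-08:15:30,7,C1,85,US",
    "+,198.051.100.007,2018-04-06-01:00:00,2018-04-06-02:00:00,2,C2,40,DE",
    "=,192.000.002.010,2018-04-05-22:10:00,2018-04-06-09:00:00,9,C1,92,US",
    "-,198.051.100.007,2018-04-06-01:00:00,2018-04-06-02:00:00,2,C2,40,DE",
    "+,203.000.113.300,2018-04-06-03:00:00,2018-04-06-03:30:00,5,C1,60,FR",
]

def normalize_ip(text):
    """Read zero-padded octets as decimal (never octal) and return canonical form."""
    octets = text.strip().split(".")
    if len(octets) != 4 or not all(o.isascii() and o.isdigit() for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {text!r}")
    return str(ipaddress.IPv4Address(".".join(str(int(o)) for o in octets)))

def parse_record(line):
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["action"] not in ("+", "-", "=") or rec["cls"] not in ("C1", "C2"):
        raise ValueError("unknown action or class")
    rec["ip"] = normalize_ip(rec["ip"])
    for key in ("first_seen", "last_seen"):  # YYYY-MM-DD-HH:mm:ss, UTC
        rec[key] = datetime.strptime(rec[key], "%Y-%m-%d-%H:%M:%S").replace(tzinfo=timezone.utc)
    rec["intensity"], rec["risk"] = int(rec["intensity"]), int(rec["risk"])
    if not (0 <= rec["intensity"] <= 10 and 0 <= rec["risk"] <= 100):
        raise ValueError("intensity or risk outside the documented range")
    return rec

def apply_update(table, lines):
    """Apply feed lines to table ({ip: record}); return the lines that failed validation."""
    rejected = []
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            rejected.append(line)
            continue
        if rec.pop("action") == "-":
            table.pop(rec["ip"], None)
        else:  # "+" adds and "=" modifies; both store the latest record
            table[rec["ip"]] = rec
    return rejected
```

Pass the address being checked through normalize_ip before the lookup, so that a padded form such as 010.001.002.003 and its canonical form 10.1.2.3 resolve to the same key.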
Last updated: 06 April 2018