How I got banned from using Threat Intel APIs?

milann shrestha
3 min read · Dec 14, 2018

Cyber Threat Intelligence services use their analytics to provide information on potential and recent attacks against any organization that subscribes to them. Helping an organization find its most likely threats (APTs and C&C infrastructure) is supposed to be their purpose. This gives any security analyst the means to report to the organization and help it stay aware of those threats.

I am currently working on a project for automating threat detection on a network. Since the project is only meant to demonstrate a prototype, anyone would try to use an Intel provider that offers free APIs. That's what I did.

I wrote a simple Python script that queries the API, sitting in my college's learning zone. The Intel service provider used some 'cool' technique for threat detection that won me over to using it for my project. And of course, it was free.

The script broke my plans when, testing my program from my bedroom, it behaved as if the Intel provider were playing a prank on me. Both the malicious and the non-malicious queries I used for testing returned the same error code (-5), which refers to an invalid email address. I made some changes to the script, but the results were the same. Frustrated, I thought of changing providers, but the 'cool' technique pulled me back again. So I returned to my college the next morning. I tried to run it, and it ran exactly as it should. Magic happened overnight. I continued developing my project, adding some more attractive features. The day was done. I was not surprised when I faced the same problem once I was home.

I suspected the provider had limitations that were not included in the API documentation, which I went through several times that working night.

After some research into what might have happened in this case, I emailed the Intel guy. The response was quicker than anything on ADSL internet (pun intended).

My request for the full documentation of the API it provided.

After some discussion I came to realize that there was nothing magical or cursed about my home network. It was all a static versus DHCP thing. Networks at larger organizations, including my college's network, usually subscribe to enterprise services from ISPs and get a static IP, but home users are likely to get a dynamic IP that changes over time.

My conclusion on this issue was that the IP I got when I was home was blacklisted even though I hadn't abused any of the policies the Intel provider had listed. Maybe the Intel manager suspected that someone who had my IP previously (due to DHCP) had abused the API and got the IP banned. This never happened on my college network. And, illogical fool that I am, I took it for a curse and stressed out for no reason.
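The failure mode described above, a single error code that reads as "invalid input" whether the input was actually malformed or the querying IP had been blocked, is easy to tell apart with a control query. The following is an added example, not the author's script and not any provider's real API: the provider, its endpoint, the JSON response shape and the control indicator are all assumptions, and only the -5 code comes from the post. The client sends the real query; if it fails, it re-sends an indicator that is known to be well formed, and if the control fails with the same code the problem is on the client side (IP, quota, ban) rather than in the input.

```python
"""Distinguish a bad-input error from a client-side block when a threat-intel
API answers with the same code for both.  Added example: the endpoint shape,
the control indicator and every code other than -5 are assumptions."""
import json
import urllib.request
from dataclasses import dataclass

ERR_INVALID_INPUT = -5   # the post reports -5 as "invalid email address"


@dataclass
class Verdict:
    kind: str     # "ok", "bad_input", "blocked" or "transport"
    detail: str


def http_transport(url, timeout=10):
    """Generic JSON-over-HTTPS transport (assumed shape, not a real provider's
    API): POST {"indicator": ...} and expect {"error": int, "data": ...} back."""
    def transport(indicator):
        body = json.dumps({"indicator": indicator}).encode()
        req = urllib.request.Request(
            url, data=body, headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return transport


def call_api(transport, indicator):
    """Run one query; network failures (URLError is an OSError) become a
    dict with an 'exc' key instead of raising, so the caller can classify."""
    try:
        return transport(indicator)
    except OSError as exc:
        return {"error": None, "data": None, "exc": str(exc)}


def classify(transport, indicator, control_indicator):
    """Query the real indicator.  On failure, re-query a control indicator that
    is known to be well formed: if the control fails with the same code, the
    API is rejecting the client, not the input."""
    resp = call_api(transport, indicator)
    if resp.get("exc"):
        return Verdict("transport", resp["exc"])
    if resp["error"] == 0:
        return Verdict("ok", json.dumps(resp["data"]))
    control = call_api(transport, control_indicator)
    if control.get("exc"):
        return Verdict("transport", control["exc"])
    if control["error"] == resp["error"]:
        return Verdict("blocked",
                       f"control query also failed with code {resp['error']}; "
                       "check whether the client's public IP is rate-limited or banned")
    return Verdict("bad_input",
                   f"API rejected {indicator!r} with code {resp['error']}")


def make_fake_backend(banned_client_ip, client_ip):
    """Constructed stand-in for the provider, used so the example runs offline.
    It rejects malformed input with -5 and, mimicking the behaviour in the
    post, also answers -5 to every query from a blacklisted client IP."""
    def transport(indicator):
        if client_ip == banned_client_ip:
            return {"error": ERR_INVALID_INPUT, "data": None}
        if "@" not in indicator:                       # constructed validity rule
            return {"error": ERR_INVALID_INPUT, "data": None}
        return {"error": 0,
                "data": {"indicator": indicator,
                         "malicious": indicator.startswith("bad")}}
    return transport


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges; 203.0.113.7 plays
    # the role of the home IP that the provider had blacklisted.
    for client in ("198.51.100.5", "203.0.113.7"):
        backend = make_fake_backend("203.0.113.7", client)
        v = classify(backend, "bad-actor@example.test", "control@example.test")
        print(f"client {client}: {v.kind} ({v.detail})")
```

To use it against a real service, replace `make_fake_backend` with `http_transport(<provider URL>)` adapted to that provider's documented request and response format, and log the client's public IP next to each `blocked` verdict so that the IP that triggered the ban can be reported to the provider.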

Suggesting some additions to the API documentation.

So I gave some feedback to the Intel guy, so that other illogical fools like me will not get stressed and choose a different service despite its 'cool' techniques for threat detection.

milann shrestha

security researcher / threat intel / osint / analyst / anti phishing