Abusix Mail Intelligence and Queries
Abusix Mail Intelligence is charged based on usage: the number of queries/lookups made into our service. We chose this approach as this is what we can directly measure from your systems using your API/query key.
How do you know how many queries you will make?
We’ll explain the process:
You can use Abusix Mail Intelligence to look up many different items: IP addresses, domain names, email addresses, short URLs, drive URLs, cryptocurrency wallet addresses, etc.
These different lookup items will have very different signal-to-noise ratios, e.g., the spread of how many lookups will yield a positive (spam result) versus the total number of lookups made.
Additionally, some mail systems will only be able to utilize IP lookups because they don’t support the other lookup types.
IP addresses will have the best signal-to-noise ratio (and the highest overall effectiveness).
These lookups are done once for each connection made to the email server. So, as a rule of thumb, if you get 10,000 connections to your email server daily, you’ll make more or less 10,000 queries per day for every DNSBL list you query.
Domains lookups will have a considerably smaller signal-to-noise ratio because a single email message can contain multiple domains.
You’ll find them, for example, in the email addresses, message headers (e.g., DKIM-Signature, Message-ID, etc.), and in every URL within the message.
Every message could require lots of lookups.
The number of these lookups for “bad” domains is much smaller.
However, the overall effectiveness of domain lookups for things like Phishing and Malware remains high, which is why these lookups are worthwhile.
There are also some implementation-specific things:
Most vendors will have a hard limit on the number of domain lookups per message to limit the possibility of someone stuffing the message with thousands of domains to overload it or to try and avoid detection.
The other Lookup Items
The other list types we offer, like email addresses, short and drive URLs, and cryptocurrency wallets, have a signal-to-noise ratio somewhere between IPs and domains, as queries only happen if one of these is detected in a message.
And a simple diagram showing a typical conversation with an email server and where each lookup is done:
For very large providers, we also offer per-mailbox pricing instead.
We only do this for bigger accounts that receive our data via rsync because we cannot measure usage in this setup.
Unfortunately, we cannot monitor mailbox counts. This has to be self-reported each year.
So what do we mean by mailbox?
A single mailbox could have multiple email addresses (e.g., aliases).
These addresses could use different domains, but they all go to the same mailbox, which might be shared with one or more users.