Custom Scoring Bands

New Portal Tabs on Email and Domain

On the Email Risk Analysis page in the portal are new tabs for Emaildomain Activity (top 100 emaildomains over the last 30 days) and Emaildomain New Activity (top 100 emaildomains first seen in last 5 days, over the last 30 days). The Domain Risk Analysis page adds Domain New Activity (top 100 domains first seen in last 5 days, over the last 30 days). All Top List areas now include a copy button to quickly copy the data to the clipboard.

Embedded Link Risk Checking

The vetting API now supports a new input of link for testing a URI/URL embedded in emails or text for possible spam, phishing and other risks. Use fully qualified URLs for the actual source link (Do NOT use links that are created in your system for tracking clicks and such as our service will click those) such as https://www.example.com/webpage.html for links embedded in messages asking users to click. Possible Hits under Domain area: Link Cracked Sites, Link Malware Sites, Link Click Tracker, Link Disposable Domain, Link Abuse Domain, Link Phishing Domain. Default scoring for each of these is -50. Adjust scoring in the portal. While the link is listed in the Domain area along with the domain value, tagging is just for Domain.

New Risk Hits and Tests

• Local Reverse Name: checks the email local for reverse of name, such as email= smithpeter@ and name= Peter Smith
• SPF Suspect: the SPF of the emaildomain is suspect and has some risk
• SPF High Risk: the SPF of the emaildomain is high risk

These three tests are all set to score zero for current clients. Please update scoring to your risk levels.

Portal Details Adds New Information

• IP details are listed in the Additional Information area
• Under the Fingerprint value we now show the device OS and browser information (also included in the JSON response)
• Duplicate address now show an address hash with count making it easy to find all leads using the same address
• GeoIP location values show counts and are clickable to search for all API calls from that GeoIP (we are working on tuning this feature)
• Data Reports search supports multiple items seperated by a |. As an example, select Type of Email and search for bill|jim|peter returns all emails starting with bill, jim, or peter.

Score Profile

Score Profile API and the score profile download adds a count column for hits of each test for the last 30 days

Combo Scoring Enhancements

Combo scoring is helping many clients tag high risk users with advanced and customized rules. In version 6.3, the system now supports up to 250 Combo Scoring rules per API key. Input values rules can be set to = or != (not equal) data points. In addition to the * wildcard, we also support multiple OR items separated by a |. As an example, to create a rule where input value of country is France, or Germany, or the United States, just set input value of Country = fr|de|us. All check points are case insensitive.

As a reminder, all filters and values must hit to trigger scoring. The combo names and details are listed in the JSON response and in the Portal. Make sure to click Update or Add in Combo Area when creating rules, and when finished with all editing, click Save Settings to save and apply Combo Scoring rules.

New GeoIPCountry option in Value Filter

GeoIPCountry is the two-letter country code based on the IP address vs. the API call value country. To score on IPs from Afghanistan, use GeoIPCountry = af

Combo Scoring Reporting is now available in the Portal and Score Profile Download

A new Combo Scoring page is available in the main navigation menu. It is now easy to view all combo scoring hit counts and quickly drill down to view the data. Combo Scoring has also been added to Data Reports filters so you can create report filters for combo scoring. When you download your scoring profile, combo scoring items will also be included.

Alerts and Alert API Improvements

Two new features for Alerts: Alert IDs with a new list function call and Alert Threshold.

• The portal will now list the Alert ID on the Alert page. This is the unique ID for the Alert. The API response will also include alert_id for each alert. The Alert API list function supports a new option of id=alert_id. This call returns up to 500 Alerts, starting at the alert_id. The option returns all alerts and marks any unsent as sent. Increase the alert_id for paging. See Alert API.
• In API Key Settings, the Alerts tab has a new Create Alert Threshold setting. Alerts are created by default on all API calls that score better than -100 and where the risk score exceeds the Alert Score Threshold. Create Alert Threshold can be configured from -1 to -5,000. As an example, if you want to get Alerts for API calls that score better than -400, set the Create Alert Threshold at -400.

Unlock Users

Admins can now unlock accounts in the portal. Accounts are locked after several incorrect username/password login attempts. Locked users will have a lock icon in the right column of the user lists. Select Unlock User in the options menu.

Tag API Reports - New Filter

Tag API now supports a user filter. For example, a GET to return a list of all IPs that are tagged Bad by portal user 'name@example.com':
https://feed-api.ehawk.net/tag/list/?apikey=your_apikey&type=ip&reason=bad&user=name@example.com

Combo Scoring

You can now combine multiple risk hits and data points as a Combo Score. For example, score API calls from Mexico AND using emaildomain of outlook.com as -45. Combo Scoring supports a maximum of three risk hits names using Filters and/or input values. All filters and values must hit to trigger the scoring. Scoring impact is based on the Combo Score and hits are listed in the JSON response as well as the Portal details. Combo Scoring is an option in the Score Profile of each API key. Currently each API key can have a max of 25 Combo Scoring items.

New Activity Unique Tracking for Addresses

Addresses used by multiple emails are now tracked and reported in the Activity Unique area.

Domain Web IP High Risk

New data point looking at the Web IP of the domain and the server risk levels, i.e. also hosting hosting high risk domains, disposable emails, and phishing domains, etc.

Current clients have scoring set to zero for Domain Web IP High Risk and Activity Unique Tracking for Addresses, but we recommend reviewing these hits and setting scoring to match your risk profiles.

New scoring option for Risk Hits

Ability to set any risk score as -5,000 or +5,000.

Portal Improvements

Additional filter options for reporting on tag hits, search when adding filters, easier to read colors in Dark mode, and SSO Sign-in Option in User Settings. If you would like to use SSO for portal logins, email support@ehawk.net.

Portal6

Updates include Session Expire configuration (30 minutes up to 8 hours), additional Tag hit filters in Data Reports, and some bug fixes. Portal6 will replace the old portal by the end of February 2024 and viewed at portal.ehawk.net endpoint.

Improved IP Traffic Scoring

Updated algorithm for better tracking, especially with IPv6. Traffic Risk scores the quality of data in real time on IP networks:

• IP Traffic Risk Level 1: Some traffic from this IP is associated with high-risk emails, names, phones, etc. (Default Score -10)
• IP Traffic Risk Level 2: A high percentage of traffic from this IP is associated with high-risk emails, names, phones, etc. (Default Score -25)
• IP Traffic Risk Level 3: The majority of traffic from this IP is associated with high-risk emails, names, phones, etc. (Default Score -50)

Risk levels are based on non-IP data and do not include any IP risk factors such as bots or proxies that are scored separately. Scoring for all current clients is set at Zero for all three levels. Please review the results in the portal and adjust your Score Profiles for your API keys to score these results.

IP Traffic Scoring

This new test/label scores IP traffic quality with the following results:

• IP Traffic Risk Level 1: Some traffic from this IP is associated with high-risk emails, names, phones, etc. (Default Score -10)
• IP Traffic Risk Level 2: A high percentage of traffic from this IP is associated with high-risk emails, names, phones, etc. (Default Score -25)
• IP Traffic Risk Level 3: The majority of traffic from this IP is associated with high-risk emails, names, phones, etc. (Default Score -50)

Risk levels are based on non-IP data and do not include any IP risk factors such as bots or proxies that are scored separately. Scoring for all current clients is set at Zero for all three levels. Please review the results in the portal and adjust your Score Profiles for your API keys to score these results.

Talon 6.04

The new and improved Talon v 6.04 (improved speed, simplified calling, support for more browsers and plug-ins) is ready. Please email support@ehawk.net for instructions. We will be migrating all clients to use 6.x over the coming months.

Version 5.19 includes some bug fixes, additional pattern tests, speed improvements, and infrastructure updates to support end of year product enhancements.

New Tag Features

Added two new tag types: Always Bad and ABA as well as support for wildcards

• Tag Always Bad is a new option that subtracts 5,000 points so the total score will always be -100 or less
• Tag wildcards: You can now use wildacrd (*) values in tags for email, emaildomain, domains, phone, and name, where '*' = any character or characters. As an example: j*@example.com would tag jim@example.com, jjj@example.com, etc. These wildcard tags must be added using the Tag API.
• ABA Tags: Bank routing number (ABA) in the US can now be added through the Tag API. These tags will check against API inputs values of 'routing_number'.

Activity: Phone has 2-5+ Names

Added tracking for phones with multiple names in Activity Unique area. For exiting customers, score has been set to zero. But we highly recommend adjusting these scores to meet your risk levels. Phones with multiple names are highy supecious.

Moving Period Search

Emails with moving periods (for example jim.smith@gmail,com, ji.msmith@gmail.com, jimsm.ith@googlemail.com) are all the same email, because several email systems ignore periods. EHAWK currently marks these as Email: Moving Periods. Now when you click on an email link in the Portal Data Reports detail all the emails associated with the moving period are displayed.

High Velocity Phones

Phones that have multiple emails and/or multiple names are added to the High Velocity Phone DB. If you would like to revive alerts on these phones, make sure to set the score in Community: High Velocity Phone to score worse than your Alert Threshold.

Alert Reviewed Tracking

The Alerts page in the portal now includes a new column 'Reviewed' for manually keeping track of portal users acting on the Alerts. When the checkbox is clicked, it will change to a green box and a mouse rollover will show the username name and timestamp.

Please also read Best Practices, Suggestions, Hints.

Improved revet=true Reporting

revet=true is used to skip activity tracking and counting when calling our API. Previously the call would not increment any counters as well as skip all activity reporting. With 5.17 the service continues to skip counter increments, but now returns the current activity state in the JSON and scoring. This is a more accurate analysis of the data and should help track activity status.

New DNS in JSON response for domain and emaildomain

Two new areas of information in the JSON response include NS, MX, and MX IP for emaildomain and domains. This data will be incorporated into the Portal views and analysis later this year.
As an example:

{
"domain" : {
    "source":"ehawk.net",
    "ns":"pns104.cloudns.net.",
    "mx":"aspmx3.googlemail.com.",
    "mx_ip":"142.250.150.27"
}

Bug fixes include properly displaying Alert Notice email(s) and correcting filter options for Alerts in portal.

Release focused on bug fixes, performance, and getting the codebase ready for 2022 features.

Rotating API Keys

Periodically rotating keys is a good security policy. To make this easier, we added the ability to either relace API keys in the portal and invalidate the old key immediately or generate a new key and keep the old key valid for 24 hours, giving you time to update keys in your code and making the switch to the new key easier.

Apple New OS Information

Apple will release iOS 15 soon. The new OS has two new features that can impact E-HAWK scoring: Private Relay and Hide My Email.

• Private relay generates a different IP from the end user, like a VPN, that is routed through Apple IP exit points. We have Added a new label/test 'iCloud Private Relay Proxy" to indicate if the IP is part of Apple's iCloud Private Relay network.
• Because the Private Relay IP can be from a different location, Geo Location Delta can also be impacted. Apple always keeps the same country but our tests have shown the IP can be up to 2,000 miles away from the user address. So we recommend reviewing scoring for Geo Delta 2,000 and below. The Geo location for City and State in our JSON will also be impacted by these private relay IPs.
• Hide My Email allows users to create an iCloud email that forwards email to the users real and specified account. This will not impact our system, but can cause issues down the line if the temporary email is deleted and users cannot get password resets or any emails from your systems.

New IP Information

We have added ASN, Netblock and RIR information to the JSON response under the IP array. These map the IP Owners, IP ranges and country locations. While not yet shown in the portal, this information will be used in future AI and also might add value to your data analysis.

Security

Based on all the data breaches from other platforms and the increased security challenges, we highly recommend turning on 2FA for your E-HAWK accounts. Admins can require this for all users in Account-> Users and Setting button at the top of the page.

Also fixed some bugs such as searching for Transaction ID and other small issues

For existing clients, both tests will score zero until you have a chance to review the data and adjust the score as you see fit.

New Tests and Labels

We have split out some meta labels with email checks. New responses/tests now include:

• Invalid TLD hits when the emaildomain has an invalid TLD (top-level domain), such as domain.tdi. Default score is -25. We recommend a score that matches Undeliverable for your API keys, as the email is not deliverable, but we skip the deliverable check to save time.
• Undeliverable Timeout hits when the SMTP server does not respond to our mailbox request call. Default score is -1. On average this represents about .003 of all API calls, so many clients will never see it. But it means we could not test if the email is deliverable.

For existing clients, both tests will score zero until you have a chance to review the data and adjust the score as you see fit.

Risk Hit Spike Alarms on Dashboard

Replacing the old Area Activity charts on the Dashboard is a new Spikes area. If our service detects a significant spike for specific risk hit, the alarm is listed on the dashboard with links to easily view the data. As an example, if E-HAWK monitors detect a big increase in Disposable Emails, a Spike Alarm is created. The portal displays current alarms (last 24 hours) and all alarms for the last seven days that have a score profile of -25 or worse.

Report Download Enhancements

Download reports have moved to a background process. Report limits have been increased from 5k to 50k rows. On the Data Reports page in the Portal you will see a new Report Queue table when requesting a report. When the report is ready click on the download link in the queue table. Reports will be listed in the queue for two hours. Large data sets can take several minutes to process.

Campaign IP Blocklist API

This new API is designed for companies driving traffic via web campaigns. The API provides a list of IPs per campaign to block thus reducing click and lead fraud for your campaigns in real-time. When sending campaign_id with Vetting API calls, E-HAWK tracks campaign performance in real-time. If you are using any ad platform that supports IPs blocking per campaign, use this API to get a list of all IPs to add to campaign blocklists in platforms such as Google, Bing, and others. This will block these bad IPs from getting campaign traffic.

Obfuscate API

Use the Obfuscate API to replace all personal data with 'Data Obfuscated'. When calling with a transaction ID the API will replace IP, email, name, street, city, state, postalcode, and phone with 'Data Obfuscated'. Use this API when GDPR and other privacy laws require the obfuscation of personal information for a transaction.

Column Sorting on Data Reports Page

Click on any column name in the Data Reports page to sort. One click for ascending and two clicks for descending sorts. The sorting column will have a sort icon to the right with an order indicator. For example, to sort by IP click the IP column name.

Added Tests for Domains with No Web IP

Some domains just have MX records, but no IP in DNS. In this case the site is not viewable and the new test 'Domain: No Web IP' will hit. Scoring for current clients is set to zero.

Added settings to restrict Portal download of data. You can now turn off for all users or only allow admins to download data. Bug fixes include fixing lead source charts counts, timezone charts for our Australian users, and removing scoring data in JSON error responses.

With our rapid growth in usage, 5.11 was focused on upgrades to our backend infrastructure, code, and learning engines. We expect improved performance in API response times and the updated code positions us well for the many enhancements planed for 2021.

Lead Source Sub IDs

Added full support for sub IDs for lead sources. Just send lead_source=source name plus sub_id=subID when calling the API. Reporting as well as the Lead Source API will now include sub ID information. In addition, on the Lead Source Portal we added a Group button to easily rollup Lead Sources and all their Sub IDs.

Mandate 2FA for Portal Users

On the Users page in the portal, click on Settings and you can require Two Factor Authentication for all users in your account. We recommend turning this on for extra security.

Added Tests for Free Domains

In both emaildomain and domain checks, we added a test for domains from free services such as .ga and .tk. Hits are returned as Email: Free Domains and Domain: Free Domain. Default score is -5, but we recommend cranking that up a bit.

Added Dynamic DNS Checks

Domain checks includes Dynamic DNS tests for DDNS services such as proxydns.com. Default score is -10. These services are often used for home web sites and would typically not be used by corporate systems.

New chart view added to the Data Reports area

Click on the Chart Icon to quickly find out what specific risk hits impacted scores. Chart shows Risk Hits, Score Impact, Grouped by Risk Level. This chart can help you quickly identify why filtered lists of data are scoring bad or good. Give it a try and let us know what you think.

Added Campaign and Lead Source Report API

The API empowers users to get real-time reports on performance by Lead Source and Campaign. Easy to connect into Google Sheets or Excel to monitor lead source and campaign results. This replaces any emailed reports on performance. You can get more info using the API and view live data in an excel, gSheet, or any program that parses JSON to create tables.

Security

Enhanced with IP ACLs to limit IPs that can call our APIs. IP ACLs limit inbound traffic to our api and feed-api endpoints. By default, our endpoints accept traffic from most IPs. By adding your IPs to this list, you restrict all endpoint access to only those IPs on ACL list. The ACL supports individual IPv4 entries as well as v4/24 CIDR blocks. To access, click on Account->Settings. If the ACL IPs are set and call from other IPs hit our endpoints, the JSON response code will be -6 with the error description of IP not in ACL.

Other Features

Added new cache times to both repeat and unique from 5 minutes to 12 hours. These settings are per API key.

All portal users will be asked to check their profile data every six months. Please make sure to update any wrong info. Admins can also add a phone number for text alerts on downtown and security issues from E-HAWK.

New Portal page of Account->Settings where you can manage the account main and technical contacts as well as get quick links to security settings. We will be adding Subscription info and credit card payments to the page in a future release.

We updated the look and feel of www.ehawk.net, created a new section for API docs (we now have 8 APIs) and simplified adding a ticket to our support system in the portal.

Version 5.7 adds new Email: Suspect Pattern test for emails that have bot like addresses. Default score is -5. Review your results and modify scoring as needed. The release also includes many backend updates for our portal such as updated charting, icons, and JS speed improvements.