Skip to content

Phishing intelligence for the open Internet

Community-driven threat reports. Query URLs, domains, IPs, and email addresses against a live collaborative database.

View live threat map →
Submit ReportSign Up / Log InAPI Documentation

Integrate & Protect

Download AgentPostfix / rspamdFirewall FeedsThreat FeedsREST APIThreat MapGetting Started
DNSBL Query
dig example.com.dnsbl.vspam.org A +short
REST API Lookup
curl api.vspam.org/api/v1/lookup/<sha256>
Postfix Integration
check_policy_service inet:127.0.0.1:10045

Latest Research

All publications →
VSPAM-2026-012Mar 17, 2026

Phishing Websites, Spam Domains & IP Abuse: Research Analysis & Threat Intelligence Report 2025–2026

Comprehensive research analysis covering phishing website trends, spam domain registration patterns, and IP address abuse across 2025–2026. This report examines the evolving threat landscape, infrastructure abuse patterns, and provides actionable threat intelligence for mail operators and security teams.

phishingspam-domainsip-abusethreat-intelligence

Top Contributors This Week

Join the Community

Help protect the open Internet. Report phishing, verify threats, or contribute as a volunteer researcher.

Get InvolvedSubmit a Report

What is vspam.org?

vspam.org is a free, community-driven phishing intelligence clearinghouse. Mail operators, sysadmins, and security researchers submit and verify indicators of compromise (IOCs) — phishing URLs, malicious domains, command-and-control IPs, and spoofed email addresses. Every report is community-reviewed and confirmed before publication.

Confirmed threats are published to a real-time DNS blocklist (DNSBL) that mail servers can query during SMTP transactions, a REST API for automated lookups, and STIX/TAXII feeds for integration with SIEMs and threat intelligence platforms. The platform processes reports across four IOC types: URLs, domains, IP addresses, and email addresses.

How it works

  1. Submit — Report phishing URLs, suspicious domains, C2 IPs, or spoofed emails with evidence and source headers.
  2. Verify — Community members vote to confirm or dispute each report. Trust tiers weight votes by reporter reputation.
  3. Block — Confirmed IOCs are promoted to the DNSBL zone, API feeds, and STIX bundles within minutes.
  4. Query — Look up any indicator via the search bar, REST API, DNS query, or the mail policy agent.

Integration options

  • DNSBL — Query dnsbl.vspam.org from Postfix, Exim, or any MTA that supports DNS blocklists.
  • REST API — Programmatic access to reports, IOC lookups, voting, and statistics at api.vspam.org/api/v1/.
  • STIX/TAXII — Standards-based threat intelligence feeds for automated ingestion by SIEMs and TIPs.
  • Mail Agent — Lightweight Go sidecar that checks IOCs during SMTP policy evaluation with local BoltDB caching.