Phishing intelligence for the open Internet
Operator-grade reputation for canonical phishing domains, exact IPv4 and IPv6 hosts, IPv6 watch surfaces, ASNs, and related mail abuse signals.
Operator trust layer
Built to explain why something is listed
vspam is designed for operators who need enforcement confidence, not just raw submissions. The platform separates direct-block evidence from watch/context signals and makes corrections visible.
Deterministic first
Scores come from explicit evidence, history, thresholds, and confidence. LLM review stays secondary.
Read methodologyIPv6-safe publication
Exact hosts, prefixes, ASNs, and domains are separated so broad context does not become blanket blocking.
See IPv6 logicPublication history
Feed publication and suppression events are recorded so operators can inspect listing lifecycle changes.
Browse feedsCorrection loop
Delist requests, false positives, and trust signals are part of data quality, not an afterthought.
Appeal policyIntegrate & Protect
dig example.com.dnsbl.vspam.org A +shortcurl "api.vspam.org/api/v1/public/operator-lookup?value=example.com"curl "api.vspam.org/api/v1/rbl/check?ip=2001:db8::25"Latest Research
All publications →Trends in Spam, Phishing, Spoofing, Malware & DNS Abuse
April 2026 monthly research brief covering the email, identity, and DNS threat landscape, with a focus on the operationalization of generative AI across the attack chain. The report synthesizes cross-cutting AI-driven trends across phishing, malware, ransomware, email authentication and spoofing, DNS abuse, and major incidents.
Top Contributors This Week
Join the Community
Help protect the open Internet. Report phishing, verify threats, or contribute as a volunteer researcher.
What is vspam.org?
vspam.org is an operator-grade phishing and abuse reputation platform for mail operators, sysadmins, and security researchers. We score domains, IPv4 and IPv6 infrastructure, ASNs, and related email indicators using deterministic enrichment, historical evidence, and community input.
The platform is domain-first for phishing, IPv6-first for infrastructure, and ASN-aware for provider context. URL submissions are collapsed to canonical domains at ingest while short-lived path and redirect evidence is retained for enrichment. High-confidence outputs are published as score-aware feeds, API lookups, DNSBL integrations, and operator workflows.
Trust depends on correction quality too. vspam publishes feed thresholds, keeps delist and false-positive handling visible, and treats IPv6 prefix and ASN signals as contextual surfaces unless direct evidence supports stronger action.
How it works
- Normalize — URL submissions are collapsed to canonical domains, while exact IP and IPv6 host reports preserve infrastructure precision.
- Enrich — DNS, WHOIS, hosting, brand, redirect, and historical context are gathered for each submission.
- Score — Deterministic scoring combines direct evidence, reporter history, domain signals, ASN context, and IPv6 exact-host versus prefix evidence.
- Review — Community votes, manual review, and delist handling help reduce false positives and refine publication state.
- Publish — Domains and exact hosts can be exported for blocking, while IPv6 prefix and ASN feeds are published as watch or reputation context by default.
Core intelligence surfaces
Integration options
- DNSBL — Query
dnsbl.vspam.orgfrom Postfix, Exim, or any MTA that supports DNS blocklists for fast SMTP-time checks. - REST API — Programmatic access to reports, score-aware lookups, feed metadata, voting, and statistics at
api.vspam.org/api/v1/. - Feeds — Domain, IPv6 exact-host, IPv6 prefix watch, ASN reputation, and policy/context feeds with explicit publication thresholds.
- Mail Agent — Lightweight Go sidecar that checks IOCs during SMTP policy evaluation with local BoltDB caching and API or DNSBL lookups.