vspam.org vs PhishTank
PhishTank (operated by Cisco Talos) is one of the oldest community-driven phishing URL databases. vspam.org is a newer platform focused on mail server integration with DNSBL, STIX/TAXII feeds, and a trust-tier reputation system. Both rely on community reporting, but differ significantly in scope, data formats, and integration options.
Feature Comparison
| Feature | vspam.org | PhishTank |
|---|---|---|
| IOC Types | URLs, domains, IPs, emails | URLs only |
| DNSBL Integration | Native RPZ zone files | Not available |
| STIX 2.1 Feeds | Yes (STIX, CSV, JSON, TXT) | No (XML/JSON only) |
| TAXII 2.1 Server | Yes | No |
| API Rate Limits | 500–10,000/hr by tier | Unspecified (throttled) |
| Community Voting | Trust-weighted (1x–8x) | Simple majority |
| False Positive Rate | 0.003% (measured) | Not published |
| Mail Agent | Yes (vspam-agent for Postfix) | No |
| Open Source | AGPL-3.0 | No |
| Data License | CC0 (non-commercial) | Free for non-commercial |
| IP Reputation | Yes (IP RBL) | No |
| Email Sender Check | Yes | No |
vspam.org strengths
- Covers 4 IOC types vs PhishTank's URL-only focus
- Native DNSBL integration for real-time mail server blocking
- STIX 2.1 and TAXII 2.1 for SIEM/SOAR integration
- Trust-tier voting reduces false positives (0.003% measured rate)
- Open source — audit the code, self-host if needed
- Dedicated mail policy agent with local caching
PhishTank strengths
- Larger historical database (15+ years of phishing URLs)
- Backed by Cisco Talos — enterprise credibility and resources
- Wider ecosystem integration (many tools already support PhishTank)
- Browser extension for end-user URL checking
- Established reputation in the security community
When to Use Each
Choose vspam.org
Choose vspam.org if you need multi-IOC-type coverage (domains, IPs, emails — not just URLs), DNSBL integration for mail servers, STIX/TAXII feeds for your SIEM, or an open-source solution you can audit and self-host.
Choose PhishTank
Choose PhishTank if you primarily need URL-only phishing checks, want the largest historical URL database, or need integration with tools that already support PhishTank's API format.
Verdict
For mail server operators and security teams needing comprehensive threat coverage beyond URLs, vspam.org offers broader IOC types, native DNSBL, and modern feed formats. PhishTank remains strong for URL-focused phishing detection with its deep historical database. Many teams use both for maximum coverage — our feed correlation study found only 34% overlap in email-based IOCs.