vspam.org vs URLhaus
URLhaus is a project by abuse.ch focused on collecting and sharing malicious URLs used for malware distribution. vspam.org focuses on phishing-specific IOCs with community voting and DNSBL integration. Both provide free threat feeds, but target different threat categories.
Feature Comparison
| Feature | vspam.org | URLhaus |
|---|---|---|
| Primary Focus | Phishing (URLs, domains, IPs, emails) | Malware distribution URLs |
| IOC Types | URLs, domains, IPs, emails | URLs, payloads (malware samples) |
| DNSBL | Yes (native RPZ) | No |
| Feed Formats | STIX 2.1, CSV, JSON, TXT, TAXII | CSV, JSON, API |
| Community Voting | Trust-weighted system | No (curator-verified) |
| Malware Samples | No | Yes (payload hosting via MalwareBazaar) |
| API | REST with JWT/API key auth | REST (no auth required) |
| Open Source | AGPL-3.0 | No (data is CC0) |
| Mail Agent | Yes | No |
| Update Frequency | Real-time + 15-min feed refresh | Real-time |
vspam.org strengths
- Phishing-specific intelligence (credential harvesting, BEC, brand impersonation)
- 4 IOC types vs URLhaus's URL + payload focus
- Native DNSBL for mail server integration
- Trust-weighted community voting for quality control
- TAXII 2.1 server for automated SIEM ingestion
- Dedicated mail agent with local caching
URLhaus strengths
- Malware payload collection (actual malware samples via MalwareBazaar)
- No authentication required for API access
- Strong focus on malware distribution infrastructure
- Integrated with ThreatFox, MalwareBazaar, and Feodo Tracker ecosystem
- Established contributor community for malware URLs
When to Use Each
Choose vspam.org
Choose vspam.org if your primary concern is phishing protection for mail servers, you need DNSBL integration, or you want to check domains, IPs, and email addresses in addition to URLs.
Choose URLhaus
Choose URLhaus if your primary concern is malware distribution URLs, you need actual malware samples for analysis, or you want integration with the abuse.ch threat intelligence ecosystem (ThreatFox, MalwareBazaar).
Verdict
These platforms target different threat categories with minimal overlap. vspam.org focuses on phishing and email-borne threats with DNSBL integration, while URLhaus focuses on malware distribution infrastructure. Our feed correlation study found only 18.3% overlap in URL IOCs. Using both provides comprehensive coverage across phishing and malware vectors.