Domain-First

Domain reputation built for phishing operations

vspam treats domains as the main long-term phishing artifact. Raw URL submissions are normalized into canonical domains, then scored with DNS, registrar, hosting, ASN, brand, and historical evidence that operators can actually explain and act on.

That keeps feeds compact enough for real use, while still preserving just enough short-lived redirect and path evidence to distinguish real phishing pages from noisy but benign domains.

What goes into domain scoring

Canonical domain ingest from raw submissions, including URL collapse for long-term phishing scoring.

Domain age, registrar, DNS record patterns, hosting ASN overlap, and targeted-brand context.

Short-lived URL-derived evidence such as redirect behavior and path keywords without turning raw URLs into permanent feed artifacts.

Historical observations and delist outcomes so one bad report does not permanently define a domain.

Operator use cases

Direct blocking

Use high-confidence phishing domain feeds for SMTP-time blocking, quarantine, or browser and proxy policy.

Triage and review

Use domain scoring and confidence together to separate strong phishing infrastructure from newly observed but weakly corroborated domains.

Investigation pivoting

Pivot from a domain into linked IPv6 and IPv4 infrastructure, related ASNs, redirect targets, and targeted-brand context.

Recommended feeds and surfaces

Domain feeds

Start with high-confidence phishing domains and read the publication thresholds before using them as a direct blocklist.

Lookup and review

Inspect score, confidence, and reasons for individual domains before promoting them into local policy.

Methodology

See how domain evidence combines with IPv6 and ASN context in the scoring model.