Loading feeds...
About vspam.org threat feeds
vspam.org publishes operator-grade feeds built around phishing domains, exact IPv6 hosts, IPv6 neighborhood watchlists, ASN reputation, and policy/context lists. Some feeds export confirmed report artifacts directly, while newer operator families are derived from recent aggregate behavior such as abusive IPv6 prefixes or high-abuse ASNs. The feed catalog now surfaces explicit publication thresholds and recommended operator action so direct-block feeds are easy to distinguish from watchlists and reputation signals.
Available formats
- STIX 2.1 — structured bundles for SIEM and TAXII workflows.
- CSV — artifact/value exports for scripting, ETL, and bulk review.
- JSON — machine-readable feed records for API-driven ingestion.
- Plain text — one artifact per line for firewalls, MTAs, and blocklist consumers.
Feed families
- Threat — direct confirmed artifacts such as phishing domains and exact IPv6 hosts.
- Reputation — higher-level infrastructure signals such as ASN abuse density.
- Policy — operational deny or drop lists.
- Context — supporting infrastructure intelligence that should inform analysts more than auto-blockers.
How to use them safely
- Direct block feeds include explicit thresholds for exact artifacts such as phishing domains or exact IPv6 hosts.
- Investigate feeds such as IPv6 prefix watchlists should tune analyst workflows, not trigger blanket allocation-wide blocking.
- Reputation feeds such as ASN abuse density should influence scoring and prioritization rather than act as a sole enforcement signal.
Licensing
Feeds are free for non-commercial use under CC0. Commercial redistribution requires a commercial license. For automated feed consumption, see the API documentation or connect via TAXII 2.1.