Glossary

Cybersecurity & Threat Intelligence Terms

Definitions for technical terms used across the vspam.org platform, research publications, and API documentation. Terms are cross-referenced where related concepts exist.

A

APWG
Anti-Phishing Working Group. An international coalition of industry, government, and law enforcement agencies focused on unifying the global response to cybercrime, particularly phishing. See also: Phishing

B

BEC
Business Email Compromise. A type of social engineering attack where an attacker impersonates a trusted business contact (CEO, vendor, partner) to trick victims into transferring funds or revealing sensitive information. See also: Phishing
Blocklist
A list of known malicious indicators (IPs, domains, URLs, email addresses) used by mail servers, firewalls, and security tools to automatically block or flag suspicious traffic. Also called a blacklist or denylist. See also: DNSBL, RBL
BoltDB
An embedded key-value database written in Go. Used by the vspam-agent for local caching of IOC lookup results, enabling fast repeat checks without network round-trips.

C

C2
Command and Control. The infrastructure (servers, domains, protocols) that attackers use to communicate with and control compromised systems (bots). C2 servers issue commands to malware and receive stolen data. See also: IOC
Confidence Score
A numeric value (0–100) assigned to each IOC in the vspam.org database, representing the platform's certainty that the indicator is truly malicious. Calculated from reporter trust tier, number of confirming votes, and corroborating evidence. See also: IOC, Trust Tier

D

DNSBL
DNS-based Blocklist. A blocklist published via the DNS protocol, allowing mail servers to check sender IPs or domains in real-time during SMTP transactions. Mail servers query a special DNS zone (e.g., dnsbl.vspam.org) and receive an answer indicating whether the queried entity is listed. See also: RBL, RPZ

F

False Positive
When a legitimate sender, domain, or URL is incorrectly classified as malicious. False positives in a DNSBL can cause legitimate email to be blocked. vspam.org uses trust-weighted voting to minimize false positive rates (measured at 0.003%). See also: DNSBL, Trust Tier

I

IOC
Indicator of Compromise. A piece of forensic evidence that identifies potentially malicious activity. In the context of vspam.org, IOCs include phishing URLs, malicious domains, abusive IP addresses, and spam sender email addresses. Each IOC is stored as a SHA-256 hash for privacy-preserving lookups. See also: STIX

M

MISP
Malware Information Sharing Platform. An open-source threat intelligence platform for sharing, storing, and correlating IOCs. vspam.org threat feeds can be ingested by MISP instances via STIX/TAXII. See also: STIX, TAXII

P

Phishing
A social engineering attack that uses fraudulent emails, websites, or messages to trick victims into revealing sensitive information (credentials, financial data) or installing malware. Spear phishing targets specific individuals; whaling targets executives. See also: BEC, Quishing

Q

Quishing
QR-code phishing. An attack that embeds malicious URLs in QR codes, typically distributed via email or physical media, to bypass traditional URL-scanning defenses and redirect victims to credential-harvesting pages. See also: Phishing

R

RBL
Real-time Blocklist (or Real-time Blackhole List). A type of DNSBL specifically focused on IP addresses that are sources of spam or abuse. Mail servers query the RBL during SMTP connections to decide whether to accept or reject mail from a given IP. See also: DNSBL
RPZ
Response Policy Zone. A DNS mechanism that allows DNS resolvers to override responses for specific domains, effectively blocking resolution of known-malicious domains at the DNS layer. vspam.org publishes RPZ zone files for integration with PowerDNS, BIND, and Unbound. See also: DNSBL

S

STIX
Structured Threat Information Expression. A standardized language (currently version 2.1) for describing cyber threat intelligence in a machine-readable JSON format. STIX bundles contain indicators, threat actors, attack patterns, and relationships between them. See also: TAXII, IOC

T

TAXII
Trusted Automated Exchange of Intelligence Information. A transport protocol for sharing STIX-formatted threat intelligence over HTTPS. TAXII defines discovery, collection, and polling APIs that allow automated feed consumption. vspam.org exposes a TAXII 2.1 server. See also: STIX
Trust Tier
A reputation level assigned to vspam.org reporters based on their submission history and accuracy. Four tiers exist: Newcomer (1x vote weight), Trusted (2x), Verified (4x), and Core (8x). Higher tiers require sustained accurate reporting and earn additional platform privileges. See also: Confidence Score

X

XARF
Extended Abuse Reporting Format. A standardized JSON-based format for submitting abuse reports to hosting providers and ISPs. XARF reports include structured metadata about the abuse event, improving automated processing and response times compared to free-text email reports.