Integrations
Connect vspam.org to your infrastructure using the DNSBL, REST API, or threat feeds. Configuration snippets are provided for the most common mail servers and security tools. If you are designing policy around feeds, start with our pages on domain reputation, IPv6 intelligence, and ASN reputation.
Prefer canonical phishing domains and exact IPv4 or IPv6 hosts for enforcement. These are the cleanest publication surfaces for SMTP and firewall policy.
Treat IPv6 prefix watch and ASN reputation as triage and policy-tuning signals unless you have stronger direct evidence for a host or domain.
Feed thresholds, delist handling, and false-positive trends are public. Check status, statistics, and delist policy before broad rollout.
Recommended: vspam-agent
Lightweight Go daemon with local caching, fail-open design, and automatic threat reporting. Supports Postfix natively and any MTA via HTTP check API (Exim, OpenSMTPD, Sendmail, etc.).
Firewall & Network Devices
Plain-text blocklists for Palo Alto, FortiGate, pfSense, Juniper SRX, iptables, MikroTik, and more.
vspam-agent (Recommended)
The agent provides native Postfix policy delegation and an HTTP check API on 127.0.0.1:10046 for all other MTAs. Enable with http_enabled: true in agent.yml.
# vspam-agent speaks Postfix policy delegation natively
smtpd_recipient_restrictions =
...
check_policy_service unix:/var/run/vspam/agent.sock# In acl_check_rcpt or acl_check_data — queries vspam-agent HTTP API
deny
set acl_m_vspam = ${readsocket{inet:127.0.0.1:10046} {GET /check?sender_domain=${domain:$sender_address} &client_ip=$sender_host_address HTTP/1.0\r\n\r\n}{5s}{}{}}
condition = ${if match{$acl_m_vspam}{"malicious.*true"}}
message = 550 Sender blocked by vspam.org#!/bin/sh
# /usr/local/libexec/vspam-filter.sh
RESULT=$(curl -sf "http://127.0.0.1:10046/check?sender_domain=$1&client_ip=$2")
if echo "$RESULT" | grep -q '"malicious":true'; then
echo "reject"
else
echo "accept"
fi# Query the vspam-agent HTTP check API from any script or MTA
curl -s "http://127.0.0.1:10046/check?sender_domain=example.com&client_ip=1.2.3.4"
# → {"malicious":false,"action":"allow"}
# → {"malicious":true,"reason":"...","action":"reject"}Mail Servers (DNSBL)
smtpd_recipient_restrictions =
...
reject_rbl_client dnsbl.vspam.orgdeny
dnslists = dnsbl.vspam.org
message = Rejected: listed on vspam.org DNSBLrbls {
vspam {
symbol = "RBL_VSPAM";
rbl = "dnsbl.vspam.org";
ipv6 = true;
}
}header RCVD_IN_VSPAM eval:check_rbl('vspam', 'dnsbl.vspam.org.')
describe RCVD_IN_VSPAM Listed on vspam.org DNSBL
score RCVD_IN_VSPAM 3.0dnl Add vspam.org DNSBL
FEATURE(`dnsbl', `dnsbl.vspam.org', `"550 Rejected: listed on vspam.org"')dnl; vspam.org DNSBL for Haraka (Node.js MTA)
zones=dnsbl.vspam.org
[dnsbl.vspam.org]
reject=true
msg=Rejected: listed on vspam.org DNSBL# Add vspam.org to Amavis RBL checks
@rbl_maps = (
'127.0.0.2' => 'Listed on vspam.org DNSBL',
);
$rbl_domain = 'dnsbl.vspam.org';Security Tools
Auto-report banned IPs to vspam.org when Fail2Ban triggers an action.
# /etc/fail2ban/action.d/vspam.conf
[Definition]
actionban = curl -s -X POST https://api.vspam.org/api/v1/reports \
-H "X-API-Key: <YOUR_KEY>" \
-H "Content-Type: application/json" \
-d '{"ioc_type":"ip","ioc_value":"<ip>","category":"spam","evidence":"Fail2Ban: <name> jail"}'Pull operator-focused feeds such as exact IPv6 hosts, phishing domains, or IPv6 prefix watchlists and apply them directly to your firewall ruleset.
# Download and apply IPv6 exact-host blocklist
curl -s -H "X-API-Key: <KEY>" https://api.vspam.org/api/v1/feeds/ipv6-exact-host-malicious/csv \
| tail -n +2 | cut -d',' -f2 | grep ':' \
| while read ip; do iptables -A INPUT -s "$ip" -j DROP; doneThreat Feeds
Pull operator-focused feeds for phishing domains, exact IPv6 hosts, IPv6 prefix watch, and ASN abuse density in structured formats for OpenCTI, MISP, SIEM, or custom pipelines. CSV, JSON, and plain-text downloads are public. STIX and MISP are Pro, and TAXII is Enterprise.
GET /api/v1/feeds/stixGET /api/v1/feeds/mispGET /api/v1/feeds/domain-high-confidence-phish/csvGET /api/v1/feeds/ipv6-exact-host-malicious/jsonGET /api/v1/feeds/ipv6-prefix-watch/txtGET /api/v1/feeds/asn-high-abuse-density/jsonGET /taxii2/Use block feeds for direct enforcement, watch feeds for escalation and guardrails, and context feeds for correlation and prioritization. The methodology and publication thresholds are visible in the feed catalog.
API Quick Start
Common curl examples — replace <KEY> with your API key from the account page.
# Check an IP
curl https://api.vspam.org/api/v1/rbl/check?ip=192.0.2.1
# Check a phishing domain
curl "https://api.vspam.org/api/v1/public/operator-lookup?type=domain&value=login-paypa1.com"
# Check ASN reputation context
curl "https://api.vspam.org/api/v1/public/operator-lookup?type=asn&value=AS13335"
# Search reports
curl https://api.vspam.org/api/v1/public/reports?q=example.com
# Submit a phishing report (URLs normalize to canonical domains at ingest)
curl -X POST https://api.vspam.org/api/v1/reports \
-H "X-API-Key: <KEY>" \
-d '{"ioc_type":"url","ioc_value":"https://phish.example.com","category":"phishing"}'SDK Examples
Query the vspam.org API from your application. Replace <KEY> with your API key.
import requests
API = "https://api.vspam.org/api/v1"
KEY = "<KEY>"
# Check a phishing domain
domain_lookup = requests.get(
f"{API}/public/operator-lookup",
params={"type": "domain", "value": "login-paypa1.com"},
)
print(domain_lookup.json())
# Check an exact IPv6 host
ipv6_lookup = requests.get(
f"{API}/rbl/check",
params={"ip": "2001:db8::42"},
)
print(ipv6_lookup.json())
# Submit a report
requests.post(f"{API}/reports",
headers={"X-API-Key": KEY},
json={"ioc_type": "url",
"ioc_value": "https://phish.example.com",
"category": "phishing"})package main
import (
"fmt"
"io"
"net/http"
)
func main() {
domainResp, _ := http.Get(
"https://api.vspam.org/api/v1/public/operator-lookup?type=domain&value=login-paypa1.com")
defer domainResp.Body.Close()
domainBody, _ := io.ReadAll(domainResp.Body)
fmt.Println(string(domainBody))
ipResp, _ := http.Get(
"https://api.vspam.org/api/v1/rbl/check?ip=2001:db8::42")
defer ipResp.Body.Close()
ipBody, _ := io.ReadAll(ipResp.Body)
fmt.Println(string(ipBody))
}const API = "https://api.vspam.org/api/v1";
const KEY = "<KEY>";
// Check a canonical domain
const domainRes = await fetch(
`${API}/public/operator-lookup?type=domain&value=login-paypa1.com`);
console.log(await domainRes.json());
// Check an exact IPv6 host
const ipv6Res = await fetch(
`${API}/rbl/check?ip=2001:db8::42`);
console.log(await ipv6Res.json());
// Submit a report
await fetch(`${API}/reports`, {
method: "POST",
headers: {
"X-API-Key": KEY,
"Content-Type": "application/json",
},
body: JSON.stringify({
ioc_type: "domain",
ioc_value: "phish.example.com",
category: "phishing",
}),
});$api = "https://api.vspam.org/api/v1"
# Check a phishing domain
Invoke-RestMethod "$api/public/operator-lookup?type=domain&value=login-paypa1.com"
# Check an exact IPv4 or IPv6 host
Invoke-RestMethod "$api/rbl/check?ip=192.0.2.1"
# Submit a report
$headers = @{ "X-API-Key" = "<KEY>" }
$body = @{
ioc_type = "ip"
ioc_value = "185.234.72.19"
category = "spam"
} | ConvertTo-Json
Invoke-RestMethod "$api/reports" `
-Method Post -Headers $headers `
-Body $body -ContentType "application/json"Need help? Check the API documentation or FAQ. For SIEM and threat intel platform guides, see SIEM Integrations and Threat Intel Platforms.