IPv6-First

IPv6 threat intelligence that does not copy an IPv4 mindset

vspam separates exact IPv6 host evidence from prefix-level neighborhood evidence so operators can block the bad host without turning an entire /64 or /48 into collateral damage.

The result is better mail-operator safety, better abuse triage, and more useful provider context for cloud, hosting, ISP, and mobile allocations where sparse observations are normal.

How vspam handles IPv6

Exact host intelligence

Exact /128 evidence is the strongest basis for direct blocking. vspam treats exact hosts as distinct from their surrounding allocation.

Prefix neighborhood context

Daily /64, /56, and /48 rollups help identify recurring abuse neighborhoods without turning every neighboring address into a malicious host.

ASN and provider overlap

Hosting and provider context help identify whether activity is novel inside a historically trusted ASN or part of a chronically noisy environment.

Sparse-history safety

Fresh IPv6 observations should default toward uncertainty, not guilt. Prefix evidence is capped so large allocations do not become giant false-positive blast zones.

Primary IPv6 feed families

IPv6 exact-host malicious

Use for direct blocking when you need confident, exact-address enforcement.

IPv6 prefix watch

Use for analyst review, rate shaping, routing policy, or local scoring. This is not intended as a blanket drop list by default.

Where to use it

Feed catalog

See which IPv6 exports are direct-block versus watch/context feeds and inspect their explicit thresholds.

Firewall integrations

Apply exact-host lists conservatively and keep prefix-watch outputs in a separate policy or triage path.

Methodology

Read the scoring and confidence rationale behind exact-host and prefix handling.