Methodology
vspam.org is designed as operator-grade reputation with community input. The core scoring path is deterministic and explainable: domain-first for phishing, IPv6-first for infrastructure, and ASN-aware for provider context.
Community reports, trust tiers, votes, and delist requests still matter, but they do not act alone. Blocking feeds, watch feeds, and context feeds are intentionally separated so operators can map each output to the right enforcement or investigation workflow.
Core principles
Domain-first phishing intelligence
Phishing URLs are collapsed to canonical domains at ingest. Short-lived path, redirect, and form signals are retained only as enrichment evidence.
IPv6-first infrastructure logic
Exact IPv6 hosts are scored separately from /64, /56, and /48 neighborhood context to avoid blanket overlisting across large allocations.
ASN-aware reputation
ASN reputation is a supporting signal that helps prioritize investigation and contextualize abuse density without becoming a sole blocking authority.
Community input, not community-only
Reporter trust, voting, and delist workflows influence review and confidence, but deterministic evidence and historical context carry the main detection load.
Scoring flow
Canonicalize the artifact
Normalize the submission into the artifact we actually score. Domains are first-class phishing artifacts. IPv4, IPv6 exact hosts, email indicators, and ASNs retain their native forms.
Enrich and observe
Collect DNS, registrar, hosting, ASN, redirect, brand, and related infrastructure context. Observations are stored so repeated sightings improve score quality over time.
Apply deterministic scoring
Combine direct evidence, historical observations, domain history, reporter quality, IPv6 neighborhood evidence, and ASN context into an explainable score and confidence value.
Review ambiguous cases
Community votes, manual review, and delist handling resolve low-confidence or disputed cases. Review affects publication state and future trust, not just a single report row.
Publish by feed policy
Each feed family declares its publication thresholds, artifact scope, and recommended action so operators can separate block decisions from watch and context signals.
Publication policy by feed family
Publication thresholds and recommended actions are exposed in the feed catalog and export metadata. The table below describes the intended use of the main operator-facing families.
| Feed family | Primary evidence | Recommended action |
|---|---|---|
| Domain high-confidence phishing | Strong deterministic score, corroborating domain history, and enough confidence for direct enforcement. | Direct block or active quarantine. |
| IPv6 exact-host malicious | Exact /128 evidence plus bounded infrastructure context. Neighbor signals can help, but they do not outweigh weak direct evidence. | Direct block of the exact host only. |
| IPv6 prefix watch | Elevated /64, /56, or /48 neighborhood risk, sparse exact-host history, or recurring abuse patterns within a larger allocation. | Investigate, prioritize review, or use as a local policy hint. Not a blanket blocklist by default. |
| ASN reputation | Recent abuse density, recovery behavior, and historical provider context derived from scored artifacts and enrichment. | Use for prioritization, routing policy, throttling, or analyst context. Do not block solely on ASN reputation. |
| Policy and context feeds | Operator-tunable policy inputs, deltas, or context datasets that are intentionally separate from threat verdict feeds. | Use according to your own local policy and change control process. |
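The split between the IPv6 exact-host and IPv6 prefix watch rows above can be sketched as follows. This is an added example, not vspam's own code: the function name `route_ipv6`, every threshold, and the sample sightings are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration; the page publishes no numeric thresholds.
BLOCK_SCORE, BLOCK_CONFIDENCE = 80, 0.7    # exact-host feed needs both
WATCH_SCORE = 40                           # minimum score to count as a neighbor
WATCH_MIN_HOSTS = {64: 2, 56: 3, 48: 4}    # distinct hosts needed per prefix length

def route_ipv6(observations):
    """Split (address, score, confidence) sightings into two feeds.

    Returns (block, watch): exact /128 entries for direct blocking and
    /64, /56, /48 prefixes for the watch feed.
    """
    hosts = {}
    for addr, score, conf in observations:
        ip = ipaddress.IPv6Address(addr)   # canonical form merges spelling variants
        if ip not in hosts or (score, conf) > hosts[ip]:
            hosts[ip] = (score, conf)      # keep the strongest sighting per host

    # Blocking uses direct evidence only; neighbors never promote a weak host.
    block = sorted(f"{ip}/128" for ip, (s, c) in hosts.items()
                   if s >= BLOCK_SCORE and c >= BLOCK_CONFIDENCE)

    neighbors = defaultdict(set)
    for ip, (score, _) in hosts.items():
        if score < WATCH_SCORE:
            continue
        for plen in WATCH_MIN_HOSTS:
            net = ipaddress.IPv6Network(f"{ip}/{plen}", strict=False)
            neighbors[net].add(ip)
    watch = sorted(str(net) for net, members in neighbors.items()
                   if len(members) >= WATCH_MIN_HOSTS[net.prefixlen])
    return block, watch

# Constructed sample sightings in the 2001:db8::/32 documentation range.
SAMPLE = [
    ("2001:db8:a:1::10", 92, 0.9),        # strong direct evidence
    ("2001:DB8:A:1:0:0:0:10", 60, 0.5),   # same host, different spelling
    ("2001:db8:a:1::11", 55, 0.4),        # weak host in a noisy /64
    ("2001:db8:a:2::5", 95, 0.3),         # high score, low confidence
    ("2001:db8:a:3::1", 10, 0.9),         # below WATCH_SCORE, ignored
    ("2001:db8:b:1::1", 85, 0.8),         # strong host, quiet neighborhood
]

if __name__ == "__main__":
    print(route_ipv6(SAMPLE))
```

On the sample data, the weak host and the low-confidence host stay out of the block list even though their /64 and /56 land on the watch list, and the /48 is not listed at all.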
Confidence, review, and appeals
Confidence is separate from score
High score with low confidence should not be treated the same as high score with broad corroboration. vspam uses score and confidence together to decide whether an artifact belongs in a blocking, watch, or context feed.
Review remains visible
Reporter trust and community review remain part of the product because operators need a path for human correction, consensus building, and post-publication refinement.
Delist is part of data quality
Appeals and delist requests are treated as first-class quality signals. They matter both for the current listing decision and for future trust in the same reporter, artifact, prefix, or ASN.
Use the right surface
If you are integrating vspam into mail or abuse operations, start with feed metadata and recommended actions rather than assuming every export is a direct blocklist.