Independent research on internet spam, phishing, abuse, and malware. Our reports are published weekly and include original data analysis, trend identification, and actionable intelligence drawn from the vspam.org community-verified threat database.
All publications are released under CC BY 4.0. Citation format: vspam.org Research Team. (2026). [Title]. vspam.org, [Report No.].
Analysis of 47,000+ confirmed phishing URLs from January–March 2026 reveals a significant shift toward cloud-hosted credential harvesting pages. This report examines hosting provider distribution, domain registration patterns, and the increasing use of legitimate SaaS platforms as phishing infrastructure.
Key Findings
01. 73% of confirmed phishing URLs in Q1 2026 were hosted on cloud platforms (up from 58% in Q4 2025)
02. Average time-to-takedown decreased to 18.4 hours for major providers, but long-tail hosting providers average 96+ hours
03. Credential harvesting pages targeting financial services accounted for 41% of all confirmed reports
04. New pattern identified: phishing kits using legitimate form-builder SaaS to bypass URL reputation checks
05. Domain registrars with bulk registration APIs showed 3.2x higher rates of phishing domain registration
The DNSBL Effectiveness Study: Measuring Real-World Impact of Community-Driven Blocklists
vspam.org Research Team — Primary Investigator
A controlled study measuring the effectiveness of the vspam.org DNSBL feed across 2,400 participating mail servers over 60 days. We analyze false positive rates, detection latency, and the impact of trust-tier weighted voting on blocklist accuracy.
Key Findings
01. DNSBL feed blocked 94.7% of phishing emails within 2 hours of community confirmation
02. False positive rate measured at 0.003% across 2,400 participating mail servers
03. Trust-tier weighted voting reduced false confirmations by 67% compared to simple majority voting
Abuse Notification Response Times: A Cross-Provider Analysis of Takedown Effectiveness
vspam.org Research Team — Primary Investigator
Comprehensive analysis of abuse notification response times across 180+ hosting providers. We measure time-to-acknowledgment, time-to-takedown, and identify which provider characteristics correlate with faster response to phishing abuse reports.
Threat Intelligence Feed Correlation: Mapping Overlap Between Public Phishing Data Sources
vspam.org Research Team — Primary Investigator
Cross-referencing vspam.org confirmed IOCs against PhishTank, OpenPhish, URLhaus, and APWG feeds to measure unique coverage and identify blind spots in the collective phishing intelligence ecosystem.
Key Findings
01. vspam.org contributed 18.3% unique IOCs not found in any other analyzed public feed
02. Combined coverage of all 5 feeds reached 89% of known active phishing URLs (sampled via honeypots)
03. Email-based phishing IOCs had the lowest cross-feed overlap (34%), indicating significant blind spots
04. Average lag between first appearance in any feed and propagation to all feeds: 6.8 hours
05. Domain-based IOCs showed highest correlation (72% overlap) across all analyzed feeds
Weekly summary of notable phishing campaigns, newly observed tactics, and community reporting trends. This week features a spike in QR-code phishing targeting corporate Microsoft 365 accounts and a new phishing kit distributed via Telegram channels.
Reports are published weekly. Data is sourced from the vspam.org community-verified threat database. For questions about methodology or data access, contact research@vspam.org.