Security Tools

Malware Hash Lookup — DNSBL IP & Domain Scan

DNSBL malware and spam scan on IP or domain query — malware-ip action backend

How to Use This Tool

Enter a public IPv4 address or domain name in the query field.
Domains resolve to current A record IPv4 with resolvedFrom metadata.
Parallel DNSBL queries run against primary and extended blocklist zones.
Listed zones tag true; malwareListHits filters spam and exploit-oriented names.
Geolocation adds hosting, VPN, proxy, org, and country for resolved IP.
Review malwareListed, malwareListHits, recommendation, and lists array.

About This Tool

Analysts searching malware hash lookup often want file digest reputation from VirusTotal-style feeds — but the missing-tool handler routes this slug to the malware-ip API action with query field accepting IPv4 or domain, resolving hostnames to A records before DNSBL zone queries. VSPIC malware hash lookup runs that backend: parallel DNSBL lookups emphasizing malware and spam publishers, returning query, ip, resolvedFrom, malwareListed boolean, listedCount, lists array, malwareListHits zone names, hosting, proxy, vpn flags, org, country, summary, and recommendation text.

Frame results as network indicator blocklist context — not MD5 or SHA256 file hash verification. When logs contain file digests, compute hashes locally and use dedicated file reputation services; when indicators are C2 IPs or drop-zone domains, this malware-ip backend matches the handler. Identical JSON to malware-ip-checker and botnet-detection pages.

Common use cases

•Check if a VPN or proxy is detected on your connection
•Validate SSL certificates before launch
•Scan for email addresses in known breaches

Why use VSPIC for ?

Fast DNSBL-oriented screen for malware infrastructure indicators.
malwareListHits highlights Spamhaus, DroneBL, and related zones.
Accepts IPv4 or domain with automatic DNS resolution.
Hosting, VPN, and proxy flags explain infrastructure context.
Per-list breakdown with query hostnames for delisting tickets.
Free instant lookup — no account required.

Hash lookup intent versus malware-ip backend

File hash reputation services map MD5, SHA1, or SHA256 digests to sandbox verdicts. Our handler matches malware in slug to malware-ip action — IP and domain DNSBL scanning, not digest databases.

Use this page when your indicator is network-based. Document the distinction in runbooks to prevent analysts pasting file hashes into the query field expecting VT-style results.

malwareListHits versus listedCount

listedCount counts every DNSBL hit across queried zones. malwareListHits narrows to zones whose names match spamhaus, dronebl, backscatter, barracuda, and blocklist patterns — subset most correlated with malware and spam drone activity.

malwareListed true when at least one malware-oriented zone returned positive at query time.

Domain input and resolution

Paste hostnames from mail headers or sandbox network captures. resolvedFrom links original query to scanned IPv4. CDN-fronted domains resolve to edge pools whose listing may differ from origin.

Prefer direct IPv4 when logs already contain the abusive server address.

Infrastructure context fields

hosting true indicates datacenter allocation — botnets cluster on compromised hosting but legitimate APIs also egress from hosting networks. vpn and proxy true suggest anonymizer paths.

Combine org and country with listing data for abuse desk narrative.

Relationship to malware-ip-checker

Both call action malware-ip with identical JSON. malware-ip-checker uses canonical SEO; malware-hash-lookup targets hash lookup search vocabulary with honest IP-domain scope.

API: GET /ip-tools/api/extended?action=malware-ip&query=example.com

Incident response workflow

Run after sandbox reports unknown egress IP, when mail bounces cite blocklist rejection, and before allowing new vendor endpoints through firewall rules.

Export JSON with malwareListHits names for provider abuse tickets.

Delisting and remediation

recommendation text nudges listed addresses toward patching and formal delisting. Each list maintainer publishes different removal procedures.

Delisting takes time — rerun after removal to confirm clean status.

File hash workflows elsewhere

Compute file digests with desktop sha256sum or PowerShell Get-FileHash, then query authorized file reputation platforms.

Pair network malware-ip results with file sandbox when both indicator types appear in same incident.

Important notes & limitations

Handler expects IP or domain query — not file hash hex strings.
DNSBL listing is not proof of active infection — investigate logs.
Clean result does not guarantee uncompromised hosts.
Point-in-time DNS answers — status changes during campaigns.
Does not include composite fraudScore — use ip-reputation-checker for that.

Frequently Asked Questions

Yes. VSPIC offers this malware hash lookup at no cost with no account required. Results load in real time.

We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.

Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.

The query field expects IPv4 or domain. File hash reputation is not this malware-ip backend.

malware-ip with the query parameter.

DNSBL zone names filtered toward malware and spam publishers — Spamhaus, DroneBL, and similar.

Same API and JSON. Different landing page SEO for hash lookup terminology.

This scans network indicators, not files. Clean DNSBL does not certify file safety.

Yes. Domains resolve to IPv4 before DNSBL queries with resolvedFrom shown.

Next step for your check

Continue with malware ip checker on VSPIC.

Malware IP Checker

Related Tools

Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.

Browse all tools Comparison guides

Trusted by Users Who Value Privacy

Always Free

No premium plan ever

100% Private

Files processed in browser

Instant Results

Convert in seconds

Works Everywhere

Any device, any OS