Threat Feed Lookup — IP & Domain Threat Brief
One-shot threat brief from reputation, Spamhaus, phishing, and blocklist feeds
How to Use This Tool
- Enter an IPv4 address, domain, or hostname in the query field.
- Valid public domain labels trigger the domain threat brief path.
- Domain path runs phishing analysis, domain DNSBL, IP resolution, and email DNS.
- IPv4 or non-domain input triggers IP reputation plus Spamhaus merge.
- Resolved domain IPv4 embeds malware-ip output as ipThreat when available.
- Review type, summary, and nested signal objects for block or monitor decisions.
About This Tool
SOC analysts and abuse desks need consolidated threat context when indicators arrive from mailing lists, ISAC feeds, or user reports — not five separate tool tabs. VSPIC threat feed lookup calls the threat-intel action with your query, auto-detects domain versus IP input, and assembles a tailored brief: domain path returns phishing heuristics, domain DNSBL on DBL URIBL ZRD, resolved IPv4, embedded ipThreat from malware-ip when A records exist, and SPF DMARC flags; IP path merges reputation fraudScore, detection cards, and per-zone Spamhaus results.
The type field distinguishes domain versus ip responses with different object shapes and a summary sentence for ticket titles. This aggregator trades depth for triage speed — drill into dedicated tools after the brief flags escalation.
Common use cases
- •Check if a VPN or proxy is detected on your connection
- •Validate SSL certificates before launch
- •Scan for email addresses in known breaches
Why use VSPIC for ?
- Single lookup aggregates multiple threat feed signals.
- Automatic domain versus IP detection with tailored brief shape.
- Phishing heuristics plus DNSBL for domain indicators.
- fraudScore plus Spamhaus zones for IP indicators.
- emailAuth SPF and DMARC flags on domain briefs.
- Free instant OSINT-style summary for authorized triage.
Why threat feed aggregation matters
Feed subscribers paste indicators into lookup before sandbox detonation or firewall block commits. Aggregated briefs correlate phishing score, DNSBL status, and Spamhaus listing in one JSON view — reducing mean time to triage during campaign surges.
Aggregation does not replace analyst judgment. Conflicting signals — clean Spamhaus with high phishing score on typosquat — require contextual notes in escalation tickets.
Domain threat brief composition
Domain path returns phishing object with riskScore, riskLevel, and signals from hostname heuristics. dnsbl array shows DBL URIBL ZRD listing status. resolvedIp captures first IPv4 when present. ipThreat embeds malware-ip output including malwareListHits and infrastructure flags.
emailAuth summarizes SPF and DMARC presence — authentication gaps compound distrust on suspicious hostnames.
IP threat brief composition
IP path merges handleReputation output — fraudScore, riskLevel, detections for DNSBL VPN proxy hosting botnet, listedOn, blacklists — with handleSpamhaus per-zone zen SBL XBL PBL results. summary synthesizes fraud score and Spamhaus listed status in one sentence.
Follow malware-ip-checker when you need malwareListHits emphasis without fraud score noise.
Relationship to threat-intelligence-lookup
Both pages call action threat-intel with identical JSON. threat-intelligence-lookup uses threat intelligence SEO vocabulary; threat-feed-lookup targets operators searching threat feed terminology from mailing lists and ISAC workflows.
API consumers use threat-intel with query, ip, or domain parameters interchangeably.
Phishing plus blocklist correlation
High phishing riskScore with DNSBL listing strongly suggests active campaign infrastructure. Medium phishing with clean DNSBL may indicate parked reconnaissance. Low phishing with DNSBL hit may reflect compromised legitimate sites.
Document signal combinations in tickets rather than relying on summary alone.
ipThreat and CDN blind spots
When domain resolves to IPv4, ipThreat adds malware-oriented DNSBL context for that address. CDN domains may show edge IP threat data unrelated to origin abuse.
Cross-check origin-ip-finder when accurate ipThreat matters for takedown behind proxies.
SOC and SOAR integration
Feed lookup JSON into SOAR enrichment steps during concurrent indicator processing. Archive brief JSON with ticket closure for metrics on indicator classes over time.
Recheck at incident milestones — threat actors rotate infrastructure within hours.
API action threat-intel
GET /ip-tools/api/extended?action=threat-intel&query=example.com or query=8.8.8.8. Parse type, summary, and nested objects. Branch on type domain versus ip in automation logic.
Individual actions like reputation and spamhaus remain available when brief payload size is excessive.
Authorized use
Threat feed lookup on third-party indicators must align with organizational policy and law. Queries use public DNS and data APIs — not intrusive port scanning.
Do not use briefs for discriminatory user profiling or automated punishment without review.
Important notes & limitations
- Aggregator breadth trades depth — use dedicated tools for delisting detail.
- Domain path uses first IPv4 A record only for ipThreat context.
- Heuristic and DNSBL signals are not definitive verdicts.
- Point-in-time snapshot — recheck during active campaigns.
- Authorized investigation only — not for harassment or profiling.
Frequently Asked Questions
Yes. VSPIC offers this threat feed lookup at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. It aggregates key signals for speed. Use dedicated tools for deep analysis and delisting workflows.
Valid public domain labels use domain brief. Bare IPv4 addresses use IP brief with reputation and Spamhaus.
Same threat-intel API and JSON. This page targets threat feed vocabulary; threat-intelligence-lookup targets threat intelligence terminology.
When an A record IPv4 resolves, malware-ip checker output embeds — DNSBL hits and hosting context.
Yes. IP brief merges reputation results with per-zone Spamhaus lookup output.
threat-intel with the query parameter.
Next step for your check
Continue with threat intelligence lookup on VSPIC.
Related Tools
Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.
Threat Intelligence Lookup
Aggregate IP or domain threat brief — reputation, Spamhaus, phishing, DNSBL
Use Free →Malware IP Checker
DNSBL malware and spam blacklist scan with hosting and proxy context
Use Free →Spamhaus Lookup
Query zen, SBL, XBL, and PBL Spamhaus DNSBL zones for any IPv4
Use Free →Domain Reputation Checker
Domain trust score from WHOIS age, SPF, DMARC, and DNSBL signals
Use Free →SSL Checker
Validate SSL/TLS certificates and expiration dates
Use Free →Blacklist Checker
Check if an IP is listed on spam and abuse blacklists
Use Free →
Trusted by Users Who Value Privacy
Always Free
No premium plan ever
100% Private
Files processed in browser
Instant Results
Convert in seconds
Works Everywhere
Any device, any OS