Abuse / Phishing / Spam Reporting API

Central reporting endpoint for phishing URLs, spam emails, malware domains, and compromised infrastructure. Supports ARF and X-ARF formats for automated abuse reporting from major email providers.

Supported Report Types

Phishing URLs

Report malicious URLs used for credential theft, fake login pages, and social engineering attacks.

Spam Emails

Submit full RFC822 email messages with headers for spam source identification and blocklist updates.

Malware Domains

Report domains hosting malware, exploit kits, command and control servers, and malicious downloads.

Compromised IPs

Report compromised mail relays, open proxies, and hijacked infrastructure used for abuse.

File Hashes

Submit MD5, SHA1, or SHA256 hashes of malicious files for threat intelligence correlation.

Other Indicators

Report email addresses, Bitcoin wallets, phone numbers, and other indicators of compromise.

Standard Reporting API

POST /api/abuse/report
Submit abuse reports in JSON format

Request Headers

Authorization: Bearer YOUR_API_KEY
Content-Type: application/json

Request Body

{
  "report_type": "phishing",
  "indicator_type": "url",
  "indicator_value": "https://evil-phishing-site.example.com/login",
  "description": "Fake banking login page targeting customers",
  "severity": "high",
  "evidence": "Full page HTML or screenshot URL",
  "metadata": {
    "target_brand": "Example Bank",
    "discovered_date": "2025-01-15T10:30:00Z",
    "reported_by": "security@company.com"
  }
}

Field Specifications

report_type: phishing | spam | malware | compromised | other
indicator_type: ip | domain | url | email | hash
severity: low | medium | high | critical

Response

{
  "success": true,
  "report_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "status": "pending",
  "message": "Report submitted for verification",
  "estimated_processing_time": "15 minutes"
}

ARF / X-ARF Format Support

POST /api/abuse/arf
Accept Abuse Reporting Format (ARF) messages from email providers

ARF Message Structure

Content-Type: multipart/report; report-type=feedback-report;
  boundary="----=_Part_12345"

------=_Part_12345
Content-Type: text/plain; charset="UTF-8"

This is an abuse report from Gmail.

------=_Part_12345
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: Gmail-FBL/1.0
Version: 1
Original-Mail-From: spammer@evil.example
Arrival-Date: Mon, 15 Jan 2025 10:30:00 +0000
Source-IP: 192.0.2.100
Reported-Domain: evil.example

------=_Part_12345
Content-Type: message/rfc822

[Original spam message headers and body]

------=_Part_12345--

X-ARF Extended Format

{
  "Schema-URL": "http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json",
  "Reported-From": "security@example.com",
  "Category": "abuse",
  "Report-Type": "login-attack",
  "Report-ID": "12345678901234567890",
  "Date": "2025-01-15T10:30:00+00:00",
  "Source": "192.0.2.100",
  "Source-Type": "ip-address",
  "Attachment": "text",
  "Service": "ssh",
  "Port": 22,
  "Destination": "203.0.113.50"
}

Supported Feedback Types

abuse: General abuse complaints
fraud: Phishing and financial fraud
virus: Malware distribution
not-spam: False positive reports

Email Provider Integration

Configure ARF forwarding from major providers

Gmail / Google Workspace

Forward feedback loop reports to: arf@dnsbl.io

Microsoft 365 / Outlook.com

Configure JMRP (Junk Mail Reporting Program) with endpoint: https://api.dnsbl.io/abuse/arf

Custom Mail Server

# Postfix configuration: forward ARF reports to dnsbl.io

# /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing)
abuse-reports@yourdomain.com  smtp:api.dnsbl.io:25

Report Processing Pipeline

1. Validation

Verify report format, check required fields, validate indicator syntax (IP, domain, URL, hash).

2. Normalization

Extract indicators from evidence, normalize IPv6 addresses, canonicalize URLs, compute hashes.

3. Reputation Scoring

Check reporter reputation, correlate with existing reports, calculate confidence score.

4. Threat Intelligence Integration

Feed verified indicators into DNSBL zones, update TAXII/STIX feeds, trigger automated responses.

5. Notification

Send confirmation to reporter, notify affected parties, publish to community feeds.
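
Added example (not the service's own code): a client-side pre-submission check in Python that mirrors the Validation and Normalization steps above, using the allowed values from Field Specifications. The function names, the treatment of all three enumerated fields as required, and the syntax rules are assumptions made for illustration; the server-side checks are not documented on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Allowed values copied from the Field Specifications section.
ENUMS = {
    "report_type": {"phishing", "spam", "malware", "compromised", "other"},
    "indicator_type": {"ip", "domain", "url", "email", "hash"},
    "severity": {"low", "medium", "high", "critical"},
}
# Assumed hostname syntax (LDH labels); the service's own rule is not published.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$")

def normalize_indicator(kind, value):
    """Return the canonical form of one indicator, or raise ValueError."""
    value = value.strip()
    if kind == "ip":  # rejects malformed input, compresses IPv6
        return ipaddress.ip_address(value).compressed
    if kind == "domain":
        host = value.lower().rstrip(".")
        if not DOMAIN_RE.match(host):
            raise ValueError(f"invalid domain: {value!r}")
        return host
    if kind == "url":  # lower-case scheme/host, keep path and query, drop fragment
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"invalid URL: {value!r}")
        userinfo, at, hostport = parts.netloc.rpartition("@")
        netloc = userinfo + at + hostport.lower()
        return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))
    if kind == "email":  # only the domain part is case-insensitive
        local, sep, domain = value.rpartition("@")
        if not (sep and local):
            raise ValueError(f"invalid email: {value!r}")
        return f"{local}@{normalize_indicator('domain', domain)}"
    if kind == "hash":  # MD5, SHA1 or SHA256 as hex
        digest = value.lower()
        if len(digest) not in (32, 40, 64) or not re.fullmatch(r"[0-9a-f]+", digest):
            raise ValueError(f"invalid hash: {value!r}")
        return digest
    raise ValueError(f"unsupported indicator_type: {kind!r}")

def validate_report(report):
    """Check the enumerated fields, then return a copy with the indicator normalized."""
    for field, allowed in ENUMS.items():
        if report.get(field) not in allowed:
            raise ValueError(f"{field} must be one of {sorted(allowed)}")
    value = normalize_indicator(report["indicator_type"], report.get("indicator_value", ""))
    return {**report, "indicator_value": value}
```

Running the check before POST /api/abuse/report catches malformed indicators locally instead of spending a request from the per-minute limit on a report that would fail validation.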

Rate Limits & Processing

This service is completely free for all users. API keys are provided to cybersecurity professionals for advanced features and automated abuse reporting.

Rate Limits

  • 5,000 reports per day
  • 50 requests per minute
  • Automated processing for verified reporters
  • 15-minute average processing time

If you require higher limits for large-scale abuse reporting operations, please contact us to discuss your use case.