Malicious URL Scanner API Documentation

URL Scanner API for Malicious URLs

IPQualityScore's Malicious URL Scanner API scans links in real-time to detect suspicious URLs. Accurately identify phishing links, malware URLs and viruses, parked domains, and suspicious URLs with real-time risk scores. Industry leading phishing detection and domain reputation provide better signals for more accurate decision making.

Scan URLs for malware to detect poor reputation domains, suspicious links, and phishing URLs with a real-time API that can be integrated directly into your site, SOAR, or other third party software. Accurately check URLs for malware without false-positives or missed hit rates. Take URL intelligence a step further with parking domain detection and support to identify domains used for email spam. Easily enhance your SIEM/SOAR platform intelligence with our URL Threat Scanning API. Classify websites with over 70 website categories for easier analysis of unknown sites.


Malicious URL Scanner Use Cases
  • Phishing URL Detection — Detect malicious URLs used for phishing campaigns and misleading advertising.
  • Malicious URL Scanning — Identify URLs used for malware and viruses with live threat intelligence feeds that detect zero-day phishing links and suspicious behavior.
  • Parked Domain Detection — Detect parked domains and easily classify parked domains via API such as ParkingCrew, Sedo, Bodis, Skenzo, ParkLogic, Rook Media, Voodoo, and recognition for all types of parked domains.
  • Telecom Abuse — Screen text messages, SMS, and user messages in real-time to detect phishing, malicious links, affiliate spam, and other abuse.
  • Filter Email Spammer Domains — Sift through suspicious emails with detection for domains confirmed as sending email SPAM. Further validate SPAM with real-time email threat scoring.
  • Abusive Domains - Block emails from disposable email services and throwaway accounts. Pair with IP reputation checks for deeper insight.

Malicious URL Checker API

Detect malicious sites with live URL scanning via on-demand API requests. Simply call our API from your SOAR, backend, or other third party service to retrieve accurate risk scores. Detect scam sites, phishing, malware, and low reputation domains used for fraudulent behavior. Parked domain detection is also supported. The API only requires a valid URL and will perform over 20 data points in return to summarize the risk level associated with the URL or domain.

Phishing Detection API

Stop phishing with real-time protection against malicious URLs. Detect zero-day phishing links and newly setup domains, even before other services have had a chance to analyze the URL. The IPQS machine learning phishing detection API ensures any threat will be accurately classified. Use the "phishing" boolean data point and "risk_score" to identify confirmed phishing links. Additionally, classify domains and URLs into website categories such as "search engine", "ecommerce", "business", etc. Accurately detect phishing domains and malicious URLs.

Domain Reputation API

Analyze domain risk scores in real-time with deep insights from the IPQS domain reputation API. Accurately identify newly created domains and malicious domains associated with high risk behavior such as phishing links, spam, fake accounts, or hosting malware. Receive over 25 data points for any domain with intelligent data that improves real-time decision making. Access the best blacklists and machine learning technology that makes it challenging for bad actors to operate online.

Parked Domain Detection API

Quickly check parked domains and placeholder websites, common patterns for malicious websites and links. Lookup parked domains in real-time to verify if the domain name is currently pointed to a popular parked domain service such as Sedo, ParkingCrew, and many others. Machine learning models also detect private parking domain networks and custom landing pages.

Private Key
Please login or create a free account to access your API Key.

NOTE: Do not share this key with anyone. It's like a password and can be used to make queries using our API.

Request URLs

The URLs below can be used to fetch the result using cURL or another utility in most languages. Please see the usage example at the bottom of the page. Simply replace "URL_HERE" with the URL to scan.

JSON:
XML:

JSON Example Requests
API Lookup with URL Encoded Link
The API can accept a domain or full URL link - please URL encode the link.

JSON Success Response Example

NOTE: For a description of each field listed above please consult the response documentation below.


XML Success Response Example

NOTE: For a description of each field listed above please consult the response documentation below.


JSON Error Response Examples

Example errors that you may encounter when accessing our API due to an exhausted credit balance or an invalid URL.


Additional Request Parameters

Custom tracking variables (such as "userID", "transactionID") established in your account settings can be passed with each API request. This allows our reporting tools to filter by specific users, products, campaigns, transactions, etc. so that you can easily match up records with your own system to identify fraudulent activity.

Field Description Possible Values
strictness How strict should we scan this URL? Stricter checks may provide a higher false-positive rate. We recommend defaulting to level "0", the lowest strictness setting, and increasing to "1" or "2" depending on your levels of abuse. integer (0-2)
fast When enabled, the API will provide quicker response times using lighter checks and analysis. This setting defaults to false. boolean, string (true or false)
timeout Maximum number of seconds to perform live page scanning and follow redirects. If your implementation requirements do not need an immediate response, we recommend bumping this value to 5. Default value is 2 seconds. integer (1-10)

Additional Request Options

Due to the nature of platform requirements or frameworks it may be necessary to request IPQS API endpoints without passing the API key in the URL. As an alternative, IPQS allows the API key to be passed via GET, POST, or Headers. These requests use the following endpoints:

JSON:
XML:
Method Value Example
GET key ?key=YOUR_API_KEY_HERE&url=https%3A%2F%2Fgoogle.com
POST key key=YOUR_API_KEY_HERE&url=https%3A%2F%2Fgoogle.com
Header IPQS-KEY (Additional parameters passed as either GET or POST) IPQS-KEY: YOUR_API_KEY_HERE


Response Field Definitions
Quick Notes
  • Risk Scores >= 75 - suspicious - usually due to patterns associated with malicious links.
  • Suspicious URLs marked with Suspicious = "true" will indicate domains with a high chance for being involved in abusive behavior.
  • Risk Scores >= 90 - high risk - strong confidence the URL is malicious.
  • Risk Scores = 100 AND Phishing = "true" OR Malware = "true" - indicates confirmed malware or phishing activity in the past 24-48 hours.
Further Details on URL Scanning API Results

The Malicious URL Scanner API returns many data points so your business logic can make the best decisions for your audience. Analyzing the overall Risk Score is usually the best way to determine domain reputation and the overall scoring confidence level. When this value is 100, there is 100% confirmed activity of phishing, malware, or similar abuse. Suspicious URLs can be identified with the "suspicious" data point, or by analyzing Risk Scores 30 - 80. URLs or domains with Risk Scores >= 85 are suspicious and likely to be a poor reputation domain or malicious URL.

Risk Scores >=90 have been classified by our deep machine learning as suspected of phishing, malware activity, or similar type of abuse. Risk Scores = 100 will provide confirmation the URL is accurately classified as a malicious link.

We recommend blocking or flagging a URL as malicious using a combination of the "risk_score", "phishing", "malware", "suspicious", "parking", and "spamming" variables.

Field Description Possible Values
unsafe Is this domain suspected of being unsafe due to phishing, malware, spamming, or abusive behavior? View the confidence level by analyzing the "risk_score". boolean
domain Domain name of the final destination URL of the scanned link, after following all redirects. This value will display sub domains. string
root_domain Parent domain to identify the root level domain of the final destination URL. This value excludes sub domains. string
ip_address The IP address corresponding to the server of the domain name. string
country_code The country corresponding to the server's IP address. string
language_code The 2-letter ISO code corresponding to the content's language on this URL/domain. String (2-letter ISO code)
server The server banner of the domain's IP address. For example: "nginx/1.16.0". Value will be "N/A" if unavailable. string
content_type MIME type of URL's content. For example "text/html; charset=UTF-8". Value will be "N/A" if unavailable. string
risk_score The IPQS risk score which estimates the confidence level for malicious URL detection. Risk Scores 85+ are high risk, while Risk Scores = 100 are confirmed as accurate. integer, 0 - 100
status_code HTTP Status Code of the URL's response. This value should be "200" for a valid website. Value is "0" if URL is unreachable. integer
page_size Total number of bytes to download the URL's content. Value is "0" if URL is unreachable. integer
domain_rank Estimated popularity rank of website globally. Value is "0" if the domain is unranked or has low traffic. integer
dns_valid The domain of the URL has valid DNS records. boolean
suspicious Is this URL suspected of being malicious or used for phishing or abuse? Use in conjunction with the "risk_score" as a confidence level. boolean
phishing Is this URL associated with malicious phishing behavior? boolean
malware Is this URL associated with malware or viruses? boolean
parking Is the domain of this URL currently parked with a for sale notice? boolean
spamming Is the domain of this URL associated with email SPAM or abusive email addresses? boolean
adult Is this URL or domain hosting dating or adult content? boolean
category Website classification and category related to the content and industry of the site. Over 70 categories are available including "Video Streaming", "Trackers", "Gaming", "Privacy", "Advertising", "Hacking", "Malicious", "Phishing", etc. The value will be "N/A" if unknown. string
domain_trust Risk classification of the URL's domain based on past abuse issues and positive behavior signals. Values include: "trusted", "positive", "neutral", "suspicious", "malicious", or "not rated". string
page_title Returns the URL's title meta tag as text. string
short_link_redirect Indicates if a URL shortener was found in the link or redirect of the URL's path. boolean
hosted_content Identifies free content hosting services like Weebly, Blogspot, and others which are more prone to hosting malicious content by abusive users. These sites are typically suspended very quickly and serve content on a sub domain of a popular website. Cybercriminals favor these sites since the overall domain reputation will be high. boolean
risky_tld Signals that the domain belongs to a risky TLD extension frequently associated with malware, scams, or phishing. boolean
spf_record Confirms if the domain has a proper SPF DNS record. boolean
dmarc_record Confirms if the domain has a proper DMARC DNS record. boolean
technologies Comma separated list of technologies found on the URL, such as WordPress, Shopify, Cloudflare, Google Analytics, Google Ads, and similar popular services. array
domain_age
Field Description Possible Values
human A human description of when this domain was registered. (Ex: 3 months ago) string or null
timestamp The unix time since epoch when this domain was first registered. (Ex: 1568061634) integer
iso The time this domain was registered in ISO8601 format (Ex: 2019-09-09T16:40:34-04:00) string
object
redirected Does the URL redirect to another domain when loaded in a browser? boolean
mx_records List of MX records associated with the URL's domain name. array
a_records List of A records associated with the URL's domain name. array
ns_records List of NS records associated with the URL's domain name. array
message A generic status message, either success or some form of an error notice. string
success Was the request successful? boolean
request_id A unique identifier for this request that can be used to lookup the request details or send a postback conversion notice. string
errors Array of errors which occurred while attempting to process this request. array of strings
Example Code