| Fraud Score | Risk | Description |
|---|---|---|
| ≥ 75 | Suspicious | Exhibits patterns associated with malicious links. |
| ≥ 90 | High Risk | Strong confidence the URL is malicious. |
| 100 and Phishing = "true" or Malware = "true" | Fraudulent | Confirmed malware or phishing activity in the past 24-48 hours. |

URLs marked with Suspicious = "true" indicate domains with a high chance of being involved in abusive behavior.
The Malicious URL Scanner API returns many data points so your business logic can make the best decisions for your audience. Analyzing the overall Risk Score is usually the best way to determine domain reputation and the overall scoring confidence level. When this value is 100, there is 100% confirmed phishing, malware, or similar abuse activity. You can identify URLs with the "suspicious" data point or by analyzing Risk Scores 30 - 80. URLs or domains with Risk Scores >= 85 are suspicious and likely to be poor reputation domains or malicious URLs.

| Field | Description | Possible Values |
|---|---|---|
| unsafe | Is this domain suspected of being unsafe due to phishing, malware, spamming, or abusive behavior? View the confidence level by analyzing the "risk_score". | boolean |
| domain | The domain name of the final destination URL of the scanned link after following all redirects. This value will display subdomains. | string |
| root_domain | The parent domain is used to identify the root level domain of the final destination URL. This value excludes subdomains. | string |
| ip_address | The IP address corresponding to the server of the domain name. | string |
| country_code | The country corresponding to the server's IP address. | string |
| language_code | The 2-letter ISO code corresponding to the content's language on this URL/domain. | String (2-letter ISO code) |
| server | The server banner of the domain's IP address. For example: "nginx/1.16.0". The value will be "N/A" if unavailable. | string |
| content_type | MIME type of URL's content. For example, "text/html; charset=UTF-8". The value will be "N/A" if unavailable. | string |
| risk_score | The IPQS risk score which estimates the confidence level for malicious URL detection. Risk Scores 85+ are high risk, while Risk Scores = 100 are confirmed as accurate. | integer, 0 - 100 |
| status_code | HTTP Status Code of the URL's response. This value should be "200" for a valid website. Value is "0" if the URL is unreachable. | integer |
| page_size | Total number of bytes to download the URL's content. Value is "0" if the URL is unreachable. | integer |
| domain_rank | Estimated popularity rank of website globally. Value is "0" if the domain is unranked or has low traffic. | integer |
| dns_valid | The domain of the URL has valid DNS records. | boolean |
| suspicious | Is this URL suspected of being malicious or used for phishing or abuse? Use in conjunction with the "risk_score" as a confidence level. | boolean |
| phishing | Is this URL associated with malicious phishing behavior? | boolean |
| malware | Is this URL associated with malware or viruses? | boolean |
| parking | Is the domain of this URL currently parked with a for-sale notice? | boolean |
| spamming | Is the domain of this URL associated with email SPAM or abusive email addresses? | boolean |
| adult | Is this URL or domain hosting dating or adult content? | boolean |
| category | Website classification and category related to the content and industry of the site. Over 70 categories are available including "Video Streaming", "Trackers", "Gaming", "Privacy", "Advertising", "Hacking", "Malicious", "Phishing", etc. The value will be "N/A" if unknown. | string |
| domain_trust | Risk classification of the URL's domain based on past abuse issues and positive behavior signals. Values include: "trusted", "positive", "neutral", "suspicious", "malicious", or "not rated". | string |
| page_title | Returns the URL's title meta tag as text. | string |
| short_link_redirect | Indicates if a URL shortener was found in the link or the URL's path was redirected. | boolean |
| hosted_content | Identifies free content hosting services like Weebly, Blogspot, and others more prone to hosting malicious content by abusive users. These sites are typically suspended very quickly and serve content on a subdomain of a popular website. Cybercriminals favor these sites since the overall domain reputation will be high. | boolean |
| risky_tld | Signals that the domain belongs to a risky TLD extension frequently associated with malware, scams, or phishing. | boolean |
| spf_record | Confirms if the domain has a proper SPF DNS record. | boolean |
| dmarc_record | Confirms if the domain has a proper DMARC DNS record. | boolean |
| technologies | Comma separated list of technologies found on the URL, such as WordPress, Shopify, Cloudflare, Google Analytics, Google Ads, and similar popular services. | array |
| domain_age | An object containing fields related to when the domain was registered. | |
| redirected | Does the URL redirect to another domain when loaded in a browser? | boolean |
| mx_records | List of MX records associated with the URL's domain name. | array |
| a_records | List of A records associated with the URL's domain name. | array |
| ns_records | List of NS records associated with the URL's domain name. | array |
| scanned_url | Original URL, which was analyzed for malware, phishing, abuse, etc., before any redirections. | string |
| final_url | Destination URL after all redirections during our real-time link scan. | string |
| message | A generic status message, either "success" or an error notice. | string |
| success | Was the request successful? | boolean |
| request_id | A unique identifier for this request that can be used to look up the request details or send a postback conversion notice. | string |
| errors | An array of errors that occurred while attempting to process this request. | array of strings |
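
The following is an added example, not IPQS code: a triage function that applies the Fraud Score tiers from the first table to an already-parsed response and attaches context from the fields listed above. The names `flag`, `triage` and `SAMPLE`, the verdict labels, and the choice to map `suspicious` = true onto the "Suspicious" tier are assumptions; flags are accepted both as booleans and as the strings "true"/"false", since the score table writes them as strings.

```python
from urllib.parse import urlsplit

def flag(value) -> bool:
    """True only for boolean True or the string "true" (bool("false") is True in Python)."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")

def triage(resp: dict) -> tuple[str, list[str]]:
    """Return (verdict, context notes) for one parsed scanner response."""
    # Fail closed: without a successful scan there is no reputation data to trust.
    if not flag(resp.get("success")):
        return "error", [str(e) for e in resp.get("errors", [])] or [str(resp.get("message", ""))]
    score = int(resp.get("risk_score") or 0)
    if score == 100 and (flag(resp.get("phishing")) or flag(resp.get("malware"))):
        verdict = "fraudulent"
    elif score >= 90:
        verdict = "high_risk"
    elif score >= 75 or flag(resp.get("suspicious")):
        verdict = "suspicious"
    else:
        verdict = "no_finding"  # assumed label: below every tier in the score table
    notes = []
    # status_code 0 means the URL was unreachable, so no page content was analyzed.
    if "status_code" in resp and int(resp["status_code"]) == 0:
        notes.append("unreachable: page content was not fetched")
    # "domain" is the final destination host; compare it with the host that was submitted.
    scanned_host = (urlsplit(resp.get("scanned_url", "")).hostname or "").lower()
    if scanned_host and scanned_host != str(resp.get("domain", "")).lower():
        notes.append("final destination host differs from scanned host")
    for field in ("short_link_redirect", "hosted_content", "risky_tld", "parking"):
        if flag(resp.get(field)):
            notes.append(field)
    return verdict, notes

# Constructed sample response (not real scan output); hosts use the reserved .example TLD.
SAMPLE = {
    "success": True, "message": "success", "risk_score": 100,
    "phishing": "true", "malware": False, "suspicious": True,
    "status_code": 200, "short_link_redirect": True, "hosted_content": False,
    "scanned_url": "https://short.example/abc",
    "final_url": "https://login.portal.example/signin",
    "domain": "login.portal.example", "root_domain": "portal.example",
}
```

The thresholds follow the score table (75 and 90) rather than the 85 cut-off mentioned in the prose; adjust them to whichever your policy adopts.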