Malicious URL Scanner API Documentation

URL Scanner API for Malicious URLs

IPQualityScore's Malicious URL Scanner API scans links in real-time to detect suspicious URLs. Accurately identify phishing links, malware URLs and viruses, parked domains, and suspicious URLs with real-time risk scores. Industry leading phishing detection and domain reputation provide better signals for more accurate decision making.

Scan URLs for malware to detect poor reputation domains, suspicious links, and phishing URLs with a real-time API that can be integrated directly into your site, SOAR, or other third party software. Accurately check URLs for malware without false-positives or missed hit rates. Take URL intelligence a step further with parking domain detection and support to identify domains used for email spam. Easily enhance your SIEM/SOAR platform intelligence with our URL Threat Scanning API. Classify websites with over 70 website categories for easier analysis of unknown sites.

Malicious URL Scanner Use Cases

Phishing URL Detection — Detect malicious URLs used for phishing campaigns and misleading advertising.
Malicious URL Scanning — Identify URLs used for malware and viruses with live threat intelligence feeds that detect zero-day phishing links and suspicious behavior.
Parked Domain Detection — Detect parked domains and easily classify parked domains via API such as ParkingCrew, Sedo, Bodis, Skenzo, ParkLogic, Rook Media, Voodoo, and recognition for all types of parked domains.
Telecom Abuse — Screen text messages, SMS, and user messages in real-time to detect phishing, malicious links, affiliate spam, and other abuse.
Filter Email Spammer Domains — Sift through suspicious emails with detection for domains confirmed as sending email SPAM. Further validate SPAM with real-time email threat scoring.
Abusive Domains - Block emails from disposable email services and throwaway accounts. Pair with IP reputation checks for deeper insight.

Malicious URL Checker API

Detect malicious sites with live URL scanning via on-demand API requests. Simply call our API from your SOAR, backend, or other third party service to retrieve accurate risk scores. Detect scam sites, phishing, malware, and low reputation domains used for fraudulent behavior. Parked domain detection is also supported. The API only requires a valid URL and will perform over 20 data points in return to summarize the risk level associated with the URL or domain.

Phishing Detection API

Stop phishing with real-time protection against malicious URLs. Detect zero-day phishing links and newly setup domains, even before other services have had a chance to analyze the URL. The IPQS machine learning phishing detection API ensures any threat will be accurately classified. Use the "phishing" boolean data point and "risk_score" to identify confirmed phishing links. Additionally, classify domains and URLs into website categories such as "search engine", "ecommerce", "business", etc. Accurately detect phishing domains and malicious URLs.

Domain Reputation API

Analyze domain risk scores in real-time with deep insights from the IPQS domain reputation API. Accurately identify newly created domains and malicious domains associated with high risk behavior such as phishing links, spam, fake accounts, or hosting malware. Receive over 25 data points for any domain with intelligent data that improves real-time decision making. Access the best blacklists and machine learning technology that makes it challenging for bad actors to operate online.

Parked Domain Detection API

Quickly check parked domains and placeholder websites, common patterns for malicious websites and links. Lookup parked domains in real-time to verify if the domain name is currently pointed to a popular parked domain service such as Sedo, ParkingCrew, and many others. Machine learning models also detect private parking domain networks and custom landing pages.

Private Key

Please login or create a free account to access your API Key.

NOTE: Do not share this key with anyone. It's like a password and can be used to make queries using our API.

Request URLs

The URLs below can be used to fetch the result using cURL or another utility in most languages. Please see the usage example at the bottom of the page. Simply replace "URL_HERE" with the URL to scan.

JSON:

XML:

JSON Example Requests

API Lookup with URL Encoded Link
The API can accept a domain or full URL link - please URL encode the link.

JSON Success Response Example

{
	"message": "Success.",
	"success": true,
	"unsafe": false,
	"domain": "google.com",
	"root_domain": "google.com",
	"ip_address": "172.217.7.206",
	"country_code": "US",
	"language_code": "EN",
	"server": "nginx",
	"content_type": "text\/html; charset=UTF-8",
	"status_code": 200,
	"page_size": 68553,
	"domain_rank": 1,
	"dns_valid": true,
	"parking": false,
	"spamming": false,
	"malware": false,
	"phishing": false,
	"suspicious": false,
	"domain_trust":"trusted",
	"short_link_redirect":false,
	"hosted_content":false,
	"page_title":"Google",
	"risky_tld":false,
	"spf_record":true,
	"dmarc_record":true,
	"technologies":["Google Tag Manager","Google Ads","WordPress","Shopify","Cloudflare"],
	"a_records":["172.67.151.40","104.21.72.140"],
	"mx_records":["us-smtp-inbound-1.mimecast.com", "aspmx.l.google.com"],
	"ns_records":["finley.ns.cloudflare.com","melinda.ns.cloudflare.com"],
	"adult": false,
	"risk_score": 0,
	"domain_age": {
		"human":"26 years ago",
		"timestamp":874296000,
		"iso":"1997-09-15T00:00:00-04:00"
	},
	"category": "Search Engine",
	"redirected": false,
	"scanned_url": "http:\/\/google.com",
	"final_url": "http:\/\/google.com",
	"request_id": "4ZGSfWu9RDf3oH"
}

NOTE: For a description of each field listed above please consult the response documentation below.

XML Success Response Example

<result>
	<message>Success.</message>
	<success>true</success>
	<unsafe>false</unsafe>
	<domain>google.com</domain>
	<ip_address>172.217.7.206</ip_address>
	<server>nginx</server>
	<country_code>US</country_code>
	<language_code>EN</language_code>
	<content_type>text/html; charset=UTF-8</content_type>
	<status_code>200</status_code>
	<page_size>68553</page_size>
	<domain_rank>1</domain_rank>
	<dns_valid>true</dns_valid>
	<parking>false</parking>
	<spamming>false</spamming>
	<malware>false</malware>
	<phishing>false</phishing>
	<suspicious>false</suspicious>
	<domain_trust>trusted</domain_trust>
	<short_link_redirect>false</short_link_redirect>
	<hosted_content>false</hosted_content>
	<short_link_redirect>false</short_link_redirect>
	<page_title>Google</page_title>
	<risky_tld>false</risky_tld>
	<spf_record>false</spf_record>
	<dmarc_record>false</dmarc_record>
	<adult>false</adult>
	<risk_score>0</risk_score>
	<technologies>["Google Tag Manager","Google Ads","WordPress","Shopify","Cloudflare"]</technologies>
	<domain_age>
		<human>3 months ago</human>
		<timestamp>1568061634</timestamp>
		<iso>2019-09-09T16:40:34-04:00</iso>
	</domain_age>
	<category>Search Engine</category>
	<redirected>false</redirected>
	<request_id>0tt6tE</request_id>
</result>

NOTE: For a description of each field listed above please consult the response documentation below.

JSON Error Response Examples

Example errors that you may encounter when accessing our API due to an exhausted credit balance or an invalid URL.

{
	"success":false,
	"message":"You have insufficient credits to make this query. Please contact IPQualityScore support if this error persists.",
	"request_id":"4OTORR352FU0p"
}

Additional Request Parameters

Custom tracking variables (such as "userID", "transactionID") established in your account settings can be passed with each API request. This allows our reporting tools to filter by specific users, products, campaigns, transactions, etc. so that you can easily match up records with your own system to identify fraudulent activity.

Field	Description	Possible Values
strictness	How strict should we scan this URL? Stricter checks may provide a higher false-positive rate. We recommend defaulting to level "0", the lowest strictness setting, and increasing to "1" or "2" depending on your levels of abuse.	integer (0-2)
fast	When enabled, the API will provide quicker response times using lighter checks and analysis. This setting defaults to false.	boolean, string (true or false)
timeout	Maximum number of seconds to perform live page scanning and follow redirects. If your implementation requirements do not need an immediate response, we recommend bumping this value to 5. Default value is 2 seconds.	integer (1-10)

Additional Request Options

Due to the nature of platform requirements or frameworks it may be necessary to request IPQS API endpoints without passing the API key in the URL. As an alternative, IPQS allows the API key to be passed via GET, POST, or Headers. These requests use the following endpoints:

JSON:

XML:

Method	Value	Example
GET	key	?key=YOUR_API_KEY_HERE&url=https%3A%2F%2Fgoogle.com
POST	key	key=YOUR_API_KEY_HERE&url=https%3A%2F%2Fgoogle.com
Header	IPQS-KEY (Additional parameters passed as either GET or POST)	IPQS-KEY: YOUR_API_KEY_HERE

Response Field Definitions

Quick Notes

Risk Scores >= 75 - suspicious - usually due to patterns associated with malicious links.
Suspicious URLs marked with Suspicious = "true" will indicate domains with a high chance for being involved in abusive behavior.
Risk Scores >= 90 - high risk - strong confidence the URL is malicious.
Risk Scores = 100 AND Phishing = "true" OR Malware = "true" - indicates confirmed malware or phishing activity in the past 24-48 hours.

Further Details on URL Scanning API Results

The Malicious URL Scanner API returns many data points so your business logic can make the best decisions for your audience. Analyzing the overall Risk Score is usually the best way to determine domain reputation and the overall scoring confidence level. When this value is 100, there is 100% confirmed activity of phishing, malware, or similar abuse. Suspicious URLs can be identified with the "suspicious" data point, or by analyzing Risk Scores 30 - 80. URLs or domains with Risk Scores >= 85 are suspicious and likely to be a poor reputation domain or malicious URL.

Risk Scores >=90 have been classified by our deep machine learning as suspected of phishing, malware activity, or similar type of abuse. Risk Scores = 100 will provide confirmation the URL is accurately classified as a malicious link.

We recommend blocking or flagging a URL as malicious using a combination of the "risk_score", "phishing", "malware", "suspicious", "parking", and "spamming" variables.

Field

Description

Possible Values

unsafe

Is this domain suspected of being unsafe due to phishing, malware, spamming, or abusive behavior? View the confidence level by analyzing the "risk_score".

boolean

domain

Domain name of the final destination URL of the scanned link, after following all redirects. This value will display sub domains.

string

root_domain

Parent domain to identify the root level domain of the final destination URL. This value excludes sub domains.

string

ip_address

The IP address corresponding to the server of the domain name.

string

country_code

The country corresponding to the server's IP address.

string

language_code

The 2-letter ISO code corresponding to the content's language on this URL/domain.

String (2-letter ISO code)

server

The server banner of the domain's IP address. For example: "nginx/1.16.0". Value will be "N/A" if unavailable.

string

content_type

MIME type of URL's content. For example "text/html; charset=UTF-8". Value will be "N/A" if unavailable.

string

risk_score

The IPQS risk score which estimates the confidence level for malicious URL detection. Risk Scores 85+ are high risk, while Risk Scores = 100 are confirmed as accurate.

integer, 0 - 100

status_code

HTTP Status Code of the URL's response. This value should be "200" for a valid website. Value is "0" if URL is unreachable.

integer

page_size

Total number of bytes to download the URL's content. Value is "0" if URL is unreachable.

integer

domain_rank

Estimated popularity rank of website globally. Value is "0" if the domain is unranked or has low traffic.

integer

dns_valid

The domain of the URL has valid DNS records.

boolean

suspicious

Is this URL suspected of being malicious or used for phishing or abuse? Use in conjunction with the "risk_score" as a confidence level.

boolean

phishing

Is this URL associated with malicious phishing behavior?

boolean

malware

Is this URL associated with malware or viruses?

boolean

parking

Is the domain of this URL currently parked with a for sale notice?

boolean

spamming

Is the domain of this URL associated with email SPAM or abusive email addresses?

boolean

adult

Is this URL or domain hosting dating or adult content?

boolean

<textarea class="code">
// Your API Key.
$key = 'YOUR_API_KEY_HERE';

/*
* URL to scan - URL Encoded in cURL function below.
*/
$URL = 'https://www.google.com';

// Adjustable strictness level from 0 to 2. 0 is the least strict and recommended for most use cases. Higher strictness levels can increase false-positives.
$strictness = 0;

// Create parameters array.
$parameters = array(
	'strictness' => $strictness
);

// Format Parameters
$formatted_parameters = http_build_query($parameters);

// Create API URL
$url = sprintf(
	'https://www.ipqualityscore.com/api/json/url/%s/%s?%s',
	$key,
	urlencode($URL),
	$formatted_parameters
);

// Fetch The Result
$timeout = 5;

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, $timeout);

$json = curl_exec($curl);
curl_close($curl);

// Decode the result into an array.
$result = json_decode($json, true);

// Check to see if our query was successful.
if(isset($result['success']) && $result['success'] === true){
	// NOTICE: If you want to use one of the examples below, remove
	// any lines containing /*, */ and *-, then remove * from any of the
	// the remaining lines.

	/*
	*- Example 1: Identify suspicious URLs regardless of Risk Score
	* 
	* if($result['suspicious'] === true){
	*	// flag suspicious URL
	* }
	*/
	
	/*
	*- Example 2: We'd like to block all malicious URLs suspected of being used for phishing or malware
	*
	* if($result['phishing'] === true || $result['malware'] === true || $result['risk_score'] > 85){
	*	// flag high risk URLs likely to be malicious
	* }
	*/
	
	/*
	*- Example 3: We'd like to block all links on parked domains
	*
	* if($result['parking'] === true){
	*	// flag parked domains
	* }
	*/
	
	/*
	* If you are confused with these examples or simply have a use case
	* not covered here, please feel free to contact IPQualityScore's support
	* team. We'll craft a custom piece of code to meet your requirements.
	*/
}

import json
import requests
import urllib

# You may need to install Requests pip
# python -m pip install requests

class IPQS:
    key = 'YOUR_API_KEY_HERE'
    def malicious_url_scanner_api(self, url: str, vars: dict = {}) -> dict:
        url = 'https://www.ipqualityscore.com/api/json/url/%s/%s' % (self.key, urllib.parse.quote_plus(url))
        x = requests.get(url, params = vars)
        print(x.text)
        return (json.loads(x.text))

if __name__ == "__main__":        
    """
    URL to scan - URL Encoded in cURL function below.
    """
    URL = 'https://www.google.com'

    #Adjustable strictness level from 0 to 2. 0 is the least strict and recommended for most use cases. Higher strictness levels can increase false-positives.
    strictness = 0

    #custom feilds
    additional_params = {
        'strictness' : strictness
    }

    ipqs = IPQS()
    result = ipqs.malicious_url_scanner_api(URL, additional_params)

    if 'success' in result and result['success'] == True:
        print(result)
        """
        NOTICE: If you want to use one of the examples below, remove
        any lines containing /*, */ and *-, then remove * from any of the
        the remaining lines.
        """
        
        """
        - Example 1: Identify suspicious URLs regardless of Risk Score
        
        if result['suspicious'] == True:
        # flag suspicious URL
        }
        """
        
        """
        - Example 2: We'd like to block all malicious URLs suspected of being used for phishing or malware
        
        if result['phishing'] == True or result['malware'] === True or result['risk_score'] > 85):
            # flag high risk URLs likely to be malicious
        }
        """
        
        """
        - Example 3: We'd like to block all links on parked domains
        
        if result['parking'] == True:
        	# flag parked domains
        }
        """
        
        """
        If you are confused with these examples or simply have a use case
        not covered here, please feel free to contact IPQualityScore's support
        team. We'll craft a custom piece of code to meet your requirements.
        """