URL Blacklist Status Lookup

{{ viewResult.liveHitCount }} live hits {{ viewResult.completedChecks }} completed checks Local {{ viewResult.localSignalScore }} / 100

Target URL:

Enter one HTTP(S) URL or host, such as https://example.org/login.

Lookup preset:

Choose Custom to keep your target; presets can be edited before checking.

Google Safe Browsing:

Leave off for SURBL-only or local-signal triage.

SURBL exact host:

Example checked host: login.mail.example.org.

SURBL root-domain candidate:

For login.mail.example.org, also checks example.org.

Strict HTTPS review:

Turn on when non-HTTPS links should trigger stronger review.

Public-history window:

Choose 7, 30, 90, or 365 days for host and apex urlscan links.

Timeout budget:

Range: 1500-15000 ms in 500 ms steps; raise for slow sources.

Source	Scope	Verdict	Evidence	Checked	Open	Copy
{{ row.source }}	{{ row.scope }}	{{ row.verdict }}	{{ row.evidence }}	{{ row.checked }}

Area	Signal	Guidance
Recommendation	{{ viewResult.primaryDisplay }}	{{ viewResult.recommendation }}
Live coverage	{{ viewResult.completedChecks }} completed	{{ viewResult.statusText }} {{ viewResult.liveHitCount }} live hits; {{ viewResult.accessLimitedCount }} access-limited; apex {{ viewResult.rootDomainCandidate }}.
Local signal posture	{{ viewResult.localSignalTier }}	{{ viewResult.coverageLead }} Score {{ viewResult.localSignalScore }} / 100 with {{ viewResult.signalCount }} triggered signals.

Field	Value	Copy
{{ row.label }}	{{ row.value }}

Signal	Weight	Why it fired	Copy
{{ row.label }}	{{ row.weight }}	{{ row.detail }}
No local risk signals fired for the normalized URL string.

Scope	What ran	What it tells you	Blind spot	Copy
{{ row.scope }}	{{ row.checks }}	{{ row.insight }}	{{ row.blindSpot }}

Follow-up	Scope	Why open it	Open	Copy
{{ row.label }}	{{ row.scope }}	{{ row.note }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Suspicious links are rarely judged by the visible domain alone. A link in a password-reset email, invoice message, cloud-share notice, wallet alert, or help-desk ticket can carry risk in the scheme, subdomain, path, query string, redirect target, or encoded text. Reputation checks are useful because they turn that messy string into scoped evidence before anyone opens it in a normal browser.

Blacklist status has more than one scope. One service may classify the exact URL, another may list a hostname, and a domain-oriented list may report a broader parent domain. Those scopes can disagree without anyone being wrong. A single compromised login path can be unsafe while the homepage is quiet, and a parent-domain listing can matter even when the nested subdomain has not been seen separately.

URL reputation scopes and interpretation mistakes
Scope	What it means	Common mistake
Exact URL	The scheme, host, path, and query string as one web destination.	Using one clean path to clear every sibling path.
Host	The hostname a browser would contact.	Assuming a subdomain and its parent have the same reputation.
Root-domain candidate	A parent-domain guess for domain-oriented checks.	Treating a heuristic suffix split as final ownership evidence.
URL string	Structural clues such as plain HTTP, credentials, ports, lure words, redirects, and encoding.	Reading local string clues as a live blacklist hit.

Reputation data also ages. New phishing pages can spread before public lists catch up, and cleaned sites can retain stale warnings until rescans and removal workflows finish. Disabled sources, access-limited DNS answers, resolver problems, and timeouts reduce coverage without proving the link is clear.

Blacklist status is strongest as a triage signal. A hit can justify blocking, sandboxing, preserving evidence, or escalating to a managed security stack. A quiet result can lower priority for low-risk links, but account, payment, identity, and wallet workflows still need independent confirmation.

How to Use This Tool:

Start with the most complete web URL you have. A host-only value is accepted, but path and query details often explain why one link is riskier than another page on the same site.

Paste one HTTP or HTTPS value into Target URL. If you paste only a host, the checker adds an HTTPS scheme before parsing. Empty, malformed, hostless, or non-web values show an error instead of running a lookup.
Use Lookup preset only for a harmless sample shape. Custom keeps your own target, and presets can be edited before Check Status runs.
Open Advanced and choose the live sources. Google Safe Browsing checks the exact normalized URL, while SURBL exact host and SURBL root-domain candidate check domain-oriented reputation scopes.
Turn on Strict HTTPS review when plain HTTP should count more strongly, especially for login, recovery, payment, or wallet links.
Set Public-history window to 7, 30, 90, or 365 days for prepared urlscan follow-up searches. Raise Timeout budget only when live source rows regularly return Error or Partial.
Run Check Status. The summary reports Current reputation, live hits, completed checks, and the Local signal score.
Read Triage Guidance first, then confirm the evidence in Source Verdict Table, URL Context Fields, Triggered Signals, Coverage Matrix, and Follow-up Links.

Interpreting Results:

The headline verdict is ordered conservatively. Listed wins when an enabled live source reports an unsafe or listed result. Limited means a SURBL path returned an access-limited answer. Review means live sources were quiet but the local URL-shape score reached the high band. Partial means at least one live check failed. No Listing appears only when enabled live sources were quiet and the local score stayed below the high-review threshold.

URL blacklist verdict cues and follow-up actions
Output cue	Read it as	Follow-up
`Listed` or `Unsafe`	An enabled public source found a reputation hit.	Preserve the exact string, avoid direct browsing, and verify in a sandbox or managed reputation service.
`Limited` or `Access limited`	The SURBL query path was restricted, not clear.	Retry later, use an allowed resolver, or confirm with another reputation source.
`Local signal score` of `50 / 100` or higher	The URL shape deserves manual review even without a live listing.	Open `Triggered Signals` and confirm each risky feature before lowering priority.
`No Listing`	No enabled live source listed the target during this run.	Check `Coverage Matrix` before treating the result as enough for sensitive links.

Always carry the checked scope with the verdict. An exact-URL warning, host listing, parent-domain listing, local string warning, timeout, and skipped source support different incident notes and different next actions.

Technical Details:

URL reputation checks combine live source verdicts with local normalization and string review. A bare host is parsed as HTTPS, only HTTP and HTTPS schemes are accepted, and the normalized URL supplies the scheme, host, default or explicit port, path depth, query keys, encoded octets, and host classification used by the local review.

Domain-oriented checks need a parent-domain candidate. The checker recognizes several common multi-label suffixes, including examples such as co.uk, com.au, and com.my, but it is not a complete public-suffix database. Unusual suffixes, delegated subdomains, and managed customer subdomains should be confirmed before a parent-domain result becomes final evidence.

Lookup Core

URL reputation lookup core checks
Check	Scope	What it can prove	What it cannot prove
Google Safe Browsing	Exact normalized URL	Whether public Safe Browsing status marks that URL clear, unsafe, or needing review.	A clean row for one URL does not clear redirects, sibling paths, or later content changes.
SURBL exact host	Submitted hostname	Whether SURBL Multi reports a domain listing for the exact host.	IP-literal hosts are skipped because this SURBL path is domain oriented.
SURBL root-domain candidate	Parent-domain guess	Whether a broader domain candidate is listed when the host is nested.	The candidate may be too broad or too narrow on uncommon suffixes.
Local string review	Normalized URL string	Whether structural clues justify manual review.	String clues never prove current page content, redirect behavior, or attacker intent.

SURBL Multi uses DNS-style answers. A response of 127.0.0.1 means the query path is access-limited and should be treated as inconclusive. Other 127.0.0.x answers are decoded as bitmask categories, so one answer can identify more than one list category.

SURBL Multi bitmask categories
Bit	Code	Category label
`4`	`DM`	Disposable mail domain
`8`	`PH`	Phishing site
`16`	`MW`	Malware site
`32`	`CT`	Click-tracker domain
`64`	`ABUSE`	Spam or abuse site
`128`	`CR`	Cracked site

Formula Core

The local score is a capped weighted sum. It is a review score, not a probability, confidence level, or public blacklist verdict.

S = \min (100, \sum_{i = 1}^{n} w_{i})

S is Local signal score, and each w is the weight for one triggered signal. Plain HTTP, embedded user information, punycode, IP-literal hosts, private or special-use names, documentation hostnames, non-default ports, credential-lure terms, redirect parameters, heavy percent encoding, long URLs, deep subdomains, deep paths, digit-heavy hostnames, and long query strings can add weight.

Local URL signal score bands
Score range	Local tier	Effect on triage
`0-19`	Low local signal load	Live source rows carry most of the decision value.
`20-49`	Review local signal load	Triggered signals should be read before a quiet live result is trusted.
`50-100`	High local signal load	The headline can become `Review` even when no live source lists the URL.

Final triage follows this order: live unsafe or listed results first, access-limited SURBL results second, high local score third, live-source errors fourth, and No Listing only after those stronger conditions are absent.

Privacy and Accuracy Notes:

Live reputation checks contact external services from the browser. When Google Safe Browsing is enabled, the exact normalized URL is sent for public Safe Browsing status. SURBL checks resolve domain-style lookup names through Google Public DNS. Follow-up Links open third-party investigation pages in a new tab.

Avoid pasting confidential, single-use, customer-specific, or access-token-bearing URLs unless that exposure is acceptable for the investigation. Public reputation data can lag fresh abuse, stale listings can remain after cleanup, and skipped or failed sources reduce coverage. Record the checked scope, source coverage, and timestamp when the result becomes evidence.

Worked Examples:

Known documentation host. A sample such as example.org/login is useful for learning the output layout. URL Context Fields should show Documentation hostname, and Triggered Signals can include credential-lure wording from the path. Do not treat a reserved example domain as evidence about a real organization.

High local review link. A plain HTTP login or wallet-reset URL with embedded user information, redirect parameters, and percent encoding can move Local signal score into the high band when Strict HTTPS review is enabled. The headline can become Review even if live sources are quiet.

Deep subdomain triage. A host such as edge.campaign.mail.example.org can make SURBL exact host and SURBL root-domain candidate answer different questions. Compare Scope in Source Verdict Table before deciding whether the risk belongs to the nested host or the parent-domain candidate.

Unsupported protocol. A non-web value stops with Only http:// and https:// URLs are supported. Use an HTTP or HTTPS URL for this checker, or handle non-web destinations with a protocol-specific review process.

FAQ:

Does No Listing mean the URL is safe?

No. No Listing means the enabled live sources did not list the target during this run and Local signal score stayed below the high-review threshold.

Why can exact host and root-domain checks disagree?

A deep subdomain can have different reputation from its parent domain. Use the Scope column to see whether the evidence applies to the submitted hostname or the broader parent-domain candidate.

Why are IP address hosts skipped for SURBL?

The SURBL path used here is domain oriented. IP-literal URLs still receive local string review, but SURBL host and root-domain checks do not apply to them.

What should I do with Access limited?

Treat it as inconclusive. The SURBL query path was restricted, so retry later, use an allowed resolver, or confirm with a separate reputation source before closing the case.

Can I check a hostname without typing a scheme?

Yes. A value such as example.org is parsed after an HTTPS scheme is added. Use a full URL when the path or query string is part of the risk.

Glossary:

Exact URL: The complete normalized web URL string, including scheme, host, path, and query.
Host: The hostname contacted by a browser, such as login.example.org.
Root-domain candidate: The parent-domain guess used for broader SURBL review.
SURBL: A domain-oriented reputation list that can report phishing, malware, spam, abuse, and related categories.
Safe Browsing: Google reputation data used for exact-URL status when the option is enabled.
Local signal score: A 0 to 100 weighted score based on URL structure.
Access-limited: An inconclusive SURBL response indicating the query path is restricted.

References:

Google Safe Browsing, Google.
Safe Browsing FAQs, Google Transparency Report Help Center.
SURBL Lists, SURBL.
JSON API for DNS over HTTPS, Google Public DNS, last updated 2024-09-03 UTC.
How to get a hostname from a URL in PHP, Simplified Guide.
How to follow HTTP redirects with cURL, Simplified Guide.