URL Blacklist Status Lookup
Lookup online URL blacklist status across Safe Browsing, SURBL, and local URL signals to triage suspicious links and investigation next steps.{{ result.summaryTitle }}
Recommendation
{{ result.primaryDisplay }}Live coverage
{{ result.completedChecks }} completedLocal signal posture
{{ result.localSignalTier }}| Field | Value | Copy |
|---|---|---|
| {{ row.label }} | {{ row.value }} |
| Signal | Weight | Why it fired | Copy |
|---|---|---|---|
| {{ row.label }} | {{ row.weight }} | {{ row.detail }} | |
| No local risk signals fired for the normalized URL string. | |||
| Scope | What ran | What it tells you | Blind spot | Copy |
|---|---|---|---|---|
| {{ row.scope }} | {{ row.checks }} | {{ row.insight }} | {{ row.blindSpot }} |
By copying or publishing this embed code, you are responsible for how the tool appears and is used on your website.
- The embedded tool is provided for general informational and utility purposes only. It is not professional, legal, financial, medical, safety, or compliance advice.
- Results depend on the inputs, browser behavior, available data sources, and the current version of the tool. Review important results before relying on them.
- You are responsible for the surrounding page context, labels, instructions, privacy notices, accessibility, and any laws or policies that apply to your website.
- Do not embed the tool in a misleading, unlawful, harmful, or security-sensitive context.
- Simplified Tools may update, limit, suspend, or remove tools and embed behavior without prior notice.
- Analytics, network requests, cookies, browser storage, third-party services, and query parameters may apply depending on the tool and the embedding page.
If these terms do not work for your use case, do not embed the tool.
Introduction:
URL reputation checks combine live list lookups with careful reading of the URL string. A clean result from one source does not prove a link is safe, and a listed host may need confirmation before action. The useful result is a triage view that separates exact-URL coverage, host reputation, root-domain reputation, and local risk signals.
Suspicious links often hide risk in the scheme, hostname, path, query string, redirect parameters, punycode, non-default ports, or deep subdomains. Public reputation sources add another view, but they can lag new campaigns or return limited access from some query paths.
Reputation output should guide handling, not replace security policy. Unexpected login, payment, password reset, invoice, or wallet links should still be opened only in an approved sandbox or investigation workflow.
Technical Details:
The lookup normalizes an HTTP or HTTPS URL, prepending HTTPS when no scheme is supplied. It extracts the hostname, root-domain candidate, port, path depth, query keys, encoded octets, and host class. It then runs enabled live checks and a local string review.
Google Safe Browsing is checked at exact-URL scope through the public Transparency Report status endpoint. SURBL checks the exact host and root-domain candidate through DNS lookups under multi.surbl.org. The local pass scores URL properties such as non-HTTPS transport, userinfo, punycode, private or special-use hosts, non-default ports, credential-lure terms, redirect parameters, heavy percent encoding, long URLs, deep subdomains, deep paths, digit-heavy hostnames, and long queries.
| Source | Scope | Important limit |
|---|---|---|
| Google Safe Browsing | Exact normalized URL | A clear exact URL does not clear sibling paths or future changes. |
| SURBL exact host | Hostname as entered | Domain-oriented, so IP literals are skipped. |
| SURBL root candidate | Heuristic parent domain | Uncommon suffixes may need manual registrable-domain confirmation. |
| Local signal pass | URL string | Flags suspicious structure but cannot prove malicious content. |
SURBL A records encode list membership in the last octet. For example, phishing and abuse categories are represented by bitmask values. A response of 127.0.0.1 means the query path is access-limited and should not be treated as a listing or a clear result.
The tool prepares follow-up links for Google Transparency Report, URLVoid, urlscan host and apex searches, and Sucuri SiteCheck. Those links are investigation aids, not live verdicts inside the result.
Everyday Use & Decision Guide:
Use the homepage, login path, plain HTTP, punycode, and deep subdomain presets to see how each signal behaves, then replace the preset with the link you need to triage. Keep Google Safe Browsing and both SURBL scopes enabled for a first pass unless you have a reason to narrow the run.
- Treat
ListedorUnsafeas a stop signal until confirmed in your managed tools. - Treat
Access limitedas unknown, not clear. - Use
Triggered Signalsto explain why a clean live-list result still needs review. - Use the public-history window to prepare urlscan follow-up searches for the last 7, 30, 90, or 365 days.
Do not open a suspicious link directly just because the headline says no listing. The result only covers the enabled sources and the current normalized URL.
Step-by-Step Guide:
- Paste a full URL, hostname, or path-like URL into the target field.
- Choose a preset only if you want to load a sample pattern.
- Open Advanced to enable or disable Google Safe Browsing, exact-host SURBL, root-domain SURBL, strict HTTPS review, timeout, and history window.
- Run the lookup and read
Source Verdict Tablebefore the local signal score. - Use
Coverage MatrixandFollow-up Linksfor manual confirmation.
If the input is not HTTP or HTTPS, correct the scheme. Other protocols are not supported by this lookup.
Interpreting Results:
No Listing means enabled live sources did not report a listing and the local score did not force a stronger warning. It does not mean safe. Review means the string itself carries enough suspicious structure to slow down. Partial means at least one live source failed.
The best verification cue is source agreement. If Safe Browsing, SURBL host, SURBL root, and local signals all point the same way, confidence rises. If they disagree, preserve the URL and use the follow-up links or your security stack.
Worked Examples:
A normal homepage such as https://example.org/ should produce documentation-host local signals and clear or skipped public-list rows. That is a reminder that reserved example domains are not useful reputation targets.
A password reset link over plain HTTP with next= in the query can show no live listing while still triggering non-HTTPS, credential-lure, and redirect-parameter signals. The practical result is review-needed until the destination is verified.
A deep campaign subdomain may be clear at exact-host scope while the root-domain candidate has a SURBL listing, or the reverse. Read the scope column before deciding whether the risk belongs to the full URL, host, or parent domain.
FAQ:
Does no listing mean the URL is safe?
No. It means the enabled sources did not return a live hit for the checked scope at that time.
Why are IP addresses skipped for SURBL?
SURBL is domain-oriented. IP-literal hosts do not fit that lookup path, so local signals and other follow-up checks matter more.
What should I do with access-limited SURBL output?
Treat it as inconclusive. Re-run through an allowed resolver or use the prepared follow-up links before closing the case.
Glossary:
- Exact URL
- The full normalized URL string, including path and query.
- Root-domain candidate
- The parent-domain guess used for broader reputation lookup.
- Local signal score
- A static score based on URL structure, not a live blacklist result.