URL Abuse

How to use the service?

The service is an online web service (which you can find here) where any user can submit a link. You will need javascript enabled to access the page and the content is delivered when available via AJAX. How to interpret the data?

There are 4 different color codes used in the URL Abuse application: which you can find here:

  • Red means there are strong evidences the submission is a malicious link (e.g. an infected website, a known phishing website)
  • Yellow means there are some evidences the submission is a potential malicious link (e.g. some A/V detected the link as being malicious)
  • Green means the link is known to be safe (or currently not detected as malicious)
  • Blue means there is additional information

What does the service do?

URL Abuse performs multiple tests in order to review the security:

  • Redirect link analysis (where are the redirections pointing to and reviewing each entry)
  • Checking each link against various security black lists (like VirusTotal and Google SafeBrowsing) and EU Phishing Initiative
  • Review the current known associated DNS entries using CIRCL Passive DNS
  • Review the current known associated SSL certificate using CIRCL Passive SSL
  • Review the classification of the ISP hosting the links via CIRCL BGP Ranking

Where are the URLs submitted?

As URL Abuse performs multiple tests as described above, URLs are submitted to different CIRCL services but also external services like VirusTotal or EU Phishing Initiative. CIRCL uses the URLs to improve classification of malicious URLs or passive DNS data. If the URLs are sent to CIRCL via the “Send report to CIRCL”, CIRCL will review the maliciousness level of the URL and notify owner or/and hosting companies of the URLs to review the security and proceed to a clean-up if required. What kind of information is kept when the URL is reported?

When you click on “Send report to CIRCL”, the following information is kept from the submission:

  • The source IP address (IPv4 or IPv6 address) of the submitter
  • and, obviously, the URL submitted

The submitter should also review the URL to ensure that no personally identifiable information is included.

IP addresses from anonymity networks (e.g. Tor) are allowed to use the service.

Contributing to URL Abuse

The architecture of the URL Abuse software is modular. So you can contribute easily additional modules or expand the interface to your own needs.

URL Abuse source code is available on GitHub.

Provided by