How do blocklists detect phishing URLs?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

A phishing email lands in someone's inbox, they click a link, and their bank credentials are gone in seconds. The only thing standing between that click and the theft is a blocklist query that happens in milliseconds. So how do those blocklists actually know a URL is malicious?

It starts with reports. Security researchers, automated crawlers, browser telemetry, and user submissions all feed into blocklist databases. When you click "report phishing" in Gmail or Outlook, that signal goes somewhere real. Organizations like the Anti-Phishing Working Group (APWG) pool reports from thousands of sources and share feeds with blocklist providers.

Once a suspicious URL comes in, the detection pipeline kicks off several things at once. Automated crawlers visit the URL and look for phishing kit signatures, fake login pages, and brand impersonation indicators. Domain analysis runs in parallel, checking things like how recently the domain was registered (brand-new domains are a red flag), whether the registrant matches known phishing infrastructure, and whether the URL structure mimics a trusted brand. A URL like "paypa1-secure-login.net" triggers pattern matching almost immediately.

Blocklist providers like Spamhaus and Google Safe Browsing maintain live databases that email filters and browsers query in real time. The query itself is a simple DNS lookup: the filter hashes the URL, checks the blocklist, and gets back a clean or flagged result before the email even reaches the inbox. This happens in under a second for every message that passes through a modern mail server.

The lag time is the uncomfortable part. Phishing campaigns often launch, collect credentials, and move on within hours. The window between a URL going live and appearing on a blocklist can be anywhere from a few minutes (for well-resourced providers with live crawlers) to several hours (for smaller feeds). Attackers know this, which is why many phishing URLs rotate through fresh domains or use URL shorteners to stay ahead of blocklists a little longer.

Removal matters too. When a phishing site goes down or the domain expires, blocklist providers clean it out to avoid false positives. A legitimate sender whose domain briefly got hijacked and then secured shouldn't stay flagged forever. (That said, appealing a false positive can take longer than you'd hope.)

So the key blocklist sources most email providers rely on include Google Safe Browsing, SURBL, PhishTank, and Spamhaus DBL. Most enterprise mail filters query several of these simultaneously, so a URL flagged on even one of them gets blocked across the whole stack.

If you're worried your domain has ended up on one of these lists for the wrong reasons, you can run a quick check with our free Blocklist Checker. If something looks wrong, our SOS hotline is free and we'll help you figure out the next step.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Trace the blocklist pipeline

Walk me through the full blocklist pipeline for phishing URL detection. Who submits reports, how fast do URLs get added, how do email filters query blocklists in real time, and what's the realistic lag window between a phishing campaign launching and being blocked? Also, what happens when a legitimate domain gets flagged by mistake?

Edit the yellow boxes, then send to the AI of your choice.