I keep URLVoid pinned in a tab next to my password manager. Not because it’s the most thorough threat intelligence platform on the internet, but because it’s the fastest second opinion I’ve found when something on a webpage smells off — a redirect chain that doesn’t add up, a “shipment tracking page” emailed from a courier I never ordered from, a domain that almost looks like my bank but spells it with a Cyrillic “а.”
After running probably 2,000 scans through it over the past few years — phishing reports from family, suspicious affiliate links, sketchy “free download” mirrors, the usual menagerie — I’ve formed pretty strong opinions on what it’s good for, what it quietly lies to you about, and where it should never be your only line of defense. Here’s the working knowledge.
What URLVoid Actually Is
URLVoid is a free meta-scanner — a website reputation checker and URL safety analyzer — run by NoVirusThanks, online since late 2010. You drop in a domain name, and it queries 30+ third-party reputation engines, DNS-based blacklists (DNSBLs), and threat intelligence feeds in parallel — Google Safe Browsing, BitDefender, Spamhaus DBL, PhishTank, MyWOT, Sucuri SiteCheck, Avira, OpenPhish, SURBL, and others — then aggregates the verdicts onto a single safety report.
The site itself doesn’t perform malware detection or sandbox analysis. It just asks everyone else and prints the answers. That distinction matters more than the marketing copy lets on, and I’ll come back to it.
Per the company’s own about page, they’ve analyzed 50+ million unique websites to date. The API is no longer hosted on urlvoid.com — it migrated to APIVoid’s Domain Reputation API and is paid. The web UI stays free for manual lookups, with a soft limit: you can only re-scan a given host every 15 minutes.
Worth knowing upfront: URLVoid is a domain reputation tool, not a real-time URL scanner. If you want to know whether a specific file on a specific path is malware, this is the wrong instrument. If you want to know whether a domain has a history of phishing, malvertising, command-and-control activity, or fraud — that’s exactly its lane.
How I Actually Use It (The Three-Minute Workflow)
There’s a sequence I run through whenever I’m suspicious of a hyperlink. It takes under three minutes and has saved me from credential theft at least twice:
- Hover and copy. Don’t click. Right-click, copy link address. If it’s in an email, view the raw message source — I’ve caught hidden tracking redirects, URL shorteners, and open-redirect abuse this way that the visible anchor text never revealed.
- Strip to the bare domain. URLVoid only scans at the host level, not the full URL path. So https://login.paypaI-secure.com/verify?id=xyz becomes paypaI-secure.com. Look at that capital “I” replacing the lowercase “l” — that’s a classic homograph attack (also called a typosquatting or IDN spoofing trick), and it’s exactly the kind of visual deception the eye misses but the WHOIS record will expose.
- Paste into URLVoid. Hit “Scan Website.” Read the safety report top to bottom.
The report has far more useful information than people give it credit for, and the engine verdicts are often the least useful part of it.
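The "strip to the bare domain" step can be scripted so the capital "I" is caught before the paste. This is an added example, not part of the original article or of URLVoid; the brand watch-list and the confusables table are small constructed assumptions, and the two-label cut is a simplification.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed watch-list (assumption): brand label -> the brand's real domain.
BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}

# Deliberately small confusables table (assumption, not exhaustive): ASCII
# swaps plus a few Cyrillic letters that render like Latin ones.
FOLD = str.maketrans({"I": "l", "1": "l", "0": "o",
                      "\u0430": "a", "\u0435": "e", "\u043e": "o",
                      "\u0440": "p", "\u0441": "c"})

def bare_domain(url):
    """Reduce a URL to its last two host labels, keeping the letter case."""
    # .netloc keeps case; .hostname would lowercase and hide the capital "I".
    netloc = urlsplit(url if "//" in url else "//" + url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":")[0].rstrip(".")
    # Naive cut: suffixes such as co.uk need the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def lookalike_flags(url):
    """Return the reasons a domain looks like a brand it is not."""
    domain = bare_domain(url)
    flags = []
    scripts = {unicodedata.name(c).split()[0] for c in domain if c.isalpha()}
    if len(scripts) > 1:
        flags.append("mixed-script:" + "+".join(sorted(scripts)))
    folded = domain.translate(FOLD).lower()
    for brand, real in BRANDS.items():
        if brand not in folded or domain.lower() == real:
            continue
        # Brand spelled literally plus extra words, or only after folding?
        kind = "combosquat" if brand in domain.lower() else "confusable"
        flags.append(f"{kind}:{brand}")
    return flags

if __name__ == "__main__":
    for sample in ("https://login.paypaI-secure.com/verify?id=xyz",
                   "paypal-billing.com", "amaz0n-support.net",
                   "http://p\u0430ypal.com/",      # constructed Cyrillic case
                   "https://www.paypal.com/signin"):
        print(bare_domain(sample), lookalike_flags(sample))
```

An empty list only means the domain did not resemble anything on the watch-list; it says nothing about reputation, which is what the scan is for.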
Reading a URLVoid Safety Report the Right Way
When the scan loads, you get a stack of sections. Here’s the order I read them in, and why:
Detection ratio (top). Something like 0/36 or 5/36. Skim it, don’t worship it. A clean ratio doesn’t mean safe — it means “no engine has caught up yet.” A dirty ratio (3 or more hits) almost always means something is wrong, but which engines flagged it tells you what kind of wrong. Spamhaus + Google Safe Browsing = active malware distribution or live phishing. MyWOT alone = could just be community grumbling about a low-trust merchant.
Website Information. HTTP status code, server response headers, page title, content type, server software. If the title is blank or gibberish and the server returns 200 OK, that’s usually a parked domain, a freshly stood-up landing page, or a cloaked phishing kit. Disposable scam infrastructure tends to look exactly this way.
Server Details. IP address, reverse DNS (PTR record), ASN, hosting provider, geolocation, ISP. Here’s where the forensic gold is. A site claiming to be a US bank but resolving to an autonomous system in a jurisdiction known for bulletproof hosting? That’s your answer, and no blacklist hit was needed to get it.
Domain Registration. Creation date, expiration date, last update, registrar, name servers. This is the field I check first on any “your-bank-name-secure-portal.com” lookalike. Legitimate financial institutions don’t register fresh domains every Tuesday. If the creation date is “2 days ago” and the site is asking for login credentials, walk away. In my own informal sampling, well over 80% of confirmed phishing domains I’ve checked were registered within the previous 30 days — what threat researchers call “newly registered domains” (NRDs), and they’re statistically overrepresented in abuse data.
Blocklist Engines (bottom). The individual engine verdicts. Click any “Detected” entry and you’re forwarded to the actual engine’s report — that’s where you get the reason for the flag (malware host, phishing page, spam source, fraudulent shop, browser hijacker, etc.). The “Detected/Clean” tiles by themselves are evidence, not proof.
The “domain age + hosting ASN + registrar” trio is, in my experience, far more diagnostically reliable than the raw detection ratio.
A Real Pattern I See Constantly
A friend forwarded me what looked like a USPS delivery notification last winter. The visible anchor text said usps.com/redelivery. The actual href was usps-trackcenter[.]top/r/4ab9c.
URLVoid gave it 1/36 — only one engine had it on a blocklist. On the detection ratio alone, you’d shrug. But the report also showed:
- Domain registered 4 days earlier (textbook NRD)
- Registrar based in a country with no nexus to the United States Postal Service
- IP address in a hosting netblock previously associated with smishing campaigns and phishing kits
- .top TLD — statistically one of the most abused gTLDs in any given quarter according to most threat intel reports
That’s four independent indicators of compromise before the engines even caught up. Two days later the same domain was sitting at 11/36. The lesson: reputation engines are reactive. The metadata — WHOIS, DNS, hosting fingerprint — is what you read while you’re waiting for them to wake up. This is the difference between signature-based and heuristic analysis, and on a fresh threat the heuristics are usually all you have.
Where URLVoid Gets It Wrong
I’m going to be honest about the failure modes, because pretending a tool is perfect is how people get phished.
It only scans the host, not the URL path. A compromised WordPress site at legitimate-blog.com/wp-content/uploads/payload.exe will read clean if the rest of the domain isn’t blacklisted yet. URLVoid has zero visibility into what’s hosted at that path. For path-level checks and live page behavior, you need VirusTotal’s URL scanner or urlscan.io — the latter actually loads the page inside a sandboxed headless browser and shows you the DOM, the network requests, the JavaScript that fires, and any drive-by download attempts. URLVoid does none of that.
It’s lag-prone on zero-day threats. Reputation feeds update on cycles ranging from minutes to days. A phishing campaign launched an hour ago will read 0/36 across the board. I’ve watched a domain I personally reported to PhishTank take 36 hours to propagate across the rest of the blocklist ecosystem.
False positives happen and URLVoid won’t fix them for you. The FAQ is blunt about this: “URLVoid is not responsible for false positive detections… All the false positive issues should be addressed directly with the company or individual that owns the scanning engine.” If your legitimate website gets flagged by, say, MyWOT due to a competitor brigading the rating, or by an IP-based blacklist because you share hosting with a spammer, you have to chase down each engine’s removal process individually. URLVoid is a window into the data, not an arbiter of it.
MyWOT skews noisy. It’s crowdsourced and user-rated. URLVoid mitigates this slightly — per their own FAQ, they only read the trustworthiness field and ignore user comments, specifically to avoid flagging adult sites as “dangerous.” But community-driven reputation is still community-driven reputation, with all the bias that implies.
No HTTPS / TLS certificate analysis. URLVoid won’t tell you the cert issuer, validity period, or whether it’s a Let’s Encrypt cert issued 20 minutes ago to a domain that just appeared. For SSL/TLS forensics, use the browser’s own certificate viewer or a dedicated tool like crt.sh.
The free service has anti-abuse rate limiting. Automate it with a script and you’ll get IP-banned. If you need bulk lookups for a SOC playbook or a SIEM integration, you need the paid APIVoid API, not the free web UI.
URLVoid vs VirusTotal vs urlscan.io: When to Use Which
People treat these tools as interchangeable. They aren’t. Here’s how I split the workload:
- URLVoid — fast domain reputation lookup, WHOIS context, blocklist aggregation. Use it as the first triage step.
- VirusTotal — broader engine coverage (70+ scanners), scans full URLs and uploaded files, retains community comments and detection history. Use it when you need depth, file analysis, or a historical view.
- urlscan.io — dynamic analysis. Loads the page in an isolated sandbox, captures screenshots, records every HTTP request and JavaScript execution. Use it when you need to know what the page actually does without exposing your own machine.
- Google Safe Browsing Transparency Report — authoritative single-source check for whether Chrome, Firefox, and Safari will block the site for users.
The smart move is to layer them. URLVoid for the metadata picture, urlscan.io for behavior, VirusTotal for the long-tail engine coverage.
What URLVoid Is Genuinely Best At
Cutting through the caveats, there’s a clear set of tasks where URLVoid outperforms heavier tools:
- Triaging suspicious emails fast. Paste, scan, decide in under 60 seconds.
- Vetting unknown e-commerce stores before entering payment details — the domain-age + registrar combo catches fly-by-night scam shops that mimic well-known brands.
- Checking lookalike domains for homograph attacks, typosquatting, and combosquatting (paypal-billing.com, amaz0n-support.net, and friends).
- Light OSINT during basic incident response or fraud investigation — getting a quick reputational snapshot of a domain you’ve encountered in logs.
- Teaching non-technical family members to verify links. The interface is simple enough that a parent can use it. That alone makes it valuable in a way that VirusTotal’s denser UI sometimes isn’t.
Practical Habits That Make Any URL Scanner More Useful
Tools don’t replace judgment. A few habits that have served me well:
- Trust the WHOIS, not the website. A polished-looking site means a designer was paid. The domain age and registrar are far harder to fake than the visual presentation.
- Cross-reference with the brand’s real domain. If “Wells Fargo” is supposedly emailing you from anything other than wellsfargo.com, it isn’t Wells Fargo. Brand-impersonation phishing depends entirely on you not checking this.
- Watch for the cheap TLDs. I’m not saying .xyz, .top, .click, .tk and similar are always bad — plenty of legitimate sites use them. But they are statistically overrepresented in phishing and malware abuse reports. Treat them as a yellow flag, not a red one.
- Re-scan after 24 hours. If a domain was 0/36 yesterday and is 6/36 today, your instinct to be suspicious was correct, and the engines just caught up.
FAQ
Is URLVoid free to use?
The web interface at urlvoid.com is free for manual lookups. The API moved to APIVoid and is paid. Per the official FAQ, you also cannot integrate URLVoid into commercial services or resell its data — that’s an explicit licensing restriction tied to the underlying third-party engines.
Can URLVoid detect a brand-new phishing site?
Often, no — not from the detection ratio alone. Blocklist engines are reactive and take time to propagate. But the WHOIS data, domain age, and hosting geolocation in the report will frequently expose a fresh phishing site even when zero engines have flagged it. Read the metadata, not just the score.
How accurate is URLVoid compared to VirusTotal?
They’re complementary rather than competing. URLVoid aggregates ~30+ domain reputation engines and DNSBLs; VirusTotal aggregates 70+ engines plus file scanning and a much larger community/historical dataset. For domain-level reputation, URLVoid is faster and cleaner. For depth, breadth, file analysis, and URL-path scanning, VirusTotal wins.
Does URLVoid scan the full URL or just the domain?
Just the host. If you paste a full URL with a path and query string, it strips down to the domain before scanning. Anything path-specific — a malicious page on an otherwise-clean site — needs urlscan.io or VirusTotal.
My site shows up as detected on URLVoid. How do I get it removed?
You don’t remove it from URLVoid — URLVoid only mirrors what the underlying engines report. You have to contact each engine that flagged you directly and go through their respective removal or whitelist process. Google Safe Browsing, Sucuri, Spamhaus, MyWOT, and so on each have their own appeals procedure. URLVoid will reflect the change once the source updates.
Is URLVoid safe to use? Can the site I’m scanning see that I checked it?
URLVoid is safe to use — you’re not visiting the suspect site, you’re querying reputation databases about it. However, per their terms, URLs you submit may be shared with security partners and the list of submitted hostnames may be sold (the detections themselves are not). For genuinely sensitive investigations, use a tool with stricter privacy guarantees or a paid enterprise threat intelligence platform.
What’s a good detection ratio threshold to consider a site dangerous?
There’s no universal cutoff, but my rough rule: 0–1 detections plus clean metadata = probably fine; 2 detections plus suspicious metadata (new domain, weird hosting) = avoid; 3+ detections from reputable engines (Google Safe Browsing, Spamhaus, Sucuri) = treat as confirmed malicious. Always weight the quality of the engines flagging it over the raw count.
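The rough rule above, written out as an added example (not URLVoid's or APIVoid's code) and run against the USPS lookalike from earlier in the article. The report field names, the dates, the "EngineA" placeholder, the reading of "3+ from reputable engines" as three or more hits with at least one reputable engine, and the two fallback verdicts for cases the rule leaves open are all assumptions.

```python
from datetime import date

REPUTABLE = {"Google Safe Browsing", "Spamhaus", "Sucuri"}  # engines the rule names
YELLOW_TLDS = {"xyz", "top", "click", "tk"}                 # the article's yellow-flag TLDs
NRD_DAYS = 30                                               # "newly registered" window

def metadata_flags(report, today):
    """Collect the non-blocklist signals the article reads first."""
    flags = []
    age = (today - report["created"]).days
    if age <= NRD_DAYS:
        flags.append(f"registered {age} days ago")
    # Accept defanged input such as example[.]top.
    tld = report["domain"].replace("[.]", ".").rsplit(".", 1)[-1].lower()
    if tld in YELLOW_TLDS:
        flags.append(f".{tld} TLD")
    if report.get("hosting_mismatch"):   # analyst's judgement, entered by hand
        flags.append("hosting/registrar does not fit the claimed brand")
    return flags

def triage(report, today):
    """Return (verdict, metadata flags) for one hand-transcribed report."""
    engines = set(report["detected_by"])
    flags = metadata_flags(report, today)
    if len(engines) >= 3 and engines & REPUTABLE:
        return "treat as malicious", flags
    if len(engines) >= 2 and flags:
        return "avoid", flags
    if len(engines) <= 1 and not flags:
        return "probably fine", flags
    # Cases the stated rule leaves open (assumption): few or no hits with bad
    # metadata, or hits with clean metadata. Never report these as safe.
    if flags:
        return "suspicious, re-scan in 24h", flags
    return "read the engine reports", flags

# Constructed sample: the 1/36 USPS lookalike, four days after registration.
TODAY = date(2024, 1, 10)
USPS_DAY0 = {"domain": "usps-trackcenter[.]top", "created": date(2024, 1, 6),
             "detected_by": ["EngineA"], "hosting_mismatch": True}

if __name__ == "__main__":
    print(triage(USPS_DAY0, TODAY))
```

The 1/36 sample matches none of the three stated buckets, which is why the fallback branches exist: a low ratio on a fresh domain is the case the score alone gets wrong.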


