What’s a suspicious domain?

The question came up on Slack and I started bullet-pointing what would make a domain suspicious. It seemed like a reasonable blog post. In no particular order, here are some features that make a domain suspicious to spam filters.

Domain is used in…

  • … mail users complain about
  • … mail users delete without reading
  • … mail sent in bulk through the ISP (example: Censorship, Email and Politics)
  • … phishing mail
  • … malware dissemination

It’s not just the mail the domain is present in. There are other things that lead to suspicion for domains, too.

Domain …

  • is located on a network with a bad reputation
  • is newly registered
  • has network connections to bad domains (like nameservers, etc)
  • is a cousin domain to some regular domain
  • has a name pattern like snowshoers use
  • has network connections to individuals with bad reputations
  • has network connections to sources of bad traffic
  • is sent through an MTA with bad behaviour (holding open idle connections, retrying too frequently, etc)
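To make the two lists concrete, here is a small heuristic scorer that turns each bullet into a check and adds up the hits. This is an added example, not code from the original post, and every weight, threshold, reference list and sample observation in it is a constructed assumption: real filters learn these weights from far more data, and the point is only to show how the mail-stream signals (complaints, deletions, bulk, phishing, malware) and the domain-level signals (age, network, nameservers, cousin names, snowshoe-style names, MTA behaviour) combine into one verdict.

```python
"""Heuristic domain-suspicion scorer for the signals listed in the post.

Added example, not the post's own code. Weights, thresholds, blocklists,
brand list and sample observations are all constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Constructed reference data (assumptions): documentation-only ranges and names.
BAD_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]          # "bad reputation" network
BAD_NAMESERVERS = {"ns1.badhost.example", "ns2.badhost.example"}  # "bad domain" connections
BRAND_DOMAINS = {"example.com", "examplebank.com"}               # domains cousins imitate
NEW_DOMAIN_DAYS = 30          # younger than this counts as "newly registered"
SUSPICION_THRESHOLD = 5       # assumed cut-off for the summed score
TODAY = date(2024, 1, 15)     # fixed "now" so the example is deterministic

# Assumed snowshoe-style name shapes: "word-word-4821" or "word123".
SNOWSHOE_RE = re.compile(r"^(?:[a-z]{2,8}-){1,}[a-z]*\d{2,}$|^[a-z]+\d{3,}$")


@dataclass
class DomainObservation:
    """What a receiver might know about a domain and the mail carrying it."""
    name: str
    registered: Optional[date] = None
    host_ips: List[str] = field(default_factory=list)
    nameservers: List[str] = field(default_factory=list)
    # Mail-stream signals, as fractions of messages carrying the domain.
    complaint_rate: float = 0.0
    delete_unread_rate: float = 0.0
    in_phishing: bool = False
    in_malware: bool = False
    sent_in_bulk: bool = False
    # MTA behaviour seen on the receiving side.
    mta_idle_connections: bool = False
    mta_retries_too_fast: bool = False


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike (cousin) labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label ('examp1e-secure' for 'examp1e-secure.com'); assumes a one-label TLD."""
    return domain.lower().rstrip(".").split(".")[-2]


def is_cousin(domain: str) -> bool:
    """Cousin domain: a hyphen-separated token is within 2 edits of a brand label, or embeds one."""
    label = registrable_label(domain)
    brand_labels = {registrable_label(b) for b in BRAND_DOMAINS}
    if label in brand_labels:          # the brand itself is not its own cousin
        return False
    for token in label.split("-"):
        for blabel in brand_labels:
            if edit_distance(token, blabel) <= 2 or (len(blabel) >= 5 and blabel in token):
                return True
    return False


def looks_like_snowshoe(domain: str) -> bool:
    return bool(SNOWSHOE_RE.match(registrable_label(domain)))


def on_bad_network(ips: List[str]) -> bool:
    return any(ipaddress.ip_address(ip) in net for ip in ips for net in BAD_NETWORKS)


def score_domain(obs: DomainObservation, today: date = TODAY) -> Tuple[int, List[str]]:
    """Sum the assumed weights of every signal that fires; return (score, reasons)."""
    score, reasons = 0, []

    def hit(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    # Signals from the mail the domain appears in.
    if obs.complaint_rate > 0.001:
        hit(2, "users complain")
    if obs.delete_unread_rate > 0.5:
        hit(1, "users delete unread")
    if obs.sent_in_bulk:
        hit(1, "bulk sending")
    if obs.in_phishing:
        hit(5, "phishing")
    if obs.in_malware:
        hit(5, "malware")
    # Signals about the domain itself and its surroundings.
    if obs.registered and (today - obs.registered).days < NEW_DOMAIN_DAYS:
        hit(2, "newly registered")
    if on_bad_network(obs.host_ips):
        hit(2, "bad network")
    if any(ns.lower() in BAD_NAMESERVERS for ns in obs.nameservers):
        hit(2, "bad nameserver")
    if is_cousin(obs.name):
        hit(3, "cousin domain")
    if looks_like_snowshoe(obs.name):
        hit(2, "snowshoe name pattern")
    if obs.mta_idle_connections or obs.mta_retries_too_fast:
        hit(1, "badly behaved MTA")
    return score, reasons


def is_suspicious(obs: DomainObservation, today: date = TODAY) -> bool:
    return score_domain(obs, today)[0] >= SUSPICION_THRESHOLD


# Constructed sample observations (not real domains or measurements).
SAMPLES = {
    "legit": DomainObservation("example.com", registered=date(2010, 3, 1),
                               host_ips=["198.51.100.10"], nameservers=["ns1.example.net"],
                               complaint_rate=0.0002, delete_unread_rate=0.2),
    "cousin": DomainObservation("examp1e-secure.com", registered=date(2024, 1, 10),
                                host_ips=["192.0.2.44"], nameservers=["ns1.badhost.example"],
                                complaint_rate=0.01, in_phishing=True),
    "snowshoe": DomainObservation("mail-offers-4821.com", registered=date(2024, 1, 1),
                                  host_ips=["203.0.113.9"], sent_in_bulk=True,
                                  delete_unread_rate=0.8, mta_retries_too_fast=True),
}

if __name__ == "__main__":
    for label, obs in SAMPLES.items():
        total, why = score_domain(obs)
        print(f"{label:9} {obs.name:24} score={total:2} suspicious={is_suspicious(obs)} {why}")
```

Note that the snowshoe sample never appears in phishing or malware and has no bad network or nameserver links, yet still crosses the threshold on the softer signals (new registration, name shape, bulk sending, unread deletions, MTA behaviour) alone; that accumulation of weak signals is what the lists above describe.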

We talk a lot about permission and user engagement, and those are crucial for getting to the inbox. But there are lots of other signals that go into mail delivery, and some of them will override even the best domain reputation (example: Fun with spam filters). Knowing what the other signals are means a better overall understanding of delivery and the ability to integrate deliverability into business goals and KPIs.

 
