What’s a suspicious domain?

The question came up on slack and I started bullet pointing what would make a domain suspicious. Seemed like a reasonable blog post. In no particular order, some features that make a domain suspicious to spam filters.

Domain is used in…

  • … mail users complain about
  • … mail users delete without reading
  • … mail sent in bulk through the ISP (example: Censorship, Email and Politics)
  • … phishing mail
  • … malware dissemination

It’s not just the mail the domain is present in. There are other things that lead to suspicion for domains, too.

Domain …

  • is located on a network with a bad reputation
  • is newly registered
  • has network connections to bad domains (like nameservers, etc)
  • is a cousin domain to some regular domain
  • has a name pattern like snowshoers use
  • has network connections to individuals with bad reputations
  • has network connections to sources of bad traffic
  • is sent through a MTA with bad behaviour (holding open idle connections, retrying too frequently, etc)

While we talk a lot about permission and user engagement and those are crucial for getting to the inbox. But there are lots of other signals that go into mail delivery, some of them will override even the best domain reputation (example: Fun with spam filters). Knowing what the other signals are means a better overall understanding of delivery and the ability to integrate deliverability into business goals and KPIs.

 

Yeah… don’t do that
Automated link checking getting more sophisticated

Related Posts

Flush your DNS cache (again)

This time it appears that DNS for major websites, including the NY Times, has been compromised. Attackers put in DNS entries that redirected visitors to a malware site. The compromise has been fixed and the fake DNS entries corrected.
However, people may still have the old data in their DNS caches and security experts are suggesting everyone flush their DNS cache to make sure the fake data is gone.
The Washington Post has an article explaining DNS hijacking.

Read More

Reputation is in the eye of the beholder

A few years ago reputation was generally recognised as one thing. If a sending reputation or IP reputation was good in one place it was likely good in other places. Different entities mostly reputation using the same set of signals albeit slightly tweaked to meet their own needs. More recently there is a divergence in how reputation is measured, meaning delivery can be vastly different across entities.

Read More

GDPR and Whois data

For folks who aren’t following the discussion about whois records and GDPR compliance there’s a decent summary at vice.com: What Is Going to Happen With Whois?

Read More