The DomainTools Intelligence Report: What It Is and Why It Matters
The episode centers on DomainTools' first-ever DomainTools Intelligence (DTI) Year in Review report. Daniel Schwalbe explains that the 37-page document aims to shed light on new-domain trends, DNS-based abuse patterns, and risk-scoring insights drawn from the 106 million new domains observed in 2024.
“It was a bit of a challenge… anybody who’s ever written a scientific paper knows it can get pretty hairy. What to keep in, what not to include.” – Daniel Schwalbe
The report aims to be a living foundation for annual research, drawing feedback from peers across the DNS threat community to improve methodology, transparency, and collaborative value.
What Counts as a Domain? Definitions Matter
One of the first critiques discussed was around how domains were classified. Raymond Dijkxhoorn noted that counting an entire platform like Blogspot as a single domain can miss the nuance of subdomain-based abuse.
“There should be another version of the public suffix list… a kind of effective second-level domain suffix list.” – Peter Lowe
The panel agreed that relying solely on the Public Suffix List has limits. Many services sell names beneath a second-level domain they control (e.g., it.com, za.com), and the abuse arrives through those subdomains, so the PSL alone collapses every customer into a single "domain"; a custom, curated list of effective second-level suffixes is often needed to count them meaningfully.
Risk Scoring Is Art and Science (and Often Contested)
The panelists explored how domain scoring works, and why false positives and false negatives remain a persistent challenge.
“We score every active domain every day on a zero to 100 scale… but we don’t get that feedback loop.” – Daniel Schwalbe
The DomainTools system uses machine learning to evaluate factors like malware signals, phishing history, network proximity, and domain behavior. But without customer-side telemetry, it’s difficult to know how many high-risk scores translate into actual blocks or damage prevention.
Peter Lowe noted how useful it would be to publish false positive rates, but acknowledged few companies are willing to do so.
Subdomains and the Real Source of Abuse
A significant insight shared by Raymond and echoed by others: most active campaigns rely on abuse via subdomains, not the registrable (apex) domain itself.
“The majority of toll scams are not being made out of toll-something in the main domain… it’s the left-hand subdomain that tells you what campaign it actually is.” – Raymond Dijkxhoorn
This complicates detection and attribution, especially for campaigns that use a TDS (Traffic Direction System), phishing kits sold as a service, or IP-based cloaking that serves different content depending on user agent, cookies, or geolocation.
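As an added example covering both the effective-second-level-domain point above and the subdomain-label point, here is a small Python implementation of the Public Suffix List matching algorithm (wildcard and exception rules) with a curated list of extra suffixes layered on top; it then counts the same hostnames both ways and groups them by left-most label. This is not code from the episode or from DomainTools: the PSL subset, the curated entries (it.com, za.com, blogspot.com) and the hostnames are constructed for illustration.

```python
"""Registrable-domain extraction with a curated effective-second-level list,
then grouping hostnames by registrable domain and by left-most label.

Added example; not code from the episode or from DomainTools. PSL_RULES is a
constructed handful of rules in real Public Suffix List syntax ('*.' wildcard,
'!' exception), not the full list. CUSTOM_RULES and HOSTS are assumptions.
"""
from collections import Counter, defaultdict

PSL_RULES = """
// constructed subset in Public Suffix List syntax
com
net
org
uk
*.uk
!parliament.uk
"""

CUSTOM_RULES = """
// curated 'effective second-level' suffixes (assumed for illustration)
it.com
za.com
blogspot.com
"""

# Constructed hostnames; 'ezpass-toll' is an invented lure label.
HOSTS = [
    "ezpass-toll.q7x.example.net",
    "ezpass-toll.m2k.cheap-deals.org",
    "ezpass-toll.vendor.za.com",
    "login.bank.it.com",
    "secure.pay.it.com",
    "dmv-notice.blogspot.com",
]


def parse_rules(text):
    """Return the set of rules, ignoring blank lines and '//' comments."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")}


def _rule_matches(rule_labels, host_labels):
    """A rule matches when it is a right-anchored label suffix of the host;
    '*' matches exactly one label."""
    if len(rule_labels) > len(host_labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host, rules):
    """PSL algorithm: an exception rule wins, otherwise the longest match;
    the implicit rule '*' applies when nothing matches."""
    labels = host.lower().rstrip(".").split(".")
    prevailing, is_exception = ["*"], False
    for rule in rules:
        exc = rule.startswith("!")
        rl = rule.lstrip("!").split(".")
        if not _rule_matches(rl, labels):
            continue
        if exc and not is_exception:
            prevailing, is_exception = rl, True
        elif exc == is_exception and len(rl) > len(prevailing):
            prevailing = rl
    # An exception rule's public suffix is the rule minus its left-most label.
    n = len(prevailing) - (1 if is_exception else 0)
    return ".".join(labels[-n:])


def registrable_domain(host, rules):
    """Public suffix plus one label; None when the host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])


def count_by_registrable(hosts, rules):
    """How the same hosts count as 'domains' under a given rule set."""
    return Counter(registrable_domain(h, rules) for h in hosts)


def cluster_by_leftmost_label(hosts, rules):
    """Map each left-most label to the registrable domains it appears under."""
    clusters = defaultdict(set)
    for h in hosts:
        reg = registrable_domain(h, rules)
        if reg and h.lower() != reg:
            clusters[h.lower().split(".")[0]].add(reg)
    return {k: sorted(v) for k, v in clusters.items()}


if __name__ == "__main__":
    psl = parse_rules(PSL_RULES)
    curated = psl | parse_rules(CUSTOM_RULES)
    print("PSL only:       ", dict(count_by_registrable(HOSTS, psl)))
    print("PSL + curated:  ", dict(count_by_registrable(HOSTS, curated)))
    print("campaign labels:", cluster_by_leftmost_label(HOSTS, curated))
```

With the PSL alone, the it.com hosts collapse into the single "domain" it.com and the Blogspot lure counts as blogspot.com; with the curated layer, each tenant becomes its own registrable domain. Grouping by left-most label then shows the same lure label recurring across unrelated registrable domains, which is the campaign-level view the panel describes.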
The Aging Game: Domains Are Outliving Detection Windows
The conversation also touched on how many attackers are aging their domains — registering them and letting them sit dormant to bypass “new domain” detection filters.
“They know that everything over 90 days is fun to use… most of the security industry is not even looking at it anymore.” – Raymond Dijkxhoorn
Campaigns like the “4PM Gang,” tracked by Raymond’s team, were shown to repurpose aftermarket domains with solid reputations to distribute SMS scams and phishing kits — entirely outside the 24-hour windows many defenders rely on.
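As an added example (not from the episode or from DomainTools) of the detection-window problem, the Python below runs a constructed set of domain records through a "registered within N days" filter at 1, 90 and 365 days and reports which lure domains each window catches. It also tries a second signal, a recent nameserver change, which is one practitioner heuristic for spotting re-activated aftermarket domains; that signal is an assumption here, not something the panel described. All records, dates and malicious/benign labels are constructed.

```python
"""Measuring what a 'new domain' window actually catches.

Added example; not code from the episode, from DomainTools, or from the team
tracking the 4PM campaign. RECORDS, the dates, the 'malicious' ground truth
and the thresholds are constructed. The nameserver-change signal is an
assumed practitioner heuristic, not a method the episode describes.
"""
from datetime import date

OBSERVED = date(2025, 3, 1)  # constructed 'today'

# Constructed records: creation date, last nameserver change, and whether the
# domain was (in this toy data) confirmed to host a lure.
RECORDS = [
    {"domain": "fresh-toll-pay.com", "created": date(2025, 2, 28),
     "ns_changed": date(2025, 2, 28), "malicious": True},
    # aged 106 days before use, no infrastructure change
    {"domain": "toll-settle.net", "created": date(2024, 11, 15),
     "ns_changed": date(2024, 11, 15), "malicious": True},
    # aftermarket purchase: old creation date, reputation intact, fresh NS
    {"domain": "old-community-site.org", "created": date(2016, 5, 3),
     "ns_changed": date(2025, 2, 20), "malicious": True},
    {"domain": "longstanding-benign.com", "created": date(2012, 1, 1),
     "ns_changed": date(2019, 6, 6), "malicious": False},
    {"domain": "new-startup.io", "created": date(2025, 2, 20),
     "ns_changed": date(2025, 2, 20), "malicious": False},
]


def age_days(created, today=OBSERVED):
    """Domain age in days as of 'today'."""
    return (today - created).days


def is_flagged(rec, window_days, ns_window_days=None, today=OBSERVED):
    """True if the domain is newer than the window, or (when enabled) had a
    nameserver change within ns_window_days."""
    new = age_days(rec["created"], today) <= window_days
    ns_recent = (ns_window_days is not None
                 and (today - rec["ns_changed"]).days <= ns_window_days)
    return new or ns_recent


def evaluate(records, window_days, ns_window_days=None, today=OBSERVED):
    """Split the malicious set into caught/missed and list benign false positives."""
    flagged = {r["domain"] for r in records
               if is_flagged(r, window_days, ns_window_days, today)}
    malicious = {r["domain"] for r in records if r["malicious"]}
    return {
        "caught": sorted(flagged & malicious),
        "missed": sorted(malicious - flagged),
        "false_positives": sorted(flagged - malicious),
    }


if __name__ == "__main__":
    for window in (1, 90, 365):
        print(f"new-domain window {window:>3}d:", evaluate(RECORDS, window))
    print("90d window + 30d NS-change signal:",
          evaluate(RECORDS, 90, ns_window_days=30))
```

Widening the window from 1 to 365 days catches the domain that was parked for 106 days but starts flagging benign newcomers; the nameserver-change signal recovers the aftermarket domain. The domain that was simply aged and never touched slips through both checks, which is the gap the panel is pointing at: once an attacker is willing to wait out the window, age alone says nothing.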
The Frustration of Sharing (and the Legal Fog of GDPR)
Perhaps the most animated part of the episode centered on the lack of information sharing in the threat intel industry, particularly due to legal and privacy fears.
“I can’t believe in 2025 we’re still trying to figure this out… we always say we should do better, but then we don’t.” – Daniel Schwalbe
Peter Lowe recalled discussions with legal advisors who block even vetted third-party sharing. Renee Burton and Raymond argued for more trusted systems of data exchange, especially for indicators tied to domain infrastructure abuse that law enforcement may not be tracking in real time.
Is Transparency Hurting Detection?
Finally, the group tackled a controversial topic: should threat reports be public if adversaries are learning from them too?
Renee Burton made the case for transparency:
“We never share the one critical signal… but if we know multiple ways to track an actor, sharing some of it actually confirms their behavior and helps us watch them evolve.”
The consensus was that open-source threat intel reports still do more good than harm — as long as critical methods remain protected.
Key Takeaways
- DNS-based threats are still scaling, with over 106 million new domains observed in 2024.
- Subdomain abuse, not just domain-level abuse, is the real threat vector for phishing and scams.
- Public suffix lists are not enough; effective second-level domain logic is often needed.
- Attackers are aging domains and exploiting short detection windows.
- Collaboration is still hampered by legal barriers, privacy fears, and industry inertia.
- There is an urgent need for trusted, bidirectional threat sharing, not just data hoarding.