A New Way to Pinpoint Dangerous Infrastructure


Domain Hotlist, DomainTools’ prioritized list of active, high-risk domains, delivers predictive insights that organizations can use to proactively identify threats and defend their networks.

Find Threats Before They Find You

Take your defense to the next level by identifying threats live in-market before they have an opportunity to wreak havoc on your network. Domain Hotlist delivers predictive insights to identify high-risk domains before they’re ever identified in actual attacks. Supported by machine learning built on nearly two decades of historical data in the industry’s most comprehensive repository of DNS and infrastructure data, the Domain Hotlist leverages DomainTools Risk Scores to predict and identify domains likely registered with malicious intent. By combining predictive risk assessment with observations of pDNS activity, Domain Hotlist surfaces the most relevant, highest-risk domains—empowering organizations to proactively identify, prioritize, block, and action potential threats.

Domain Hotlist Description

Domain Hotlist is a list of domains, appearing in ranked order, with the most concerning domains at the top. For each domain identified as “active” based on observations of pDNS traffic, the Domain Hotlist displays the domain name and its Domain Risk Score component scores (Phishing, Malware, Spam, and Proximity). The list is generated daily, providing the most current scores for active domains each day.

Domain Risk Score Components

The risk assessment component of Domain Hotlist is enabled by Domain Risk Score. Drawing upon data points from more than 330 million current Internet domains, Domain Risk Score predicts how likely a domain is to be malicious, often before it is weaponized. The score comes from two distinct algorithms: Proximity and Threat Profile.

  1. Proximity evaluates the likelihood a domain may be part of an attack campaign by analyzing how closely connected it is to other known-bad domains.
  2. Threat Profile leverages machine learning to model how closely the domain’s intrinsic properties resemble those of others used for spam, phishing, or malware.

Domain Hotlist Contents

In summary, Domain Hotlist will conform to the following requirements:

  • The Domain Hotlist will publish once daily
  • Hotlist will contain domains that
    • Were associated with pDNS activity 1 day ago
    • And have Threat Profile Scores of 90 and above
    • Or have Proximity Scores of 70 and above
  • Domains in the list will be sorted based on a scoring algorithm, with the domains with the highest malicious potential ranked first
    • Ranking is based on a weighted summation of all known risk scores and domain age
      • Weights are different for each risk score component, with phishing and malware having the most weight, as they tend to pose the most risk for a site visitor, followed by proximity, followed by spam
      • Domain age is also used as a factor, with younger domains being given a higher ranking
  • “Zero-listed” domains will never appear on the Domain Hotlist
  • The list will be variable in size based on the domains that fit the criteria each day
    • Size cannot be guaranteed or bounded. Current expectations are that the list is between 500k and 1M entries. It has been as small as 380k entries and as large as 1.1M entries
    • Domains will be rescored each day and placed on the list according to the list’s filtering parameters and rankings
  • Domains may not be scored by all algorithms; if no score was generated for a specific algorithm, a “\N” will be listed instead

Domain Hotlist will be available in a tab-separated CSV file, containing the following information in the order displayed below:

Domain | Phishing Score | Malware Score | Spam Score | Proximity Score

File Notes

  • One domain will be listed per line, along with the individual phishing, malware, and spam scores
    • At least one of the phishing, malware, or spam scores will be 90+ OR the proximity score will be 70+
    • A missing score will have ‘\N’; domains are guaranteed to have at least one score meeting the inclusion criteria
    • All scores are between 0 and 99
  • The format of the file will be as follows:
    • domain_name <tab> phish_score <tab> malware_score <tab> spam_score <tab> proximity_score <newline>
    • <newline> is a Unix-based newline character (“LF”, a.k.a. “\n”)
    • The table above would be: example.com 99 63 09 57
    • International domain names and TLDs are punycode-encoded, e.g. “münich[.]com” would be listed as “xn--mnich-kva[.]com”
    • No column headers will be included in the file
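
The file notes above, as an added parsing example (not DomainTools code): it reads rows in the stated format, maps “\N” to a missing score, keeps zero-padded scores such as “09”, and sets aside any line that breaks the format or the inclusion thresholds instead of passing it on to a blocklist. The names HotlistRow, parse_score and load_hotlist are assumptions, and the sample rows are constructed.

```python
from typing import NamedTuple, Optional

THREAT_MIN, PROXIMITY_MIN = 90, 70  # inclusion thresholds stated in the file notes

class HotlistRow(NamedTuple):
    domain: str                 # as listed: ASCII, punycode for IDNs
    phishing: Optional[int]
    malware: Optional[int]
    spam: Optional[int]
    proximity: Optional[int]    # None wherever the file had \N
    def meets_criteria(self) -> bool:
        threat = (self.phishing, self.malware, self.spam)
        return (any(s is not None and s >= THREAT_MIN for s in threat)
                or (self.proximity is not None and self.proximity >= PROXIMITY_MIN))

    def display_name(self) -> str:  # Unicode form for analysts; match on .domain
        try:
            return self.domain.encode("ascii").decode("idna")
        except UnicodeError:
            return self.domain

def parse_score(field: str) -> Optional[int]:
    if field == r"\N":          # no score generated by this algorithm
        return None
    if not (field.isascii() and field.isdigit() and int(field) <= 99):
        raise ValueError(f"score not in 0-99: {field!r}")
    return int(field)           # "09" -> 9

def load_hotlist(lines):        # -> (rows, rejects); rejects are (line_no, reason)
    rows, rejects = [], []
    for number, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("\t")
        try:
            if len(fields) != 5 or not fields[0]:
                raise ValueError("expected a domain plus four scores")
            row = HotlistRow(fields[0], *(parse_score(f) for f in fields[1:]))
            if not row.meets_criteria():
                raise ValueError("no score meets the inclusion thresholds")
            rows.append(row)
        except ValueError as err:
            rejects.append((number, str(err)))
    return rows, rejects

# Constructed sample rows (not real Hotlist data); the last two should be rejected.
SAMPLE = ("example.com\t99\t63\t09\t57\n"
          "xn--mnich-kva.example\t\\N\t12\t\\N\t70\n"
          "low.example\t10\t20\t30\t\\N\n"
          "short.example\t99\t63\n")
ROWS, REJECTS = load_hotlist(SAMPLE.splitlines(keepends=True))
```

A non-empty rejects list on a real download usually points to a truncated or altered file and is worth alerting on before the rows reach any enforcement point.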

Domain Hotlist File Acquisition

Domain Hotlist is available for daily download, directly from a transfer box managed by DomainTools, as a gzip-compressed, tab-separated CSV.

To gain access to the Domain Hotlist file, you will need to provide DomainTools with the following information:

  • A customer email address
  • One or more customer-owned IP addresses from which all pull requests will be made
  • An SSH public key generated and owned by the requesting customer. An RSA key of 2048 bits or higher is preferred.

Connections to the transfer box are made via SFTP over SSH, using your key. DomainTools will add a configuration to allow access to our transfer boxes using a provided username and SSH key from the given IP addresses.

The Domain Hotlist file is processed each day, and requests should be made after 4:00 p.m. PDT, once daily.