Description:
Feature Summary
We can significantly improve the accuracy of our Sender Verifier and email scanning tools by checking domain metadata in real-time.
Phishing attacks and malicious links frequently use newly registered domains (often less than 30 days old) to bypass spam filters before they get blocklisted. By implementing domain age checks and threat intelligence queries, we can identify and flag suspicious senders or links much more reliably.
Proposed Scope of Integration
- Domain Analyzer Module: domain_checker.py
- Email Scanner Pipeline: email_scanner.py
Suggested Implementation Plan
- Implement WHOIS Domain Age Checks:
  Use a Python WHOIS lookup client (like python-whois) to fetch the registration date (creation_date) of the sender's domain. If the domain is under 30 days old, increase the risk score significantly.
- Threat Intelligence API Integration:
  Integrate an external security API (such as Google Safe Browsing API, VirusTotal, or WHOIS JSON API) to scan domains for blacklisting status and threat classifications.
Example Implementation in domain_checker.py:

```python
import whois
from datetime import datetime, timezone


def check_domain_age(domain):
    """Return the age of `domain` in whole days, or None if WHOIS gives no usable date."""
    try:
        domain_info = whois.whois(domain)
        creation_date = domain_info.creation_date
        # Handle list-format creation_dates returned by some WHOIS servers
        if isinstance(creation_date, list):
            creation_date = creation_date[0]
        if creation_date:
            # WHOIS servers return naive or tz-aware datetimes; treat naive as UTC
            # and compare against an aware "now" so both cases are handled alike.
            if creation_date.tzinfo is None:
                creation_date = creation_date.replace(tzinfo=timezone.utc)
            age_days = (datetime.now(timezone.utc) - creation_date).days
            return age_days
    except Exception:
        # Unknown domain, unparsable record or network failure: no age available
        pass
    return None  # Return None if WHOIS lookup fails
```
- Risk Scoring Adjustment:
  - If domain age < 30 days: add 30 points to the risk score.
  - If domain is flagged on a blacklisting service: set the risk score to 100 (High Risk) immediately.
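The following is an added example, not code from the original issue or the project: it wires the two proposed rules (threat-intelligence flag and WHOIS domain age) into a scoring function, together with the From:-header parsing the email scanner would need in front of it. The lookups are injected as callables so the rule can be exercised offline; `score_domain`, `sender_domain`, `age_lookup`, `blocklist_lookup` and all sample data are constructed for this example and are not part of domain_checker.py. A lookup that throws is recorded as "unknown" rather than "clean", so a WHOIS timeout can never lower a score.

```python
"""Added example (not the project's code): combine the WHOIS domain-age rule
with a threat-intelligence blocklist flag into one risk verdict."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parseaddr
from typing import Callable, List, Optional

NEW_DOMAIN_THRESHOLD_DAYS = 30   # "newly registered" cut-off from the issue
NEW_DOMAIN_PENALTY = 30          # points added for a domain under the threshold
BLOCKLISTED_SCORE = 100          # flagged by threat intel: High Risk immediately
MAX_SCORE = 100


@dataclass
class DomainVerdict:
    domain: str
    age_days: Optional[int]        # None when the WHOIS lookup failed
    blocklisted: Optional[bool]    # None when the threat-intel lookup failed
    score: int
    reasons: List[str] = field(default_factory=list)


def sender_domain(from_header: str) -> Optional[str]:
    """Domain part of a From: header value, normalised for lookups.
    Tolerates display names, angle brackets, mixed case and a trailing dot."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    return domain or None


def domain_age_days(creation_date: Optional[datetime],
                    now: Optional[datetime] = None) -> Optional[int]:
    """Whole days since registration; a naive datetime is assumed to be UTC."""
    if creation_date is None:
        return None
    now = now or datetime.now(timezone.utc)
    if creation_date.tzinfo is None:
        creation_date = creation_date.replace(tzinfo=timezone.utc)
    return (now - creation_date).days


def _safe(lookup: Callable[[str], object], domain: str):
    """Run a network-backed lookup; any failure becomes None (unknown), never
    a clean result."""
    try:
        return lookup(domain)
    except Exception:
        return None


def score_domain(domain: str,
                 age_lookup: Callable[[str], Optional[int]],
                 blocklist_lookup: Callable[[str], bool],
                 base_score: int = 0) -> DomainVerdict:
    """Apply the issue's two scoring rules on top of an existing risk score."""
    age = _safe(age_lookup, domain)
    flagged = _safe(blocklist_lookup, domain)
    verdict = DomainVerdict(domain, age, flagged, base_score)

    if flagged is True:                      # rule 2: blocklisted => 100, done
        verdict.score = BLOCKLISTED_SCORE
        verdict.reasons.append("domain flagged by threat-intelligence service")
        return verdict
    if flagged is None:
        verdict.reasons.append("threat-intel lookup failed; not treated as clean")

    if age is None:                          # rule 1 needs a usable WHOIS date
        verdict.reasons.append("WHOIS lookup failed; no age adjustment applied")
    elif age < NEW_DOMAIN_THRESHOLD_DAYS:
        verdict.score += NEW_DOMAIN_PENALTY
        verdict.reasons.append(f"domain registered {age} days ago")

    verdict.score = min(verdict.score, MAX_SCORE)
    return verdict


# Constructed sample data standing in for live WHOIS and threat-intel answers.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CREATION_DATES = {
    "fresh-login-verify.example": datetime(2024, 5, 20),   # naive, 12 days old
    "longstanding.example": datetime(2009, 3, 14, tzinfo=timezone.utc),
}
SAMPLE_BLOCKLIST = {"known-bad.example"}


def sample_age_lookup(domain: str) -> Optional[int]:
    # KeyError for an unknown domain models a failed WHOIS query
    return domain_age_days(SAMPLE_CREATION_DATES[domain], FIXED_NOW)


def sample_blocklist_lookup(domain: str) -> bool:
    return domain in SAMPLE_BLOCKLIST


if __name__ == "__main__":
    for header in ('"IT Support" <helpdesk@Fresh-Login-Verify.example.>',
                   "alerts@known-bad.example", "news@longstanding.example"):
        d = sender_domain(header)
        print(d, score_domain(d, sample_age_lookup, sample_blocklist_lookup))
```

In the real pipeline `age_lookup` would be `check_domain_age` from domain_checker.py and `blocklist_lookup` a thin wrapper around whichever threat-intelligence API is chosen; keeping them as parameters lets email_scanner.py be tested without network access and makes the failure modes (timeout, unknown domain, unparsable record) explicit in the verdict rather than silently scoring the sender as clean.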