Calculator inputs
Fill what you know. Leave unknown fields as “Unknown” for safer triage.
- Paste a full URL to auto-extract the host portion.
- Unknown inputs still work; the score reflects uncertainty.
- Check for “xn--” and brand lookalikes before trusting links.
Formula used
The calculator uses a weighted, additive risk model. Each factor contributes points, then the total is clamped to a 0–100 scale.
Domain-string patterns (length, digits, hyphens, subdomains, punycode, phishing keywords) add further points because they often appear in mass-generated or lookalike domains.
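A minimal sketch of the weighted, additive model described above, added here as an example; it is not the calculator's own compute_score(). The point values, thresholds and keyword list are assumptions, so its totals will not match the example table on this page.

```python
from urllib.parse import urlsplit

# Assumed point values for illustration only; not the calculator's real weights.
WEIGHTS = {"long": 8, "digits": 6, "hyphens": 6, "subdomains": 8,
           "punycode": 25, "keyword": 10, "age_new": 30, "age_unknown": 12}
KEYWORDS = ("login", "verify", "secure", "update", "support", "account")  # assumed list

def extract_host(value):
    """Accept a bare domain or a full URL and return the lowercase host."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # makes urlsplit parse the text as a network location
    return (urlsplit(value).hostname or "").rstrip(".")

def compute_score(value, age_days=None):
    """Return (score, breakdown). age_days=None models an "Unknown" input."""
    host = extract_host(value)
    labels = [lab for lab in host.split(".") if lab]
    # Punycode labels always contain hyphens and usually digits, so the digit
    # and hyphen checks look only at the plain labels (TLD excluded).
    plain = "".join(lab for lab in labels[:-1] if not lab.startswith("xn--"))
    parts = []
    if any(lab.startswith("xn--") for lab in labels):
        parts.append(("punycode", WEIGHTS["punycode"]))
    if len(host) > 30:
        parts.append(("long", WEIGHTS["long"]))
    if sum(c.isdigit() for c in plain) >= 2:
        parts.append(("digits", WEIGHTS["digits"]))
    if plain.count("-") >= 2:
        parts.append(("hyphens", WEIGHTS["hyphens"]))
    # Naive depth check (no Public Suffix List): more than three labels.
    if len(labels) > 3:
        parts.append(("subdomains", WEIGHTS["subdomains"]))
    hits = [k for k in KEYWORDS if k in host]
    if hits:
        parts.append(("keyword:" + ",".join(hits), WEIGHTS["keyword"] * len(hits)))
    if age_days is None:
        parts.append(("age_unknown", WEIGHTS["age_unknown"]))  # uncertainty still costs points
    elif age_days < 30:
        parts.append(("age_new", WEIGHTS["age_new"]))
    # Additive total, clamped to the 0-100 scale.
    return max(0, min(100, sum(p for _, p in parts))), parts
```

The returned breakdown lists each signal with its points, so the unclamped sum stays visible even when the score is capped at 100.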
How to use this calculator
- Enter the domain or paste the URL you received.
- Fill known signals from WHOIS, email headers, and browsing checks.
- Click Calculate score to see the result above the form.
- Review the breakdown to spot which signals drive the score.
- Export CSV or PDF to share with your team or ticketing flow.
Example data table
These examples are synthetic and for learning. Your environment and threat model may differ.
| Domain | Age (days) | HTTPS | Reports | Score | Category |
|---|---|---|---|---|---|
| secure-login-example.com | 12 | no | 2 | 100 | Critical |
| updates-support.help | 90 | unknown | 1 | 100 | Critical |
| mycompany.com | 4500 | yes | 0 | 5 | Low |
| xn--paypa1-9za.com | 22 | yes | 3 | 100 | Critical |
| store.example.co | 800 | yes | 0 | 13 | Low |
FAQs
1) Is a high score proof that a domain is malicious?
No. The score is a heuristic estimate from signals and patterns. A legitimate domain can score high, and a malicious domain can score low. Always validate context, content, and independent intel sources.
2) Why does a new domain increase the score so much?
Attackers often register domains shortly before campaigns to avoid takedowns and reputation buildup. Very new domains are a common trait in phishing, malware delivery, and scam infrastructure.
3) What does “punycode” mean and why is it risky?
Punycode (often shown as “xn--”) encodes international (non-ASCII) characters as ASCII. It can be abused for lookalike “homograph” names that resemble trusted brands. Treat it as a strong warning sign.
4) Are WHOIS privacy services always suspicious?
No. Many legitimate owners use privacy to reduce spam and harassment. It is only a weak signal here, and it matters more when combined with other red flags like brand mimicry or bad reputation.
5) Should I enable the live DNS check option?
Enable it only if your hosting allows DNS lookups. It provides a best-effort hint about records, but it cannot guarantee correctness. Use it to supplement, not replace, your normal investigation steps.
6) Why do keywords like “login” or “verify” affect the score?
Credential theft often uses convincing URLs with action words. These keywords are not inherently bad, but they appear frequently in phishing domains, especially when combined with unusual TLDs or extra subdomains.
7) What score should trigger blocking in my environment?
That depends on your tolerance for false positives. Many teams start reviewing at Medium, blocking at High, and urgently blocking at Critical. Calibrate weights based on your incident history and intel feeds.
8) Can I change how the score is calculated?
Yes. Adjust the point values inside the compute_score() function to match your policies. You can also add new factors like certificate age, passive DNS history, or URL path analysis if you have data.