The Danger of New Domains

  • Home
  • The Danger of New Domains

Cybersecurity professionals often advise filtering of newly registered domains, but why? 

Newly registered domains are rarely used for legitimate traffic within 24 hours of registration.

Cybercriminals often cycle through new domains to evade filters. Traditional blocklist are based on domains’ historical reputation.  As a result, cybercriminals often use new domains (without any reputation) hoping victims fall prey before their domain can be listed and filtered.

Millions of new domains are registered every month. Spamhaus’ domain update for Q1 2023 reported nearly 18 million newly registered or newly observed domains in the first 3 months of the year.

Source:  Spamhaus Quarterly Domain Reputation Update Q1 2023

“70% of newly registered domains are either malicious’, ‘suspicious’ or ‘not safe for work'”, estimates Palo Alto Network researcher. (Source).

According to the 2022 Phishing Landscape Report, one of the largest indicators of maliciously registered domains is the age of the domain, stating “the older the domain name, the higher the likelihood it is legitimate.”

It is recommended to protect your users from new, unknown domains until researchers establish the domains are not associated with phishing, botnet activity, ransomware activities, etc. Waiting to block until domain reputation can be established as malicious may be too late, and can allow threats to enter your system.

Zero Reputation Domains

Spamhaus researchers developed their Zero Reputation Domain (ZRD) blocklist, to mitigate cybercrime using newly registered domains. ZRD can be used in email filtering or DNS firewall to prevent users from connecting with these potential threats.

In a Spamhaus customer pilot for a UK-based email security service provider, ZRD provided much needed incremental coverage.  During a 24-hour period, the ESSP made nearly a million queries to the ZRD blocklist, in addition to their existing blocklists. In the pilot, ZRD identified 30,0000 domains, 76% of malicious domains were identified solely using their list of zero reputation domains.


SURBL is another leading independent cyber research organization and has created a service for to identify new domains.  SURBL FRESH is a continuously updated feed of newly registered or previously dormant domains.  SURBL’s data sharing relationships with registrars and the ICANN community allow to list domains before they can be used maliciously.

Organizations can use this data feed to enforce policy decisions and block, quarantine or walled garden these new domains to best protect their users.

If and when the domain is determined to be malicious, it will be removed from Fresh within 72 hours and will be added to their domain threat intelligence feed, SURBL Multi.

Contact us for more information on data feeds of new domains.