Abstract
Miscreants use domain names for malicious purposes such as phishing websites or fake webshops. Reactive approaches such as blocklists play an important role in fighting such abuse but have a key limitation: domains are typically only included in such a list _after abuse has been reported_, by which point there may already be some victims. We propose RegCheck, a system designed to _proactively_ flag suspicious domains at registration time. The core of RegCheck is a machine learning classifier that assesses the risk that the domain name will be used for malicious purposes based on characteristics known at the time of registration. Based on this assessment, it flags some registrations and requires them to undergo additional verification prior to the domain name being activated. The system has been developed collaboratively between SIDN (.nl) and DNS Belgium (.be) and has been deployed as a real-time system at the .be registry since March 2024. Since its deployment, the registry has witnessed a decrease in the number of .be domain name registrations that have been revoked for breaching the terms and conditions, indicating a decline in the number of active malicious registrations.
This talk will be based on the ACM KDD 2025 paper "RegCheck: A Real-Time Approach for Flagging Potentially Malicious Domain Name Registrations".
Recording
Video will be added soon.
Speaker
