Most Parked Domains Now Serving Malicious Content

I just checked. At least it's not answering on 25 to receive all that free typo mail. Same for gmali.com. But they could spoof the gmail login page. Not finding out.

    PORT     STATE SERVICE
    80/tcp   open  http
    443/tcp  open  https
    8080/tcp open  http-proxy

    $ dig MX gmai.com +short
    1 mail.h-email.net.

    $ nmap -p 25,587 mail.h-email.net
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-18 16:31 UTC
    Nmap scan report for mail.h-email.net (165.227.159.144)
    Host is up (0.093s latency).
    Other addresses for mail.h-email.net (not scanned): 91.107.214.206 165.227.156.49 167.235.143.33 5.75.171.74 5.161.194.135 178.62.199.248 5.161.98.212 162.55.164.116 49.13.4.90
    rDNS record for 165.227.159.144: mail2.h-email.net

    PORT    STATE SERVICE
    25/tcp  open  smtp
    587/tcp open  submission

Indeed, this is a common practice in the broader data. It seems the linked article is filtering to resolvable+hosted domains, a subset of overall domain parking.

The m3aawg has a parked domain guide - https://www.m3aawg.org/sites/default/files/m3aawg_parked_dom...

A possible explanation why typos for major sites are sparsely registered could be that the domain industry has put a lot of focus the last decade on addressing malicious registrations, and many registrars that focus on the market segment of large companies sell products that monitor for malicious registrations with legal response in case one pops up. It is also seems that bulk registrars has gotten better filters to reduce malicious registrations, which is a service some security companies offer to registrars. In theory it should be quite more difficult today for a malicious actor to go to a major registrar and buy an obvious trademark infringing domain.

Domain/trademark monitoring also directly compete with defensive registrations. Often it is a question if you want to pay the lawyers/monitoring service, a large number of registration/renewal fees, or both.

> Interestingly, the typo space on major sites is actually very sparsely registered (2% at edit distance 1)

It seems to me that "edit distance 1" still describes some very implausible typos.

>Interestingly, the typo space on major sites is actually very sparsely registered (2% at edit distance 1), meaning that typosquatting may actually be underexploited.

Anecdotally, the autosuggestions and improved browsing history recommendations may mean this is way less lucrative than it used to be.

Also, anyone doing search like behaviour in their address bar is far more likely to see a knowledge panel style reply for prominent websites vs the 10 blue link format of historical search engine results.

I'd leap to say that because of this, people find their intended domain by using natural language far more than they used to.

"... meaning that typosquatting may actually be underexploited."

Missing from the paper is an examination of web user behaviour

Over time, so-called "direct navigation" where the domain name, e.g., example.com, was typed into the browser address bar, has declined. By the time Google terminated "Adsense for domains" in 2012 IMO it had managed to systematically subsume most of the traffic and associated revenue from the typosquatting/domain parking racket

https://web.archive.org/web/20250320184725if_/https://domain...

With the introduction of the so-called "omnibar" or "omnibox" in Firefox^1 and Chrome, typographical errors in domain names are submitted as "searches" to a company that sells ad services. For example, Safari, Firefox, Chrome all sending search traffic to Google, LLC. From the DoJ antitrust litigation we know that Google has been paying ridiculously large sums of money to various companies for this traffic

1. Firefox originally called this the "awesome bar"

https://web.archive.org/web/20250927011424if_/https://www.cn...

Not to mention increasingly common user practice of direct navigation to a search engine webpage, e.g., google.com, then searching for the desired website, e.g., example.com

As everyone knows, one company, in some cases through acquisitions and/or anticompetitive conduct, came to control 1. search, 2. "the web browser", 3. online advertising services on the open web, 4. operating systems (mobile, "chromebook"), ...

If parked domains only get traffic from "direct navigation",^2 then it stands to reason that such traffic has declined as it has been increasingly captured by advertising-sponsored "default browsers" and, ultimately, Google. IMO, it makes sense that domain parking as a means of delivering ads and generating revenue would give way to these domains becoming unregistered or registered to malware distributers or the like

What are the registration histories for the unregistered edit distance 1 typosquatting domains. Consider the number that are "currently unregistered" versus "never before registered"

2. Perhaps malware distributers are using other ways to send traffic to these domains

If I understand correctly from the paper what qualifies as an edit distance of 1 is pure Levenshtein distance-1 right?

Just curious because while the edit-1 space can be fairly big, I’d assume all edits have very different probabilities. So the squatted domains probably skew to a higher probability edit. By that I mean mostly keyboard edit typos, eg on a phone: the “cwt” typo is more likely than “cpt” for “cat” because of an and w keyboard proximity. Wonder what the squatting rate is when you filter for edit within one key stroke for example (only really change the add and replace types of edits, not delete or swap)

> About a month before expiration it somehow got renewed for 10 years, which is weird because it was not available

I've seen some domain registrars auctioning off domains during the last 2-4 weeks before they expire. If nobody buys it, then it actually expires and is then released.

Especially when the alternative is "type the company name into google" where the top 3 results are ads and they've previously been seen to stick malware distribution sites above the legitimate company pages

This was happening for months with blender in 2022/2023, previously collected links about it here: https://news.ycombinator.com/item?id=34917701

Yeah, I think there’s just multiple definitions of the word “parked” in play. To a registrar it may just mean idle, but there is an industry out there of what I’d call “monetized parking” where you can point domains to this kind of garbage and collect the ad money.

It’s unclear what the definition used in this study is.

> For a refresher

I've never seen that image before. :/

I remember her!

Facebook[1], Google, etc all use (or used to use) MarkMonitor that offers domain squatting monitoring as a service[2] that utilizes the Uniform Domain Name Dispute Resolution Policy to remove offending domains violating their trademark. These services are quite expensive from my understanding.

[1] It appears Facebook now utilizes their own internal registry.

[2] https://www.markmonitor.com/domain-dispute-recovery-solution...

Yeah maybe it's not over 90% of the time. But I wonder if a study has been done to what the percentage is just for search ads.

We have one; that's the registration fee.