Scoring Overview

Each analysis starts at 0. Points are added when suspicious indicators trigger. The total is capped at 100. Every triggered rule produces an evidence item explaining exactly why the score went up.

0–29: Low Risk
30–69: Medium Risk
70–100: High Risk

URL Analysis Rules

High Severity

Host is an IP address: +30 pts
Punycode (xn--) in hostname: +25 pts
URL shortener detected: +25 pts
Redirect chain ≥ 3 hops: +20 pts

Medium Severity

4+ subdomains: +15 pts
URL length ≥ 120 characters: +10 pts
6+ query parameters: +10 pts
Suspicious keywords (login, verify, etc.): +8 pts
Excessive hyphens in domain: +8 pts
Suspicious TLD (.zip, .top, .xyz, etc.): +8 pts

Low Severity

Not using HTTPS: +10 pts
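
The scoring model above applied to the URL rules, as an added example (not this tool's own code). The keyword, TLD and shortener lists, the hyphen threshold, the way subdomains are counted and the redirect_hops parameter are assumptions, since the page does not specify them; the code makes no network requests.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Assumed lists/thresholds: the page gives only "login, verify, etc.",
# ".zip, .top, .xyz, etc." and "excessive hyphens" without exact values.
KEYWORDS = ("login", "verify")
SUSPICIOUS_TLDS = ("zip", "top", "xyz")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
EXCESSIVE_HYPHENS = 3

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def score_url(url, redirect_hops=0):
    """Return (score, band, evidence). redirect_hops is supplied by the caller."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    ip = is_ip(host)
    # The "xn--" prefix itself contains hyphens; do not count it twice.
    hyphens = sum(l.count("-") for l in labels if not l.startswith("xn--"))
    rules = [
        (ip, 30, "Host is an IP address"),
        (any(l.startswith("xn--") for l in labels), 25, "Punycode (xn--) in hostname"),
        (host in SHORTENERS, 25, "URL shortener detected"),
        (redirect_hops >= 3, 20, "Redirect chain >= 3 hops"),
        # Naive count: labels left of the last two (no public-suffix list).
        (not ip and len(labels) - 2 >= 4, 15, "4+ subdomains"),
        (len(url) >= 120, 10, "URL length >= 120 characters"),
        (len(parse_qsl(parts.query, keep_blank_values=True)) >= 6, 10, "6+ query parameters"),
        (any(k in url.lower() for k in KEYWORDS), 8, "Suspicious keywords"),
        (hyphens >= EXCESSIVE_HYPHENS, 8, "Excessive hyphens in domain"),
        (not ip and labels[-1] in SUSPICIOUS_TLDS, 8, "Suspicious TLD"),
        (parts.scheme.lower() != "https", 10, "Not using HTTPS"),
    ]
    evidence = [f"{why} (+{pts})" for hit, pts, why in rules if hit]
    score = min(100, sum(pts for hit, pts, _ in rules if hit))  # capped at 100
    band = "Low Risk" if score <= 29 else "Medium Risk" if score <= 69 else "High Risk"
    return score, band, evidence

if __name__ == "__main__":
    # Constructed sample URL (192.0.2.0/24 is a documentation address range).
    print(score_url("http://192.0.2.10/login"))
```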

Email Analysis Rules

High Severity

DMARC authentication failed: +25 pts
SPF authentication failed: +20 pts
From / Return-Path domain mismatch: +15 pts

Medium Severity

DKIM authentication failed: +15 pts
Reply-To domain mismatch: +10 pts
5+ routing hops: +10 pts

Advanced Rules (Access Code)

Access-code users get additional analysis layers that improve detection depth.

🛡 VirusTotal

Any engine flags as malicious: variable
Community reputation score: variable

🌐 Domain Reputation Signals

Domain registered < 30 days ago: +25 pts
Domain registered < 90 days ago: +15 pts
Privacy-protected registrant: +5 pts

Limitations

This tool uses heuristic analysis — it checks for indicators of suspicious behavior, not definitive proof. A high score does not guarantee a scam, and a low score does not guarantee safety. The tool does not load or execute content from URLs, and email header parsing may not cover all edge cases.

Safety Notes

Never visit suspicious URLs directly. This tool analyzes URLs without loading them in your browser. Use a sandboxed environment for deeper investigation.

Do not submit sensitive data. This is a static analysis tool. Don't paste passwords, personal info, or production credentials.