Free tool · Threat intel
Domain reputation + threat intel
Layered free check across malware-distribution feeds, confirmed-phishing URL feeds, active-threat intelligence, IP abuse scoring, mail blocklists, and the domain's registration age. One verdict, every signal. No signup.
What this tool checks
Malware distribution: We check against curated feeds of hosts that have been observed serving malware payloads. A listing usually means at least one URL on this host has been caught distributing malicious binaries.
Phishing intel: Separate community-curated feed of confirmed-phishing URLs (credential harvesting, fake login pages, brand impersonation kits). A listing means the host carries at least one URL that's been verified as phishing - a different shape of attack from malware payloads.
Active threat IOC intelligence: Hosts associated with active malware infrastructure - command-and-control endpoints, post-infection callback hosts, botnet domains. Different signal from distribution feeds; covers the callback end of the malware lifecycle.
IP abuse confidence + mail blocklists: A 0-100 community-reported abuse score for the resolved IPs, plus parallel checks against six major mail blocklists picked for low false-positive rates. Catches scanning, brute-forcing, and spam-sourcing IPs that domain-only feeds miss.
Domain registration age: Domains registered less than 7 days ago sit in the canonical phishing-staging window. We surface the registration date so a freshly-spun-up lookalike of microsoft-secure-billing.com gets caught even when the malware feeds haven't indexed it yet.
How to read the results
Listed on the malware feed = treat as actively malicious. The host has been verified as serving payloads within the recent past.
Listed on the phishing feed = at least one URL on this host has been confirmed as a phishing landing page. Sender domains lighting up here are typosquats or disposable lookalikes more often than not.
Listed on active-threat IOCs but not malware / phishing = either compromised infrastructure (a legitimate host an attacker is using) or a callback endpoint. Investigate the apex's other history before drawing conclusions.
Clean across all feeds, registered <7 days = could be a fresh phishing operation that hasn't been indexed yet, OR a legitimate new business. Newness alone is not damning, but it shifts the burden of proof.
IP abuse score > 75 = the resolved IP is heavily reported. Could be shared hosting where one bad tenant tarnishes everyone, or a dedicated abuse host. Check the underlying breakdown to see which.
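The reading rules above, combined into one triage function. This is an added example, not the tool's own code: the Signals field names and the tag strings are hypothetical, "clean" is assumed to mean the three listing feeds, and an unavailable registration date is assumed to be reported rather than treated as old.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Signals:
    # Hypothetical field names; the tool's real output schema is not on the page.
    malware_listed: bool = False
    phishing_listed: bool = False
    ioc_listed: bool = False
    ip_abuse_score: int = 0               # 0-100, highest score among resolved IPs
    registered_on: Optional[date] = None  # None when the registry hides the date

def triage(s: Signals, today: date) -> List[str]:
    """Return every reading that applies, most severe first."""
    tags = []
    if s.malware_listed:
        tags.append("treat_as_malicious")
    if s.phishing_listed:
        tags.append("confirmed_phishing_host")
    # IOC-only listing: compromised legitimate host or a callback endpoint.
    if s.ioc_listed and not (s.malware_listed or s.phishing_listed):
        tags.append("ioc_only_investigate_history")
    feeds_clean = not (s.malware_listed or s.phishing_listed or s.ioc_listed)
    if feeds_clean:
        if s.registered_on is None:
            # Assumption: an unknown age is surfaced, never silently passed.
            tags.append("registration_age_unknown")
        elif (today - s.registered_on).days < 7:
            tags.append("new_domain_burden_of_proof")
    # Strictly greater than 75, as the page states the threshold.
    if s.ip_abuse_score > 75:
        tags.append("ip_heavily_reported_check_breakdown")
    return tags or ["no_listed_signal"]

if __name__ == "__main__":
    today = date(2024, 6, 10)  # constructed sample data below
    samples = {
        "fresh lookalike": Signals(registered_on=date(2024, 6, 7)),
        "ioc only, noisy IP": Signals(ioc_listed=True, ip_abuse_score=80,
                                      registered_on=date(2015, 1, 1)),
        "malware + ioc": Signals(malware_listed=True, ioc_listed=True,
                                 registered_on=date(2020, 3, 2)),
    }
    for name, sig in samples.items():
        print(f"{name}: {triage(sig, today)}")
```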