Files
hermes-skills/skills/email/email-workflows/references/domain-verification-for-random-looking-senders.md
T

48 lines
3.3 KiB
Markdown

# Domain Verification for Random-Looking Sender Domains
The triage collector (`imap_triage.py`) flags sender domains as suspicious when the `@domain` part matches the `RANDOM_LABEL_RE` pattern (e.g. letter-digit mixes, long lowercase strings). This produces false positives when a legit company owns a domain that happens to look like a random label.
## UDRP-transferred domains
A domain that looks like `statefarmservice.com` (brand+service+generic TLD) was registered by a cybersquatter, but may now be legitimately owned by the brand after a successful UDRP proceeding.
### Verification checklist
When a triage job flags `"random_looking_sender_domain"`:
1. **WHOIS registrar:** If the registrar is **MarkMonitor** (or CSC, CSC Corporate Domains), the domain is likely owned by a large brand — MarkMonitor is a brand-protection registrar, not a consumer registrar.
2. **DNS inspection:**
- Check SPF record (`dig +short TXT domain`): does it include `amazonses.com` or other enterprise ESPs? Legit corporate sending often goes through Amazon SES, Salesforce, etc.
- Check MX record: enterprise-grade inbound providers confirm corporate ownership.
2. **UDRP search:** Search `"<domain>" + "UDRP" + "Forum"` or `"<domain>" + "ADR"` to find prior UDRP decisions. The Forum (adrforum.com) is a common UDRP provider.
3. **Content cross-check:** Does the email reference specific policy numbers, agent names, or account details that match the recipient's real accounts? State Farm email with policy `1151329-SFP-11` and agent Chris Looney (GA license) in Roswell, GA is internally consistent — a scammer wouldn't have the policy number/agent combo right.
4. **MarkMonitor hint:** If whois shows `MarkMonitor Inc.` as the registrar, the domain is almost certainly brand-protected and legitimate. MarkMonitor is not a domainer registrar.
### No-data calls
If `whois` is unavailable or the TLD doesn't support whois freely, use web search for UDRP decisions as the primary verification path.
### Pitfall: don't over-correct
The `RANDOM_LABEL_RE` heuristic is intentionally broad — it catches genuine phishing domains. Only override it after positive verification (UDRP decision + MarkMonitor registrar + matching policy details).
## Example: statefarmservice.com
| Check | Result | Signal |
|-------|--------|--------|
| Registrar | MarkMonitor Inc. | ✅ Brand-protection registrar |
| SPF | `include:amazonses.com` | ✅ Enterprise ESP |
| UDRP decision | FA1904001840173 — transferred to State Farm, May 2019 | ✅ Won by brand |
| Content | Policy 1151329-SFP-11, 2022 KIA RIO, Agent Chris Looney GA-3191967 | ✅ Real agent matches real policy |
| **Verdict** | **Legitimate** | |
### How to investigate UDRP decisions
- Web search: `"statefarmservice.com" UDRP` or `site:adrforum.com "statefarmservice.com"`
- The Forum (adrforum.com) publishes all UDRP decisions
- Look for "TRANSFERRED from Respondent to Complainant" in the decision
## When to update the triage script
Do NOT add UDRP-verified domains to `KNOWN_LEGIT_DOMAINS` — that list is for domains that are *obviously* the company's primary domain (e.g. `statefarm.com`, not `statefarmservice.com`). The triage script's `random_looking_sender_domain` heuristic is intentionally conservative; override it on a per-message basis via `--mark UID legit "reason"` rather than whitelisting.