TypoSquat Project

This independent measurement effort investigates the security impact of typographical domains (“typosquatting”) on real-world infrastructures. The lab operates quietly, prioritizing empirical data collection and low-noise observation over theoretical assumptions.

The main objective is to understand how mail systems, web clients and automated services behave when interacting with look-alike domains, and to generate actionable insights for defenders and incident response teams.

Objectives

– Conduct longitudinal measurements of traffic created by typographical errors.
– Identify abuse patterns related to phishing, spam, malware distribution and botnet activity.
– Study protocol-level behavior (SMTP, DNS, HTTP/HTTPS) in a passive sinkhole environment.
– Produce technical observations that improve detection and resilience.

Methodology

A curated set of look-alike domains is registered and pointed to dedicated research infrastructure. Traffic is collected using standardized tooling (DNS logs, SMTP telemetry, web access logs), then normalized and tagged for analysis. The emphasis remains on systemic artifacts and infrastructure behavior, not on individual users.
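As an added example (not part of the project's own tooling or of this page), the normalize-and-tag step above can be illustrated with a short Python routine that enumerates single-keystroke typo variants of a canonical domain and labels sinkhole DNS queries by typo class. The log line format, the canonical domain example.com and the client addresses are constructed for the demo and are not project data.

```python
import re
import string
from collections import Counter
LABEL_CHARS = string.ascii_lowercase + string.digits + "-"

def typo_variants(label: str) -> dict:
    """Single-edit typo candidates of one DNS label, grouped by typo class."""
    out = {"omission": set(), "transposition": set(), "repetition": set(), "substitution": set()}
    for i, ch in enumerate(label):
        out["omission"].add(label[:i] + label[i + 1:])
        out["repetition"].add(label[:i] + ch + label[i:])
        for c in LABEL_CHARS:
            if c != ch:
                out["substitution"].add(label[:i] + c + label[i + 1:])
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            out["transposition"].add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Drop candidates that are not valid hostname labels (empty, leading/trailing hyphen).
    return {k: {v for v in vs if v and v.strip("-") == v} for k, vs in out.items()}

def classify_domain(observed: str, canonical: str) -> "str | None":
    """Tag the registrable label of `observed` by its typo class relative to
    `canonical` (assumed two-label, e.g. example.com); None if unrelated."""
    canon_label, canon_tld = canonical.lower().split(".")
    parts = observed.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] != canon_tld:
        return None
    for cls, candidates in typo_variants(canon_label).items():
        if parts[-2] in candidates:
            return cls
    return None

# Constructed sinkhole DNS log lines (not real telemetry); canonical is example.com.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z client=198.51.100.7 qname=www.exmaple.com. qtype=A
2024-05-01T10:00:04Z client=203.0.113.9 qname=exampl.com. qtype=MX
2024-05-01T10:00:09Z client=198.51.100.7 qname=exampple.com. qtype=A
2024-05-01T10:00:12Z client=203.0.113.22 qname=exanple.com. qtype=AAAA
2024-05-01T10:00:15Z client=203.0.113.22 qname=unrelated.com. qtype=A
"""
QNAME_RE = re.compile(r"qname=(\S+)")

def tag_dns_log(log_text: str, canonical: str) -> Counter:
    """Count sinkhole queries per typo class; 'unclassified' for names matching none."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if m:
            counts[classify_domain(m.group(1), canonical) or "unclassified"] += 1
    return counts
```

Running `tag_dns_log(SAMPLE_DNS_LOG, "example.com")` yields one query in each of the four typo classes plus one unclassified name, which is the kind of per-class aggregate a defender can watch without retaining individual records.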

When relevant weaknesses are identified that may affect a specific service, provider or ecosystem, findings may be shared through coordinated and responsible disclosure channels.

Ongoing Findings

– Traffic spikes correlated with marketing campaigns and transactional notifications.
– Automated crawlers and scanners probing typo domains as reconnaissance artifacts.
– Persistent human confusion patterns in certain brand names and services.
– Evidence of misconfigured internal infrastructure occasionally leaking diagnostics externally.

Data Handling & Policy

Domains are operated as passive endpoints. No phishing is initiated, no credential harvesting is attempted, and no impersonation is performed. Logs that may contain personal data are minimized.

Data is analyzed primarily in aggregated or truncated form. Individual communications are never profiled or monetized.

Shared results are oriented toward strengthening defenses, not exposing affected entities.

Contact (PGP only)

A dedicated encrypted contact channel is available.