Threat intelligence — external lists, local matching.

Phishing domains and malware URLs are checked against current threat feeds; URL shorteners are resolved before the check, and suspicious TLDs are learned from your own mail volume. The lists are pulled over HTTP, and the match happens locally on every cluster node: no cloud lookup, no URL telemetry to third parties.

External feeds

Three public phishing/malware feeds are refreshed hourly. Each feed is verified individually (signature/checksum where available) and ingested into a local domain/URL list per cluster node.

OpenPhish

Automated phishing URL feed: OpenPhish detects phishing pages through its own analysis rather than relying on community submissions. Active phishing kits are typically picked up within 30–90 minutes of first sighting. We use the free feed (CSV, every 60 minutes).

URLhaus (abuse.ch)

Malware URL tracker run by the Swiss abuse.ch project. Specialised in URLs that deliver malware (loaders, banking trojans, ransomware stagers). Hourly refresh.

PhishTank

Phishing database run by OpenDNS/Cisco Talos. Submissions are verified by community votes before they count as confirmed phish, which keeps the false-positive rate low. Hourly refresh.

URL shortener resolver

Phishing mail hides the target URL behind a URL shortener so that URIBL and blocklist lookups on the visible domain miss. MailGuard resolves every shortener URL and checks each URL along the redirect chain against the threat feeds, not just the one visible in the mail. Currently supported:

  • bit.ly
  • tinyurl.com
  • goo.gl
  • t.co (Twitter/X)
  • lnkd.in (LinkedIn)
  • buff.ly
  • ow.ly
  • is.gd
  • cutt.ly
  • shorturl.at
  • rebrand.ly
  • t.ly
  • v.gd
  • tiny.cc
  • bl.ink
  • rb.gy
  • shrtfly.com
  • shortlink.com
  • linktr.ee
  • fb.me
  • amzn.to
  • youtu.be
  • wp.me
  • flip.it
  • chil.li
  • spr.ly

Redirect chains are followed for up to 5 hops, which also bounds redirect loops. Every hop is checked against the feeds along the way, not just the final destination. Resolution is done by the cluster node itself following the redirect, so the shortener service (and any intermediate redirector) necessarily sees that request; the feed matching on each resolved hop stays local.
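The feed ingestion and the hop-by-hop shortener resolution described above, as an added example (not MailGuard code). It assumes a URLhaus-style CSV with the URL in the third column, a published SHA-256 for the download, and a fetch callback that returns the Location header of one HTTP hop; the feed excerpt, the redirect table and all hostnames are constructed for the example, so it runs offline.

```python
"""Feed ingestion with checksum check, local matching and shortener resolution.

Added example, not MailGuard code. Assumed (not from the page): a URLhaus-style
CSV with the URL in the third column, a published SHA-256 for the download, and
a fetch callback that returns the Location header of one HTTP hop.
"""
import csv
import hashlib
import io
from urllib.parse import urlsplit

MAX_HOPS = 5
# Subset of the shortener list from the page; only these trigger an outbound fetch.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}

# Constructed feed excerpt (URLhaus-style columns, hostnames invented for the example).
FEED_CSV = (
    '# id,dateadded,url,url_status,threat\n'
    '"1001","2024-01-01 10:00:00","http://evil-loader.example/bin/x.exe","online","malware_download"\n'
    '"1002","2024-01-01 10:05:00","http://login-check.example/verify","online","phishing"\n'
)
# Stands in for the checksum the feed publisher would serve next to the file.
FEED_SHA256 = hashlib.sha256(FEED_CSV.encode()).hexdigest()

# Constructed redirect table standing in for live HEAD requests to the shorteners.
REDIRECTS = {
    "https://bit.ly/3abc": "https://tinyurl.com/x9",
    "https://tinyurl.com/x9": "http://login-check.example/verify?u=1",
    "https://bit.ly/loop": "https://is.gd/loop",
    "https://is.gd/loop": "https://bit.ly/loop",
}


def fake_fetch_location(url):
    """Return the Location header for one hop, or None when the URL does not redirect."""
    return REDIRECTS.get(url)


def normalise(url):
    """Canonical form for matching: lowercase scheme and host, path only (query/fragment dropped)."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"


def load_feed(csv_text, expected_sha256):
    """Refuse a feed whose download does not match its checksum, then build local URL and host sets."""
    if hashlib.sha256(csv_text.encode()).hexdigest() != expected_sha256:
        raise ValueError("feed checksum mismatch, refusing to ingest")
    feed_urls, feed_hosts = set(), set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("#"):
            continue
        url = row[2].strip()
        feed_urls.add(normalise(url))
        feed_hosts.add((urlsplit(url).hostname or "").lower())
    return feed_urls, feed_hosts


def check(url, feed_urls, feed_hosts):
    """Local match: exact normalised URL first, then the bare host. Returns a reason or None."""
    host = (urlsplit(url).hostname or "").lower()
    if normalise(url) in feed_urls:
        return f"feed url match: {url}"
    if host in feed_hosts:
        return f"feed host match: {host}"
    return None


def resolve_and_check(url, fetch_location, feed_urls, feed_hosts):
    """Check the URL as seen in the mail; if its host is a shortener, follow the redirect
    chain hop by hop (at most MAX_HOPS), checking every hop, not only the final one.
    Returns (reason_or_None, chain_of_urls_visited)."""
    chain = [url]
    hit = check(url, feed_urls, feed_hosts)
    if hit or (urlsplit(url).hostname or "").lower() not in SHORTENERS:
        return hit, chain          # no outbound request for non-shortener hosts
    seen = {normalise(url)}
    current = url
    for _ in range(MAX_HOPS):
        nxt = fetch_location(current)   # this request is visible to the shortener operator
        if nxt is None or normalise(nxt) in seen:
            break                       # chain ended, or a redirect loop
        chain.append(nxt)
        seen.add(normalise(nxt))
        hit = check(nxt, feed_urls, feed_hosts)
        if hit:
            return hit, chain           # stop at the first hop that matches
        current = nxt
    return None, chain


if __name__ == "__main__":
    urls, hosts = load_feed(FEED_CSV, FEED_SHA256)
    for u in ("https://bit.ly/3abc", "https://bit.ly/loop", "https://example.org/newsletter"):
        print(u, "->", resolve_and_check(u, fake_fetch_location, urls, hosts))
```

Two design points worth noting: a URL whose host is not a known shortener is matched without any outbound request, and the loop check is on the normalised URL, so a chain that bounces between two shorteners stops on its own rather than burning all five hops.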

Self-learning suspicious TLDs

Instead of maintaining a fixed TLD blocklist (.zip, .top, .xyz etc.) MailGuard learns per cluster which TLDs end up disproportionately in spam/phishing on your mail volume. Hysteresis (a higher threshold to enter the suspicious state than to leave it) keeps a TLD from flapping on a handful of mails:

  • Trigger: a TLD becomes suspicious when >70 % of inbound mail with sender or URL domain on that TLD is classified as spam/phishing (minimum volume: 50 mails over 7 days).
  • Cooldown: if the spam ratio drops below 30 % (legitimate traffic builds reputation), the TLD becomes neutral again.
  • Score contribution: active suspicious TLDs add +1.5 to the spam score — not a hard block, just a factor in the overall verdict.
  • Operator override: TLDs can be pinned via whitelist/blocklist permanently (e.g. .de fixed neutral, .zip fixed suspicious).
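The four rules above as a small state machine, added here as an example (not MailGuard code). The thresholds and the +1.5 contribution are the page's; the sliding-window bookkeeping, applying the score once per mail rather than once per suspicious TLD, and keeping the current state when a TLD falls below the minimum volume are assumptions of this example.

```python
"""Per-cluster suspicious-TLD learning with hysteresis.

Added example, not MailGuard code. The thresholds (>70 % to trigger, <30 % to
cool down, 50 mails in 7 days, +1.5 score) are the page's; the sliding-window
bookkeeping, the per-mail (not per-TLD) score and the behaviour when a TLD
drops below the minimum volume are assumptions of this example.
"""
from collections import deque
from datetime import datetime, timedelta

TRIGGER_RATIO = 0.70      # strictly above this: TLD becomes suspicious
COOLDOWN_RATIO = 0.30     # strictly below this: TLD returns to neutral
MIN_VOLUME = 50           # mails in the window before any decision is made
WINDOW = timedelta(days=7)
TLD_SCORE = 1.5


class TldReputation:
    def __init__(self, pinned=None):
        # Operator overrides, e.g. {"de": "neutral", "zip": "suspicious"}; never learned over.
        self.pinned = {self._norm(k): v for k, v in (pinned or {}).items()}
        self.events = {}          # tld -> deque of (timestamp, is_spam)
        self.suspicious = set()   # learned state

    @staticmethod
    def _norm(tld):
        return tld.lower().lstrip(".")

    def observe(self, tld, is_spam, now):
        """Record one classified inbound mail whose sender or URL domain uses `tld`."""
        tld = self._norm(tld)
        q = self.events.setdefault(tld, deque())
        q.append((now, bool(is_spam)))
        while q and q[0][0] < now - WINDOW:   # drop events older than 7 days
            q.popleft()
        self._update(tld, q)

    def _update(self, tld, q):
        if tld in self.pinned or len(q) < MIN_VOLUME:
            return   # pinned, or too little evidence: keep the current state (assumption)
        ratio = sum(1 for _, spam in q if spam) / len(q)
        if tld not in self.suspicious and ratio > TRIGGER_RATIO:
            self.suspicious.add(tld)
        elif tld in self.suspicious and ratio < COOLDOWN_RATIO:
            self.suspicious.discard(tld)
        # ratios between 30 % and 70 % change nothing: that gap is the hysteresis

    def spam_ratio(self, tld):
        q = self.events.get(self._norm(tld), ())
        return sum(1 for _, spam in q if spam) / len(q) if q else 0.0

    def state(self, tld):
        tld = self._norm(tld)
        if tld in self.pinned:
            return self.pinned[tld]
        return "suspicious" if tld in self.suspicious else "neutral"

    def score(self, tlds):
        """Score contribution for one mail; applied once even if several of its TLDs are suspicious."""
        return TLD_SCORE if any(self.state(t) == "suspicious" for t in tlds) else 0.0


def simulate():
    """Walk one TLD through trigger, hysteresis band and cooldown; returns (reputation, states seen)."""
    rep = TldReputation(pinned={"de": "neutral", "zip": "suspicious"})
    t0 = datetime(2024, 1, 1)
    states = []
    for i in range(35):                          # 35 spam + 15 ham = exactly 70 %: not yet
        rep.observe("top", True, t0 + timedelta(minutes=i))
    for i in range(15):
        rep.observe("top", False, t0 + timedelta(minutes=35 + i))
    states.append(rep.state("top"))
    rep.observe("top", True, t0 + timedelta(hours=1))   # 36/51 = 70.6 % > 70 %: trigger
    states.append(rep.state("top"))
    for i in range(60):                          # 36/111 = 32.4 %: inside the band, stays suspicious
        rep.observe("top", False, t0 + timedelta(hours=2, minutes=i))
    states.append(rep.state("top"))
    for i in range(10):                          # 36/121 = 29.8 % < 30 %: cooldown
        rep.observe("top", False, t0 + timedelta(hours=3, minutes=i))
    states.append(rep.state("top"))
    return rep, states


if __name__ == "__main__":
    rep, states = simulate()
    print(states, rep.score(["top", "de"]), rep.score(["zip"]))
```

The asymmetry is the whole point: 36 spam mails are enough to switch a TLD on at 51 mails total, but it takes 85 legitimate mails in the same window to switch it off again, so a single clean newsletter does not immediately erase what a phishing wave taught the cluster.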

DACH phishing keywords

A custom keyword list for German-language phishing waves: banking pretexts, government notifications, parcel-delivery alerts. See the full description of the DACH detection.

What does not happen

  • No lookups against cloud APIs. We don't query VirusTotal, urlscan.io or Google Safe Browsing per mail. Lists are pulled, the match runs locally.
  • No URL telemetry to third parties. We do not report URLs from your mail back to external threat feeds.
  • No mail content sent to external classifiers. Spam/phishing scoring happens in your cluster with local models.

Threat intel is one detection layer of many, combined with RBL/URIBL, SPF/DKIM/DMARC, header-anomaly detection, the ML spam scanner and sandbox detonation. See the full detection stack.

External feeds, local processing.

Threat intel without data flow back to third parties. GDPR-compliant by architecture.
