Most parked domains now serving malicious content
13 comments
·December 18, 2025Bender
I park mine by having no IP address, MX record is "0 ." meaning it does not receive email, the SPF record is "v=spf1 -all" and DMARC is a strict reject, CAA is 0 issue ";", BIMI is "v=BIMI1; l=; a=;". I do the same for wildcard DNS. There's probably more I should add.
ericpauley
Indeed, this is a common practice in the broader data. It seems the linked article is filtering to resolvable+hosted domains, a subset of overall domain parking.
Bender
Yup. That's why I am suggesting to stop that practice and just remove the IP rather than trusting the landing page someone else maintains. Or if one would like to give bots something to do point it to a multicast address or perhaps MoD/US Military address.
rickcarlino
Hopefully “direct navigation” does not become a boogeyman like “side loading” has.
wlesieutre
Especially when the alternative is "type the company name into google" where the top 3 results are ads and they've previously been seen to stick malware distribution sites above the legitimate company pages
This was happening for months with blender in 2022/2023, previously collected links about it here: https://news.ycombinator.com/item?id=34917701
dvh
Yesterday I received spam with link on https://storage.googleapis.com/ that redirected to some parked domain.
moralestapia
This just happened to me a month ago, I was waiting for a unused domain to expire. The domain was hosted on Epik (which I think is a trashy company but w/e).
About a month before expiration it somehow got renewed for 10 years, which is weird because it was not available ... and now is hosting a "get-rich-quick" scam that pretends a genuine Petro Canada campaign.
homebrewer
> About a month before expiration it somehow got renewed for 10 years, which is weird because it was not available
I've seen some domain registrars auctioning off domains during the last 2-4 weeks before they expire. If nobody buys it, then it actually expires and is then released.
excalibur
The bit about the gmai.com mailserver is disturbing. One would imagine there are many other typo squatters with a similar setup.
imglorp
I just checked. At least it's not answering on 25 to receive all that free typo mail. Same for gmali.com. But they could spoof the gmail login page. Not finding out.
PORT STATE SERVICE
80/tcp open http
443/tcp open https
8080/tcp open http-proxy
We did a large-scale study of this phenomenon recently: https://www.cs.bu.edu/faculty/crovella/paper-archive/wung-if...
Across a broad sample of typo domains of major sites, most registered domains aren’t actually reachable, implying they are registered for defensive, legitimate, or unrelated purposes. Interestingly, the typo space on major sites is actually very sparsely registered (2% at edit distance 1), meaning that typosquatting may actually be underexploited.