GuardPuppy watches every domain the internet creates, and recognises a malicious operation — phishing, scam shop, brand impersonation — while it is still being assembled. rspamd gets a verdict it can act on immediately. Cloaked or not.
No message content leaves your network. The intelligence arrives as symbols and scores rspamd already knows how to act on.
A malicious domain is registered, built, and harvesting victims within the hour. Reputation feeds and blocklists are reactive by nature: they learn a domain is bad after someone has already been hurt. Against fast-burn campaigns — phishing, fake shops, brand impersonation — the window between first mail and first listing is exactly where the losses happen.
The most sophisticated operations go further: they cloak. The site shows a clean page to crawlers and scanners, and shows the payload only to selected victims — chosen by source network, device, locale, referrer, and TLS fingerprint. Content scanning alone cannot even see the problem it is meant to catch.
The timing makes it acute: replacing a carrier-grade commercial filter with rspamd swaps in an excellent scoring engine — but rspamd is not, by itself, a global anti-abuse intelligence network. The migration opens a detection gap exactly where these attacks live.
Every malicious site — phishing kit, fake shop, impersonated brand, cloaked or naked — has to be built. Domains acquired, certificates issued, DNS staged, mail warmed, redirectors deployed, infrastructure rotated as reputation burns. That work leaves a sequence of observable events in DNS, Certificate Transparency, SPF, hosting, and web behaviour — and it begins hours before the first victim is targeted.
The signal that matters is not “this domain looks unusual” — unusual is the normal state of every new SaaS, CDN, and marketing domain. The signal that matters is:
“This domain's setup sequence resembles the pre-launch sequence of operations we have already confirmed as malicious.”
A worked example of the event sequence we observe and score, drawn from confirmed campaign behaviour.
And when the operation cloaks — a clean page for scanners, the payload for victims — we render the page exactly as the victim would see it, and catch the difference:
New-domain observation from first sight — every record, every change, from the moment a domain exists.
SPF, DNS, certificate, and hosting churn — modelled against blacklist events as a leading indicator.
Adaptive multi-vantage verification: render the page as the victim would see it, and diff it against the crawler view.
The campaign-memory graph: every confirmed operation, correlated, so the next one is recognised by its setup sequence.
Watched-brand monitoring, attack timelines, and legal-grade takedown evidence for brand owners.
The open plugin: symbols, maps, and feed consumption. Boring to operate — that is the point.
An operator can switch certificate authority, ASN, or CDN in minutes. It is much harder to change the entire operational workflow while still running at scale. The workflow is the fingerprint.
Cloaking kits branch on the client TLS handshake to separate bots from victims. We verify with TLS stacks that match real Japanese mobile and desktop browsers — defeating an evasion class that user-agent-spoofing scanners never reach.
We consume the CT log stream in real time and match new issuance against the new-domain feed plus lookalike and homoglyph detection — frequently catching a brand-impersonation certificate minutes before the campaign launches.
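One way to do the lookalike and homoglyph matching described above, as an added example that is not GuardPuppy's own code: it folds a small, assumed subset of the Unicode confusables table to ASCII, compares every label and hyphen-separated token of a certified hostname against a constructed watched-brand list, and classifies the match. The brand list, the brands' own allowlisted hostnames, and the sample CT names are all constructed; a single-label TLD is assumed in place of a public-suffix lookup.

```python
import unicodedata
# Constructed watched brands and their own hostnames (assumption: loaded from maps).
WATCHED_BRANDS = ("paypal", "acmebank")
LEGIT_SUFFIXES = ("paypal.com", "acmebank.example")

# Tiny subset of the Unicode confusables table, folded to ASCII (assumption).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic
    "\u0440": "p", "\u0441": "c", "0": "o", "1": "l", "3": "e", "5": "s"})

def fold(token: str) -> str:
    """Collapse visual look-alikes so 'paypa1' and 'acrnebank' compare as ASCII."""
    folded = unicodedata.normalize("NFKC", token).lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance, two-row dynamic programme.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(hostname: str):
    """Classify one CT-issued name: None, or (verdict, brand, offending label)."""
    host = hostname.lower().rstrip(".").lstrip("*.")  # drop a wildcard prefix
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return None
    labels = host.split(".")[:-1]  # assumption: single-label TLD, no PSL lookup
    for label in labels:
        for token in [label, *label.split("-")]:
            folded = fold(token)
            for brand in WATCHED_BRANDS:
                if folded == brand:  # exact brand label, or one spelt with look-alikes
                    return ("brand_label" if token == brand else "homoglyph", brand, label)
                if len(folded) >= 4 and edit_distance(folded, brand) == 1:
                    return ("lookalike", brand, label)  # one-character edit
    return None

# Constructed sample of hostnames as they might appear in a CT log stream.
SAMPLE_CT_NAMES = [
    "www.paypal.com",                   # the brand's own domain: ignored
    "paypal.com.secure-login.example",  # brand as a sub-label
    "p\u0430ypal-verify.example",       # Cyrillic a in place of Latin a
    "acrnebank-login.example",          # 'rn' masquerading as 'm'
    "paypai.example",                   # one-character edit
    "cdn.shop-assets.example",          # benign new domain
]
def scan(names=SAMPLE_CT_NAMES):
    # {hostname: (verdict, brand, label)} for every name that matches a watched brand.
    return {n: v for n in names if (v := assess(n)) is not None}
```

Each verdict carries the offending label so an analyst can see why the name fired; the min-length guard keeps short labels such as "cdn" from matching a brand by a single edit.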
Malicious operators stage in batches — same hour, same registrar, same nameserver choreography, same certificate timing. We score the litter, not just the single domain, so one campaign lights up dozens of related domains at once.
When reputation burns, attackers are forced to move — and that churn leaks through SPF edits, include-graph changes, and hosting moves. Churn velocity correlated with blacklist events is a signal the adversary cannot stop producing.
rspamd verdicts, user phishing reports, and bounce data flow back to label the campaign-memory graph. More deployment, more confirmed labels; more labels, a better model; a better model, more measurable lift. The asset compounds rather than decays.
The first thing worth doing is not a generic demo. Give us a sample of malicious domains that targeted your customers recently — cloaked phishing included — and we will show what the infrastructure-history, cohort, and CT signals would have reported before each campaign fired, alongside measured false-positive behaviour on a matched set of legitimate new domains.
Measurable lift over the outgoing provider, shown side-by-side via shadow scoring.
A bounded, reviewed false-positive rate on legitimate new SaaS, CDN, and marketing domains — treated as the primary success metric, not an afterthought.
An evidence bundle for every high-confidence verdict, suitable for analyst review and takedown.
Decades of work in email security, anti-abuse, and internet infrastructure — running identity systems continuously since 2006. The collection, correlation, and adaptive-verification pipeline runs on existing infrastructure: not a roadmap, a deployment.
This site itself was stood up quickly, on purpose. It is a sample of how fast useful things can be delivered.
Your new-domain feed is first sight. rspamd is enforcement — the first enforcement point, not the only one. The missing layer is memory — and it can be tested against your own data before you commit to anything.