Crawl a site and audit where it links out to. Every external link, script, iframe and form target is collected and grouped by destination domain — domains on nonstandard TLDs (.dev, .xyz, .top, …), raw IPs, punycode hosts and spam-keyword URLs are flagged as suspicious.
| Signal | Meaning |
|---|---|
| nonstandard TLD | Any TLD that is not a two-letter country code or a classic gTLD (.com, .net, .org, …). New gTLDs such as .dev, .xyz, .top or .icu are cheap and heavily abused for spam and malware. |
| raw IP address | A reference pointing at an IP address instead of a hostname. |
| punycode / IDN | xn-- hostnames can visually impersonate other domains (homograph attacks). |
| SEO-spam keywords | Casino/pharma/adult keywords in the target URL or anchor text — typical of injected spam links. |
| active content | A flagged domain that also serves scripts, iframes or receives form posts — code execution or data exfiltration, not just a link. |