URLBouncerURLBouncer
← Back to home

How scoring works

URLBouncer uses a multi-factor scoring system to evaluate URL safety. Every URL receives a score from 0-100 and a verdict: Safe, Caution, or Likely Scam.

What URLBouncer checks

URLBouncer analyzes URLs across multiple dimensions to detect phishing, scams, and malicious behavior. We examine the domain structure, brand similarity, page content, certificate age, and DNS patterns to build a comprehensive safety assessment.

What 'Safe', 'Caution', and 'Likely Scam' mean

Safe80-100: Low risk, legitimate site. No critical red flags detected.
Caution40-79: Some risk factors detected. Exercise caution and verify before proceeding.
Likely Scam0-39: High risk, likely malicious. Multiple red flags or highly suspicious patterns detected.

Signals we look for

When scanning a URL, we check for the following signals. Each signal contributes to the overall safety score:

Wallet connection behavior detected

Critical

This page contains scripts commonly used to request wallet approvals or transactions.

Ethereum wallet probing detected

Critical

This page attempts to detect or interact with cryptocurrency wallets in your browser.

Brand lookalike detected

Warning

This domain closely resembles a known brand, which may indicate a phishing attempt.

Suspicious keywords detected

Warning

This URL contains words commonly used in phishing and scam campaigns.

High-risk domain ending

Warning

Some top-level domains are frequently abused for phishing and scams.

Very new certificate

Warning

This domain's SSL certificate was issued very recently, which may indicate a newly created scam site.

Excessive subdomain depth

Info

This URL has an unusually high number of subdomains, which may indicate an attempt to obscure the true domain.

Highly obfuscated code

Warning

The page's JavaScript code is heavily obfuscated, which may hide malicious behavior.

Excessive hidden form inputs

Warning

This page contains many hidden form fields, which may be used to collect sensitive data without your knowledge.

Could not fetch page content

Info

We couldn't retrieve the page to inspect its scripts. Results may be less certain.

Scoring Factors

Each URL is analyzed across five categories. The final score is a weighted combination of these factors:

Brand Lookalike Detection

30% weight

Checks if the domain resembles known brands using Levenshtein distance and homoglyph detection (e.g., "c0inbase" vs "coinbase").

  • Exact brand match: 0 suspicion points (legitimate site)
  • 1-character difference: 50 suspicion points
  • 2-character difference: 30 suspicion points

Domain Heuristics

25% weight

Analyzes the domain structure, TLD, and keywords for suspicious patterns.

  • Suspicious TLD (e.g., .top, .xyz, .click): +30 points
  • Excessive subdomain depth: +15 points
  • Scam keywords (verify, wallet, secure, etc.): +10 per keyword, max +40

HTML Content Analysis

30% weight

Examines the webpage content for phishing indicators and suspicious patterns.

  • Wallet connect patterns: +40 points
  • Ethereum wallet probing: +20 points
  • High code obfuscation (>92%): +15 points
  • Excessive hidden inputs (>5): +10 points
  • Urgency words (urgent, limited time, etc.): +5 per word, max +20

Certificate Age

10% weight

Checks SSL certificate age via crt.sh. Newly registered domains are more suspicious.

  • Certificate < 1 day old: +30 points
  • Certificate < 7 days old: +20 points
  • Certificate < 14 days old: +10 points
  • Certificate ≥ 14 days old: 0 points

DNS Features

5% weight

Analyzes DNS records for suspicious patterns (currently limited in Cloudflare Workers).

  • Multiple IPs in short time: +10 points
  • Recent DNS changes: +15 points

Score Calculation

The system calculates a suspicion score (0-100, higher = more suspicious) by combining all factors with their weights:

suspicion = (brand × 0.3) + (domain × 0.25) + (html × 0.3) + (cert × 0.1) + (dns × 0.05)

The safety score is then calculated as: safety = 100 - suspicion

Exact brand matches with no red flags receive a safety score of 90-100.

Critical Red Flags

Certain factors automatically prevent a "Safe" verdict, regardless of the calculated score:

  • Suspicious TLD — Domains using known risky TLDs (e.g., .top, .xyz) can never be marked Safe
  • Brand lookalike + scam keywords — Combination of brand similarity and suspicious keywords
  • Wallet connect patterns — Detection of cryptocurrency wallet connection attempts
  • High obfuscation — Code obfuscation ratio above 92%

AI Enhancement

For scores in the borderline range (typically 40-70), URLBouncer may use an AI language model to analyze the page content and provide more nuanced reasoning. The AI can:

  • Analyze page text for phishing indicators
  • Provide context-aware explanations
  • Detect subtle social engineering patterns

Note: Critical red flags still override AI recommendations to ensure safety.

Limitations

While URLBouncer uses multiple signals to assess URL safety, there are some limitations to be aware of:

  • HTML fetch failures — Some sites may block automated access, preventing us from analyzing page content. In these cases, we rely on domain and certificate signals only.
  • New domains — Very new domains may not have enough historical data for a complete assessment. Certificate age helps, but legitimate new sites may initially score lower.
  • Content changes — Scam sites may change their content after being flagged. Re-scanning may show different results.
  • Cache window — Results are cached for performance. Recent changes to a site may not be immediately reflected.
  • False positives/negatives — No automated system is perfect. If you see an incorrect verdict, please report it.

Privacy

URLBouncer is designed with privacy in mind:

  • No login required — You can use URLBouncer without creating an account or providing personal information.
  • No tracking pixels from sponsors — Sponsored results are clearly labeled and do not include tracking pixels or cookies.
  • No raw URL storage — By default, we only store URL hashes and scan results, not the full URLs. This protects your privacy while allowing us to improve our detection.
  • Minimal analytics — We use basic analytics for service improvement and fraud prevention only.

See something wrong?

If you believe a URL was incorrectly flagged (false positive) or missed (false negative), please report it. Your feedback helps us improve our detection accuracy.

Report FP/FN →