Pricing

from $5.00 / 1,000 websites

Domain History Checker

Research the full history of any domain: how old it is, what content it used to host, whether it was ever used for malware or spam, and whether it has any blacklist flags. Essential for domain buyers, SEO professionals, and more who need to do due diligence before acquiring an expired domain.

Pricing

from $5.00 / 1,000 websites

Rating

0.0

(0)

Developer

Trove Vault

Actor stats

Bookmarked

Total users

Monthly active users

2 days ago

Last modified

What it checks

Registration data (RDAP)

RDAP (Registration Data Access Protocol) is the standardised replacement for WHOIS, returning structured JSON registration data directly from the domain registry.

Domain age — days since the domain was first registered
Registration date — when the domain was created (cannot be falsified by sellers)
Expiration date — when the current registration expires
Registrar — who currently manages the domain
Status flags — administrative locks such as clientDeleteProhibited, clientTransferProhibited

Wayback Machine (Internet Archive)

The Internet Archive has been crawling and archiving the web since 1996. The actor queries the CDX API to find the first and most recent snapshot of any domain.

First snapshot date — earliest recorded appearance on the web
Most recent snapshot — last time the domain was actively crawled and archived
Years active — span between first and last snapshot; a domain with 10 years of Wayback history carries different value than a freshly dropped one
Has any history — some domains have never been archived (very new or very low-traffic)

URLHaus (abuse.ch) — full malware hosting history

URLHaus is a free threat intelligence feed maintained by the abuse.ch community, tracking URLs used to distribute malware. The actor queries all historical records, not just currently active ones.

Was this domain ever used to host malware?
How many malware URLs were associated with it in total?
Are any still active right now?
Threat type (Emotet, RedLineStealer, AgentTesla, etc.) and date per record

A domain that was used for malware distribution years ago may be perfectly clean today — but that history is critical to know before building email infrastructure or SEO authority on it.

ThreatFox (abuse.ch) — full IOC history

ThreatFox tracks Indicators of Compromise (IOCs) — domains and IPs used in active malware operations. The actor queries all IOC records ever, covering the domain's complete threat history.

Is this domain a known C2 (command-and-control) server?
Was it used for payload delivery, phishing, or botnet infrastructure?
Confidence level (0–100) and malware family per record
First and last seen dates for each IOC

DNS Blacklists — 6 lists via DNS queries

Real-time DNS queries against 6 domain-based blacklists. Unlike the URLHaus/ThreatFox checks above (which reflect historical data), these reflect the domain's current listing status.

List	Focus
SURBL Multi	Aggregated spam URL intelligence
URIBL Multi	Broad-coverage spam domain list
NordSpam DBL	Spam-sourced domain list
MSRBL Phishing	Phishing-specific domain list
MSRBL Spam	Spam-specific domain list

How it works

The actor runs all five data sources in parallel for each domain:

RDAP query → rdap.org/domain/{domain} — structured registration data from the registry
Wayback CDX API → web.archive.org/cdx/search/cdx?url={domain} — first snapshot date
Wayback Availability API → archive.org/wayback/available?url={domain} — most recent snapshot
URLHaus API → POST urlhaus-api.abuse.ch/v1/host/ — all historical malware records
ThreatFox API → POST threatfox-api.abuse.ch/api/v1/ — all historical IOC records
DNS queries → 6 domain blacklists in parallel via Node's built-in DNS resolver

All sources complete within a few seconds per domain. A 5-second timeout per external call prevents any single unresponsive source from blocking the run.

Output fields

Field	Description
`domain`	The domain checked
`isClean`	`true` if no malware, IOC, or blacklist history found
`riskLevel`	`low`, `medium`, or `high` based on number of flag sources
`registrar`	Domain registrar
`registrationDate`	Date the domain was first registered
`expirationDate`	Current expiration date
`domainAgeDays`	Days since registration
`hasWaybackHistory`	`true` if Wayback Machine has any snapshots
`waybackFirstSeen`	Date of the earliest Wayback snapshot
`waybackLastSeen`	Date of the most recent Wayback snapshot
`waybackYearsActive`	Years between first and last snapshot
`urlhausFound`	`true` if URLHaus has any record for this domain
`urlhausUrlsCount`	Total malware URLs ever recorded
`urlhausActiveCount`	Malware URLs currently live
`urlhausUrls`	URL details (up to 10)
`threatFoxFound`	`true` if domain is a known IOC in ThreatFox
`threatFoxIocCount`	Number of IOC records
`threatFoxIocs`	IOC details (up to 5)
`domainBlacklists`	Per-list DNS blacklist result
`domainBlacklistCount`	Number of DNS blacklists that flagged this domain

How to use

Add one or more domains to the Domains to Check input
Click Start — results appear within seconds
Export as JSON, CSV, or Excel

No API keys. No proxy. Pure DNS queries and open threat intelligence APIs.

Understanding the risk levels

Level	Meaning
`low`	No flags found on any source
`medium`	One flag source triggered (e.g. on a blacklist but no malware or IOC history)
`high`	Two or more flag sources triggered (e.g. malware history + currently blacklisted)

A high risk level does not mean the domain is unsafe today — it means the domain has a flagged history that warrants deeper investigation. Many previously abused domains are cleaned up and resold. Use this data as a starting point for due diligence, not as a final verdict.

Use cases

Expired domain due diligence

The most common use case. Before purchasing an expired domain — for SEO link equity, email infrastructure, or brand use — run a full history check. Look for:

No URLHaus records — the domain was never used to host malware
No ThreatFox IOCs — the domain was never flagged as C2 or phishing infrastructure
Wayback history that matches the stated niche — a domain claiming SEO value should have relevant archived content, not parked pages or foreign-language spam
Domain age that matches the claimed age — RDAP registration dates cannot be falsified

SEO risk assessment

A domain's link profile is only part of the picture. Domains with spam blacklist history or malware associations may carry negative trust signals that are difficult to recover from, regardless of backlink quality. Run this check before any domain acquisition intended for SEO purposes.

Brand protection monitoring

Monitor domains similar to yours — typosquatting variants, competitor domains, brand keyword combinations — to detect if any are being weaponised for phishing or malware distribution targeting your customers or employees.

Domain age verification

RDAP registration dates come directly from domain registries and cannot be altered. Use this to verify the claimed age of a domain before relying on it for trust signals, partnerships, or SEO value assessments.

Security research and threat actor mapping

Map the historical infrastructure of threat actors by checking known malicious domains against URLHaus and ThreatFox. Identify malware families, C2 patterns, and domain rotation strategies from the historical IOC data.

Frequently asked questions

What is the difference between Domain History Checker and Domain Security Scanner?

Domain History Checker focuses on the past — was this domain ever bad? It queries URLHaus and ThreatFox for all historical records, RDAP for registration data, and Wayback Machine for content history. Domain Security Scanner focuses on the present — is this domain bad right now? It checks URLHaus for active malware only, ThreatFox for the last 30 days, PhishTank, and Sucuri SiteCheck. For expired domain buying, use Domain History Checker. For live threat monitoring, use Domain Security Scanner.

What is RDAP and how is it different from WHOIS?

RDAP (Registration Data Access Protocol) is the standardised successor to WHOIS, introduced by ICANN. It returns structured JSON data with better encoding support and more consistent field names across all registries. This actor queries rdap.org, a free public RDAP gateway that covers all major TLDs.

Why would a domain have URLHaus records but still be listed for sale as clean?

URLHaus records are not visible to most domain buyers and are not part of standard reputation checks at domain registrars. A domain can have active URLHaus malware history and still be listed as available for purchase with no warnings. That's exactly what this actor is designed to surface.

Can I use this to check domains I don't own?

Yes. All checks use public APIs and DNS queries. No domain ownership or access is required.

What does it mean if the Wayback Machine shows no history?

Either the domain was registered very recently, had very low traffic in its previous life, or the Internet Archive's crawlers never indexed it. A domain with no Wayback history is not necessarily suspicious — but it means you cannot verify what content it previously hosted.

Does a ThreatFox listing mean the domain is currently dangerous?

Not necessarily. ThreatFox shows all historical IOC records, including old ones. Check the last_seen date in the IOC details — an IOC from 3 years ago is very different from one from last month. Use Domain Security Scanner alongside this actor to check for active threats only.

Domain Security Scanner — active threat intelligence: URLHaus malware (live), ThreatFox recent IOCs (last 30 days), PhishTank phishing, Sucuri multi-vendor scan, and 10 DNS blacklists
Email Domain Blacklist Checker — 15 email blacklist checks (Spamhaus, SURBL, SpamCop, Barracuda) plus SPF, DMARC, MX, and PTR validation

Changelog

2026-03-05 — v0.1.4

Removed Spamhaus DBL — returns positive results for all domains from unauthorized datacenter IPs (anti-harvesting), causing false positives on every run
Now checks 5 domain-based DNS blacklists — all verified to work correctly without paid authorization

2026-03-05 — v0.1.0

Initial release
RDAP registration data (age, registrar, expiration)
Wayback Machine first/last snapshot and active years
URLHaus malware hosting history (all entries including historical)
ThreatFox IOC history (all entries including historical)
6 domain-based DNS blacklist checks
Risk level aggregation: low / medium / high

Domain Security Scanner

trovevault/domain-security-scanner

Scan any domain for active threats like malware hosting, phishing, botnet command-and-control, and security vendor blacklisting using multiple open threat intelligence sources in parallel. No API keys required. Designed for security teams, researchers, and sysadmins who need to do threat assessment.

Trove Vault

Email Domain Blacklist Checker

trovevault/email-domain-blacklist-checker

Check any domain against email blacklists (Spamhaus, SURBL, SpamCop, Barracuda, and more) and validate SPF, DMARC, and MX records in seconds, with no API keys required. Essential for who need to know whether a domain is clean before sending email from it, migrating to it, or purchasing it.

Trove Vault

Domain Registration Date Checker

tuningsearch/domain-registration-time

🔥 Only $1.0 per 1,000 domain queries 🔥 **CHEAPEST** Domain Registration Date Extractor & WHOIS Lookup Tool

tuningsearch

Domain Age Checker

onescales/domain-age-checker

Bulk domain age lookup tool. Get registration date, expiration date, and domain history for hundreds of domains at once. Supports .com, .co.uk, .io, .ai, and 100+ TLDs.

One Scales

5.0

(2)

Wayback Machine Checker

automation-lab/wayback-machine-checker

This actor checks if URLs are archived in the Internet Archive Wayback Machine. It retrieves snapshot counts, oldest and newest archive dates, and direct links to archived versions. Uses both the Availability API and CDX API for comprehensive results.

Stas Persiianenko

Domain Availability, Expiry, WHOIS, DNS, IP, ASN, 70+ TLD

datascoutapi/DomainDaddy

Domain availability and expiry dates, WHOIS & RDAP data, DNS (A, MX, NS, TXT), IP geolocation and ASN details, calculates domain age, and supports batch processing. Supports 70+ TLDs, handles errors gracefully, and delivers clean, structured JSON output.

halam

5.0

(4)

Moz Domain Authority Checker

jdtpnjtp/moz-domain-authority-checker

The MOZ Domain Authority API provides comprehensive domain analysis and SEO metrics through a simple REST interface. Analyze any domain to retrieve critical SEO indicators including Domain Authority (DA), Page Authority

Data Collector

1.8

(4)

Domain Checker - WHOIS & DNS

vivid_astronaut/domain-checker

Check domain availability, WHOIS records, DNS records, and SSL certificates. Supports bulk domain checking.

Fabio Suizu

Fake Candidates Checker

syntellect_ai/Fake-Candidates-Checker

The Fake-Candidates-Checker is intended to flag risky LinkedIn-profiles by: Verifying profile URLs resolve correctly before crawling. Collecting page titles and links as a baseline dataset. Cheerio-based crawl loop that you can extend to score red flags such as thin work histories, low connection

christopher athans crow

SEO Backlink Checker

salman_bareesh/seo-backlink-checker

Backlink Checker is a focused SEO data Actor built to deliver clean, reliable backlink intelligence for any domain or URL list. It accepts a simple input structure with only two fields: domainsToCheck and Backlink Mode. For every target submitted, it returns exactly one output item.