Domain Reputation Glossary

Definitions of key terms in domain blacklisting, false positive resolution, and cybersecurity vendor ecosystems.

B

Blacklist (URL/Domain)

A database maintained by a security vendor containing URLs or domains classified as malicious, phishing, deceptive, or otherwise dangerous. When a domain appears on a blacklist, browsers display warnings, firewalls block access, and email systems may reject messages. Major blacklist operators include Google Safe Browsing, Fortinet FortiGuard, Sophos, Kaspersky, and Bitdefender.

Related terms: Blocklist, Safe Browsing, False Positive

Blocklist

The modern, preferred terminology for "blacklist." Functionally identical — a database of domains or IPs classified as threats by a security vendor. The industry has largely shifted to "blocklist" in documentation, though both terms remain in active use across vendor interfaces and APIs.

Related terms: Blacklist (URL/Domain)

C

Content Security Policy (CSP)

An HTTP response header that instructs browsers which sources of content (scripts, styles, images, frames) are permitted to load on a page. Implementing a strict CSP helps prevent cross-site scripting (XSS) attacks and can reduce the risk of false positive flags triggered by unauthorized third-party script injection. Defined in a W3C specification.

D

Delisting

The process of removing a domain from a security vendor's blacklist/blocklist after demonstrating that the flagged content has been remediated or that the original classification was incorrect (false positive). Each vendor has a unique delisting process with specific evidence requirements, submission channels, and review timelines.

Related terms: False Positive, Recategorization

DNS-based Blocklist (DNSBL)

A blocklist that operates via DNS queries, primarily used for email spam filtering. When a mail server receives a connection, it queries DNSBLs to check if the sending IP is listed. Common DNSBLs include Spamhaus ZEN, Barracuda BRBL, and SORBS. Distinct from URL/domain blacklists used by browsers and firewalls.

Related terms: Blocklist, IP Reputation

Domain Reputation

A composite score or classification assigned to a domain by security vendors, email providers, and web services. Influenced by factors including hosting history, content analysis, link profile, SSL configuration, IP neighborhood, historical behavior, and reports from users or automated crawlers. A damaged reputation triggers blacklisting, email filtering, and reduced search visibility.

F

False Positive

A classification error where a security vendor incorrectly identifies a legitimate, non-malicious domain as dangerous. This triggers warnings, blocks, and filtering against a site that has done nothing wrong. False positives occur due to heuristic detection errors, IP reputation contamination, automated classifier mistakes, or outdated threat intelligence data. The opposite of a false negative (failing to detect an actual threat).

Related terms: Blacklist (URL/Domain), Heuristic Detection, Why false positives happen

FortiGuard Web Filtering

Fortinet's URL classification database used by FortiGate firewalls and other Fortinet security appliances. Categorizes websites into 80+ categories. When a domain is categorized as "Malicious Websites," "Phishing," or "Spam URLs," FortiGate devices block access for all users behind the firewall. Particularly impactful for B2B services accessed through corporate networks.

G

Google Safe Browsing

Google's threat detection service protecting over 5 billion devices across Chrome, Firefox, Safari, and Android. Maintains a continuously updated database of dangerous URLs. When a site is flagged, users see a full-page red interstitial warning. Safe Browsing classifications include social engineering (phishing), malware, and unwanted software. Data is shared with other browsers and services via the Safe Browsing API.

H

Heuristic Detection

A method used by security vendors to identify threats based on behavioral patterns rather than known signatures. Heuristic engines analyze code structure, network behavior, and content patterns to flag potentially malicious activity. While effective at catching new threats, heuristic detection has higher false positive rates than signature-based detection because it relies on probabilistic pattern matching.

Related terms: False Positive, Threat Intelligence

I

IP Reputation

The trust score associated with a specific IP address based on its historical behavior and associations. Shared hosting means multiple domains share one IP. If any domain on that IP engages in malicious activity, the IP's reputation suffers and can cause other clean sites on the same IP to be flagged — a phenomenon called "IP neighborhood contamination" or "collateral damage."

Related terms: Domain Reputation, Shared Hosting Contamination

P

Phishing

A social engineering attack where a malicious website impersonates a legitimate service to steal credentials, financial data, or personal information. Security vendors maintain databases of known and suspected phishing URLs. Legitimate sites can be misclassified as phishing when their login pages resemble known phishing templates, or when automated classifiers misinterpret form elements.

Related terms: Social Engineering, Safe Browsing

R

Recategorization

The process of requesting a security vendor to change the category assigned to a domain. Used when a vendor has classified a site into a harmful category (e.g., "Phishing" or "Malware") when it should be classified as legitimate (e.g., "Business" or "Information Technology"). Recategorization is the specific mechanism used by vendors like Fortinet FortiGuard and Webroot BrightCloud.

Related terms: Delisting, FortiGuard Web Filtering

Review Request

A formal submission to a security vendor asking them to re-evaluate a flagged domain. Different vendors use different terms: Google calls it a "Review Request" (via Search Console), Fortinet calls it a "Rating Submission," Bitdefender calls it a "False Positive Report." The quality and format of the review request significantly impact resolution speed.

Related terms: Delisting, False Positive

S

Safe Browsing API

A public API provided by Google that allows applications to check URLs against Google's database of dangerous sites. Used by browsers (Chrome, Firefox, Safari), email clients, and security tools. The API distributes Safe Browsing data via hash prefix lookups, providing privacy-preserving URL checking at scale. Available in v4 (Update API) and v5 (Lookup API) versions.

Related terms: Google Safe Browsing

Security Vendor

An organization that maintains threat intelligence databases and provides security products (antivirus, firewalls, web filters, email gateways) that rely on URL and domain reputation data. Major vendors include Google, Microsoft, Fortinet, Sophos, Kaspersky, ESET, Bitdefender, McAfee/Trellix, Symantec/Broadcom, and Cisco Talos. BrandsDefender monitors 87+ vendors.

Related terms: Threat Intelligence, Domain Reputation

Shared Hosting Contamination

When a domain is flagged not because of its own content, but because it shares a hosting IP address with one or more malicious domains. Security vendors that evaluate IP-level reputation can penalize all sites on a shared IP when any one site is compromised. This is one of the most common causes of false positive flags for legitimate businesses using shared or budget hosting.

Related terms: IP Reputation, False Positive

T

Threat Intelligence

Aggregated data about current and emerging cyber threats, including malicious URLs, IP addresses, file hashes, and behavioral indicators. Security vendors consume and produce threat intelligence feeds. VirusTotal is a major aggregation platform where 70+ vendors contribute their detection results, creating a shared intelligence ecosystem.

Related terms: Security Vendor, VirusTotal

V

VirusTotal

A free URL and file scanning service owned by Google/Alphabet that aggregates results from 70+ antivirus engines and URL scanners. Widely used by security professionals to check the reputation of files and URLs. When a domain shows even one positive detection on VirusTotal, it can trigger blocks by enterprise security tools that consume VirusTotal data.

W

Web Application Firewall (WAF)

A security appliance or service that filters HTTP/HTTPS traffic to web applications. WAFs can block access to and from blacklisted domains. Enterprise WAFs from vendors like Fortinet, Palo Alto, and Cisco use URL reputation databases to prevent users from accessing flagged sites — meaning a false positive in these databases blocks your site for entire organizations.

Related terms: FortiGuard Web Filtering, Security Vendor