Signals Reference
This reference documents all available signals that can be used in rule conditions. Each signal represents data collected during domain analysis and can be used to detect suspicious patterns.
Core Domain Information
permutation
· string
Domain permutation
Example: "shopfacebook.com", "facebook-login.com"
levenshtein_distance
· number
Edit distance from original domain
Example: 4, 6, 8
DNS Resolution Data
dns_a
· array
DNS A records (IPv4)
Example: ["31.13.66.4"]
dns_aaaa
· array
DNS AAAA records (IPv6)
Example: ["2a03:2880:f003:c07:face:b00c:0:2"]
dns_mx
· array
DNS MX records
Example: ["smtpin.vvv.facebook.com."]
dns_ns
· array
DNS NS records
Example: ["a.ns.facebook.com.", "b.ns.facebook.com."]
dns_cname
· array
DNS CNAME records
Example: ["target.domain.com."]
dns_txt
· array
DNS TXT records
Example: ["v=spf1 -all", "google-site-verification=..."]
Server and Infrastructure
smtp
· string
SMTP banner
Example: "220 mx.example.com ESMTP ready"
http_banner
· string
HTTP server banner
Example: "nginx/1.18.0", "cloudflare"
Geolocation and Network
geolocation.country.iso_code
· string
Country ISO code
Example: "US", "CA", "GB"
geolocation.country.continent
· string
Continent code
Example: "NA", "EU", "AS"
geolocation.asn.number
· number
ASN number
Example: 32934, 13335, 16509
geolocation.asn.organization
· string
ASN organization name
Example: "FACEBOOK", "CLOUDFLARENET"
Classification Scores
classification.phishing
· number
Phishing classification score (0-1)
Example: 0.01, 0.85, 0.95
classification.parked
· number
Parked domain score (0-1)
Example: 0.0, 0.8, 0.95
classification.legitimate
· number
Legitimate domain score (0-1)
Example: 0.99, 0.15, 0.05
Domain Registration
whois
· string
WHOIS lookup data
Example: Raw WHOIS response text
rdap
· object
Registration Data Access Protocol data
Example: Structured RDAP response object
registration_metadata
· object
Domain registration metadata
Example: Processed registration information
Registration Metadata Fields
registration_metadata.registrar
· string
Domain registrar name
Example: "RegistrarSafe, LLC", "GoDaddy.com, LLC"
registration_metadata.registration_date
· string
Domain registration date
Example: "1997-03-29T05:00:00Z"
registration_metadata.expiration_date
· string
Domain expiration date
Example: "2034-03-30T04:00:00Z"
registration_metadata.nameservers
· array
Domain nameservers
Example: ["A.NS.FACEBOOK.COM", "B.NS.FACEBOOK.COM"]
registration_metadata.dnssec_status
· string
DNSSEC status
Example: "Unsigned", "Signed"
registration_metadata.registrar_iana_id
· string
Registrar IANA ID
Example: "3237", "146"
Technologies and Content
technologies
· array
Technologies detected on the domain
Example: ["HSTS", "HTTP/3"], ["Cloudflare", "HTTP/3"]
redirect_chain
· object
HTTP redirect chain data
Example: Array of redirect objects with URLs and status codes
TLS Certificate Data
origin_x509.fingerprint_sha256
· string
TLS certificate SHA256 fingerprint
Example: "a3dbb3df24d38f81e40dacbcab1317dafa1a597cc4bb5ab7404bf9db6a3193a7"
origin_x509.issuer_dn
· string
Certificate issuer distinguished name
Example: "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"
origin_x509.subject_dn
· string
Certificate subject distinguished name
Example: "C=US, ST=California, L=Menlo Park, O=Meta Platforms, Inc., CN=*.facebook.com"
origin_x509.san_dns
· array
Certificate Subject Alternative Names (DNS)
Example: ["*.facebook.com", "*.facebook.net", "facebook.com"]
origin_x509.not_before
· number
Certificate valid from timestamp
Example: 1742515200
origin_x509.not_after
· number
Certificate valid until timestamp
Example: 1750377599
origin_x509.key_alg
· string
Certificate key algorithm
Example: "1.2.840.10045.2.1"
origin_x509.sig_alg_oid
· string
Certificate signature algorithm OID
Example: "1.2.840.113549.1.1.11"
origin_x509.is_ca
· boolean
Whether certificate is a CA certificate
Example: false, true
Field Availability
Always Available
permutation
levenshtein_distance
Conditional Availability
- DNS fields (dns_*): Available when domain resolves
- Web fields (http_banner, technologies): Available when web services respond
- Certificate fields (origin_x509.*): Available when HTTPS is configured
- Registration fields (whois, rdap, registration_metadata.*): Available when registration data is accessible
- Geolocation fields (geolocation.*): Available when IP resolution succeeds
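
Added example (not part of the original reference and not the product's rule engine): a Python sketch of how a consumer of these signals can honour the conditional availability described above, reporting an absent field as unknown instead of treating it as a non-match. It assumes dotted signal names map to nested objects; the helper names, thresholds and sample record are constructed for illustration.

```python
from datetime import datetime, timezone

MISSING = object()  # sentinel: signal was not collected (distinct from 0, "" or [])

def get_signal(record, path):
    """Resolve a dotted signal name such as 'origin_x509.not_before'."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def _iso(value):    # registration dates appear as "YYYY-MM-DDTHH:MM:SSZ" strings
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _epoch(value):  # assumption: certificate timestamps are Unix epoch seconds
    return datetime.fromtimestamp(value, tz=timezone.utc)

def triage(record, now):
    """Return (reasons, unavailable) for one analysed permutation."""
    reasons, unavailable = [], []

    def check(path, predicate, reason):
        value = get_signal(record, path)
        if value is MISSING:
            unavailable.append(path)  # absent means "unknown", never "clean"
        elif predicate(value):
            reasons.append(reason)

    # Thresholds below are illustrative assumptions, not vendor defaults.
    check("classification.phishing", lambda v: v >= 0.8, "high phishing score")
    check("registration_metadata.registration_date",
          lambda v: (now - _iso(v)).days < 30, "registered under 30 days ago")
    check("origin_x509.not_before",
          lambda v: (now - _epoch(v)).days < 7, "certificate issued under 7 days ago")
    check("dns_mx", lambda v: len(v) > 0, "domain can receive mail")
    return reasons, unavailable

# Constructed sample: resolves and has registration data, but HTTPS is not
# configured, so every origin_x509.* signal is absent from the record.
SAMPLE = {
    "permutation": "facebook-login.com",
    "levenshtein_distance": 6,
    "dns_a": ["203.0.113.10"],
    "dns_mx": [],
    "classification": {"phishing": 0.85, "parked": 0.0, "legitimate": 0.15},
    "registration_metadata": {"registration_date": "2025-03-01T00:00:00Z"},
}
NOW = datetime(2025, 3, 15, tzinfo=timezone.utc)
```

Calling triage(SAMPLE, NOW) returns the matched reasons together with the list of signals that could not be evaluated, so an analyst can tell "no recent certificate" apart from "no certificate data".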