Throwaway TLD in link — .xyz / .top / .click / .tk credential-harvest landing page
href-suspicious-tld
What this tier means
Warning signal — bulk / marketing / mild spam. Contributes to the trash score but is not by itself sufficient.
How Gorganizer detects this
An `<a href>` in the body points at a hostname on a cheap/free TLD with overwhelming abuse rates (.xyz, .top, .click, .tk, .loan, .work, .icu, .cyou, and ~25 others from Spamhaus DBL data). Common multi-stage phishing pattern: a clean-looking sender delivers the message while the actual credential-harvest page lives on a throwaway host registered minutes ago for pennies. Legitimate brands never host login/checkout on these TLDs — the reputation cost is too high and the registration-to-suspension window is too short. URL-level sibling of the sender-level `suspicious-tld` signal.
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a warning-tier signal — bulk / marketing / mild spam. It contributes to the trash score but never triggers deletion on its own. Gorganizer requires multiple signals + a margin over the safety floor before any email is moved to trash.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
Get started