Evidence Best Practice Guidelines
To take down a domain, the registrars demand very specific evidence of malicious activity. This section shows you how!
Evidence can be uploaded in TXT, MSG, EML, or MBOX formats. Virus scans can be uploaded in PDF or TXT formats.
To request a takedown of a suspicious domain, the user must supply the original phishing email, sent from the suspicious domain, complete with the email headers (not simply a screenshot).
The header information provides the digital trail of the email and describes how the email passed from its origin to the user's mailbox. This serves the following purposes:
- Validate the legitimacy of the email (headers are very difficult to falsify).
- Provide some insight into whether the email came from the domain listed or was spoofed.
Follow the instructions in the following sections to prepare evidence for uploading to the remediation request.
- To extract email headers from Gmail:
- To extract email headers from Outlook:
- To extract email headers from Apple Mail:
- To create a malware scan with VirusTotal:
- To create a malware scan with URLscan.io:
If proper evidence cannot be produced, see what other options are available at Additional Monitoring and Protection Steps.
To extract email headers from Gmail:
- In Gmail, open the email message for which you want to extract the header.
- In the top-right of the message, click More, then select Show original.
A page with the email headers is displayed in a new tab or window:
- Click **Copy to clipboard** (or highlight and copy everything), then paste into a searchable text editor.
- Search (Ctrl-F) to ensure that the phishing domain is located in the pasted content.
- Attach the pasted content to the takedown request as TXT, MSG, EML, or MBOX.
- Alternatively, click Download Original, and upload the downloaded EML file.
To extract email headers from Outlook:
Double-click the email message so it displays in a full window.
Display the Properties dialog in either of these ways:
Highlight, copy, and paste everything from the Internet headers section into a searchable text editor.
Search (Ctrl-F) to ensure that the phishing domain is located in the pasted content.
Attach the pasted content to the takedown request as TXT, MSG, EML, or MBOX.
To extract email headers from Apple Mail:
Open the email message in the macOS or OS X Mail reading pane or its window.
Choose View > Message > All Headers.
Highlight, copy, and paste everything from the Internet headers section into a searchable text editor.
Search to ensure that the phishing domain is located in the pasted content.
Attach the pasted content to the takedown request as TXT, MSG, EML, or MBOX.
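The Search step in the three header-extraction procedures above can be made stricter than Ctrl-F by confirming that the phishing domain appears in the headers themselves and not only in the message body. The Python below is an added example, not part of the original guidelines; `check_evidence` is a hypothetical helper, and the sample message and every domain in it are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample evidence (not a real message); all names are placeholders.
SAMPLE = """\
Return-Path: <bounce@phish-example.test>
Received: from mail.phish-example.test (mail.phish-example.test [203.0.113.7])
\tby mx.recipient.example with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from localhost (unknown [198.51.100.9])
\tby mail.phish-example.test with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=phish-example.test;
\tdkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
To: user@recipient.example
Subject: Verify your account
Message-ID: <1@phish-example.test>

Click http://phish-example.test/login
"""

def check_evidence(raw, domain):
    """Hypothetical helper: report where `domain` appears in pasted evidence."""
    msg = message_from_string(raw)
    # Match the domain or any subdomain as a whole hostname, not as a substring
    # of a longer name (notphish-example.test, phish-example.test.evil.example).
    host = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(domain.rstrip("."))
                      + r"(?![\w-])(?!\.[\w-])", re.I)
    in_headers = sorted({name for name, value in msg.items() if host.search(value)})
    # Body text as pasted; encoded (e.g. base64) parts are not decoded here.
    body = " ".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    auth = " ".join(msg.get_all("Authentication-Results", []))
    return {
        # Zero Received lines means only the body text was pasted, not the headers.
        "received_hops": len(msg.get_all("Received", [])),
        "headers_with_domain": in_headers,
        "domain_in_body": bool(host.search(body)),
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
        "auth_results": {k.lower(): v.lower() for k, v in
                         re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)},
    }

if __name__ == "__main__":
    for key, value in check_evidence(SAMPLE, "phish-example.test").items():
        print(f"{key}: {value}")
```

A result with `received_hops` of 0 or an empty `headers_with_domain` means the paste is missing the header trail the takedown request requires.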
To create a malware scan with VirusTotal:
Copy the domain name that you want to scan.
Select the Search tab and paste the domain name:
The domain scan is displayed, in which you can verify if there is malicious activity:
Copy and paste the URL of the page, then upload that URL as evidence as a PDF or TXT file.
To create a malware scan with URLscan.io:
Copy the domain name you want to scan.
Visit https://urlscan.io/
Click Search and paste the domain name:
The domain scan is displayed, in which you can verify if there is malicious activity:
- Copy and paste the URL of the page, then upload that URL as evidence as a PDF or TXT file.