Somehow that seems worse. Don't apply automatic filters to sketchy, fly-by-night spam sites that pop up and disappear, but do apply purely automatic filters to sites with a significant enough amount of legitimate traffic?
That seems to be exactly backwards of the way things should be done if it wasn't mostly security theater.
It's also how machine-learning based "malware detections" work - they don't run in real time on users computers so you can create a fresh executable and it won't be flagged but once enough users run it and their anti-virus software uploads it will get scanned and receive a made-up virus name (and this can and often does happen even if the executable is not malicious).
- Have to consider the domain is a string, not a hierarchy. Too many premier domains have had subdomains with spam, malware, etc., running on some random thing in their namespace, trying to draft on the domain rep.
- Legit traffic + comment forms + web links are a thing spam and adult "se.xx 2nite?" bots target. They seek out the ranked traffic to boost their clicks and good rep to boost their SERPs, so -- perhaps counterintuitive -- scoring traffic + rep as an indicator (to be combined with other indicators of course) is sensible.
That's because Vodafone believes that daniel.haxx.se implies that "Daniel Has Sex" and is clearly a pornographic web-site un-suitable for its celibate and holy network.
That seems to be exactly backwards of the way things should be done if it wasn't mostly security theater.