Why doesn't the Risk Level change as content changes? Do Risk Levels look at page content?
Risk Levels are determined by a series of classifiers that we call “caucuses,” or voting systems. These look at the metadata features surrounding the site. So while we might not know what the site is doing, we can statistically prove that the site is doing something directly correlated with bad behavior.
Some examples of our caucuses are:
Shady Traffic: Looks at the URL request itself: query string, user-agent, filename, port, path, etc.
Shady Content: Looks at file type, content, tags, etc.
Shady Name: Looks at the TLD, domain name, etc.
Shady Neighborhood: Looks at the IP reputation of the site's network.
Shady Response: Looks at the response to the request.
Context Engine: Examines virtually all tokens available from the URL.
All of these ultimately have different weights that combine with ground-truth knowledge, such as Malware Analysis or other feeds, to form a final Risk Level.
Of all of these, it just so happens that over a decade of analysis has proven to us that content is a less significant factor in determining the risk of a site than others. So when content changes, our Risk Level calculator doesn’t pay a lot of attention to it.