Personal computer computation power and connection capability dramatically increase such that personal computers becomes malicious attack major targets instead of traditional servers. By using worms and Trojan horses infecting victim personal computers, attackers establish their Botnets, which remote control victims performing malicious activities in order to make money and thus become major Internet threats. Encryption and domain fluxing become current major evading techniques for Botnet. In order to defend Botnet, DNS black list is one of the most effective defensive strategies to hidden Botnet connections. Therefore, effectively identifying malicious domain names is a critical issue for Botnet detection. This paper presents lexical analysis approach to find domain name different patterns, and adopts decision tree models to train the best combination of malicious domain name lexical features. We propose five major features: domain length, syllable count, vowel count, vowel ratio, character redundant. Experiment results show vowel ratio and vowel count can effectively differentiate black and white list samples while cross comparing them. While calculating false positive and negative rates, the combination of vowel ratio and vowel count provides the best results, 0.01% false positive rate and 4.3 % false negative rate, which show our approach can effectively identify malicious domain names.