Latest news of the domain name industry

Recent Posts

Schilling, Famous Four rubbish Spamhaus “worst TLD” league

Kevin Murphy, March 17, 2016, 17:41:55 (UTC), Domain Registries

Uniregistry and Famous Four Media have trashed claims by Spamhaus that their gTLDs are are much as 75% spam.
FFM says it is “appalled” by the “wholly inaccurate” claims, while Uniregistry boss Frank Schilling said Spamhaus has “totally jumped the shark here.”
In a statement to DI today, FFM chief legal officer Oliver Smith said the spam-fighting organization’s recently launched World’s Worst TLDs list is “reckless”, adding that the numbers are:

not only wholly inaccurate, but are misleading and, potentially, injurious to the reputation of Famous Four Media and those TLDs it manages. It is particularly worrisome that Spamhaus’s “findings” seem to have been taken as gospel within certain corners of the industry, despite not being proffered with any analytical methodology in support of the same.

The Spamhaus report, which is updated daily, presents the 10 TLDs that are more spam than not.
The rank is based on a percentage of domains seen by Spamhaus that Spamhaus considers to be “bad” — that is, are advertised in spam or carry malware.
Today, Uniregistry’s .diet tops the chart with “74.4% bad domains”, but the scores and ranks can and do shift significantly day by day.
Spamhaus describes its methodology like this:

This list shows the ratio of domains seen by the systems at Spamhaus versus the domains our systems profile as spamming or being used for botnet or malware abuse. This is also not a list that retains a long history, it is a one-month “snapshot” of our current view.

The words “seen by the systems at Spamhaus” are important. If a domain name never crosses Spamhaus’s systems, it isn’t counted as good or bad. The organization is not running the whole zone file against its block-list to check what the empirical numbers are.
In important ways, the Spamhaus report is similar to the discredited Blue Coat report into “shady” TLDs last September, which was challenged by myself and others.
However, in a blog post, Spamhaus said it believes its numbers are reflective of the TLDs as a whole:

In the last 18-years, Spamhaus has built its data gathering systems to have a view of most of the world’s domain traffic. We feel the numbers shown on this list are representative of the actual full totals.

I disagree.
In the case of .diet, for example, if 74% of the full 19,000-domain zone was being used in spam, that would equate to 14,000 “bad” domains.
But the .diet zone is dominated by domains owned by North Sound Names, the Frank Schilling vehicle through which Uniregistry markets its premium names.
NSN snapped up well over 13,000 .diet names at launch, and Schilling said today that NSN owns north of 70% of the .diet zone.
That would mean either Uniregistry is a spammer, or Spamhaus has no visibility into the NSN portfolio and its numbers are way the hell off.
“Spamhaus’ assertion that 74% of the registrations in the .diet space are spam is a numerical impossibility,” Schilling said. “They totally jumped the shark here.”
NSN’s domains don’t send mail, he said.
He added that diet-related products are quite likely to appear in spam, which may help account for Spamhaus’s systems identifying .diet emails as spam. He said:

Spamhaus is a high-minded organization and we applaud their efforts but this report is so factually inaccurate it casts into doubt the validity of everything they release. Spamhaus should be smarter than this and at a minimum consult with registries (our door is open) to gain a better understanding of the subject matter they wrongly profess to be expert in.

Similarly, FFM’s .review gTLD was briefly ranked last week as the “worst” gTLD at 75.1% badness. With 66,000 domains, that would mean almost 50,000 names are spammy.
Yet it appears that roughly 25,000 .review domains are long-tail geo names related to the hotels industry, registered by a Gibraltar company called A Domains Limited, which appears to be run by AlpNames, the registry with close ties to FFM itself.
Again, if Spamhaus’s numbers are accurate, that implies the registrar and/or registry are spamming links to content-free placeholder web sites.
FFM’s Smith says the registry has been using Spamhaus data as part of its internal Registry Abuse Monitoring tool, and that its own findings show significantly less spam. Referring to .review’s 75% score, he said:

This simply does not accord with FFM’s own research, which relies heavily on data made available by Spamhaus. The reality is that, in reviewing registration data for the period 8 February to 8 March 2016, only 4.8% of registered domains have been blacklisted by Spamhaus – further, it is questionable as whether every single such listing is wholly merited. When reviewing equivalent data for the period of 1 January to 8 March 2016 across ALL FFM managed TLDs this rate averages out to a mere 3.2%.

I actually conducted my own research into the claims.
Between March 8 and March 15, I ran the whole .review zone file through the Spamhaus DBL and found 6.9% of the names were flagged as spam.
My methodology did not take account of the fact that Spamhaus retires domains from its DBL after they stop appearing in spam, so it doesn’t present a perfect apples-to-apples comparison with Spamhaus, which bases its scoring on 30 days of data.
All told, it seems Spamhaus is painting a much bleaker picture of the amount of abuse in new gTLDs than is perhaps warranted.
During ICANN meetings last week and in recent blog comments, current and former executives of rival registries seemed happy to characterize new gTLD spam as a Famous Four problem rather than an industry problem.
That, despite the fact that Uniregistry, Minds + Machines and GMO also feature prominently on Spamhaus’s list.
I would say it’s more of a low prices problem.
It’s certainly true that FFM and AlpNames are attracting spammers by selling domains for $0.25 wholesale or free at retail, and that their reputations will suffer as a result.
We saw it with Afilias and .info in the early part of the last decade, we’ve see it with .tk this decade, and we’re seeing it again now.


If you find this post or this blog useful or interestjng, please support Domain Incite, the independent source of news, analysis and opinion for the domain name industry and ICANN community.

Tagged: , , , , , , ,

Comments (16)

  1. Jay Westerdal says:

    I can’t think of a motive that would justify such a bad reporting of details. It would appear that someone against new TLDs must be sponsoring spamhaus.

  2. R. Funden says:

    I would not be surprised if Garth Bruen and Spamhaus announced a merger next week. Their methodologies seem similar.
    Never trust self declared cops or other vigilantes.

  3. Garth says:

    Does Spamhaus view parked pages as “spam”?

  4. BetTheLot says:

    Isnt it all relative in that if it goes through Spamhaus system it would mean the domain is being actively used. So that its 75% of active domains, excluding parked domains.
    It would not surprise me at all if .diet active domains were at 75% spam and all those gtlds that are giving them away also, as they are a magnet for spammers

  5. Acro says:

    Check this out, might be of help.
    https://ntldstats.com/fraud

  6. Domainer says:

    Surprisingly as of now .Diet is not even in Top 10 “worst domains list” published on spamhouse website (the % is only diet = 23.2% bad). It sees the miracles do happen in domain world.

  7. NoTieNET says:

    Since they are concerned about email spam, perhaps they should just clarify that “of the domains that send email”…
    Then, the author wouldn’t be able to jump to conclusions like these:
    “In the case of .diet, for example, if 74% of the full 19,000-domain zone was being used in spam, that would equate to 14,000 “bad” domains.”

    • Kevin Murphy says:

      That would help, but I don’t think that’s what Spamhaus is doing. As the post notes, it’s “spamming or being used for botnet or malware abuse”.

  8. @Kevin Murphy,
    Spamhaus’s report deserves some criticism at the very least because
    (A) Its methodology isn’t discussed AT ALL;
    (B) Very specific numerical findings are presented with no discussion of what those numbers specifically measure or even mean.
    Because their report is so vague, I’m afraid your refutation of it also fails. That’s just because their claims are so unclear as to be unintelligible. We can’t refute, say, “70.3% bad domains” for .CLICK because none of us can be sure what that is meant to mean.
    When I skimmed Spamhaus’s post earlier, I certainly didn’t imagine that they were claiming, with regard to .DIET, that “74% of the full 19,000-domain zone was being used in spam”. That’s certainly untrue, as you say. But did they claim that? I didn’t interpret it that way, and I assume most readers didn’t either.
    Presumably, they meant 74% of unique email messages using .DIET were “bad”. What does “bad” mean? How were the emails gathered? We don’t know.
    Spamhaus ought to help readers understand what they’re claiming and how they arrived at their conclusions. Until then, we can’t really say whether they’re right or wrong.

  9. Sandra says:

    I have yet to see a valid mail coming from .diet (but I see a lot of Spam coming from them). So what Spamhaus signals is the ratio of legit use vs illegit use of a TLD. Domains that are inactive are not counted.
    This makes sense as the end user and email providers are interested in the probability of a TLD sending Spam. So if I get a mail from .diet it is Spam with 75% probability. That’s what the Spamhaus stats say.
    Otherwise you could just create a lot of inactive .diet domains to get better stats.

  10. Anon says:

    Spamhaus’s abuse monitoring and reporting is reckless at best…and it is completely inaccurate to suggest that they discount inactive domain names.
    As a little experiment, I ran a list of 50 domain names that I registered less than a week ago through their system – none of these domains have any NS records set and have not been used for any other purpose. Can you guess how many were on their blocklist??? EVERY SINGLE ONE. And no, I am not involved in any sort of nefarious activity that could otherwise have caused my domains to make the list (not that that should be a factor anyway…).
    Oh, and the reason I conducted that experiment is because the registry in question (ironically, Uniregistry) has suspended every single domain name based solely on Spamhaus falsely reporting them as having been used for spam.
    Organisations with sloppy methodologies, like Spamhaus, are damaging the domain name industry by encouraging registries and registrars to become lazy and reckless when it comes to abuse monitoring and prevention – this has a knock-on effect for consumers and domain name professionals alike.
    Why is everything that these guys publish taken as gospel??? The registries need to stop relying on spoon fed BS and start putting some time/effort/money into doing things properly.

    • Sandra says:

      Sorry, but that can’t be true. Why would Spamhaus list 50 domains that have never been used? What would be in it for them?
      Please list one of the domains here for proof. Thanks.

Add Your Comment