Recent Posts
- ICANN puts blockchain on the agenda for good
- New gTLD in trouble as largest registrar gets suspended
- ICANN picks comms firm for new gTLDs outreach
- Donuts goes with bland, forgettable, for new company name [rant]
- Broker says it will sue after DNS abuse sting operation
- Unstoppable targets another city gTLD with free domains
- Dynadot takes down its own web site after apparent breach
- The slow crawl to closed generics at ICANN 74
- Controversial Chinese firm among two newly revealed UNR gTLD buyers
- Over 900 people show up for ICANN 74
- Verisign and Afilias spar over .web delays
- Hamburg selected for next year’s ICANN AGM
- Amazon governments not playing ball with Amazon’s .amazon
- High fives, or elbows only? ICANN 74 intros traffic light system for socializing
- NetBeacon goes live for DNS abuse reporting
- As registration closes, many ICANN 74 sessions at bursting point
- Belarusian domains to change hands
- As GoDaddy shutters URL shortener, could x.co come back on the market?
- Nominet opens directorship nominations
- GoDaddy acquires two education-themed gTLDs
- Crypto domains: a feminist issue?
- Turkey name change could free up gTLD string
- Porkbun offering free .gay domains for Pride month
- DNSAI to name most-abused registries, registrars
- NameSilo profitable in Q1
- Meds regulator won’t say why it gets domains suspended
- Porkbun hits a million domains
- Porn names to feature at NamesCon Global
- Pizza company suffers from penisland syndrome
- Seat reservations and waiting lists on the cards for ICANN 74
- New gTLDs or Whois access? What’s more important?
- Domain sales down even as revenue booms at CentralNic
- ICANN kicks the can on .web yet again
- ALAC’s brutal takedown of that “aggressive” ICANN 74 coronavirus waiver
- .link gTLD buyer revealed
- After 10 months, ICANN board “promptly” publishes its own minutes
- China yanks Daily Stormer domain after Buffalo mass shooting
- Fewer domain companies closing down than expected
- ICANN highlights “not getting things done” risk
- Another single-TLD brand protection service planned
- Dot Hip Hop slashes prices 80% in relaunch
- Three gTLDs to lose Donuts trademark protection
- Tucows to reanimate Tucows brand as sales flatten
- Blockchain domains pose “significant risks” to internet, says ICANN
- Russian registry hit with second breach notice after downtime
- Two countries could lose registrar competition after breach notices
- .tattoo — another UNR gTLD auction winner emerges
- Neustar now linked to scandal in the Catholic church
- SSAD: Whois privacy-busting white elephant to be shelved
- ICANN reports shocking increase in pandemic scams
- Kaufmann selected for ICANN board
- Secondary market fluffs GoDaddy amid slowdown concerns
- Washington DC picked for ICANN 77
- UDRP suspended in Ukraine
- Gee, thanks. auDA cuts price of .au names by five cents
- ICANN salary porn: 2021 edition
- A sign of things to come? Verisign slashes outlook in post-pandemic slowdown
- UDRP comments reveal shocking lack of trust in ICANN process
- CentralNic sees 51% growth in Q1
- Ukraine won’t delete domains until war is over
- Covid surge scuppers ICANN LA meetings
- Vox Pop defends its favorite cybersquatter
- ICANN picks recipient of $1 million Ukraine aid
- More friction over closed generics
- ICANN’s Covid-19 waiver formally appealed
- GoDaddy and XYZ sign away rights after UNR’s crypto gambit
- Verisign wipes free TLDs from the world stats
- ICANN picks 28 registries for abuse audit
- TMCH turning off some brand-blocking services
- Bye-bye Alice’s Registry
- .kids goes live, plans to launch this year
- ICANN suggests its Covid waiver may be worthless
- Domain sales exempt from US sanctions on Russia
- African Union can’t register .africa domain
- Microsoft seizes domains Russia was using to attack Ukraine
- Blacknight objects to ICANN 74 Covid waiver
- DNS Abuse Institute names free tool NetBeacon, promises launch soon
- Radix renewals drive growth as revenue hits $38 million
- GoDaddy formally signs .tv registry contract
- ICANN lists the reasons I probably won’t be going to ICANN 74
- A public apology for my April Fool’s blog post
- ICANN accidentally summons Lesser Old One in DNSSEC snafu
- ICANN “volunteers” want to get paid for sitting through pandemic Zoom calls
- War fails to stop .ua domains selling
- Marby pledges low red tape in $1 million Ukraine donation
- 2LDs boost .au’s growth
- With mystery auction winner, .sexy prices go from $25 to $2,500
- Ukraine registry hit by 57 attacks in a week
- ICANN says higher domain prices may be in the public interest
- .org price caps: ICANN chair denies “secret” meetings
- Nigeria slashes prices to compete with .com
- .au names available today
- GoDaddy acquires DNAcademy
- Google to launch a shopping-themed gTLD next week
- Another DNSSEC screw-up takes down thousands of .au domains
- XYZ bought most of Uniregistry’s TLDs
- What to make of this strange trend in new domain regs?
- EURid appoints new CEO
- Mutually assured destruction? Now Afilias faces .web disqualification probe
- Closed generic gTLDs likely to be allowed, as governments clash with ICANN
- 101domain throttles its business in Russia
- ICANN bigwigs support sanctions on Russian domains
- Soviet Union “no longer considered eligible for a ccTLD”, ICANN chair confirms
- Nominet cuts off Russian registrars
- Now Sedo pulls the plug on Russians
- DNSSEC claims another victim as entire TLD disappears
- Ukraine’s emotional plea to ICANN 73
- ICANN extends Covid-19 abuse monitoring to Ukraine war
- ICANN’s Ukraine relief may extend to Russians too
- ICANN offers $1 million to Ukraine projects, supports Ukrainian registrants
- Here’s a way ICANN could actually help the people of Ukraine
- GoDaddy stops selling .ru domains, commits money to support Ukraine
- Gandi says it supports Ukraine but WON’T cut off Russians
- Now IONOS kicks out Russian customers
- ICANN says NO to Ukraine’s Big Ask
- Namecheap offers free services to Russian dissidents
- CENTR kicks out Russia
- Ukraine asks ICANN to turn off Russia’s internet, but it’s a bad idea
- Namecheap boss goes nuclear on Russian customers
- Noss pressures bankers, lawyers over Russian oligarch links
- As Russia advances on Kyiv, .ua moves out-of-country
- Maybe now’s the time for ICANN to start dismantling the Soviet Union
- Cybersquatting cases down in .uk
- GoDaddy among five companies competing for .za contract
- Registrar hit with second porn UDRP breach notice this year
SpamHaus ranks most-botted TLDs and registrars
Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, using statistics on botnet command and control centers released by SpamHaus this week.
SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.
It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.
The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.
Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.
Neither number includes compromised domains or free subdomains.
The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).
When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.
With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.
But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.
In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.
In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets. 
While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.
SpamHaus wrote:
While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.
However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.
The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.
Recent Comments