Recent Posts
- Pirate Bay founder says ICANN won’t let him be a registrar
- ICANN finally cans Net 4 India
- Got beef with ICANN? Why you may not want to use the Ombudsman
- EU cancels .eu tender after Brexit cock-up
- More acquisitions? GoDaddy to raise $800 million
- Facebook lawsuit brings one country’s domain to a screeching halt
- CentralNic buys German monetization firm for up to $13 million
- .hotel battle lands ICANN in court over accountability dodges
- ICANN purges another dormant dot-brand
- Conspiracy nut ordered to pay thousands to “kingpins” as “cartel” lawsuit chucked out
- Three ICANN directors voted against Marby’s pay rise
- Former ICANN vice-chair Disspain joins Donuts
- Donuts acquires four more gTLDs, but allows one to be scrapped
- Rival wants the truth about the Afilias-Donuts deal amid “collusion” claims
- Coronavirus has made ICANN $11 million richer than predicted so far this year
- Lockdown bump sees GoDaddy double customer gains in 2020
- Brit .eu owners get another three-month stay of execution
- Verisign upgrades its cash-printing machine but warns post-pandemic “could go either way”
- Nominet declares member coup “invalid”
- Public comments open on new Whois policies
- ICANN CEO gets 5% pay rise
- Security firm sues Facebook to overturn UDRP loss of “good faith” typo domains
- Registrar giant created as Web.com merged with Endurance
- Nominet chair eats humble pie to stave off mass board cull
- ShortDot adds fourth gTLD to its stable, plans March launch
- Nominet boss has epiphany and calls for calm as his job hangs by a thread
- One year on, Namecheap still fighting aborted .org takeover and may target GoDaddy and Donuts next
- Defensive windfall on the cards for .spa? It’s not just for spas any more
- Two more dot-brands take the easy way out
- RobinHood.club showered with five-star reviews after .com confusion
- EURid reports 3% growth in final quarter before Brexit crunch
- Webcentral to change its branding yet again after tricky takeover
- Fire the board! Registrars attempt a coup at Nominet
- .club back over a million names as Clubhouse drives growth
- Eight years after asking, Israel to get its Hebrew ccTLD
- Time is running out for Net4 as ICANN questions Indian court ruling
- UNR getting out of the registry business with $17 million no-reserve auctions on 23 new gTLDs
- Amid .club boom, one AV vendor is blocking the whole damn TLD
- New rules could stop registries ripping off big brands
- MMX vows to refocus under new boss after crappy 2020
- Failed .org buyer Ethos Capital buys Donuts
- Crackdown looms for new gTLD auction gaming
- Would-be new country wants to share another country’s ccTLD
- 153 registrars fingered for ICANN security probe
- ICANN axes Cancun again. Apparently there’s a pandemic
- Gun nut site crashes at Epik after GoDaddy shoots it down
- It’s pandemic continuity versus gender diversity in ICANN’s board wish-list
- Free domains for .in registrants
- Here’s why two ICANN directors opposed extending Marby’s CEO contract
- Rules for the next new gTLD round near the final straight
- Island demands return of its “naked” ccTLD
- Donuts punter welcomes our new alien overlords in December premium sale
- Net 4 India gets unwelcome Christmas gift from ICANN
- Fuji Xerox kills off gTLD after rebrand
- EURid suspends 80,000 domains as Brexit transition ends
- GoDaddy’s female geeks make a bit more than men
- Donuts acquisition of Afilias closes, integration work begins
- GoDaddy pranks employees with “insensitive” phishing test
- US sneaks public Whois demands into pandemic relief bill
- Verisign drops half a mill on pandemic relief
- Mixed messages from ICANN on pandemic travel in 2021
- ICANN predicts rosy post-pandemic domain industry — time to start panicking?
- DI World Global International Headquarters is relocating
- ICANN throws the book at Net4 over dodgy transfer claims
- Fraud checks coming to .ch as SWITCH renews contract
- South African registry to be merged with film censor, broadband regulator
- There’s one obvious pick for next year’s ICANN Community Excellence Award
- ICANN could block Donuts from buying Afilias
- Westerdal offloads two more gTLDs to Donuts
- Whois privacy group finds its new chair
- Three more new gTLDs blink out of existence
- NamesCon Europe founder Dietmar Stefitz reportedly dies
- Credit union gTLD changes hands to perhaps surprising buyer
- After 20 years, DomainTools takes its first VC dough
- Gay charities get first taste of domain cash
- CIRA hits major .ca milestone on 20th anniversary
- .org made $97 million last year
- XYZ launches its beauty-themed gTLDs with slashed prices
- “Criminal” domain suspensions drop again in .uk but thousands of pandemic domains frozen
- NameSilo in profit as sales rise 11%
- CentralNic more than doubles revenue as parking business thrives
- WIPO handles 50,000th UDRP case as coronavirus drives complaints
- Brits get small reprieve in Brexit domain crackdown
- Vaccine agency to get more domain takedown powers next year
- Domain growth dropped off in Q3, says Verisign
- Donuts boss discusses shock Afilias deal
- GoDaddy has a secret weapon in its push into corporate domains
- Donuts acquires Afilias to create registry giant
- ICANN finally addresses Net 4 India meltdown, but mysteries remain
- Masochistic mug urgently wanted for thankless, pay-free ICANN leadership role
- ICANN made over $500k in secret lawyer payments over [REDACTED] legal dispute
- .spa registry relocates to .xyz
- .forum sunrise period will cost less than half the regular reg fee
- .trust finds a new home with UNR
- Web.com acquires Kiwi registrar Freeparking
- GoDaddy set to pay millions to settle robocalling class action
- Tributes as “great mentor” Marilyn Cade dies
- GoDaddy sees 12% growth in domains revenue
- One-letter .lu domains could be bought for peanuts
- Another domain firm going private as Endurance announces $3 billion deal
- Verisign increases focus on .com after flogging public DNS to Neustar
- Blood on the boardroom floor after MMX admits revenue screwup
- Angry investor sues for 30% of new .spa gTLD
- Amazon sold rights to .box gTLD for $3 million
- Big pharma firm dumps its gTLD
- Facebook to enter the retail registrar business?
- .web ruling might not come this year
- Verisign sells a million more domains than it did last year
- Free speech, or bad faith? UDRP panels split on Everything.sucks domains
- The internet just got its first proper new gTLD of the year, and the timing couldn’t be worse
- ICANN may not meet again for a looong time
- ICANN denies Whois policy “failure” as Marby issues EU warning
- These eight companies account for more than half of ICANN’s revenue
- Lockdown bump was worth $600,000 to ICANN, but end of Club Med saves 10x as much
- That .sucks weirdness? Worse than I thought
- Something weird’s going on at .sucks
- Are 25x price increases on the cards as XYZ corners the cars market?
- .gay and Star Trek star troll the right to promote new gTLD
- Forty weddings and a funeral? .wed is dead but may come up for auction
- Holy Scheisse! Did you know ICANN 69 starts TOMORROW?
- MMX probing accounting of mystery contract
- NamesCon will be back to in-person events next July
- .eu registry contract up for grabs
- EURid suspends and delays thousands of coronavirus domains
- .jobs plans to raise millions from premium names after dumping its sponsor
SpamHaus ranks most-botted TLDs and registrars
Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, using statistics on botnet command and control centers released by SpamHaus this week.
SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.
It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.
The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.
Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.
Neither number includes compromised domains or free subdomains.
The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).
When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.
With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.
But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.
In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.
In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets. 
While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.
SpamHaus wrote:
While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.
However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.
The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.
Recent Comments