Recent Posts
- ICANN name servers come under attack
- NamesCon will be virtual again this year, and more expensive
- Net4 nightmare almost over as court rules ICANN can shut down chaotic registrar
- IWF finds 3,401 “commercial” child porn domains
- Price caps on .org could return, panel rules
- DNS genius and ICANN key-holder Dan Kaminsky dies at 42
- .gov TLD quietly changes hands
- ICANN asks registries to freeze Net 4 India’s expired domains
- UNR cuts $5.2 million from price of new gTLD portfolio
- Formerly massive drop-catcher faces ICANN probe
- Verisign expects huge domain growth in 2021
- Decision on $135 million .web auction expected in weeks
- Net4’s “complete breakdown” is bringing India to a screeching halt, and ICANN could have prevented it
- Everything.sucks publishes transfer auth codes for thousands of domains in latest .sucks pimpage
- Kiwis finally making the switch to EPP with Canadian deal
- Squarespace files to go public in New York
- Facebook gunning for Web.com in latest $27 million-plus cybersquatting lawsuit
- Verisign says it needs .web because .com is running out of names
- Anger as Nominet rejects coup’s pick for chair
- Ahead of GoDaddy acquisition, MMX to scrap premium fees on 725,000 domains
- ICANN threatens to seize gTLD after Whois downtime
- China could block GoDaddy’s $120 million MMX swoop
- .CLUB CEO on selling to GoDaddy, Clubhouse, and .club’s “twerking moment”
- GoDaddy buys 30 new gTLDs for over $120 million
- Nominet members wail as ousted director made CEO
- XYZ adds .tickets to its gTLD stable
- EFF rages as Ethos closes Donuts buy
- Outrage at ICANN’s new “clown shoes” social distancing mandate
- ICANN refuses to say why it allowed Donuts to buy Afilias
- ShortDot bought another gTLD. Guess what .sbs stands for now?
- As Net4 goes dark, NIXI says customers won’t lose their expired domains
- .sucks mystery deepens. Who the hell is Pat Honeysalt?
- Universal Acceptance – making the internet work for everyone [Guest Post]
- ICANN rules out vaccine passports, kinda, but warns in-person meetings may be a long way off
- Motion to fire five Nominet directors passes in tight vote
- Nominet boss jumps before he is pushed
- Watch: the exact moment Nominet’s CEO sealed his fate
- Stick a fork in Nominet’s leadership. Tucows votes to fire half the board
- IP lobby demands halt to Whois reform
- Donuts adds another TLD to its stable as Richemont finally bows out of new gTLD program
- NamesCon Europe cancelled — “pandemics suck”
- As .gov changes hands, would Verisign run it for free?
- Nominet warns of government takeover as Namecheap backs fire-the-directors campaign
- ICANN 71 is online-only, because of course it is
- Correction: UNR’s trademark block service
- ICANN 70 has virtual schwag, other new stuff
- Everything.sucks, in losing UDRPs, puts the lie to the .sucks business model
- Domain industry shrank in Q4, but as usual there’s a big BUT
- Pirate Bay founder says ICANN won’t let him be a registrar
- ICANN finally cans Net 4 India
- Got beef with ICANN? Why you may not want to use the Ombudsman
- EU cancels .eu tender after Brexit cock-up
- More acquisitions? GoDaddy to raise $800 million
- Facebook lawsuit brings one country’s domain to a screeching halt
- CentralNic buys German monetization firm for up to $13 million
- .hotel battle lands ICANN in court over accountability dodges
- ICANN purges another dormant dot-brand
- Conspiracy nut ordered to pay thousands to “kingpins” as “cartel” lawsuit chucked out
- Three ICANN directors voted against Marby’s pay rise
- Former ICANN vice-chair Disspain joins Donuts
- Donuts acquires four more gTLDs, but allows one to be scrapped
- Rival wants the truth about the Afilias-Donuts deal amid “collusion” claims
- Coronavirus has made ICANN $11 million richer than predicted so far this year
- Lockdown bump sees GoDaddy double customer gains in 2020
- Brit .eu owners get another three-month stay of execution
- Verisign upgrades its cash-printing machine but warns post-pandemic “could go either way”
- Nominet declares member coup “invalid”
- Public comments open on new Whois policies
- ICANN CEO gets 5% pay rise
- Security firm sues Facebook to overturn UDRP loss of “good faith” typo domains
- Registrar giant created as Web.com merged with Endurance
- Nominet chair eats humble pie to stave off mass board cull
- ShortDot adds fourth gTLD to its stable, plans March launch
- Nominet boss has epiphany and calls for calm as his job hangs by a thread
- One year on, Namecheap still fighting aborted .org takeover and may target GoDaddy and Donuts next
- Defensive windfall on the cards for .spa? It’s not just for spas any more
- Two more dot-brands take the easy way out
- RobinHood.club showered with five-star reviews after .com confusion
- EURid reports 3% growth in final quarter before Brexit crunch
- Webcentral to change its branding yet again after tricky takeover
- Fire the board! Registrars attempt a coup at Nominet
- .club back over a million names as Clubhouse drives growth
- Eight years after asking, Israel to get its Hebrew ccTLD
- Time is running out for Net4 as ICANN questions Indian court ruling
- UNR getting out of the registry business with $17 million no-reserve auctions on 23 new gTLDs
- Amid .club boom, one AV vendor is blocking the whole damn TLD
- New rules could stop registries ripping off big brands
- MMX vows to refocus under new boss after crappy 2020
- Failed .org buyer Ethos Capital buys Donuts
- Crackdown looms for new gTLD auction gaming
- Would-be new country wants to share another country’s ccTLD
- 153 registrars fingered for ICANN security probe
- ICANN axes Cancun again. Apparently there’s a pandemic
- Gun nut site crashes at Epik after GoDaddy shoots it down
- It’s pandemic continuity versus gender diversity in ICANN’s board wish-list
- Free domains for .in registrants
- Here’s why two ICANN directors opposed extending Marby’s CEO contract
- Rules for the next new gTLD round near the final straight
- Island demands return of its “naked” ccTLD
- Donuts punter welcomes our new alien overlords in December premium sale
- Net 4 India gets unwelcome Christmas gift from ICANN
- Fuji Xerox kills off gTLD after rebrand
- EURid suspends 80,000 domains as Brexit transition ends
- GoDaddy’s female geeks make a bit more than men
- Donuts acquisition of Afilias closes, integration work begins
- GoDaddy pranks employees with “insensitive” phishing test
- US sneaks public Whois demands into pandemic relief bill
- Verisign drops half a mill on pandemic relief
- Mixed messages from ICANN on pandemic travel in 2021
- ICANN predicts rosy post-pandemic domain industry — time to start panicking?
- DI World Global International Headquarters is relocating
- ICANN throws the book at Net4 over dodgy transfer claims
- Fraud checks coming to .ch as SWITCH renews contract
- South African registry to be merged with film censor, broadband regulator
- There’s one obvious pick for next year’s ICANN Community Excellence Award
- ICANN could block Donuts from buying Afilias
- Westerdal offloads two more gTLDs to Donuts
- Whois privacy group finds its new chair
- Three more new gTLDs blink out of existence
- NamesCon Europe founder Dietmar Stefitz reportedly dies
- Credit union gTLD changes hands to perhaps surprising buyer
- After 20 years, DomainTools takes its first VC dough
- Gay charities get first taste of domain cash
- CIRA hits major .ca milestone on 20th anniversary
- .org made $97 million last year
SpamHaus ranks most-botted TLDs and registrars
Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, using statistics on botnet command and control centers released by SpamHaus this week.
SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.
It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.
The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.
Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.
Neither number includes compromised domains or free subdomains.
The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).
When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.
With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.
But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.
In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.
In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets. 
While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.
SpamHaus wrote:
While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.
However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.
The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.
Recent Comments