Recent Posts
- UDRP respondent has name hidden on mental health grounds
- Facebook rebrand: did one new gTLD or domainer just hit the jackpot?
- .basketball domain emerges under GoDaddy with fewer hoops
- Donuts shuts down 14 registrars, but it’s “not related to DropZone”
- EURid fends off rivals for .eu contract
- Guy fills exact-match domain with porn, wins UDRP anyway
- Bahrain to relaunch ccTLD globally
- CentralNic says it’s making more money than expected
- Most registrars did NOT “fail” abuse audit, ICANN says
- Surprise eleventh-hour picks for NomCom leadership after ICANN U-turn
- Man with broken shift key sues ICANN and GoDaddy over Bitcoin domain
- Alice’s Registry disappears down the rabbit hole
- Nominet rebels dominate directorship slate
- 10 Years Ago… new gTLDs, ICANN pay, DNS abuse and ethics
- Nominet to purge £50 million from war chest for good causes as new chair outlines strategy
- .club — the whole TLD just went down
- Donuts’ DropZone approved despite competition fears
- I’m not kidding, ICANN is flirting with banning jokes
- DotConnectAfrica slammed for two-faced strategy as it loses .africa appeal
- PIR poaches new CTO from Verisign
- Marby finds his pandemic pessimism
- James Bond domains listed for sale by .bond registry
- Afnic gets renewed for .fr
- Tucows buys UNR’s registry business as Schilling bows out
- Neustar exec fingered in Trump’s Russian “collusion” probe
- Donuts’ drop-catching service not anti-competitive, ICANN says
- Almost no security researchers asking for Whois records – Tucows
- Price of Whois lookups could rise as ICANN delays reform work
- Cloudflare goes all-in with at-cost domains
- Hold on to your stats! ShortDot gets two gTLDs approved in China
- CentralNic spends $6.5 million on traffic network
- Nothing but losses ahead for MMX
- Afilias appeals .web ruling, Verisign responds with “rigging” claims
- ICANN won’t vote on new gTLDs for another year
- ICANN now has half a billion bucks in the bank after huge pandemic profits
- Dead dot-brands top 100. Here’s the list and breakdown
- I had a stroke
- Volkswagen drives IDN dot-brand off a cliff
- CTO Conrad quits ICANN
- France gets more domain takedown powers
- MMX to return GoDaddy cash to investors
- Could registrars get sued under new Texas abortion law?
- DropCatch raises antitrust concerns about Donuts’ Dropzone proposal
- ICANN could get the ball rolling on next new gTLD round this weekend
- Domain industry SHRINKS again… except of course it doesn’t
- Toilet-maker’s dot-brand gets flushed
- Latest geo-gTLD goes to sunrise
- NameSilo says it’s growing too fast to be acquired
- Most registrars fail ICANN abuse audit
- More privacy headaches? UK to withdraw from GDPR
- Bizarre redactions in Pirate Bay founder’s ICANN registrar ban
- ICANN cuts the weekend from next public meeting
- DotKids signs very weird new gTLD contract
- Dropping domains might get more expensive at Donuts
- .sucks registry probably “connected” to mass cybersquatter, panel rules
- As Kabul falls, Whois could present a danger to ordinary Afghans
- Second-level .au names coming next March with tight deadline
- ICANN director picks for 2021 revealed
- Over 2,000 attendees for ICANN 73?
- .za back-end deal up for grabs
- ICANN spills beans on Marby’s million-dollar payday
- ICANN 73 will be “virtual first”
- Registrars to get more domain takedown powers
- Irish domain sales closely track pandemic restrictions
- MMX drops two registrars
- “Crimes against humanity” claims against Afilias
- Dead dot-brands #92 and #93
- GoDaddy and MMX delay closure of $120 million gTLD deal
- This company had every reason to want a dot-brand, but just killed it off
- Olympics: Australia preemptively blocking Brisbane 2032 regs
- GoDaddy rides another 21 gTLDs into its stable
- CentralNic expects H1 revenue of $174 million
- Domainers at risk as EnCirca takes over deadbeat registrar’s customer base
- Another new gTLD applicant lawyers up on ICANN
- Big names shunned as Nominet names first registrar council members
- As judge freezes assets, is this OnlineNic domain portfolio really worth $70,000?
- Nominet names new chair, slashes exec pay, promises reforms and more boardroom exits
- Facebook’s war on privacy claims first registrar scalp
- GoDaddy welcomes four porn TLDs
- New gTLD buzz is back again as ICA hosts “second round” webinar
- Nope, no Seattle meeting for ICANN
- .org domains could come in seven new languages
- .com and NameSilo fingered as “most-abused” after numbers rocket
- MMX gets nod to sell 22 gTLDs to GoDaddy
- ICANN to hold hybrid meeting in October (not that one)
- Cambodia looking at new registry overseer
- Panel hands .sucks squatter a WIN, but encourages action against the registry
- Three rivals challenge EURid for .eu contract
- Amazon has started using hard-won .amazon
- Will you use SSAD for Whois queries?
- CentralNic gets into artificial intelligence
- “Diversity” warning over ICANN Seattle
- ICANN DOESN’T money-grub in new gTLD contract shocker
- Pirate Bay founder among candidates for Nominet advisory council
- XYZ scraps .tickets rules but won’t lower the price
- EURid scraps residency rules for three countries
- Epik buys DNForum, explores member ownership options
- Nominet throws money at member-chosen charities
- ICANN backtracks on executive pay transparency
- Brexit-hit domains can still be recovered
- Net4 domains now parked after “fraud” ruling
- Pride Month not transformative for .gay
- Schwartz makes deal to sell ass.com for over $6 million
- US Feds seize 33 Iranian news site domains
- Domain firms plan “Trusted Notifier” takedown rules
- Did Harry and Meghan squat the Queen? [clickbait]
- There’s really only one question about the return to face-to-face ICANN meetings
- Registries unveil plan to tackle botnet abuse with mass takedowns
- Next new gTLD round should be less English, says ICANN boss
- Cade and Dammak win ICANN awards
- In two weeks, Brits will lose their .eu domains forever
- ICANN waves off EFF concerns about the Ethos-Donuts deal
- ICANNers itching to get back to face-to-face shindigs
- How awful would ICANN 72 have to be for you to stay at home?
- More non-rules proposed for Whois privacy
- Domain regs dip for second quarter in a row and it’s all China’s fault
- ICANN 71 — now with added bearded men!
- .autos priced waaay below its XYZ rivals
- Barrett to replace Da Silva on ICANN board
- CentralNic trumpets organic growth as its registrars reverse shrinkage
- EURid sells 1,369 Cyrillic names in five years
- Afilias hints at more legal action over .web
- ShortDot plans domain blocking service for brands
- No more acquisitions for Nominet
- Afilias leftovers rebrand as Altanovo
SpamHaus ranks most-botted TLDs and registrars
Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, using statistics on botnet command and control centers released by SpamHaus this week.
SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.
It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.
The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.
Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.
Neither number includes compromised domains or free subdomains.
The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).
When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.
With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.
But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.
In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.
In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets. 
While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.
SpamHaus wrote:
While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.
However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.
The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.
Recent Comments