Recent Posts
- CentralNic more than doubles revenue as parking business thrives
- WIPO handles 50,000th UDRP case as coronavirus drives complaints
- Brits get small reprieve in Brexit domain crackdown
- Vaccine agency to get more domain takedown powers next year
- Domain growth dropped off in Q3, says Verisign
- Donuts boss discusses shock Afilias deal
- GoDaddy has a secret weapon in its push into corporate domains
- Donuts acquires Afilias to create registry giant
- ICANN finally addresses Net 4 India meltdown, but mysteries remain
- Masochistic mug urgently wanted for thankless, pay-free ICANN leadership role
- ICANN made over $500k in secret lawyer payments over [REDACTED] legal dispute
- .spa registry relocates to .xyz
- .forum sunrise period will cost less than half the regular reg fee
- .trust finds a new home with UNR
- Web.com acquires Kiwi registrar Freeparking
- GoDaddy set to pay millions to settle robocalling class action
- Tributes as “great mentor” Marilyn Cade dies
- GoDaddy sees 12% growth in domains revenue
- One-letter .lu domains could be bought for peanuts
- Another domain firm going private as Endurance announces $3 billion deal
- Verisign increases focus on .com after flogging public DNS to Neustar
- Blood on the boardroom floor after MMX admits revenue screwup
- Angry investor sues for 30% of new .spa gTLD
- Amazon sold rights to .box gTLD for $3 million
- Big pharma firm dumps its gTLD
- Facebook to enter the retail registrar business?
- .web ruling might not come this year
- Verisign sells a million more domains than it did last year
- Free speech, or bad faith? UDRP panels split on Everything.sucks domains
- The internet just got its first proper new gTLD of the year, and the timing couldn’t be worse
- ICANN may not meet again for a looong time
- ICANN denies Whois policy “failure” as Marby issues EU warning
- These eight companies account for more than half of ICANN’s revenue
- Lockdown bump was worth $600,000 to ICANN, but end of Club Med saves 10x as much
- That .sucks weirdness? Worse than I thought
- Something weird’s going on at .sucks
- Are 25x price increases on the cards as XYZ corners the cars market?
- .gay and Star Trek star troll the right to promote new gTLD
- Forty weddings and a funeral? .wed is dead but may come up for auction
- Holy Scheisse! Did you know ICANN 69 starts TOMORROW?
- MMX probing accounting of mystery contract
- NamesCon will be back to in-person events next July
- .eu registry contract up for grabs
- EURid suspends and delays thousands of coronavirus domains
- .jobs plans to raise millions from premium names after dumping its sponsor
- Peaceful transfer of power? GNSO’s next chair is a shoo-in
- Two American women appointed to ICANN board
- Europe’s top dogs could decide the future of Whois
- ICANN playing ping-pong on closed generics controversy
- Has ICANN cut off its regulatory hands?
- Will you shut up, man? Trump takedown domain on sale for ridiculous fee
- MMX revenue down even as sales rise during pandemic
- This ICANN comment period is a Kafkaesque nightmare
- Could .cpa be the most successful new gTLD sunrise yet?
- ICANN 69 returning to YouTube
- Three-letter .blog domains priced up to $100k
- Whois plan approved, but it may be a waste of money
- Should YOU have to pay when lawyers access your private Whois info?
- Nominet shuts down “hostile” discussion forum
- Donuts to launch .contact next week
- GoDaddy denies weird front-running claim
- Is India’s largest registrar about to go titsup? And where the hell is ICANN?
- Webcentral rejects Web.com buyout bid for LOWER offer from Aussie telco
- Portugal reports lockdown boom continued through the summer
- No ICANN meetings until 2021
- ZADNA hikes up the price of .za domains
- Floodgates, open! Trademark Clearinghouse now supports .com
- Radix premium renewals approach $1 million
- GoDaddy could lose control of .co this week
- ICANN ordered to freeze .hotel after “serious questions” about trade secrets “theft”
- CentralNic parking boosts revenue even as its registrars suffer
- ICANN will spend $51,000 on your broadband
- Verisign measures the industry’s lockdown bump
- ICANN apologizes to “arms dealer” claim security firm after email goes missing
- Amazon waves off demand for more government blocks
- Told us so? Nominet ditches auctions plan, will charge drop-catchers higher fees instead
- Schreiber really did sue you all, sorry
- Fight over closed generics ends in stalemate
- New gTLD prices could be kept artificially high
- Here’s what’s in the NamesCon Online schwag bag
- New back-end approval program could reduce the cost of a new gTLD
- Single/plural gTLD combos to be BANNED
- ICANN might pay for your lockdown broadband
- The end of the beginning? ICANN releases policies for next round of new gTLDs
- It’s a CONSPIRACY! Canadian registrant “sues” pretty much everybody
- “Arms dealer” registrar probed by ICANN
- No lockdown bump for .eu as domain base shrinks in Q2
- After a year’s delay, .gay reveals launch dates
- ICANN names Egypt-based head of Istanbul office
- Countries ask Amazon for thousands more domain blocks
- Dot-brand fizzles out after acquisition
- The two biggest registrars knock it out of the park in Q2
- Domain industry had best April ever under lockdown
- .bible-thumping anti-porn registrar goes titsup
- The pricey, complex, clusterfuck plan to reopen Whois
- Tucows sells off Ting business, retreats into the back-end
- No .sex please, we’re infected!
- Domainers immune from the lockdown bump?
- Drop auctions not a slam-dunk, says Nominet
- After Chapter 11 filing, JCPenney dumps its dot-brand
- Israeli registrar denies “arms dealer” claims
- Nominet members revolt over “deepest pockets wins” auction plans
- CSC becomes first foreign registrar to get the China nod
- ICANN close to becoming $200 million gift-giver
- The $135 million battle for .web could be won in weeks
- .com renewals lowest in years, but Verisign sees lockdown bump anyway
- ICANN washes its hands of Amazon controversy
- Google’s .new now generally available
- $11 billion dot-brand blames coronavirus as it self-euthanizes
- ICANN still has no clue how coronavirus will affect the domain industry
- ICANN throws out “Ugly Houses” UDRP appeal
- Brazil to launch domains for detectives, librarians and geologists
- Endurance also got a lockdown bump in Q2
- Nominet wants to kill off the .uk drop-catching market
- Right to reply: new gTLD applicant hits back at my “delusional” comments
- One.com takes big chunk of Danish market with third acquisition this year
- Web.com acquires another of the original five registrars
- Mucho weirdness as Google “forgets” to renew major domain
- First deadbeat dot-brand ripped from the root
- Coronavirus helps .nl beat 6 million regs
- NamesCon Online ticket prices and name change revealed
- GoDaddy domains doing just fine during pandemic, lays off hundreds anyway
- I was wrong, rejected “racist” web site didn’t go to Epik
- World’s most deluded new gTLD applicant makes coronavirus pitch
- Does ICANN have a race problem?
SpamHaus ranks most-botted TLDs and registrars
Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, using statistics on botnet command and control centers released by SpamHaus this week.
SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.
It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.
The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.
Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.
Neither number includes compromised domains or free subdomains.
The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).
When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.
With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.
But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.
In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.
In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets. 
While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.
SpamHaus wrote:
While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.
However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.
The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.
Recent Comments