Recent Posts
- Portugal reports lockdown boom continued through the summer
- No ICANN meetings until 2021
- ZADNA hikes up the price of .za domains
- Floodgates, open! Trademark Clearinghouse now supports .com
- Radix premium renewals approach $1 million
- GoDaddy could lose control of .co this week
- ICANN ordered to freeze .hotel after “serious questions” about trade secrets “theft”
- CentralNic parking boosts revenue even as its registrars suffer
- ICANN will spend $51,000 on your broadband
- Verisign measures the industry’s lockdown bump
- ICANN apologizes to “arms dealer” claim security firm after email goes missing
- Amazon waves off demand for more government blocks
- Told us so? Nominet ditches auctions plan, will charge drop-catchers higher fees instead
- Schreiber really did sue you all, sorry
- Fight over closed generics ends in stalemate
- New gTLD prices could be kept artificially high
- Here’s what’s in the NamesCon Online schwag bag
- New back-end approval program could reduce the cost of a new gTLD
- Single/plural gTLD combos to be BANNED
- ICANN might pay for your lockdown broadband
- The end of the beginning? ICANN releases policies for next round of new gTLDs
- It’s a CONSPIRACY! Canadian registrant “sues” pretty much everybody
- “Arms dealer” registrar probed by ICANN
- No lockdown bump for .eu as domain base shrinks in Q2
- After a year’s delay, .gay reveals launch dates
- ICANN names Egypt-based head of Istanbul office
- Countries ask Amazon for thousands more domain blocks
- Dot-brand fizzles out after acquisition
- Corrections: AlpNames and Famour Four Media
- The two biggest registrars knock it out of the park in Q2
- Domain industry had best April ever under lockdown
- .bible-thumping anti-porn registrar goes titsup
- The pricey, complex, clusterfuck plan to reopen Whois
- Tucows sells off Ting business, retreats into the back-end
- No .sex please, we’re infected!
- Domainers immune from the lockdown bump?
- Drop auctions not a slam-dunk, says Nominet
- After Chapter 11 filing, JCPenney dumps its dot-brand
- Israeli registrar denies “arms dealer” claims
- Nominet members revolt over “deepest pockets wins” auction plans
- CSC becomes first foreign registrar to get the China nod
- ICANN close to becoming $200 million gift-giver
- The $135 million battle for .web could be won in weeks
- .com renewals lowest in years, but Verisign sees lockdown bump anyway
- ICANN washes its hands of Amazon controversy
- Google’s .new now generally available
- $11 billion dot-brand blames coronavirus as it self-euthanizes
- ICANN still has no clue how coronavirus will affect the domain industry
- ICANN throws out “Ugly Houses” UDRP appeal
- Brazil to launch domains for detectives, librarians and geologists
- Endurance also got a lockdown bump in Q2
- Nominet wants to kill off the .uk drop-catching market
- Right to reply: new gTLD applicant hits back at my “delusional” comments
- One.com takes big chunk of Danish market with third acquisition this year
- Web.com acquires another of the original five registrars
- Mucho weirdness as Google “forgets” to renew major domain
- First deadbeat dot-brand ripped from the root
- Coronavirus helps .nl beat 6 million regs
- NamesCon Online ticket prices and name change revealed
- GoDaddy domains doing just fine during pandemic, lays off hundreds anyway
- I was wrong, rejected “racist” web site didn’t go to Epik
- World’s most deluded new gTLD applicant makes coronavirus pitch
- Does ICANN have a race problem?
- As the world burns, ICANN gives its richest execs huge pay rises
- Web.com is kicking out a racist web site. How long before it winds up at Epik?
- Over 660,000 “coronavirus” domains registered
- Watch three members of the ICANN community get assassinated
- “Horrifying” Zoombombing attack on ICANN meeting, again
- Coronavirus is saving ICANN millions of your money, but will it use the cash wisely?
- Half as many women apply for ICANN leadership jobs
- ICANN decision to cancel Hamburg was NOT unanimous
- NamesCon goes virtual with intriguing 24-hour conference concept
- Virtual cocktails coming to ICANN meetings. Really.
- More dot-brands dump their gTLDs
- GoDaddy, PorkBun and Endurance win domain “blocking” court fight
- You won’t need a password for ICANN 68 after all
- Donuts rolls out free phishing attack protection for all registrants
- .black gTLD has seen boost since George Floyd killing
- ICANN confirms Hamburg cancellation
- Bored? Try the DI Fiendishly Difficult Domain Name Pub Quiz
- Three big registries will take down opioid domains for US govt
- Should Epik be banned from NamesCon as racism debate spills over into domain industry?
- ICANN board tries to redefine mediocrity — literally
- GoDaddy starts protecting American customers’ privacy
- Will ICANN swap Hamburg for Zoom for 69?
- Top-level reshuffle as ICANN loses its COO
- Amazon finally gets its dot-brands despite last-minute government plea
- South Africa might raise, or lower, some wholesale domain fees
- Verisign says its coronavirus fee waivers have saved businesses millions
- Industry growth driven by new gTLD(s) in Q1
- World’s youngest country launches its Nazi-risk TLD next week
- Is ICANN chickening out of Whois access role?
- Irony alert! Data protection agency complains it can’t get access to private Whois data
- ICANN dissenter explains why she wanted .org sale approved
- CSC removes reference to “retiring” new gTLD domain after retiring new gTLD domain
- Google launches .meet gTLD after Meet service goes free during lockdown
- Aussie ccTLD surges under coronavirus lockdown
- Spring Break redux! ICANN picks Cancun for 2023 meeting
- ICANN’s .org decision was NOT unanimous, and it was made in secret
- Donuts kicks down .place fences after attempt at innovation
- .org sale officially dead
- Afilias promotes .vote domains amid US vote-by-mail controversy
- After Zoom trolling, ICANN 68 will be password-protected
- Despite Brexit, .eu actually returned to growth in Q1
- ICANN whistleblower expects to be fired after alleging budget irregularities, bugged meetings
- Portugal ccTLD says growth better than expected during pandemic
- The .org deal may be dead and buried, but calls remain for PIR to lose its contract
- “Dangerous precedent” as ICANN rejects $1.13 billion .org buyout
- ICANN may scrap its $0.18 reg tax in coronavirus “solidarity”
- Domain industry likely to suffer from coronavirus as ICANN slashes budget by 8%
- Decision on .org deal may come sooner than you think
- ICANN meeting got “Zoombombed” with offensive material
- CentralNic does not expect big coronavirus impact as it posts almost-doubled revenue for 2019
- Verisign expects to sell fewer domains because of coronavirus
- Coronavirus lockdown is working out great for at least one registry
- Coronavirus could cause “high risk of widespread outages”, ICANN says
- Free domains registrar gets FOURTH breach notice
- Four more dot-brands join the gTLD deadpool
- As ICANN meets to decide .org’s fate, California AG says billion-dollar deal must be rejected
- Whois privacy talks in Bizarro World as governments and trademark owners urge coronavirus delay
- GoDaddy signs up 30 partners to lockdown-era marketing scheme
- Kuala Lumpur meeting cancelled and ICANN 68 could be even trickier online
- Five SAFE ways to buy and sell domains during the coronavirus pandemic
- To show new focus on registry, Uniregistry dumps “registry” from its brand. Um…
- No ICANN tax relief for Chinese registrars
SpamHaus ranks most-botted TLDs and registrars
Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, using statistics on botnet command and control centers released by SpamHaus this week.
SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.
It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.
The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.
Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.
Neither number includes compromised domains or free subdomains.
The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).
When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.
With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.
But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.
In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.
In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets. 
While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.
SpamHaus wrote:
While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.
However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.
The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.
Recent Comments