Latest news of the domain name industry

Recent Posts

SpamHaus ranks most-botted TLDs and registrars

Kevin Murphy, January 9, 2018, Domain Registrars

Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, using statistics on botnet command and control centers released by SpamHaus this week.

SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.

It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.

The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.

Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.

Neither number includes compromised domains or free subdomains.

The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).

When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.

With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.

But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.

In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.

In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets.

While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.

SpamHaus wrote:

While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.

However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.

The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.

Namecheap to bring millions of domains in-house next week

Kevin Murphy, January 5, 2018, Domain Registrars

Namecheap is finally bringing its customer base over to its own ICANN accreditation.

The registrar will next week accept transfer of an estimated 3.2 million .com and .net domains from Enom, following a court ruling forcing Enom owner Tucows to let go of the names.

The migration will happen from January 8 to January 12, Namecheap said in a blog post today.

Namecheap is one of the largest registrars in the industry, but historically it mostly acted as an Enom reseller. Every domain it sold showed up in official reports as an Enom sale.

While it’s been using its own ICANN accreditation to sell gTLD names since around 2015 — and has around four million names on its own credentials — it still had a substantial portion of its customer base on the Enom ticker.

After the two companies’ arrangement came to an end, and Enom was acquired by Tucows, Namecheap decided to also consolidate its .com/.net names under its own accreditation.

After Tucows balked at a bulk transfer, Namecheap sued, and a court ruled in December that Tucows must consent to the transfer.

Now, Namecheap says all .com and .net names registered before January 2017 or transferred in before November 2017 will be migrated.

There may be some downtime as the transition goes through, the company warned.

Aussie registrar guilty of $6 million slamming campaign

Kevin Murphy, January 4, 2018, Domain Registrars

Domain seller Domain Register Pty Ltd has reportedly been found guilty of scamming thousands of Australians out of a total of $6 million with bogus domain renewal notices.

The Herald Sun reports today that a Federal court ruled that the company’s sales tactics were “misleading or deceptive, or likely to mislead or deceive in breach of state and federal laws”.

The company, at one time a TPP Wholesale reseller but apparently never ICANN-accredited itself, was notorious for being a leading Aussie practitioner of the old “domain slamming” scam popularized by the Brandon Gray gang through fronts such as Domain Registry of America.

It sent paper invoices that appeared to the casual reader to be renewal notices for .com.au names, but were in fact solicitations to buy matching .com names for an outrageous $249 ($195) per year.

So convincing were the notices that the hit rate was one out of every 14 organizations targeted, the Herald Sun reported. Over 21,000 suckers in total.

According to the newspaper, the court was told that Domain Register made AUD 7.7 million ($6 million) from 31,000 registrations and renewals from January 1, 2011, to May 30, 2014.

The lawsuit was filed by Australian state government watchdog Consumer Affairs Victoria a year ago, but the domain industry was warning punters about the scam as far back as 2011.

Domain Register’s punishment has yet to be determined, but the agency had been seeking refunds for victims along with punitive penalties.

Brazil loses its only registrar as UOL bows out

Kevin Murphy, December 1, 2017, Domain Registrars

There are now no ICANN-accredited registrars in Brazil, following the termination of Universo Online’s contract this week.

I understand the agreement was ended at UOL’s request. It’s not a case of it breaching its contract.

UOL is a big deal in Brazil, getting beaten in the eyeballs stakes only by the likes of Google and Facebook, but as a registrar it wasn’t in the top 100 globally.

It had a little over 100,000 gTLD domains under management at the last count, with a peak over the last five years of roughly 200,000

I hear that these remaining domains will be transferred to Tucows’ accreditation.

Brazil has had at least four registrars, including UOL, over the years.

Countries roughly the same size as Brazil by population (over 200 million) include Nigeria and Pakistan, each of which still have one active registrar.

There are 10 contracted registries, managing nine 2012-round new gTLDs, in Brazil.

GoDaddy renewal revamp “unrelated” to domainer auction outrage

Kevin Murphy, November 21, 2017, Domain Registrars

GoDaddy has made some big changes to how it handles expired domain names, but denied the changes are related to domainer outrage today about “fake” auctions.

The market-leading registrar today said that it has reduced the period post-expiration during which registrants can recover their names from 42 days to 30. After day 30, registrants will no longer be able to renew or transfer affected names.

GoDaddy is also going to start cutting off customers’ MX records five days after expiry. This way, if they’re only using their domain for email, they will notice the interruption. Previously, the company did not cut off MX records.

The changes were first reported at DomainInvesting.com and subsequently confirmed by a GoDaddy spokesperson.

One impact of this will be to reduce confusion when GoDaddy puts expired domains up for auction when it’s still possible for the original registrant reclaim them, which has been the cause of complaints from prominent domain investors this week.

As DomaingGang reported yesterday, self-proclaimed “Domain King” Rick Schwartz bought the domain GoDaddyBlows.com in order to register his disgust with the practice.

Konstantinos Zournas of OnlineDomain followed up with a critique of his own today.

But the GoDaddy spokesperson denied the changes are being made in response to this week’s flak.

“This is unrelated to any events in the aftermarket,” he said. “We’ve been working on this policy for more than a year.”

He said the changes are a case of GoDaddy “optimizing our systems and processes”. The company ran an audit of when customers were renewing and found that fewer than 1% of names were renewed between days 30 and 42 following expiration, he said.

GoDaddy renews about 2.5 million domains per month in just the gTLDs it carries, according to my records, so a full 1% would equal roughly 25,000 names per month or 300,000 per year. But the company spokesperson said the actual number “quite a bit less” than that.

How many of these renewals are genuinely forgetful registrants and how many are people attempting to exploit the auction system is not known.

The changes will come into effect December 4. The news broke today because GoDaddy has started notifying its high-volume customers.