Latest news of the domain name industry

Recent Posts

SpamHaus now publishing better TLD abuse data

SpamHaus has updated its “10 Most Abused Top Level Domains” list to provide a much more useful insight into abuse levels.

Rather than simply showing unexplained percentages of “badness” in each TLD, the spam-fighting organization’s daily report now exposes the hard numbers, in domain terms, underneath.

For example, on today’s list Famous Four Media’s .download is the most-abused TLD with 82% bad domains.

That percentage is based on SpamHaus categorizing 11,431 domains as abusive of the 13,945 .download domains that crossed its systems.

But the gTLD has 67,500 domains in its zone file, so the actual percentage of abusive domains could be as low as about 17%, much lower than SpamHaus’s 82%.

Whether you think the 82% metric is fair will depend on whether you think SpamHaus’s sample — about 20% of the full .download zone — is representative.

Some of the other TLDs on its list have even smaller sample sizes.

Minds + Machines’ .work is ranked #2 on the SpamHaus list with 73.3% badness, based on a SpamHaus-seen sample of 6,297 domains, something like 7% of the full .work zone.

Registries criticized SpamHaus for publishing misleading data when this list was first published in March, and I agreed with them.

Now that the group is publishing empirical data alongside its percentages, the conversation can now shift to something along the lines of:

“Is it okay that at least 17% of .download domains are abusive?”

To which the answer I believe is a clear: “Hell, no.”

The SpamHaus daily report can be found here.

IWF finds child abuse imagery on new gTLD domains

Kevin Murphy, April 21, 2016, Domain Services

The Internet Watch Foundation said it found child abuse imagery on new gTLD domain names for the first time in 2015.

The UK-based organization, tasked with identifying and blocking child abuse imagery online, today released its 2015 annual report.

The report says that it found 68,092 unique URLs with this illegal content in the year, spread over 1,991 domains. It says:

Five top level domains (.com .net .ru .org .se) accounted for 91 per cent of all webpages identified as containing child sexual abuse images and videos.

However, it also says that child abuse was found on new gTLDs for the first time.

While the report doesn’t make much of this trend, it should be worrying.

The IWF said it took action on 436 new gTLD domains in 2015, many of which “appeared to have been registered specifically for that purpose”.

While new gTLD names appear to be responsible for a very small percentage of flagged URLs, they seem to be 21% of the total number of domains on which child abuse imagery was found.

This discrepancy may be explained by the fact that 78% of the total abuse URLs were found on free-to-use image hosting sites, probably concentrated in .com.

The IWF added that 138 of the new gTLD domains hosted “disguised” abuse sites. These are sites where illegal content is only shown when visitors arrive from a specific referrer link.

The IWF offers a “Domain Alerts” service to its members, which allows registries and registrars to quickly take down domains confirmed as containing illegal material.

Judging by its member list, not many domain name companies are members.

Members include Go Daddy, ICM Registry, .London Domains, Rightside, Afilias and Nominet.

Schilling, Famous Four rubbish Spamhaus “worst TLD” league

Kevin Murphy, March 17, 2016, Domain Registries

Uniregistry and Famous Four Media have trashed claims by Spamhaus that their gTLDs are are much as 75% spam.

FFM says it is “appalled” by the “wholly inaccurate” claims, while Uniregistry boss Frank Schilling said Spamhaus has “totally jumped the shark here.”

In a statement to DI today, FFM chief legal officer Oliver Smith said the spam-fighting organization’s recently launched World’s Worst TLDs list is “reckless”, adding that the numbers are:

not only wholly inaccurate, but are misleading and, potentially, injurious to the reputation of Famous Four Media and those TLDs it manages. It is particularly worrisome that Spamhaus’s “findings” seem to have been taken as gospel within certain corners of the industry, despite not being proffered with any analytical methodology in support of the same.

The Spamhaus report, which is updated daily, presents the 10 TLDs that are more spam than not.

The rank is based on a percentage of domains seen by Spamhaus that Spamhaus considers to be “bad” — that is, are advertised in spam or carry malware.

Today, Uniregistry’s .diet tops the chart with “74.4% bad domains”, but the scores and ranks can and do shift significantly day by day.

Spamhaus describes its methodology like this:

This list shows the ratio of domains seen by the systems at Spamhaus versus the domains our systems profile as spamming or being used for botnet or malware abuse. This is also not a list that retains a long history, it is a one-month “snapshot” of our current view.

The words “seen by the systems at Spamhaus” are important. If a domain name never crosses Spamhaus’s systems, it isn’t counted as good or bad. The organization is not running the whole zone file against its block-list to check what the empirical numbers are.

In important ways, the Spamhaus report is similar to the discredited Blue Coat report into “shady” TLDs last September, which was challenged by myself and others.

However, in a blog post, Spamhaus said it believes its numbers are reflective of the TLDs as a whole:

In the last 18-years, Spamhaus has built its data gathering systems to have a view of most of the world’s domain traffic. We feel the numbers shown on this list are representative of the actual full totals.

I disagree.

In the case of .diet, for example, if 74% of the full 19,000-domain zone was being used in spam, that would equate to 14,000 “bad” domains.

But the .diet zone is dominated by domains owned by North Sound Names, the Frank Schilling vehicle through which Uniregistry markets its premium names.

NSN snapped up well over 13,000 .diet names at launch, and Schilling said today that NSN owns north of 70% of the .diet zone.

That would mean either Uniregistry is a spammer, or Spamhaus has no visibility into the NSN portfolio and its numbers are way the hell off.

“Spamhaus’ assertion that 74% of the registrations in the .diet space are spam is a numerical impossibility,” Schilling said. “They totally jumped the shark here.”

NSN’s domains don’t send mail, he said.

He added that diet-related products are quite likely to appear in spam, which may help account for Spamhaus’s systems identifying .diet emails as spam. He said:

Spamhaus is a high-minded organization and we applaud their efforts but this report is so factually inaccurate it casts into doubt the validity of everything they release. Spamhaus should be smarter than this and at a minimum consult with registries (our door is open) to gain a better understanding of the subject matter they wrongly profess to be expert in.

Similarly, FFM’s .review gTLD was briefly ranked last week as the “worst” gTLD at 75.1% badness. With 66,000 domains, that would mean almost 50,000 names are spammy.

Yet it appears that roughly 25,000 .review domains are long-tail geo names related to the hotels industry, registered by a Gibraltar company called A Domains Limited, which appears to be run by AlpNames, the registry with close ties to FFM itself.

Again, if Spamhaus’s numbers are accurate, that implies the registrar and/or registry are spamming links to content-free placeholder web sites.

FFM’s Smith says the registry has been using Spamhaus data as part of its internal Registry Abuse Monitoring tool, and that its own findings show significantly less spam. Referring to .review’s 75% score, he said:

This simply does not accord with FFM’s own research, which relies heavily on data made available by Spamhaus. The reality is that, in reviewing registration data for the period 8 February to 8 March 2016, only 4.8% of registered domains have been blacklisted by Spamhaus – further, it is questionable as whether every single such listing is wholly merited. When reviewing equivalent data for the period of 1 January to 8 March 2016 across ALL FFM managed TLDs this rate averages out to a mere 3.2%.

I actually conducted my own research into the claims.

Between March 8 and March 15, I ran the whole .review zone file through the Spamhaus DBL and found 6.9% of the names were flagged as spam.

My methodology did not take account of the fact that Spamhaus retires domains from its DBL after they stop appearing in spam, so it doesn’t present a perfect apples-to-apples comparison with Spamhaus, which bases its scoring on 30 days of data.

All told, it seems Spamhaus is painting a much bleaker picture of the amount of abuse in new gTLDs than is perhaps warranted.

During ICANN meetings last week and in recent blog comments, current and former executives of rival registries seemed happy to characterize new gTLD spam as a Famous Four problem rather than an industry problem.

That, despite the fact that Uniregistry, Minds + Machines and GMO also feature prominently on Spamhaus’s list.

I would say it’s more of a low prices problem.

It’s certainly true that FFM and AlpNames are attracting spammers by selling domains for $0.25 wholesale or free at retail, and that their reputations will suffer as a result.

We saw it with Afilias and .info in the early part of the last decade, we’ve see it with .tk this decade, and we’re seeing it again now.

ICANN: we won’t force registrars to suspend domains

Kevin Murphy, October 2, 2015, Domain Registrars

In one of the ongoing battles between registrars and the intellectual property lobby, ICANN’s compliance department seems to have sided with the registrars, for now.

Registrars will not be forced to suspend domain names when people complain about abusive or illegal behavior on the associated web sites, according to chief contract compliance office Allen Grogan.

The decision will please registrars but will come as a blow to the likes of music and movie studios and those who fight to shut down dodgy internet pharmacies.

Grogan yesterday published his interpretation of the 2013 Registrar Accreditation Agreement, specifically the section (3.18) that obliges registrars to “investigate and respond appropriately” abuse reports.

The IP crowd take this to mean that if they submit an abuse report claiming, for example, that a web site sells medicines across borders without an appropriate license, the registrar should check out the site then turn off the domain.

Registrars, on the other hand, claim they’re in no position to make a judgment call about the legality of a site unless presented with a proper court order.

Grogan appears to have taken this view also, though he indicated that his work is not yet done. He wrote:

Sometimes a complaining party takes the position that that there is only one appropriate response to a report of abuse or illegal activity, namely to suspend or terminate the domain name registration. In the same circumstances, a registrar may take the position that it is not qualified to make a determination regarding whether the activity in question is illegal and that the registrar is unwilling to suspend or terminate the domain name registration absent an order from a court of competent jurisdiction. I am continuing to work toward finding ways to bridge these gaps.

It’s a testament to how little agreement there is on this issue that, when we asked Grogan back in June how long it would take to provide clarity, he estimated it would take “a few weeks”. Yet it’s still not fully resolved.

His blog post last night contains a seven-point checklist that abuse reporters must conform to in order to give registrars enough detail to with with.

They must, for example, be specific about who they are, where the allegedly abusive content can be found, whose rights are being infringed, and which laws are being broken in which jurisdiction.

It also contains a six-point checklist for how registrars must respond.

Registrars are only obliged to investigate the URL in question (unless they fear exposure to malware or child abuse material), inform the registrant about the complaint, and inform the reporter what, if anything, they’ve done to remediate the situation.

There’s no obligation to suspend domains, and registrars seem to have great leeway in how they treat the report.

In short, Grogan has interpreted RAA 3.18 in a way that does not seem to place any substantial additional burden on registrars.

He’s convening a roundtable discussion for the forthcoming ICANN meeting in Dublin with a view to getting registrars to agree to some non-binding “voluntary self-regulatory” best practices.

Afilias wins $10m judgment in Architelos “trade secrets” case

Kevin Murphy, August 25, 2015, Domain Services

Afilias has won a $10 million verdict against domain security startup Architelos, over claims its flagship NameSentry abuse monitoring service was created using stolen trade secrets.

A jury in Virginia today handed Afilias $5 million for “misappropriation of trade secrets”, $2.5 million for “conversion” and another $2.5 million for “civil conspiracy”.

The jury found (pdf) in favor of Architelos on claims of business conspiracy and tortious interference with contractual relations, however.

Ten million dollars is a hell of a lot of cash for Architelos, which reportedly said in court that it has only made $300,000 from NameSentry.

If that’s true, I seriously doubt the four-year-old, three-person company has even made $10 million in revenue to date, never mind having enough cash in the bank to cover the judgment.

“We’re disappointed in the jury’s verdict and we plan to address it in some post-trial motions,” CEO Alexa Raad told DI.

The lawsuit was filed in January, but it has not been widely reported on and I only found out about its existence today.

The original complaint (pdf) alleged that three Architelos employees/contractors, including CTO Michael Young, were previously employees or contractors of Afilias and worked on the company’s own abuse tools.

It claimed that these employees took trade secrets with them when they joined Architelos, and used them to build NameSentry, which enables TLD registries to monitor and remediate abuse in their zones.

Architelos denied the claims, saying in its March answer (pdf) that Afilias was simply trying to disrupt its business by casting doubt over the ownership of its IP.

That doubt has certainly been cast, though the jury verdict says nothing about transferring Architelos’ patents to Afilias.

The $5 million portion of the verdict deals with Afilias’ claim that Architelos misappropriated trade secrets — ie that Young and others took work they did for Afilias and used it to build a product that could compete with something Afilias had been building.

The other two counts that went against Architelos basically cover the same actions by Architelos employees.

The company may be able to get the amount of the judgment lowered in post-trial, or even get the jury verdict overturned, so it’s not necessarily curtains yet. But Architelos certainly has a mountain to climb.