Latest news of the domain name industry

Recent Posts

Adware dominating popular new gTLD ranks

Kevin Murphy, March 11, 2015, Domain Registries

Afilias’ .kim has become the latest victim (beneficiary?) of adware, as robo-registrations boost the gTLD’s zone file and apparent popularity.

It’s the latest new gTLD, after .xyz and .country, to see its rankings soar after hundreds of gibberish, bulk-registered domains started being used to serve ads by potentially unwanted software.

.kim is today the 4th most-popular new gTLD, with 85 domains in the top 100,000 on the internet and 264 in the top one million.

A month ago, it had a rank of 223, with just 16 domains in the top one million.

The domain names involved — gems such as oatmealsmoke.kim, vegetableladybug.kim and tubhaircut.kim — have seen a boat-load of traffic and rocketing Alexa rank.

The reason for the boost seems to be a one-off bulk registration of about 1,000 meaningless .kim domain names in early February, which now appear to be being used to serve ads via adware.

In this chart (click to enlarge), we see .kim’s zone file growth since the start of 2015.

The spike on February 5, which represents over 1,000 names, is the date almost all of the .kim names with Alexa rank were first registered.

They all appear to be using Uniregistry as the registrar and its free privacy service to mask their Whois details.

These domains often do not resolve if you type them into your browser. They’re also using robots.txt to hide themselves from search engines.

But they’ve been leaving traces of their activity elsewhere on the web, strongly suggesting their involvement in adware campaigns.

It seems that the current (ab?)use of .kim domains is merely the latest in a series of possibly linked campaigns.

I noted in January that gibberish .country domains — at the time priced at just $1 at Uniregistry — were suddenly taking over from .xyz in the popularity charts.

The following three charts, captured from DI PRO’s TLD Health Check, show how the three TLDs’ Alexa popularity rose and fell during what I suspect were related adware campaigns..

First, .xyz, which was the first new gTLD to show evidence of having robo-registrations used in adware campaigns, saw its popularity spike at the end of 2014 and start of 2015:

Next, Minds + Machines’ .country, which saw its zone file spike by 1,500 names around January 6, starts to see its Alexa-ranked total rocket almost immediately.

.country peaks around February 9, just a few days after the .kim robo-registrations were made.

Finally, as .country’s use declines, .kim takes over. Its popularity has been growing day by day since around February 13.

I think what we’re looking at here is one shadowy outfit cycling through bulk-registered, throwaway domain names to serve ads via unwanted adware programs.

It seems possible that domains are retired when they become sufficiently blocked by security countermeasures, and other domains in other TLDs are then brought online to take over.

None of this necessarily reflects badly on any of the new gTLDs in question, or even new gTLDs as a whole, of course.

For starters, I’ve reason to believe that TLDs such as .eu and .biz have previously been targeted by the same people.

The “attacks”, for want of a better word, are only really noticeable because the new gTLDs being targeted are young and still quite small.

It takes much longer to build up genuine popularity for a newly launched web site than it does to merely redirect exist captive traffic to a newly registered domain.

What it may mean, however, is that .kim and .country are going to be in for statistically significant junk drops about a year from now, when the first-year registrations expire.

For .kim, 1,000 names is about 14% of its current zone file. For .country, it’s more like a quarter.

The daily-updated list of new gTLD domains with Alexa rank can be explored by DI PRO subscribers here. The charts in this post were all captured from the respective TLD’s page on TLD Health Check.

Pop-ups boost most-popular new gTLD domains, and it’s not just .xyz any more

Kevin Murphy, January 26, 2015, Domain Registries

The .xyz and .country gTLDs are currently dominating the league table of most-popular new gTLDs, but massive pop-up advertising campaigns using junk domains can account for the majority of their leading sites.

Today, Amazon’s Alexa site popularity tool sees 2,425 new gTLD domains in its top one million. Of those, 163 are in the top 50,000 sites.

But almost two thirds of those 163 domains appear to be throwaways that receive traffic not because they’re attracting visitors, but because they’re used to serve pop-up advertising, in some cases via adware.

The trend has been visible for a few months now, restricted almost exclusively to .xyz, but over the last two weeks .country has also started to be used in this way.

That’s interesting because, unlike .xyz, .country is not a low-cost gTLD. Go Daddy currently sells it for $39.95 per year.

(UPDATE: As Andrew points out in the comments, Uniregistry is selling .country names for $1 for the first year, which almost certainly explains the .country bump.)

Almost 100 of the top 163 new gTLD domains comprise two unrelated dictionary words put together to make something nonsensical.

Domains such as iciclecellar.country, laborervolcano.country, classkitten.country, sweepstakesglove.country, rewardmen.country, installationdesk.country have recently joined have joined the likes of vasegiraffe.xyz, cactusstew.xyz, bedcrow.xyz, notebookwrist.xyz, wishgrass.xyz, pencilkite.xyz and basketriver.xyz on this list.

As far as I can tell, they’re all registered via Uniregistry and using its free Whois privacy service to mask the identities of the registrants.

Visiting these domains in your browser will either result in an error — where I suspect the site is checking the referrer before deciding whether to show a page — or will send you on a merry redirect chain that terminates in an affiliate marketing sign-up page.

Some of the domains have been discussed in online forums as serving up pop-up ads, which would account for large amounts of traffic and high popularity.

Some have alleged that they’ve seen adware serve up ads from some of these domains.

Pop-up ads may be annoying, but they’re legal and — unlike spam and malware — not usually a violation of gTLD registries’ terms of service.

Whether benefiting from adware would leave a registrant in violation of a registrar or registry’s ToS is also a fuzzy area.

But for the new gTLD industry, which is currently in a mindshare-building mode, this kind of use does not make for great optics. If internet users see new gTLDs most often in an unwanted context, it could impair their trust in the new gTLD environment.