Latest news of the domain name industry

Recent Posts

SpamHaus ranks most-botted TLDs and registrars

Kevin Murphy, January 9, 2018, Domain Registrars

Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, using statistics on botnet command and control centers released by SpamHaus this week.

SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.

It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.

The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.

Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.

Neither number includes compromised domains or free subdomains.

The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).

When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.

With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.

But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.

In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.

In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets.

While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.

SpamHaus wrote:

While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.

However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.

The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.

Directi expects all 31 of its gTLDs to be contested

Directi has applied for 31 new top-level domains and expects all 31 of them to be contested, according to CEO Bhavin Turakhia.

The company has budgeted $30 million for its unashamedly mainstream portfolio of applications – which includes the likes of .web – but that’s not including what it expects to spend at auction.

“I expect there to be contention in all of them,” he said. “Whether they will end up going to auction… we’re completely open to strategic partnerships with other industry players who we believe can add value and join hands with us, based on merit. We’ll be evaluating this on a case by case basis.”

“Something like a .web, there’ll be enough competitors out there that it will certainly go to auction, no matter what,” he said, adding that he expects at least 10 rivals for .web.

Directi has applied for: .web, .shop, .bank, .law, .music, .news, .blog, .movie, .baby, .store, .doctor, .hotel, .play, .home .site, .website, .click, .online, .one, .ping, .space, .world, .press, .chat, .city, .deals, .insurance .loans, .app, .host, and .hosting.

The company is applying via its new business unit, Radix, using ARI Registry Services as its back-end registry provider.

Turakhia said he expects to use a traditional registry-registrar model for most of the domains, assuming Directi wins its contention sets.

“The strings that we have gone for are strings that are relevant to all registrars so we expect there to be significant adoption,” he said.

“If eNom were to apply for .web and .shop – and they probably will – and if they were to win those TLDs, then our registrar businesses would definitely carry them irrespective of the fact that we have our own TLDs,” he said. “There are only so many good viable strings out there.”

Most of Directi’s gTLDs, if approved, will be completely unrestricted.

For .movie, .law, .doctor and .bank there will be some tight restrictions, Turakhia said. (UPDATE: he later added that .insurance and .loans will also be restricted).

Some will also have additional rights protection mechanisms that go above and beyond what ICANN mandates in its standard registry contracts.

But none of its applications are “community” applications, the special category of application defined by ICANN.

Turakhia said he doesn’t think some of the applicants trying to “sneak through” as community applications will be successful.

“We’re treating these as all generic strings for anyone to register domains in,” he said. “.music for me does not represent a community. I could be a bathroom singer and want a .music domain name.”

“If you treat music lovers as a community then 100% of the world is part of that community.”