.icu joins the million-domains club in one year, but spam triples

Another new gTLD has joined the exclusive list of those to enter seven figures in terms of domains under management.

.icu, managed by ShortDot, topped one million names this week, according to COO Kevin Kopas.

It’s taken about a month for DUM to increase from 900,000 names, and if zone files are any guide, half of that growth seems to have happened in the last week.

.icu domains currently sell for between $1 and $2 for the first year at the cheap end of the market, where most regs are concentrated, with renewals closer to the $10 mark.

The gTLD joins the likes of .club, .xyz, .site and .online to cross the seven-figure threshold.

When we reported on the 900,000-reg mark at the end of May, we noted that .icu had a SpamHaus “badness” rating of 6.4%, meaning that 6.4% of all the emails coming from .icu addresses that SpamHaus saw were classified as spam.

That score was roughly the same as .com, so pretty respectable.

But in the meantime, .icu’s badness score has almost tripled, to 17.4%, while .com’s has stayed about the same.

Picking through the Google search results and Alexa list for .icu domains, it appears that high-quality legit web sites are few and far between.

Whether that’s a fixable symptom of .icu’s rapid growth — it’s only about 13 months post-launch — or a predictor of poor long-term potential remains to be seen.

Rumors swirl as AlpNames suffers “days” of downtime

Kevin Murphy, March 12, 2019, Domain Registrars

The web site of controversial registrar AlpNames has been offline for “days”, and rumors have started to circulate that it might not be just a technical problem.

At time of writing, alpnames.com resolves to a Cloudflare error page, warning that the AlpNames web server has an invalid SSL certificate. Cloudflare may also show an ugly, bare-bones cached version of the site.

This means that AlpNames customers are unable to log in to manage their domains, according to threads on Namepros and Reddit, and conversations I’ve had with some of those affected.

It’s said that customers are able to manage their domains by logging in directly to LogicBoxes, AlpNames’ registrar-in-a-box provider, but I’ve been unable to personally verify this.

AlpNames is believed to have almost 700,000 names under management, double the size it was last June but well below its peak, at the height of its deep-discounting period in 2017, of over three million.

It’s not known how many individual registrants are affected. The company tends to attract what one might charitably call “bulk-buyers”, so it will be substantially lower than the number of registered domains.

It’s also not entirely clear when the web site went down. It’s not been loading here for at least 12 hours, but the first reference to downtime on Namepros was on Sunday. Multiple other sources have told me today that it’s been unavailable “for a few days”.

A separate AlpNames-owned web site focused on marketing .icu domains to the Chinese market is still online.

But it seems a lot of AlpNames customers have been left hanging in uncertainty, unsure how or when they will be able to manage their domains.

I’ve been unable to reach any of AlpNames’ senior executives for comment on the situation today.

An email sent to CEO Iain Roache this morning, at the address he was using in December, bounced back with a “disabled account” error message. I have received no response to messages I sent to two other email addresses he is known to use.

I understand that fellow AlpNames exec Geir Rasmussen who, with Roache, was enthusiastically pitching grand plans for AlpNames as recently as October, is no longer with the company.

Chief operating officer Damon Barnard also left the company last October and ceased work as a director around the same time.

Records show the salesperson due to represent AlpNames at this week’s ICANN 64 meeting in Japan did not show up and is believed to have also left the company in January.

The company’s Twitter and Facebook accounts, which are not usually particularly active anyway, have not yet addressed the downtime problem.

If it is simply a case of an expired or misconfigured SSL cert, why is it taking so long to fix, and why has there been radio silence from AlpNames?

Opponents and competitors are putting the word around that there may be a more serious problem with the company, but I’ve not seen any conclusive evidence that this is the case.

It’s possible there’s some confusion between AlpNames and Famous Four Media, the now-defunct Roache/Rasmussen venture that managed the portfolio of new gTLDs owned by Domain Venture Partners, an investment vehicle set up by Roache prior to ICANN’s 2012 gTLD application round.

DVP is no longer affiliated with AlpNames and its gTLDs are managed by a new DVP-controlled entity, GRS Domains, after an investor revolt.

Phishing still on the decline, despite Whois privacy

Kevin Murphy, March 5, 2019, Domain Policy

The number of detected phishing attacks almost halved last year, despite the fact that new Whois privacy rules have made it cheaper for attackers to hide their identities.

There were 138,328 attacks in the fourth quarter of 2018, according to the Anti-Phishing Working Group, down from 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1.

That’s a huge decline from the start of the year, which does not seem to have been slowed up by the introduction in May of the General Data Protection Regulation and ICANN’s Temp Spec, which together force the redaction of most personal data from public Whois records.

The findings could be used by privacy advocates to demonstrate that Whois redaction has not led to an increase in cybercrime, as their opponents had predicted.

But the data may be slightly misleading.

APWG notes that it can only count the attacks it can find, and that phishers are becoming increasingly sophisticated in how they attempt to avoid detection. The group said in a press release:

There is growing concern that the decline may be due to under-detection. The detection and documentation of some phishing URLs has been complicated by phishers obfuscating phishing URLs with techniques such as Web-spider deflection schemes – and by employing multiple redirects in spam-based phishing campaigns, which take users (and automated detectors) from an email lure through multiple URLs on multiple domains before depositing the potential victim at the actual phishing site.

It also speculates that criminals once involved in phishing may have moved on to “more specialized and lucrative forms of e-crime”.

The Q4 report (pdf) also breaks down phishing attacks by TLD, though comparisons here are difficult because APWG doesn’t always release this data.

The group found .com to still have the most phishing domains — 2,098 of the 4,485 unique domains used in attacks, or about 47%. According to Verisign’s own data, .com only has 40% market share of total registered domains.

But new, 2012-round gTLDs had phishing levels below their market share — 4.95% of phishing on a 6.83% share. This is actually up compared to the 3% recorded by APWG in Q3 2017, the most recent available data I could find.

Only two of the top 20 most-abused TLDs were new gTLDs — .xyz and .online, which had just 70 attack domains between them. That’s good news for .xyz, which in its early days saw 10 times as much phishing abuse.

After .com, the most-abused TLD was .pw, the ccTLD for Palau run by Radix as an unrestricted pseudo-gTLD. It had 374 attack domains in Q4, APWG said.

Other ccTLDs with relatively high numbers included several African zones run as freebies by Freenom, as well as the United Kingdom’s .uk and Brazil’s .br.

Phishing is only one form of cybercrime, of course, and ICANN’s own data shows that when you take into account spam, new gTLDs are actually hugely over-represented.

According to ICANN’s inaugural Domain Abuse Activity Reporting report (pdf), which covers January, over half of cybercrime domains are in the new gTLDs.

That’s almost entirely due to spam. One in 10 of the threats ICANN analyzed were spam, as identified by the likes of SpamHaus and SURBL. DAAR does not include ccTLD data.

The takeaway here appears to be that spammers love new gTLDs, but phishers are far less keen.

ICANN did not break down which gTLDs were the biggest offenders, but it did say that 52% of threats found in new gTLDs were found in just 10 new gTLDs.

This reluctance to name and shame the worst offenders prompted one APWG director, former ICANN senior security technologist Dave Piscitello, to harshly criticize his former employer in a personal blog post last month.

Spammy .loan makes Alibaba fastest-growing and fastest-shrinking registrar in June

Kevin Murphy, October 5, 2018, Domain Registrars

Chinese registrar Alibaba was both the fastest-growing and fastest-shrinking registrar in June, purely due to its dalliance with hundreds of thousands of cheap .loan domain names.

Stats compiled by DI from the latest monthly registry reports show that Alibaba’s Singapore-based registrar — which has only been active for a year — grew its domains under management by 720,669 in June, almost four times as many as second-placed NameCheap.

The huge increase was due to Alibaba’s DUM in .loan doubling in June, going from 621,851 to 1,274,532. Another 50,000 extra domains came from .win.

Both .loan and .win are run by registry GRS Domains, the company that replaced Famous Four Media as manager of the Domain Venture Partners gTLD portfolio.

According to SpamHaus, .loan has a “badness” of just shy of 90%, based on a sample size of 45,000 observed domains. SpamHaus has .win at almost 39% bad.

GRS has promised to turn its portfolio around and cut off its deep-discounting promotions effective August 20. The June figures reflect a time when discounts were still in place.

The Singapore Alibaba had DUM of 1,771,730 at the end of June.

At the bottom end of the June league table was a second Alibaba accreditation, Beijing-based Alibaba Cloud Computing (aka HiChina or net.cn), which had a net DUM loss of 266,411, after seeing 345,268 deletes in .loan (along with 45,000 deletes in .xyz and 35,000 in .xin).

The second biggest loser was AlpNames, which is owned by the same people as Famous Four and which deleted over 114,000 names in the month. The vast majority of these names were in FFM/GRS gTLDs, including .loan.

The main, earliest Alibaba accreditation, Alibaba Cloud Computing (Beijing), which has zero exposure to new gTLDs, grew by 69,794 domains to end June as the seventh fastest-growing registrar with DUM of 7,672,594.

As of a couple weeks ago, Alibaba has a fourth ICANN accreditation, Alibaba Cloud US LLC, but that obviously does not figure into the June numbers.

Here’s the top 10 registrars for June by DUM growth:

| Registrar (IANA ID) | DUM | Transfers In | Transfers Out | Net Transfers | Adds | Deletes | Change |
|---|---|---|---|---|---|---|---|
| Alibaba.com Singapore E-commerce Private Ltd (3775) | 1771730 | 2300 | 17 | 2283 | 394163 | 45 | 720669 |
| NameCheap, Inc. (1068) | 8624433 | 22140 | 8916 | 13224 | 418008 | 253219 | 187827 |
| GoDaddy.com, LLC (146) | 59208467 | 70379 | 68931 | 1448 | 1131439 | 951837 | 153910 |
| NameSilo, LLC (1479) | 1670604 | 14427 | 6041 | 8386 | 136539 | 32107 | 111151 |
| Xin Net Technology Corporation (120) | 2623709 | 4127 | 5041 | -914 | 153154 | 66679 | 102744 |
| Google LLC (895) | 2313780 | 10763 | 1691 | 9072 | 125319 | 49440 | 79148 |
| Alibaba Cloud Computing (Beijing) Co., Ltd. (420) | 7672594 | 19078 | 11732 | 7346 | 220805 | 155258 | 69794 |
| Network Solutions, LLC (2) | 7084375 | 52854 | 14300 | 38554 | 122438 | 110628 | 53712 |
| GMO Internet, Inc. d/b/a Onamae.com (49) | 4705128 | 3043 | 2091 | 952 | 146259 | 174946 | 44668 |
| TLD Registrar Solutions Ltd. (1564) | 121868 | 86 | 858 | -772 | 39315 | 2325 | 35877 |

And the bottom 10:

| Registrar (IANA ID) | DUM | Transfers In | Transfers Out | Net Transfers | Adds | Deletes | Change |
|---|---|---|---|---|---|---|---|
| Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn) (1599) | 4468451 | 1619 | 289 | 1330 | 202094 | 509820 | -266411 |
| Alpnames Limited (1857) | 361302 | 716 | 53 | 663 | 14273 | 114254 | -112825 |
| Chengdu West Dimension Digital Technology Co., Ltd. (1556) | 2270000 | 4227 | 1945 | 2282 | 148101 | 269286 | -94937 |
| Bizcn.com, Inc. (471) | 920243 | 120 | 3336 | -3216 | 6036 | 63268 | -69862 |
| eNom, LLC (48) | 6824378 | 9153 | 28741 | -19588 | 75665 | 101336 | -52205 |
| Domain.com, LLC (886) | 1974927 | 1534 | 8827 | -7293 | 23619 | 58695 | -37594 |
| Todaynic.com, Inc. (697) | 136527 | 75 | 154 | -79 | 1385 | 27795 | -26771 |
| Register.com, Inc. (9) | 1976254 | 1295 | 3484 | -2189 | 19187 | 37626 | -26231 |
| Wild West Domains, LLC (440) | 3000784 | 3477 | 7346 | -3869 | 31015 | 46045 | -18883 |
| Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA (106) | 1579683 | 1314 | 3803 | -2489 | 11838 | 28246 | -16839 |

You may notice that in both tables the net change column is not equal to the sum of adds and net transfers minus deletes. This is because, per ICANN contract, domains still in their five-day Add Grace Period are counted in DUM but not in adds, so many adds slip over into the following month.

.CLUB sees spam double after China promotion

Kevin Murphy, September 11, 2018, Domain Registries

.CLUB Domains has seen the amount of spam in .club double a month after seeing a huge registration spike prompted by a deep discount deal.

The registry saw its domains under management go up by about 200,000 names over a few days in early August, largely as a result of a promotion at Chinese registrar AliBaba.

AliBaba sold .club domains for CNY 3 ($0.44) during the promotion, helping it overtake GoDaddy as the top .club registrar.

At that time, spam tracker SpamHaus was reporting that 17.9% of the .club domains it was seeing in the wild were being used in spam.

Today, that number is 35.4%, almost double the August 7 level. SpamHaus does not publish the actual number of spammy domains for .club; that honor is only bestowed upon the top 10 “bad” TLDs.

Correlation does not equal causation, of course. There could be factors other than the AliBaba promotion that contributed to the increase, but I believe there’s probably a link here.

.CLUB chief marketing officer Jeff Sass told DI:

When registrars have domains “on sale”, there is always the chance that low-cost domains will be attractive to abusers. We monitor abuse proactively, and respond promptly to complaints, as well as monitor our registrar partners collectively and individually.

It’s almost certainly unfair of me to single out fluctuations in .club here, rather than take a comparative look at multiple TLDs. There are certainly many worse TLDs per SpamHaus’ statistics — .men leads among the gTLDs, with 87.2% spam.

But, given the industry truism that cheaper domains lead to more abuse, I think such a large increase correlating with such a successful promotion is a useful data point.