Latest news of the domain name industry

Recent Posts

.xxx shows up in botnet top-five TLDs for the first time

Kevin Murphy, January 21, 2022, Domain Registries

It is a truth universally acknowledged that the cheaper a TLD, the more likely it is to be abused by bad actors, and that may be what happened to .xxx in the fourth quarter.

SpamHaus listed .xxx as its fourth most-abused TLD for botnet command and control domains in its newly published Q4 statistics, a new entry on the top 20 table that raised researchers’ eyebrows.

From zero, .xxx went up to 223 C&C domains in the period, sandwiched between .ga’s 143 and .xyz’s 396, SpamHaus said. It worked out to 2.4% of .xxx’s active domains, the compamny said.

.com was of course still the runaway leader, with 3,719 C&C domains. .top came in second, with 715 domains.

SpamHaus said:

We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.

It’s noteworthy because .xxx is not a cheap TLD. With wholesale prices around $60, they usually sell for around $100 a year. Botnet operators, like other types of malefactor, usually choose cheap domains for their activities.

But in 2021 .xxx was celebrating its 10th anniversary, and at least one company was offering names at a .com-equivalent $10 a year, starting in the middle of the year and extending into Q4.

While .xxx registry ICM is now owned by GoDaddy, it was still part of MMX at the time the pricing promotion began.

XYZ bosses agree to pay $1.5 million to settle Fed’s loan scam claims

Kevin Murphy, January 14, 2022, Domain Registries

Some of XYZ’s top executives have agreed to pay $1.5 million to settle a US Federal Trade Commission lawsuit alleging they “deceptively” harvested vast amounts of personal data on millions of people and sold it “indiscriminately” to third parties including potential scammers and identity thieves.

The FTC says that the execs, through a network of interlinked companies, deceptively collected loan applications through at least 200 web sites, promising to connect the applicant with verified lenders, but instead sold the personal data willy-nilly to the highest bidder through a lead-generation marketplace.

The data was bought by companies that in the vast majority of cases were not in the business of providing loans, the FTC said. The buyers were not checked out by the XYZ execs and exposed consumers to identity theft and fraud, it added.

The allegations cover activities starting in 2012 and carrying on until recently, the FTC said.

“[They] tricked millions of people into giving up sensitive financial information and then sold it to companies that were not making loans,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection said in a press release. “The company’s extraction and misuse of this data broke the law in several ways.”

“The FTC’s allegations were wholly without merit,” the defendants’ lawyer, Derek Newman, told DI in an email. “But litigation against the FTC is expensive and resource draining. For that reason, my clients chose to settle the case and move on with their business.”

“In fact, the FTC did not require any changes to my clients’ business practices that they had not already implemented before the case was filed,” he added.

The suit (pdf) named as defendants XYZ.com CEO Daniel Negari, COO Michael Abrose, business development manager Jason Ramin, and general counsel Grant Carpenter. Two other named defendants, Anisha Hancock and Sione Kaufusi, do not appear at first glance to be connected to the domains business.

The settlement (pdf) sees the defendants pay $1.5 million and agree to certain restrictions on their collection and use of data, but they did not admit or deny any liability.

The lead generation business was carried out via at least 17 named companies, including XYZ LLC (which appears to be a different company to the .xyz registry, XYZ.com LLC), Team.xyz LLC and Dev.xyz LLC. The FTC complaint groups them together under the name ITMedia.

Some of the companies are successors to Cyber2Media, the FTC said, a company that in 2011 had to settle a massive typosquatting lawsuit filed by Facebook.

Despite the personnel crossover, nothing in the complaint relates directly to the .xyz domains business, and the only domains listed in the complaint are some pretty nice .coms, including badcreditloans.com, personalloans.com, badcredit.com, fastmoney.com and cashadvance.com.

The complaint alleged deceptive representations and unfair distribution of sensitive information as well as violations of the Fair Credit Reporting Act. It reads:

In numerous instances, Defendants, through ITMedia’s actions, have shared and sold sensitive personal and financial information from consumers’ loan forms — including consumers’ full names, addresses, email addresses, phone numbers, birthdates, Social Security numbers, bank routing and account numbers, driver’s license and state identification numbers, income, status and place of employment, military status, homeownership status, and approximate credit scores—without consumers’ knowledge or consent and without regard for whether the recipients are lenders or otherwise had a legitimate need for the information.

Essentially, the complaint alleged that the defendants bullshitted consumers into handing over personal info thinking they were applying for a legitimate loan, when in fact the info was just being harvested for resale to sometimes dodgy buyers.

The complaint reads:

ITMedia’s practice of broadly disseminating consumer information, including to entities that share information with others whose identities and use of the information are unknown to ITMedia, exposes consumers to the risk of substantial harm from identity theft, imposter scams, unauthorized billing, phantom debt collection, and other misuse of the consumers’ information. Some consumers have complained that, shortly after submitting loan applications to ITMedia, they have received communications using the names of ITMedia websites to present sham loan offers or demands for repayment of counterfeit debt.

The $1.5 million settlement will be paid by “Individual Defendants and Corporate Defendants, jointly and severally”, according to court documents.

UPDATE: This article was updated shortly after publication with a statement from XYZ’s lawyer.

XYZ counting standard sales as “premiums” because its fees are so expensive

Kevin Murphy, November 19, 2021, Domain Registries

Portfolio gTLD registry XYZ appears to be counting regular sales of domains in certain TLDs as “premium” wins, because the base reg fee is so high.

The company said in a recent blog post that it sold over 270 “premium” names in October, but it added the following caveat:

Premium XYZ Registry domains refer to premium domains for extensions with standard and premium domains, and XYZ’s premium namespaces such as .Cars, .Storage, .Tickets, .Security, etc.

So if a name in a .com-equivalent priced TLD such as .xyz had been flagged as a premium by the registry and sold for a few thousands bucks, that counts as a premium sale, but any sale at all in .cars, where all domains cost a few thousand bucks regardless of the second-level string, also counts as a premium.

This reporting practice appears to bring in .security, .storage, .protection, .car, .auto, and .theatre, which all retail for four figures as standard. It also includes .tickets, where you won’t get much change out of a grand. It doesn’t include the fourth member of the cars family, .autos, where domains are priced as .com-equivalent.

I’m not sure how I feel about this.

You can’t accuse the registry of being misleading — it’s disclosing what it’s doing pretty prominently mid-post, not even reducing the font size.

And you can’t reasonably argue that a standard $3,000 .cars domain, which renews at $3,000 a year, for example, has less claim to the adjective “premium” than a domain in .hair that has a premium-tier EPP code selling for $3,000 but renewing at $20.

It just feels weird to see the word used in this way for what appears to be the first time.

Facebook rebrand: did one new gTLD or domainer just hit the jackpot?

Kevin Murphy, October 20, 2021, Domain Sales

Facebook is reportedly just days away from unveiling a major corporate rebranding, which will raise only one question in the minds of DI readers: what domain is it going to use?

Citing an unnamed source, The Verge is scooping that a name change is coming in the next week or so “to reflect its focus on building the metaverse”.

The article suggests that we’re looking at a new parent company, with a new umbrella brand, for services including Facebook, Instagram, WhatsApp and Oculus, along the same lines as Google’s reorganization under the Alphabet monicker a few years back.

You’ll recall that Alphabet famously chose abc.xyz as its domain, giving a huge early boost to marketing efforts at XYZ.com’s .xyz registry.

Could a different TLD registry get a similar leg-up from a new Facebook identity?

If the company has chosen a dictionary word for its brand, we’re looking at either something in a new gTLD, or a .com that would likely have to have been purchased from a domain investor.

If the domain has been bought on the secondary market, it almost certainly would have been acquired via a pseudonymous proxy, to avoid price gouging and to keep the name a secret.

Other options are that Facebook has come up with some fanciful neologism and bought the domain at reg price, or has selected a brand from a domain already in its portfolio.

The Verge expects a revelation by the company’s Connect conference October 28, but says it could come sooner.

.com and NameSilo fingered as “most-abused” after numbers rocket

SpamHaus has revealed the most-abused TLDs and registrars in its second-quarter report on botnets.

The data shows huge growth in abuse at Verisign’s .com and the fast-growing NameSilo, which overtook Namecheap to top the registrar list for the first time.

Botnet command-and-control domains using .com grew by 166%, from 1,549 to 4,113, during the quarter, SpamHaus said.

At number two, .xyz saw 739 C&C domains, up 114%.

In the registrar league table, NameSilo topped the list for the first time, unseating Namecheap for the first time in years.

NameSilo had 1,797 C&C domains on its books, an “enormous” 594% increase. Namecheap’s number was 955 domains, up 52%.

Botnets are one type of “DNS abuse” that even registrars agree should be acted on at the registrar level.

The most-abused lists and lots of other botnet-related data can be found here.

IWF finds 3,401 “commercial” child porn domains

Kevin Murphy, April 28, 2021, Domain Registries

The Internet Watch Foundation last year found child sexual abuse material on 3,401 domains that it says appeared to be commercial sites dedicated to distributing the illegal content.

The UK-based anti-CSAM group said in its annual report, published last week, that it found 5,590 domains containing such material in 2020, and 61% were “dedicated commercial sites… created solely for the purpose of profiting financially from the distribution of child sexual abuse material online.”

That’s a 13% increase in domains over 2019, the report says. It compares to 1,991 domains in 2015.

IWF took action on 153,369 URLs containing CSAM last year, the report says.

For example, the TLD with the most CSAM abuse is of course .com, with 90,879 offending URLs in 2020, 59% of the total. That compares to 69,353 or 52% in 2019.

But because those 90,000 URLs may include, for example, pages on image-hosting sites that use .com domains, the number of unique .com domains being abused will be substantially lower.

Same goes for the other TLDs on the top 10 list — .net, .ru, .nz, .fr, .org, .al, .to, .xyz and .pw.

.co, .cc and .me were on the 2019 list but not the 2019 list, being replaced by .al, .org and .pw.

The most disturbing part of the report, which is stated twice, is the alarming claim that some TLDs exist purely to commercially distribute CSAM:

We’ve also seen a number of new TLDs being created solely for the purpose of profiting financially from the distribution of child sexual abuse material online.

We first saw these new gTLDs being used by websites displaying child sexual abuse imagery in 2015. Many of these websites were dedicated to illegal imagery and the new gTLD had apparently been registered specifically for this purpose.

I can only assume that IWF is getting confused between a top-level domain and a second-level domain.

The alternative would be that the organization believes one or more TLD registries are purposefully catering primarily to commercial child pornographers, and for some reason it’s declining to do anything about it.

I’ve put in a request for clarification but not yet received a response.

IWF is funded by corporate donations from primarily technology companies. Pretty much every big domain registry is a donor. Verisign is a top-tier, £80,000+ donor. The others are all around the £5,000 to £10,000 mark.

UPDATE May 26: IWF has been in touch to clarify that it was in fact referring to SLDs, rather than TLDs, in its claims about dedicated commercial CSAM sites quoted above. It has corrected its report accordingly.

There’s one obvious pick for next year’s ICANN Community Excellence Award

Kevin Murphy, December 15, 2020, Domain Policy

ICANN has opened up nominations for its 2021 ICANN Community Excellence Award, and I don’t think it would be inappropriate of me to suggest that one likely nomination seems like a shoo-in: the late Marilyn Cade.

The award, now in its eighth year, is given to a community member who “deeply invested in consensus-based solutions and contributed substantively to the ICANN multistakeholder model”.

It’s judged by a cross-constituency panel of community leaders and awarded in June each year, using three criteria:

  • Demonstrated ability to work across community lines with both familiar and unfamiliar ICANN stakeholders with the aim of building consensus.
  • Facilitator of dialogue and open discussion in a fair and collegial manner, through the spirit of collaboration as shown through empathy, and demonstrating a sincere desire to engage with people from other backgrounds, cultures, and interests.
  • Demonstrated additional support for the ICANN multistakeholder model and its overall effectiveness through volunteer service via working groups or committees.

I believe Cade, who died last month at 73, fits easily into each of these.

She participated in ICANN’s formation in the late 1990s and participated in almost every public meeting since. She was a long-time member, and three-year chair, of the Business Constituency, and participated in several key volunteer working groups.

There’s a rather fascinating and lengthy audio interview with Cade, conducted by Ayden Férdeline shortly before her death, in which she discusses her involvement with the creation of ICANN, over here.

At the time of her death, ICANN CEO Göran Marby said: “Marilyn had strong views and opinions on many matters but always supported the multistakeholder model. She wanted people to be involved in ICANN and to maximize the potential of the Internet.”

While her views and positions may not have been universally loved, the hundreds of public tributes paid since her death reveal a consensus view that, regardless of competing affiliations, Cade was strongly active in community-building and mentoring new community members, particularly from underrepresented demographics.

It would not be the first time ICANN has given this award posthumously. In 2018, it was awarded to former GNSO Council chair Stéphane Van Gelder after his untimely death earlier that year.

It is of course easier to evaluate an individual’s contribution when their entire body of work is known.

From its inaugural 2014 round, the prize was known as the ICANN Ethos Award. The name was changed earlier this year, most probably to avoid alluding to the private equity firm Ethos Capital, which at the time was involved in a high-profile dispute with the org.

The winner will be announced at the ICANN 71 meeting, wherever that may be, next June.

.spa registry relocates to .xyz

Kevin Murphy, November 16, 2020, Domain Registries

Newly installed .spa registry Asia Spa and Wellness Promotion Council has started using a .xyz domain for its official registry web site.

The organization last week had its IANA records updated to change its “URL for registration services” from aswpc.org to dotspa.xyz.

It currently resolves to a placeholder “Coming Soon” page.

Choosing a TLD other than its own, which entered the DNS root in September, is pretty unusual.

Most new gTLD registries activate nic.example pretty quickly after delegation, even if they ultimately use a domain such as get.example or register.example for their primary marketing sites.

Activating nic.example is actually an obligation under ICANN contracts. ASWPC has registered that domain, but only whois.nic.spa currently resolves.

The dotspa.xyz domain was registered about a year ago, about a month after ASWPC’s former business partner, DotAsia, washed its hands of its stake in the TLD.

Both the .com and .org versions have been registered for well over a decade, so perhaps .xyz was picked as the default third-choice generic.

But that still doesn’t explain why a registry would select a domain outside its own TLD for its primary site.

Domain industry had best April ever under lockdown

Kevin Murphy, August 10, 2020, Domain Registries

The domain industry had its best April ever in terms of new domains sold in gTLDs, according to my tally, despite much of the Western world spending the month in coronavirus lockdown.

There were a total of 5,291,077 domain adds in April, across all 1,253 gTLDs currently filing transaction reports with ICANN.

That’s up almost 100,000 on the 5,191,880 adds in April 2019 and the best April since the first new gTLDs started coming into circulation in 2013.

[table id=60 /]

While a measly 100k jump may be less impressive than expected based on the enthusiastic descriptions of the lockdown bump coming from registries and registrars over the last few months, it makes a bit more sense when you factor out Chinese volume success story .icu.

.icu, currently the largest of the new gTLDs, was having a bit of a growth spurt at the start of 2019, and added 267,287 domains in April last year. That was down to 56,714 this April. The TLD has been declining for the last few months.

Looking at the TLDs that seem most obviously related to lockdown, the standout is .bar, which added 26,175 names this April, compared to just 151 a year ago.

It’s been well-reported that many restaurants and bars affected by coronavirus switched to online ordering and home delivery, and .bar appears to be a strong beneficiary of this trend.

.bar currently has more than 100,000 names in its zone file, roughly double its pre-lockdown level.

.com fared well, adding 3,382,029 domains this April, compared to 3,360,238 in the year-ago period.

But .xyz did better, relatively, adding 256,271 names, compared to 200,003 a year earlier.

Also noteworthy was .buzz, which has been performing very strongly over the last 12 months. It added 60,808 names this April, compared to just a few hundred.

This table shows the 20 gTLDs with the most adds in April 2020, with their April 2019 numbers for comparison.

[table id=61 /]

Industry growth driven by new gTLD(s) in Q1

The number of domain names registered worldwide increased by 4.5 million in the first quarter, a sequential growth of 1.2%, largely due to new gTLDs and one new gTLD in particular, judging by Verisign’s latest data.

According to the company’s latest Domain Name Industry Brief, ShortDot’s .icu grew by 1.6 million domains during the quarter.

That’s more than half the growth of the new gTLDs as a whole, which grew by three million names to close March at 32.3 million.

.icu is one of those inexplicable, faddy Chinese phenomena. Its top registrar, West.cn, is currently selling them for the equivalent of $0.70 for the first year.

It’s now the eighth-largest TLD of any type, sitting on the DNIB league table between .org and .nl.

Fellow Chinese favorite .top was responsible for about 300,000 extra domains, though it’s lost most of that growth post-quarter, if zone files are any guide.

.xyz also appears to have had a decent quarter, growing by a couple hundred thousand names.

Verisign’s own .com contributed an additional 1.9 million domains, ending Q1 at 147.3 million. Baby brother .net was basically flat at 13.4 million.

The ccTLD space continued the decline of the last few quarters, coming in down 200,000 names at 157.4 million. Annually, ccTLDs were up by 600,000 names, however.

Overall, there were 366.8 million domain registrations in the world at the end of Q1, an increase of 14.9 million or 4.2% compared to the same moment last year.