.xxx shows up in botnet top-five TLDs for the first time
It is a truth universally acknowledged that the cheaper a TLD, the more likely it is to be abused by bad actors, and that may be what happened to .xxx in the fourth quarter.
SpamHaus listed .xxx as its fourth most-abused TLD for botnet command and control domains in its newly published Q4 statistics, a new entry on the top 20 table that raised researchers’ eyebrows.
From zero, .xxx went up to 223 C&C domains in the period, sandwiched between .ga’s 143 and .xyz’s 396, SpamHaus said. That worked out to 2.4% of .xxx’s active domains, the company said.
.com was of course still the runaway leader, with 3,719 C&C domains. .top came in second, with 715 domains.
SpamHaus said:
We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.
It’s noteworthy because .xxx is not a cheap TLD. With wholesale prices around $60, they usually sell for around $100 a year. Botnet operators, like other types of malefactor, usually choose cheap domains for their activities.
But in 2021 .xxx was celebrating its 10th anniversary, and at least one company was offering names at a .com-equivalent $10 a year, starting in the middle of the year and extending into Q4.
While .xxx registry ICM is now owned by GoDaddy, it was still part of MMX at the time the pricing promotion began.
.com and NameSilo fingered as “most-abused” after numbers rocket
SpamHaus has revealed the most-abused TLDs and registrars in its second-quarter report on botnets.
The data shows huge growth in abuse at Verisign’s .com and the fast-growing NameSilo, which overtook Namecheap to top the registrar list for the first time.
Botnet command-and-control domains using .com grew by 166%, from 1,549 to 4,113, during the quarter, SpamHaus said.
At number two, .xyz saw 739 C&C domains, up 114%.
In the registrar league table, NameSilo topped the list for the first time, unseating Namecheap for the first time in years.
NameSilo had 1,797 C&C domains on its books, an “enormous” 594% increase. Namecheap’s number was 955 domains, up 52%.
Botnets are one type of “DNS abuse” that even registrars agree should be acted on at the registrar level.
The most-abused lists and lots of other botnet-related data can be found here.
AlpNames died months ago. Why is it still the “most-abused” registrar?
Despite going out of business, being terminated by ICANN, and losing all its domains several months ago, defunct AlpNames is still being listed as the world’s most-abused registrar by a leading spam-fighting organization.
SpamHaus currently ranks the Gibraltar-based company as #1 on its list of the “The 10 Most Abused Domain Registrars”, saying 98.7% of its domains are being used to send spam.
But AlpNames customers and regular DI readers will recall that AlpNames mysteriously went titsup in March, then got terminated by ICANN, then had its entire customer base migrated over to CentralNic in April.
So what’s this about?
I asked SpamHaus earlier this week, and it turns out that Whois query throttling is to blame.
It seems SpamHaus only pings Whois to update the registrar associated with a specific domain when the domain expires, or the name servers change, or where it’s a new registration with an unknown registrar.
I gather that when CentralNic took over AlpNames’ customer base, it did so with all the original name server information intact.
So, SpamHaus’ database still associates the domains with AlpNames even though it’s been out of business for the better part of a year.
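To show why that refresh rule goes stale, here is a small model of a registrar-attribution cache that only re-queries Whois on the three triggers described above (unknown domain, expiry, name-server change). It is a constructed illustration added here, not SpamHaus’s code; the domain, name servers and dates are made up, and the `revalidate` mitigation is an assumption of mine, not something the post describes.

```python
"""Model of a registrar-attribution cache that refreshes from Whois only on
the three triggers described in the post. Constructed illustration, not
SpamHaus's code."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Whois:
    registrar: str
    nameservers: tuple
    expires: date


class AttributionCache:
    def __init__(self, whois_source):
        self._whois = whois_source   # callable: domain -> Whois record
        self._cache = {}             # domain -> Whois as last fetched
        self.queries = 0             # how many Whois lookups we have made

    def registrar_for(self, domain, observed_ns, today):
        """Return the cached registrar, refreshing only if the domain is
        unknown, has expired, or its name servers differ from the cache."""
        entry = self._cache.get(domain)
        if entry is None or entry.expires < today or entry.nameservers != observed_ns:
            entry = self._whois(domain)
            self.queries += 1
            self._cache[domain] = entry
        return entry.registrar

    def revalidate(self, registrar):
        """Assumed mitigation (not in the post): force a Whois refresh of every
        domain still attributed to a registrar, e.g. one ICANN has terminated."""
        for domain, entry in list(self._cache.items()):
            if entry.registrar == registrar:
                self._cache[domain] = self._whois(domain)
                self.queries += 1


def demo(today=date(2019, 6, 1)):
    """Constructed scenario: a domain registered via AlpNames is bulk-migrated
    to CentralNic with name servers and expiry left intact."""
    domain = "example-one.loan"   # constructed, not a real domain
    db = {domain: Whois("AlpNames", ("ns1.alpnames.example",), date(2020, 1, 1))}
    cache = AttributionCache(lambda d: db[d])
    ns = db[domain].nameservers

    before = cache.registrar_for(domain, ns, today)   # fresh lookup: AlpNames
    db[domain] = Whois("CentralNic", ns, db[domain].expires)  # the migration
    stale = cache.registrar_for(domain, ns, today)    # no trigger fired: still AlpNames
    cache.revalidate("AlpNames")                      # forced refresh
    fixed = cache.registrar_for(domain, ns, today)    # now CentralNic
    return before, stale, fixed, cache.queries


if __name__ == "__main__":
    print(demo())
```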
A SpamHaus spokesperson said:
This is a very unusual situation, as a huge majority of the domains that contribute to the Top 10 list in question are created, abused, and burnt quickly; meaning a change of registrar is exceptionally rare. However, in the case of these particular domains registered with AlpNames we can only assume that the sheer volume of unused domains was too high for the owner to use in one single hit.
The actual number of “AlpNames” domains rated as spammy by SpamHaus is pretty low in absolute terms — 1,976 of the 2,002 domains it saw were rated as “bad”.
GMO, at #4 on the list, had over 40,000 “bad” domains, but a lower percentage given the larger number of total domains seen.
Spammy .loan makes Alibaba fastest-growing and fastest-shrinking registrar in June
Chinese registrar Alibaba was both the fastest-growing and fastest-shrinking registrar in June, purely due to its dalliance with hundreds of thousands of cheap .loan domain names.
Stats compiled by DI from the latest monthly registry reports show that Alibaba’s Singapore-based registrar — which has only been active for a year — grew its domains under management by 720,669 in June, almost four times as many as second-placed NameCheap.
The huge increase was due to Alibaba’s DUM in .loan doubling in June, going from 621,851 to 1,274,532. Another 50,000 extra domains came from .win.
Both .loan and .win are run by registry GRS Domains, the company that replaced Famous Four Media as manager of the Domain Venture Partners gTLD portfolio.
According to SpamHaus, .loan has a “badness” of just shy of 90%, based on a sample size of 45,000 observed domains. SpamHaus has .win at almost 39% bad.
GRS has promised to turn its portfolio around and cut off its deep-discounting promotions effective August 20. The June figures reflect a time when discounts were still in place.
The Singapore Alibaba had DUM of 1,771,730 at the end of June.
At the bottom end of the June league table was a second Alibaba accreditation, Beijing-based Alibaba Cloud Computing (aka HiChina or net.cn), which had a net DUM loss of 266,411, after seeing 345,268 deletes in .loan (along with 45,000 deletes in .xyz and 35,000 in .xin).
The second biggest loser was AlpNames, which is owned by the same people as Famous Four and deleted over 114,000 names in the month. The vast majority of these names were in FFM/GRS gTLDs, including .loan.
The main, earliest Alibaba accreditation, Alibaba Cloud Computing (Beijing), which has zero exposure to new gTLDs, grew by 69,794 domains to end June as the seventh fastest-growing registrar with DUM of 7,672,594.
As of a couple weeks ago, Alibaba has a fourth ICANN accreditation, Alibaba Cloud US LLC, but that obviously does not figure into the June numbers.
Here’s the top 10 registrars for June by DUM growth:
[Table: top 10 registrars for June by DUM growth — not reproduced here]
And the bottom 10:
[Table: bottom 10 registrars for June by DUM growth — not reproduced here]
You may notice that in both tables the net change column is not equal to the sum of adds and net transfers minus deletes. This is because, per ICANN contract, domains still in their five-day Add Grace Period are counted in DUM but not in adds, so many adds slip over into the following month.
.CLUB sees spam double after China promotion
.CLUB Domains has seen the amount of spam in .club double a month after seeing a huge registration spike prompted by a deep discount deal.
The registry saw its domains under management go up by about 200,000 names over a few days in early August, largely as a result of a promotion at Chinese registrar AliBaba.
AliBaba sold .club domains for CNY 3 ($0.44) during the promotion, helping it overtake GoDaddy as the top .club registrar.
At that time, spam tracker SpamHaus was reporting that 17.9% of the .club domains it was seeing in the wild were being used in spam.
Today, that number is 35.4%, almost double the August 7 level. SpamHaus does not publish the actual number of spammy domains for .club; that honor is only bestowed upon the top 10 “bad” TLDs.
Correlation does not equal causation, of course. There could be factors other than the AliBaba promotion that contributed to the increase, but I believe there’s probably a link here.
.CLUB chief marketing officer Jeff Sass told DI:
When registrars have domains “on sale”, there is always the chance that low-cost domains will be attractive to abusers. We monitor abuse proactively, and respond promptly to complaints, as well as monitor our registrar partners collectively and individually.
It’s almost certainly unfair of me to single out fluctuations in .club here, rather than take a comparative look at multiple TLDs. There are certainly many worse TLDs per SpamHaus’ statistics — .men leads among the gTLDs, with 87.2% spam.
But, given the industry truism that cheaper domains leads to more abuse, I think such a large increase correlating with such a successful promotion is a useful data point.
SpamHaus ranks most-botted TLDs and registrars
Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, according to statistics on botnet command and control centers released by SpamHaus this week.
SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.
It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.
The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.
Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.
Neither number includes compromised domains or free subdomains.
The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).
When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.
With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.
But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.
In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.
In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets.
While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.
SpamHaus wrote:
While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.
However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.
The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.
SpamHaus now publishing better TLD abuse data
SpamHaus has updated its “10 Most Abused Top Level Domains” list to provide a much more useful insight into abuse levels.
Rather than simply showing unexplained percentages of “badness” in each TLD, the spam-fighting organization’s daily report now exposes the hard numbers, in domain terms, underneath.
For example, on today’s list Famous Four Media’s .download is the most-abused TLD with 82% bad domains.
That percentage is based on SpamHaus categorizing 11,431 domains as abusive of the 13,945 .download domains that crossed its systems.
But the gTLD has 67,500 domains in its zone file, so the actual percentage of abusive domains could be as low as about 17%, much lower than SpamHaus’s 82%.
Whether you think the 82% metric is fair will depend on whether you think SpamHaus’s sample — about 20% of the full .download zone — is representative.
Some of the other TLDs on its list have even smaller sample sizes.
Minds + Machines’ .work is ranked #2 on the SpamHaus list with 73.3% badness, based on a SpamHaus-seen sample of 6,297 domains, something like 7% of the full .work zone.
Registries criticized SpamHaus for publishing misleading data when this list was first published in March, and I agreed with them.
Now that the group is publishing empirical data alongside its percentages, the conversation can shift to something along the lines of:
“Is it okay that at least 17% of .download domains are abusive?”
To which the answer I believe is a clear: “Hell, no.”
The SpamHaus daily report can be found here.
Schilling, Famous Four rubbish Spamhaus “worst TLD” league
Uniregistry and Famous Four Media have trashed claims by Spamhaus that their gTLDs are as much as 75% spam.
FFM says it is “appalled” by the “wholly inaccurate” claims, while Uniregistry boss Frank Schilling said Spamhaus has “totally jumped the shark here.”
In a statement to DI today, FFM chief legal officer Oliver Smith said the spam-fighting organization’s recently launched World’s Worst TLDs list is “reckless”, adding that the numbers are:
not only wholly inaccurate, but are misleading and, potentially, injurious to the reputation of Famous Four Media and those TLDs it manages. It is particularly worrisome that Spamhaus’s “findings” seem to have been taken as gospel within certain corners of the industry, despite not being proffered with any analytical methodology in support of the same.
The Spamhaus report, which is updated daily, presents the 10 TLDs that are more spam than not.
The rank is based on a percentage of domains seen by Spamhaus that Spamhaus considers to be “bad” — that is, are advertised in spam or carry malware.
Today, Uniregistry’s .diet tops the chart with “74.4% bad domains”, but the scores and ranks can and do shift significantly day by day.
Spamhaus describes its methodology like this:
This list shows the ratio of domains seen by the systems at Spamhaus versus the domains our systems profile as spamming or being used for botnet or malware abuse. This is also not a list that retains a long history, it is a one-month “snapshot” of our current view.
The words “seen by the systems at Spamhaus” are important. If a domain name never crosses Spamhaus’s systems, it isn’t counted as good or bad. The organization is not running the whole zone file against its block-list to check what the empirical numbers are.
In important ways, the Spamhaus report is similar to the discredited Blue Coat report into “shady” TLDs last September, which was challenged by myself and others.
However, in a blog post, Spamhaus said it believes its numbers are reflective of the TLDs as a whole:
In the last 18 years, Spamhaus has built its data gathering systems to have a view of most of the world’s domain traffic. We feel the numbers shown on this list are representative of the actual full totals.
I disagree.
In the case of .diet, for example, if 74% of the full 19,000-domain zone was being used in spam, that would equate to 14,000 “bad” domains.
But the .diet zone is dominated by domains owned by North Sound Names, the Frank Schilling vehicle through which Uniregistry markets its premium names.
NSN snapped up well over 13,000 .diet names at launch, and Schilling said today that NSN owns north of 70% of the .diet zone.
That would mean either Uniregistry is a spammer, or Spamhaus has no visibility into the NSN portfolio and its numbers are way the hell off.
“Spamhaus’ assertion that 74% of the registrations in the .diet space are spam is a numerical impossibility,” Schilling said. “They totally jumped the shark here.”
NSN’s domains don’t send mail, he said.
He added that diet-related products are quite likely to appear in spam, which may help account for Spamhaus’s systems identifying .diet emails as spam. He said:
Spamhaus is a high-minded organization and we applaud their efforts but this report is so factually inaccurate it casts into doubt the validity of everything they release. Spamhaus should be smarter than this and at a minimum consult with registries (our door is open) to gain a better understanding of the subject matter they wrongly profess to be expert in.
Similarly, FFM’s .review gTLD was briefly ranked last week as the “worst” gTLD at 75.1% badness. With 66,000 domains, that would mean almost 50,000 names are spammy.
Yet it appears that roughly 25,000 .review domains are long-tail geo names related to the hotels industry, registered by a Gibraltar company called A Domains Limited, which appears to be run by AlpNames, the registry with close ties to FFM itself.
Again, if Spamhaus’s numbers are accurate, that implies the registrar and/or registry are spamming links to content-free placeholder web sites.
FFM’s Smith says the registry has been using Spamhaus data as part of its internal Registry Abuse Monitoring tool, and that its own findings show significantly less spam. Referring to .review’s 75% score, he said:
This simply does not accord with FFM’s own research, which relies heavily on data made available by Spamhaus. The reality is that, in reviewing registration data for the period 8 February to 8 March 2016, only 4.8% of registered domains have been blacklisted by Spamhaus – further, it is questionable as to whether every single such listing is wholly merited. When reviewing equivalent data for the period of 1 January to 8 March 2016 across ALL FFM managed TLDs this rate averages out to a mere 3.2%.
I actually conducted my own research into the claims.
Between March 8 and March 15, I ran the whole .review zone file through the Spamhaus DBL and found 6.9% of the names were flagged as spam.
My methodology did not take account of the fact that Spamhaus retires domains from its DBL after they stop appearing in spam, so it doesn’t present a perfect apples-to-apples comparison with Spamhaus, which bases its scoring on 30 days of data.
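For anyone wanting to repeat that kind of zone-versus-DBL check, the script below (an added example, not the one used for the figures above) looks each domain up in the Spamhaus DBL the standard way, as an A query for `<domain>.dbl.spamhaus.org`, and reports the flagged share. The DNS resolver is injectable so the logic can run offline; the return codes are those in Spamhaus’s published DBL documentation, and the script deliberately keeps the DBL’s error codes (for example the one returned when you query through a public resolver) out of the “bad” count.

```python
"""Check a list of domains (e.g. a TLD zone file) against the Spamhaus DBL
and report the flagged share. Added example, not the author's script. The
resolver is injectable; the default uses the system resolver."""
import socket
from collections import Counter

DBL_ZONE = "dbl.spamhaus.org"

# Listing return codes per Spamhaus's published DBL documentation.
LISTED = {
    "127.0.1.2": "spam",
    "127.0.1.4": "phish",
    "127.0.1.5": "malware",
    "127.0.1.6": "botnet C&C",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
}
# Error codes: the query itself failed, so these must NOT count as listings.
ERRORS = {
    "127.0.1.255": "IP queries prohibited",
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def default_resolver(qname):
    """Return the A record for qname, or None on NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


def dbl_lookup(domain, resolver=default_resolver):
    """Classify one domain: 'clean', a listing category, or 'error: ...'."""
    code = resolver(f"{domain.rstrip('.')}.{DBL_ZONE}")
    if code is None:
        return "clean"
    if code in LISTED:
        return LISTED[code]
    if code in ERRORS:
        return f"error: {ERRORS[code]}"
    return f"error: unexpected code {code}"


def scan_zone(domains, resolver=default_resolver):
    """Return (counts, flagged_pct). flagged_pct = listed / successfully queried
    domains; errors are excluded from the denominator. This is a point-in-time
    snapshot: the DBL retires domains that stop appearing in spam, so it is not
    the same as Spamhaus's 30-day view."""
    counts = Counter(dbl_lookup(d, resolver) for d in domains)
    errors = sum(n for k, n in counts.items() if k.startswith("error"))
    queried = sum(counts.values()) - errors
    flagged = queried - counts["clean"]
    pct = round(100 * flagged / queried, 1) if queried else 0.0
    return counts, pct


if __name__ == "__main__":
    # Replace with the domains of a real zone file, one per line.
    print(scan_zone(["example.com", "example.net"]))
```

Run it against a zone file with a plain list of domains, and note that the DBL refuses bulk queries through public resolvers, which is exactly why the error codes are reported separately.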
All told, it seems Spamhaus is painting a much bleaker picture of the amount of abuse in new gTLDs than is perhaps warranted.
During ICANN meetings last week and in recent blog comments, current and former executives of rival registries seemed happy to characterize new gTLD spam as a Famous Four problem rather than an industry problem.
That, despite the fact that Uniregistry, Minds + Machines and GMO also feature prominently on Spamhaus’s list.
I would say it’s more of a low prices problem.
It’s certainly true that FFM and AlpNames are attracting spammers by selling domains for $0.25 wholesale or free at retail, and that their reputations will suffer as a result.
We saw it with Afilias and .info in the early part of the last decade, we’ve seen it with .tk this decade, and we’re seeing it again now.