August 2018

Can Global Registry Services clean up the spammiest neighborhoods in the DNS?

Domain Incite reports that Famous Four Media’s portfolio of top-level domains is now under the control of Global Registry Services Ltd. The new company has promised to "abandon its failed penny-domain strategy and crack down on spam".

Time will tell whether new ownership cleans up arguably the spammiest neighborhoods in the DNS.

Famous Four's portfolio includes .loan, .win, .men, .bid, .stream, .review, .trade, .date, .party, .download, .science, .racing, .accountant, .faith, .webcam and .cricket. Historically, nearly all of these have at some point been egregiously spammy.

How spammy?

Check SURBL's Most Abused TLD list: .date, .loan, .men, .review, .stream and .trade currently have large numbers of abuse domains. Raw counts of abuse domains are interesting, but they don't reveal the truly extraordinary density of abuse in several of Famous Four's TLDs; for example, .com is several orders of magnitude larger than .men, yet .men has the second highest abuse domain count.


To truly appreciate how spammy .men and other Famous Four TLDs are, check the TLD badness index and abuse percentages on the Spamhaus Top Ten Worst page: nearly all of Famous Four's portfolio has an extraordinarily high badness index and percentage of abuse domains. Famous Four TLDs are routinely among the worst of the worst in today's reporting:

.men (75%)
.date (60%)
.racing (53%)
.accountant (49%)
.loan (44%)
.review (37%)
.trade (32%)
.bid (29%)
.download (32%)
.party (27%) 
.faith (26%)
.stream (20%)
.cricket (23%)
.webcam (20%)
.science (18%)
.win (17%)

Compare these to .com at 4.7% and realize that a domain registered in a Famous Four TLD is three to fifteen times more likely to be associated with spam than a domain registered in .com.

In my post, Spam: the security threat you easily forget, I explain that many security threats are delivered using spam. Given these percentages, it's hard not to recommend that organizations simply block at least these top-level domains in their entirety to mitigate a variety of threats. 

While at ICANN, I had the opportunity to track Famous Four TLDs since 2014. The full extent and persistence of abuse among these TLDs will be exposed when ICANN publishes reports from the Domain Abuse Activity Reporting system (DAAR).

DAAR maintains not only daily historical abuse domain counts, but cumulative abuse domain counts over 365 days (see the DAAR methodology white paper for details). The cumulative counts are even more damning.

DAAR also associates abuse domains to sponsoring registrars. This association has long been hampered for the DAAR and other systems by registrars that rate limit Whois queries, a practice that is ironically promoted as protecting registrars' customers from spammers. ICANN's own SSAC has conducted tests to assess the impact of rate limiting and in a report observed that "At the rate-limits currently being imposed in the industry, most users... can only observe a fraction of the activity taking place in many TLDs and registrar portfolios. This prevents security practitioners from finding and monitoring abusive domains."

Despite the challenges that rate limiting poses, the truth will out. Sampling rather than full census studies can easily reveal that a handful of registrars account for nearly all of the spam domains in the new top-level domain registries. You can easily test this yourself with simple scripts:

  • Obtain a Famous Four TLD zone file from ICANN's Centralized Zone Data Service, CZDS.
  • Strip the registered domains from the zone data. 
  • Query the Spamhaus Domain Block List (DBL) for each domain.
  • For all domains that are reported on the DBL, query Whois for the sponsoring registrar. Patience is required, as rate limiting will interfere with this positive use of Whois.
  • Count the abuse domains per registrar.
  • Calculate the percentage of abuse domains per registrar.
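
The steps above as a Python sketch, added here as an illustration and not the author's own script. It assumes zone lines in "owner ttl class type rdata" form, reads "percentage" as each registrar's share of all DBL-listed domains, and takes a caller-supplied `whois_lookup` callable (hypothetical, like the other function names) that returns raw Whois text for a domain.

```python
import socket
import time
from collections import Counter

def registered_domains(zone_text, tld):
    """Delegated names: owners of NS records directly under the TLD."""
    suffix = "." + tld.lower().strip(".")
    names = set()
    for line in zone_text.lower().splitlines():
        fields = line.split()  # owner, ttl, class, type, rdata
        if len(fields) < 5 or fields[3] != "ns":
            continue  # skips comments, glue A/AAAA records, DNSSEC records
        owner = fields[0].rstrip(".")
        if owner.endswith(suffix) and owner.count(".") == 1:
            names.add(owner)
    return names

def dbl_listed(domain, resolve=socket.gethostbyname):
    """DBL answers 127.0.1.x for listed names, NXDOMAIN for unlisted ones."""
    try:
        answer = resolve(domain + ".dbl.spamhaus.org")
    except socket.gaierror:  # NXDOMAIN (or a resolver failure): treat as unlisted
        return False
    if answer.startswith("127.255.255."):  # DBL error code, not a listing
        raise RuntimeError("DBL query error: " + answer)
    return answer.startswith("127.0.1.")

def parse_registrar(whois_text):
    """Sponsoring registrar from the registrar line of a Whois response."""
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("registrar", "sponsoring registrar") and value.strip():
            return value.strip()
    return "UNKNOWN"

def abuse_by_registrar(zone_text, tld, whois_lookup, resolve=socket.gethostbyname, delay=0.0):
    """Map registrar -> (listed domains, percent of all listed domains)."""
    counts = Counter()
    for domain in sorted(registered_domains(zone_text, tld)):
        if dbl_listed(domain, resolve):
            counts[parse_registrar(whois_lookup(domain))] += 1
            time.sleep(delay)  # pace Whois queries under the rate limit
    total = sum(counts.values())
    return {r: (n, round(100.0 * n / total, 1)) for r, n in counts.most_common()}

# Constructed sample zone (made-up names), in "owner ttl class type rdata" form.
SAMPLE_ZONE = (
    "men. 172800 in ns ns.registry.example.\n"
    "alpha.men. 3600 in ns ns1.alpha.men.\nns1.alpha.men. 3600 in a 192.0.2.1\n"
    "bravo.men. 3600 in ns ns1.example.net.\ncarol.men. 3600 in ns ns1.example.net.\n"
    "delta.men. 3600 in ns ns2.example.net.\n")
```

For a real run, pass a `whois_lookup` that queries the registry's Whois server and a `delay` that suits its rate limit; a DBL error code raises instead of silently undercounting listings.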

I strongly encourage Global Registry Services Ltd. to conduct this or a similar exercise. One registrar will stand out among all others as the sponsor to an extraordinary percent of abuse domains registered under Famous Four TLDs.

If the new ownership truly wants to eliminate the "penny-domain strategy", I further encourage them to investigate this registrar's practice of discounting registrations by up to 90%. Lastly, look at this registrar's bulk registration practices. These are the kinds of business activities that are necessary to morph from spam haven to a reputable, successful registry.