David Goldstein - Abuse in gTLDs More Likely With Laxer Eligibility Rules and Lower Prices


    Abuse in the domain name system is a serious topic. Examples of abuse include spam, phishing, and malware distribution. To examine abuse in generic top-level domains (gTLDs), both legacy and new, ICANN commissioned a study to compare the rates of these activities. The study also used inferential statistical analysis to measure the effects of Domain Name System Security Extensions (DNSSEC), domain parking and registration restrictions on abuse rates, using historical data covering the first three full years of the New gTLD Program, from 2014 to 2016.

    The report, Statistical Analysis of DNS Abuse in gTLDs, made a number of key findings:

    • the number of "compromised" (i.e. "hacked") domains appears higher in legacy gTLDs
    • the number of "maliciously registered" domains (i.e. domains registered for malicious purposes) appears higher in new gTLDs
    • registration restrictions appear to have an impact on reducing abuse rates, with the more open new gTLDs having higher abuse counts
    • abuse counts—or absolute number of abused domains—show relatively constant and higher levels of abuse in legacy gTLDs and an upward trend of abuse in new gTLDs
    • with some exceptions and spikes, rates of phishing and malware domains in new gTLDs, which are based on an "abused domains per 10,000" ratio, tend to be lower than in legacy gTLDs. Phishing and malware trends in new and legacy gTLDs appear to be converging to similar levels by the end of 2016
    • privacy and proxy service-associated domains do not appear to correlate with abnormally high levels of abuse.

    The problem of abuse is not occurring in all of the new gTLDs. The report found that around a third of the new gTLDs available for public registration did not experience a single spam incident in the last quarter of 2016. But of those experiencing spam, Spamhaus blacklisted at least 10% of all registered domains in as many as 15 new gTLDs at the end of 2016.

    The report found higher concentrations of compromised domains in legacy gTLDs; however, miscreants frequently choose to maliciously register domain names using one of the new gTLDs. The registry operators of the most abused new gTLDs compete on price. The report found that the retail registration prices of these were occasionally below US$1 or even $0.50, which was lower than the registration fee for .com domains. The report was uncertain, though, whether pricing is the only factor driving high concentrations of maliciously registered domains.

    In its conclusion, the report suggests “that some new gTLDs have become a growing target for malicious actors. Competitive domain registration prices, unrestrictive registration practices, a variety of other registration options such as available payment methods, free services such as DNS or WHOIS privacy, and finally the increased availability of domain names decrease barriers to abuse and may make some new gTLDs targets for cybercriminals.”