Architelos.com issued a report today on the state of domain name abuse in the new generic top-level domain (gTLD) space in 2014, the first full year in which many new gTLDs were launched and operated.
This report focuses on the detection of domain abuse (spam, phishing, malware) as monitored by the Architelos NameSentry℠ service, and not the efficacy of their abuse mitigation efforts. Architelos.com is the developer of the NameSentry system, which continuously monitors the entire Internet (legacy gTLDs, IDNs, ccTLDs and new gTLDs), and this report presents market statistics based upon that information.
Here are the findings:
- As of the end of 2014, new gTLDs had approximately 1/4 the level of abuse found in established or legacy gTLDs.
- New gTLDs, as a whole, have not resulted in disproportionate levels of abuse when compared to legacy gTLDs.
- In 2014, 157 new gTLDs had one or more abusive domains on block lists, which represents roughly 50% of all new gTLDs launched in 2014.
- The first abusive domain was a spam domain, detected in February 2014.
- The first phishing domain was detected in May 2014.
- The first malware domain was detected in September 2014.
- New gTLD domains listed for abuse grew 600% in the fourth quarter of 2014.
Architelos says that approximately 50% of all new gTLDs have had one or more domains listed for abuse, with 99% being spam.
The sequence of abuse follows an expected pattern where spam is the first to enter, followed by phishing and malware later once the TLDs are more established.
Abusive domains were being registered slowly across approximately 20-25% of TLDs in general availability for the first six months of 2014.
However, in August the number of gTLDs having domains listed for abuse increased significantly, from 50 to over 100, resulting in over 50% of gTLDs in General Availability having a domain listed for abuse in NameSentry.
The 50% level of abuse penetration has remained fairly constant through the fourth quarter of 2014.
The month of August experienced a nearly 400% increase in the number of spam listings, from 1,163 in July to 4,179 in August. These are domains advertised in the bodies of spam emails, and are destinations advertised by spammers. Spammers tend to consume large batches of domains, discarding domains as they are added to blocklists, and then moving on to use new domains for the next round of spamming.
Let's look at how new gTLDs compare in aggregate to legacy gTLDs.
To compare TLDs of varying size, Architelos has created the Namespace Quality Index (NQI). The NQI index is modeled after the air quality and water quality indexes that both use a parts per million metric. The Internet has become a ubiquitous utility, much like clean air and clean water, and thus should have a similar quality metric. We instituted the Namespace Quality Index over 18 months ago, and have published several reports already utilizing the NQI metric.
We set the goal for excellent Namespace quality to be 99.9% or less than 100 abuses per million DUM. From there, the levels increase along a logarithmic scale.
Legacy gTLDs are the 22 TLDs that include: .com, .net, .org, .gov, .edu and others.
Country code TLDs (ccTLDs) are excluded from this comparison.
Legacy gTLDs have an aggregate Namespace Quality Index score of 11,951 abuses per million domain names for a Red or “At Risk” rating in December 2014. In other words, about 1.2% of all domain names in legacy gTLDs are reported as abusive.
Legacy gTLDs have over 1.85M abusive domains listed on blocklists, from over 155M total domains as of year end 2014.
In comparison, new gTLDs had just over 12,000 abusive domains listed on blocklists from over 3.7M total domains during the same period.
This results in a new gTLD Namespace Quality Index (NQI) rating of 3,241 abuses per million domains or about 0.3% of all new gTLD domains.
Currently, new gTLDs have approximately 1/4 the level of abuse that is found in legacy gTLDs.
The level of abuse in new gTLDs scores in the “Orange” zone of Architelos’ Namespace Quality Index. We have classified Orange as “Caution” as it means that between 1,001 – 10,000 abuses per million domains exist in the TLDs. Note: this is after less than one year of operation for most of the new gTLDs.
Architelos includes some disclaimers at the end of the report: the mere presence of abuse in a top-level domain in no way indicates mismanagement by the registry operator.
Several factors can influence the presence or absence of abuse including pricing, registration policies and location of registrant.
New gTLD registry operators have different business models, and employ different abuse mitigation processes and systems.
However, we have some issues with the report:
For one, not all of the new gTLD registered domains are registered by third parties.
We noted that, out of the 3.6 million new gTLD domain names registered at the end of 2014, a few hundred thousand were owned by the registry or those related to the registry, and obviously those are not going to be used for malicious purposes.
Secondly, not to belabor the point, but we know around 370K .XYZ domains were placed into the accounts of Network Solutions customers, and many may not be aware they even own the domains. Certainly spammers and other malicious users of domains register domains for such purposes, and those domains really should not be counted in the number of total domain names, especially when the pool is as small as 3.6 million.
We know that people who are realtors were given a .realtor domain, which represents around 85,000 of the 3.6 million.
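The NQI arithmetic and the denominator objection above can be checked directly. The following is an added example, not code from Architelos or from this post: it uses the article's rounded counts (so the scores differ slightly from the report's 3,241 and 11,951), assumes the excluded domains are not themselves blocklisted, and leaves out the registry-owned "few hundred thousand" because no exact figure is given.

```python
# Added example (not from the Architelos report): NQI arithmetic on the
# article's rounded figures, plus a denominator sensitivity check.
PER_MILLION = 1_000_000


def nqi(abusive: int, total: int) -> float:
    """Blocklisted domains per million domains under management."""
    if total <= 0:
        raise ValueError("total domains must be positive")
    return abusive / total * PER_MILLION


def band(score: float) -> str:
    """Decade-wide bands. Only three names appear in the article; placing the
    Red boundary just above 10,000 is an assumption."""
    if score < 100:
        return "Excellent"
    if score <= 1_000:
        return "(band not named in the article)"
    if score <= 10_000:
        return "Orange (Caution)"
    return "Red (At Risk)"


def adjusted_nqi(abusive: int, total: int, exclusions: dict) -> float:
    """Drop registrations not made by third parties from the denominator.
    Assumes none of the excluded domains are themselves blocklisted."""
    return nqi(abusive, total - sum(exclusions.values()))


def exclusions_to_reach(abusive: int, total: int, target: float) -> float:
    """Domains that must leave the denominator before the score hits target."""
    return total - abusive / target * PER_MILLION


# Figures as rounded in the article ("just over 12,000", "over 3.7M").
NEW_ABUSIVE, NEW_TOTAL = 12_000, 3_700_000
LEGACY_ABUSIVE, LEGACY_TOTAL = 1_850_000, 155_000_000
EXCLUDED = {".xyz via Network Solutions": 370_000, ".realtor": 85_000}

if __name__ == "__main__":
    raw = nqi(NEW_ABUSIVE, NEW_TOTAL)
    adj = adjusted_nqi(NEW_ABUSIVE, NEW_TOTAL, EXCLUDED)
    legacy = nqi(LEGACY_ABUSIVE, LEGACY_TOTAL)
    for label, score in (("new gTLD raw", raw), ("new gTLD adjusted", adj),
                         ("legacy", legacy)):
        print(f"{label:18} {score:8.0f}  {band(score)}")
    needed = exclusions_to_reach(NEW_ABUSIVE, NEW_TOTAL, legacy)
    print(f"exclusions needed to match legacy: {needed:,.0f}")
```

On these inputs the two exclusions move the new gTLD score from about 3,243 to about 3,698, which is still in the Orange band. Roughly 2.7 million of the 3.7 million registrations would have to be excluded before the score matched the legacy figure.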
I think the biggest problem with the report is that, although it purports to represent the entire year of 2014, the first new gTLDs didn’t even go live until February, and according to Architelos’s own report the number of abusive domains rose 400% in August, when there were older new gTLDs, more gTLDs and heavy discounting of many new gTLDs to the point they were selling for around $1.
Likewise, ntldstats.com, which has been keeping track of fraudulent domains, had only around 2,500 domains marked as fraudulent as of December 31, but as of today has over 8,000.
Still, 8,000 domains out of 4 million is not a huge problem.
I would love to know how many .TK domain names, out of the 25 million or so registered, would be marked as abusive.
This is another issue in my opinion: like renewal rates, we are not going to know much until after this year is over.
You can read the whole report here
Joseph Peterson says
Those are some sound criticisms of Architelos’s reported NQI number, Mike.
Still, I don’t think we need to wait until next year to make predictions. The trends are there already in Architelos’s raw data, and a more accurate NQI could be teased out (I suspect) with a bit of mathematical subtlety.
jcmatson says
Mike – thanks for posting the report and providing critique. Yes, there are some adjustments to the data that could be made in the new gTLD totals, but we could not make similar adjustments to the legacy gTLD totals to enable comparison, so we left the analysis as presented. And yes, we are seeing clear trends in how abuse (spam, phishing and malware) is entering the new gTLD namespace – thanks for the feedback, and we will incorporate it in future reporting. john