On 04/06/2026 02:57, Karl Auerbach via At-Large wrote:
> I skimmed through those documents.
>
It seems quite comprehensive and there are serious issues for the next
round of new gTLDs.
>
> From where I sit claims of "malicious" and "abuse" are often mere
> whining about acts that are neither actually malicious nor actually abusive.
There may be a time between registration and weaponisation for a
malicious registration. Blocklists may use reporting rather than
detection and by the time a malicious registration is used, it is
already too late.
The renewals figures were a bit strange as the 2025 set of new
registrations will renew over 2026 and early 2027. The various grace
periods skew the renewals and the 2025 renewals mentioned in the
Interisle report may actually apply to 2024 registrations because a lot
of the 2025 registrations have not gone through their first
renewal/deletion cycle. (Tracking renewal rates at a domain name level
for statistical purposes is possible. I do this kind of work for two
monthly spreadsheets.)
> The Interisle report says this (on page 35):
>
> /How does Interisle determine if a domain has been “maliciously
> registered?”/
>
> /We consider domains blocklisted within 90 days of registration to be
> malicious./
>
> I note that Interisle seems to distinguish between malicious
> *registration* and malicious *use*. There is a vast gap there - the
> same as the difference between a) buying a glass cutter and b) using
> that glass cutter in a crime (such as cutting through a window pane in
> order to commit a burglary.)
From a very brief read of the report, it seems to mainly rely on
blocklists and registration patterns. A reliance on blocklists once
their methodologies are clear is fine. Compromised websites are often a
major issue especially when there has been a new WordPress exploit
published. Some of those affected domain names might end up on
blocklists. Again, it can vary by blocklist type (spam/malware etc).
The registration patterns may be a more solid methodology though with
the mess that GDPR and WHOIS Privacy made of things, only the registrar
data may be reliable.
The alternative to lookups of a sample or full dataset is to use ICANN's
registry report data and that is typically delayed by three months. It
is also volume based. It does provide comprehensive new registration and
deletion volume data. (Have rebuilt all the ICANN registrar report data
including the flakey PDF versions of Excel spreadsheets into a
gTLD/registrar transactions database table going back to July 2001. The
2012 round of new gTLDs were not the first to engage in this boom and
bust registration pattern.)
It can be very difficult to determine user intent when registering a
domain name. With bulk registrations, there might be some legitimate
reason. If a registrar offers an API to legitimate and iffy customers,
it becomes difficult to determine that intention and registration
timelines (bursts of registration activity) might have to be used
(correlating known blocklist domain names with specific times).
There are some other indications that were not mentioned in the
Interisle methodology that could be used as some malicious registrations
may have usage patterns beyond registration data.
Verifying the nature of the DNS Abuse would require the blocklists to
share more data than just domain names. It would also require this data
to be investigated. The problem is the operational lifetime of an
abusive registration. It may already have been removed from the zone by
the registry or the registrar.
> A true definition would dig into real actions that have been actually
> performed through the use of an accused domain name.
That would involve a lot of work on an ongoing basis. Some of the
blocklist companies and anti-DNS Abuse companies do this. I don't think
that ICANN has the capabilities to do this on an ongoing basis.
> Perhaps the Interisle definition could be useful as a sieve to identify
> registrations that deserve deeper inquiry.
It certainly makes for some terrifying headlines on new registration
activity. It also could raise questions about the awareness and
complicity of registries and registrars in this activity. There is also
an economic issue that I don't think was clearly mentioned in the report.
That is the commercial viability of some of these new gTLDs without
having discounting.
The discounting model reduces the first year registration fee to make a
new TLD attractive to registrants. Most of those new registrations will
not renew at first renewal. Some will. It varies from gTLD to gTLD and
could be lower than 5% for some gTLDs. The renewal fee is often a
multiple of the discounted first year fee and the registry and
registrars make their money from this small set of renewals. Rinse and
repeat often enough and it builds up a core of domain names that keep
renewing. Eventually, it creates two TLDs within that gTLD. The first is
the discounted TLD with low renewal rates and the second is composed of
domain names that keep renewing. The registry can continue to increase
the renewal fee for this second class of domain names safe in the
knowledge that most of them are on auto-renew or are brand protection
registrations.
Without that process, some of these gTLDs might not be commercially
viable as many of them discovered when the 2012 round gTLDs launched. It
was the Field Of Dreams fallacy (if you build it, they will come) and it
has turned some gTLDs into nightmares.
Regards...jmcc
--
**********************************************************
John McCormac * e-mail: jmcc@hosterstats.com
MC2 * web: http://www.hosterstats.com/
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
Ireland * https://amzn.to/2OPtEIO
IE * Skype: hosterstats.com
**********************************************************
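
Added example, not part of the message above and not Interisle's code: the 90-day blocklisting rule quoted from the report, used as a sieve together with the registration-burst correlation the reply describes. All domains, registrar labels, dates and thresholds (one-hour buckets, MIN_SIZE, MIN_SHARE) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=90)   # threshold quoted from the report
MIN_SIZE, MIN_SHARE = 4, 0.5  # assumed burst thresholds, tune per data set

# Constructed sample: (domain, registrar, created, blocklisted-or-None)
REGS = [
    ("d1.example", "registrar-A", "2025-03-01T10:02", "2025-03-04T00:00"),
    ("d2.example", "registrar-A", "2025-03-01T10:05", "2025-03-10T00:00"),
    ("d3.example", "registrar-A", "2025-03-01T10:09", "2025-04-20T00:00"),
    ("d4.example", "registrar-A", "2025-03-01T10:14", "2025-09-01T00:00"),
    ("d5.example", "registrar-A", "2025-03-01T10:40", None),
    ("e1.example", "registrar-B", "2025-03-01T10:01", None),
    ("e2.example", "registrar-B", "2025-03-01T10:03", None),
    ("e3.example", "registrar-B", "2025-03-01T10:20", None),
    ("e4.example", "registrar-B", "2025-03-01T10:55", None),
    ("f1.example", "registrar-A", "2025-03-02T15:00", "2025-03-05T00:00"),
]

def early_blocklisted(regs):
    """Domains blocklisted within WINDOW of their creation date."""
    out = set()
    for domain, _, created, listed in regs:
        if listed is None:
            continue
        age = datetime.fromisoformat(listed) - datetime.fromisoformat(created)
        if timedelta(0) <= age <= WINDOW:
            out.add(domain)
    return out

def burst_cohorts(regs):
    """Group registrations per registrar and hour; report bursts where the
    share of early-blocklisted names is high, with the names left to review."""
    flagged = early_blocklisted(regs)
    buckets = defaultdict(list)
    for domain, registrar, created, _ in regs:
        hour = datetime.fromisoformat(created).replace(minute=0)
        buckets[(registrar, hour)].append(domain)
    cohorts = []
    for (registrar, hour), domains in sorted(buckets.items()):
        hits = [d for d in domains if d in flagged]
        if len(domains) >= MIN_SIZE and len(hits) / len(domains) >= MIN_SHARE:
            cohorts.append({"registrar": registrar, "hour": hour.isoformat(),
                            "size": len(domains), "hits": len(hits),
                            "review": [d for d in domains if d not in flagged]})
    return cohorts

if __name__ == "__main__":
    for cohort in burst_cohorts(REGS):
        print(cohort)
```

The clean bulk batch at registrar-B and the single early-listed name f1.example are not reported as bursts; d4.example (listed after 90 days) and d5.example (never listed) surface only as candidates for deeper inquiry.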