On 04/06/2026 02:57, Karl Auerbach via At-Large wrote:
> I skimmed through those documents.
> It seems quite comprehensive and there are serious issues for the next round of new gTLDs.
> From where I sit claims of "malicious" and "abuse" are often mere whining about acts that are neither actually malicious nor actually abusive.
There may be a time between registration and weaponisation for a malicious registration. Blocklists may use reporting rather than detection, and by the time a malicious registration is used, it is already too late. The renewals figures were a bit strange as the 2025 set of new registrations will renew over 2026 and early 2027. The various grace periods skew the renewals, and the 2025 renewals mentioned in the Interisle report may actually apply to 2024 registrations because a lot of the 2025 registrations have not gone through their first renewal/deletion cycle. (Tracking renewal rates at a domain name level for statistical purposes is possible. I do this kind of work for two monthly spreadsheets.)
> The Interisle report says this (on page 35):
> /How does Interisle determine if a domain has been “maliciously registered?”/
> /We consider domains blocklisted within 90 days of registration to be malicious./
> I note that Interisle seems to distinguish between malicious *registration* and malicious *use*. There is a vast gap there - the same as the difference between a) buying a glass cutter and b) using that glass cutter in a crime (such as cutting through a window pane in order to commit a burglary.)
From a very brief read of the report, it seems to mainly rely on blocklists and registration patterns. A reliance on blocklists once their methodologies are clear is fine. Compromised websites are often a major issue, especially when there has been a new WordPress exploit published. Some of those affected domain names might end up on blocklists. Again, it can vary by blocklist type (spam/malware etc). The registration patterns may be a more solid methodology, though with the mess that GDPR and WHOIS Privacy made of things, only the registrar data may be reliable. The alternative to lookups of a sample or full dataset is to use ICANN's registry report data, and that is typically delayed by three months. It is also volume based. It does provide comprehensive new registration and deletion volume data. (I have rebuilt all the ICANN registrar report data, including the flaky PDF versions of Excel spreadsheets, into a gTLD/registrar transactions database table going back to July 2001. The 2012 round of new gTLDs was not the first to engage in this boom and bust registration pattern.) It can be very difficult to determine user intent when registering a domain name. With bulk registrations, there might be some legitimate reason. If a registrar offers an API to legitimate and iffy customers, it becomes difficult to determine that intention, and registration timelines (bursts of registration activity) might have to be used (correlating known blocklist domain names with specific times). There are some other indications that were not mentioned in the Interisle methodology that could be used, as some malicious registrations may have usage patterns beyond registration data. Verifying the nature of the DNS Abuse would require the blocklists to share more data than just domain names. It would also require this data to be investigated. The problem is the operational lifetime of an abusive registration. It may already have been removed from the zone by the registry or the registrar.
> A true definition would dig into real actions that have been actually performed through the use of an accused domain name.
That would involve a lot of work on an ongoing basis. Some of the blocklist companies and anti-DNS Abuse companies do this. I don't think that ICANN has the capabilities to do this on an ongoing basis.
Perhaps the Interisle definition could be useful as a sieve to identify registrations that deserve deeper inquiry.
It certainly makes for some terrifying headlines on new registration activity. It also could raise questions about the awareness and complicity of registries and registrars in this activity.

There is also an economic issue that I don't think was clearly mentioned in the report. That is the commercial viability of some of these new gTLDs without having discounting. The discounting model reduces the first year registration fee to make a new TLD attractive to registrants. Most of those new registrations will not renew at first renewal. Some will. It varies from gTLD to gTLD and could be lower than 5% for some gTLDs. The renewal fee is often a multiple of the discounted first year fee, and the registry and registrars make their money from this small set of renewals. Rinse and repeat often enough and it builds up a core of domain names that keep renewing. Eventually, it creates two TLDs within that gTLD. The first is the discounted TLD with low renewal rates and the second is composed of domain names that keep renewing. The registry can continue to increase the renewal fee for this second class of domain names safe in the knowledge that most of them are on auto-renew or are brand protection registrations. Without that process, some of these gTLDs might not be commercially viable, as many of them discovered when the 2012 round gTLDs launched. It was the Field Of Dreams fallacy (if you build it, they will come) and it has turned some gTLDs into nightmares.

Regards...jmcc

--
**********************************************************
John McCormac  *  e-mail: jmcc@hosterstats.com
MC2            *  web: http://www.hosterstats.com/
22 Viewmount   *  Domain Registrations Statistics
Waterford      *  Domnomics - the business of domain names
Ireland        *  https://amzn.to/2OPtEIO
IE             *  Skype: hosterstats.com
**********************************************************
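The two measurement ideas discussed in this thread, the Interisle "blocklisted within 90 days of registration" rule and the suggestion of correlating registration bursts at a registrar with blocklisted names, can be put side by side in a small sieve. The code below is an added example written for this page; it is not from the mailing-list message, from Interisle, or from any blocklist provider. The registration records and dates are constructed, the 15-minute burst window and the "at least half of a burst already blocklisted" threshold are assumed values chosen for illustration, and the output is a list of names that deserve deeper inquiry, in the sense of the "sieve" mentioned above, not a verdict on intent.

```python
"""Toy 'malicious registration' sieve (added example, not from the thread)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (domain, registrar, created, first blocklisted).
# None means the name has never appeared on a blocklist. All values invented.
SAMPLE = [
    ("shop-a.example", "regA", "2025-03-01T10:00", "2025-03-20T09:00"),
    ("shop-b.example", "regA", "2025-03-01T10:05", None),
    ("shop-c.example", "regA", "2025-03-01T10:07", "2025-03-25T00:00"),
    ("shop-d.example", "regA", "2025-03-01T10:09", "2025-04-01T00:00"),
    # Old, legitimate-looking site listed a year after creation: a compromise,
    # not a malicious registration, and the 90-day rule correctly ignores it.
    ("old-blog.example", "regB", "2024-01-15T12:00", "2025-02-10T00:00"),
    ("quiet.example", "regB", "2025-05-02T08:00", None),
]


def parse(ts):
    """ISO-8601 timestamp string to datetime; None stays None."""
    return datetime.fromisoformat(ts) if ts else None


def is_malicious_registration(created, blocklisted, window_days=90):
    """The Interisle rule quoted in the thread: listed within N days of creation.
    Listings that predate creation (stale blocklist entries) are not counted."""
    if blocklisted is None:
        return False
    return timedelta(0) <= blocklisted - created <= timedelta(days=window_days)


def registration_bursts(records, window=timedelta(minutes=15), min_size=3):
    """Per registrar, chain registrations that each fall within `window` of the
    previous one; return {registrar: [[record indexes], ...]} for chains of at
    least `min_size`. Assumed heuristic for 'bursts of registration activity'."""
    by_registrar = defaultdict(list)
    for i, rec in enumerate(records):
        by_registrar[rec["registrar"]].append(i)
    bursts = {}
    for registrar, idxs in by_registrar.items():
        idxs.sort(key=lambda i: records[i]["created"])
        groups, current = [], [idxs[0]]
        for i in idxs[1:]:
            if records[i]["created"] - records[current[-1]]["created"] <= window:
                current.append(i)
            else:
                groups.append(current)
                current = [i]
        groups.append(current)
        big = [g for g in groups if len(g) >= min_size]
        if big:
            bursts[registrar] = big
    return bursts


def sieve(raw, window_days=90, burst_ratio=0.5):
    """Return {domain: reason} for names that merit deeper inquiry.
    Reasons: the 90-day rule, or membership of a registration burst in which
    at least `burst_ratio` of the peers already triggered the 90-day rule."""
    records = [
        {"domain": d, "registrar": r, "created": parse(c), "blocklisted": parse(b)}
        for d, r, c, b in raw
    ]
    flagged = {}
    for rec in records:
        if is_malicious_registration(rec["created"], rec["blocklisted"], window_days):
            flagged[rec["domain"]] = "blocklisted-within-%dd" % window_days
    for registrar, groups in registration_bursts(records).items():
        for group in groups:
            listed = sum(1 for i in group if records[i]["domain"] in flagged)
            if listed / len(group) >= burst_ratio:
                for i in group:
                    # Peers of a mostly-blocklisted burst are flagged for review only.
                    flagged.setdefault(records[i]["domain"], "burst-peer@" + registrar)
    return flagged


if __name__ == "__main__":
    for domain, reason in sorted(sieve(SAMPLE).items()):
        print(domain, reason)
```

Note what the two rules do and do not catch: old-blog.example is on a blocklist but outside the 90-day window, so it is treated as a later compromise rather than a malicious registration, while shop-b.example is never blocklisted yet is surfaced because three of its four burst-mates were. That second flag is exactly the kind of "deserves deeper inquiry" signal the thread describes, and it depends on the registrar-level timestamps that public WHOIS data often no longer provides.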