I skimmed through those documents.

With my IP lawyer hat on I hear lots of lawyers and trademark owners claim that they are being abused by a malicious domain when, in fact, all that is happening is that someone beat them to the name registration of a name that they feel is standing too close to one of theirs.

I remember one case in which an investment firm - a firm that speculates in things - didn't get a domain name that had the same initials as the investment firm because a college kid had registered a name with his initials. Of course the kid did not have a trademark in his name or initials. There was no malicious purpose nor any abuse, but the investment firm screamed to high heaven that the kid was a criminal and that the domain should be transferred from the kid to the investment firm. I was amused that an investment firm - a firm based on the idea of being quicker than others to the marketplace - forgot that even in the domain name space sometimes the quicker actor legitimately takes the spoils.

From where I sit claims of "malicious" and "abuse" are often mere whining about acts that are neither actually malicious nor actually abusive.

What I am suggesting is that when writing about domain names (or in this case, about the mere registration of a name) as being malicious or abusive that those terms not only ought to be clearly defined, but that those definitions be front and center on any report about such domains.

The Interisle report says this (on page 35):

/How does Interisle determine if a domain has been “maliciously registered?”/

/We consider domains blocklisted within 90 days of registration to be malicious./

I note that Interisle seems to distinguish between malicious *registration* and malicious *use*. There is a vast gap there - the same as the difference between a) buying a glass cutter and b) using that glass cutter in a crime (such as cutting through a window pane in order to commit a burglary.)
In other words in the minds of Interisle, a domain that somebody puts onto some block lists within three months is adjudged, usually without further inquiry, as "malicious". Or to put it another way around, what is "malicious" depends on the opinions of some unknown block listing agencies.

That is not a definition. Rather it is an invitation to vigilante and inconsistent behaviour. A true definition would dig into real actions that have been actually performed through the use of an accused domain name.

Perhaps the Interisle definition could be useful as a sieve to identify registrations that deserve deeper inquiry. But saying that a domain name is malicious simply on the basis of block list entries is a process based on third party rumor (in law we would call that "hearsay", a thing that is usually excluded by our rules of evidence) rather than on a presentation of relevant, directly obtained, supporting facts.

--karl--

On 6/3/26 9:06 AM, Joly MacFie via At-Large wrote:
I have summarised it here https://isoclive.substack.com/p/interisle-dns-abuse
Out of nearly 85 million new gTLD domains registered in 2025, more than 8.4 million had already been blocklisted by May 2026. The report argues that malicious registrations exceeded overall market growth during several months of 2025. In January 2025, for example, net gTLD growth was about 408,000 domains, while approximately 723,000 domains registered that month were later identified as malicious. Similar patterns occurred in February and May.
--
Joly MacFie +12185659365