Good write-up, John. Do you have any stats on DGA botnet domains? I have not seen many of those in the last few years, but since Avalanche (2016) and Conficker (2008) they are not the size they used to be? I do see them at other places: blockchain, IoT, Dropbox API abuse. Thanks in advance. Theo

On Sun, Apr 3, 2022, at 6:21 PM, John McCormac via CPWG wrote:
This is a kind of introduction to bulk registrations based on tracking domain name statistics and running Web Usage surveys that measure the rates of usage in gTLDs and ccTLDs. I've left out the brand protection/IP aspect as that's really covered by UDRP and URS.
The bulk registrations problem is complex but DA is only part of it. While spam, botnet C&C and some other registrations are problems in terms of DA, many bulk registrations are often borderline "content abuse" problems.
Some search engines still have problems with handling links from websites and it is not uncommon to see large numbers of webspam websites generated from scraped web content from legitimate websites, Social Media and even search engine results. The more inbound links a website has, the more authoritative it appears. Some search engines have been fighting this problem for years.
The software that produces these webspam sites is quite sophisticated and it can churn out thousands of these sites in a few hours. The essential element is low priced or free domain names. These websites are typically one year registrations. They do not renew. This is because the economics do not justify paying the full-priced renewal fee. It is cheaper to register another heavily discounted domain name either in the same gTLD or another gTLD where there is a heavily discounted registrations offer running.
There is also a speculative element to some bulk registrations in that there are often mini-bubbles which target short domain names (four letter (4Ls), five letter (5Ls) and some numerical domain names). Many of the registries or brand owners have already registered the three letter domain names. Again, some of these trends are linked to discounting offers. They are not abusive registrations and often end up on domain name sales sites. These trends may start in one gTLD and then, once the 4Ls are all registered in that gTLD, move into other gTLDs. The Chinese bubble in .COM and other legacy gTLDs is a good example of this kind of trend. Most of the bubble registrations did not renew.
Affiliate landers (adult and gambling) are also a feature of bulk registrations. There has been somewhat of a shift away from parking undeveloped domain names on pay per click (PPC) landing pages. Again, these types of bulk registrations have a high attrition rate. These affiliate landers have similarities to the automatically generated websites mentioned above.
That leaves the real problem categories in bulk registrations. Disposable registrations used for spam are part of the bulk registrations spectrum but detecting them is made more difficult by the damage that GDPR and the reaction to GDPR has caused to WHOIS. The problem of deciding what is and is not a spam domain name is compounded by the fact that the majority of domain names in most gTLDs do not have developed websites. The blacklists generally operate on the principle of detected use rather than identifying intent.
Registrations for botnet C&C, phishing, pharming and other forms of abuse can be obvious and non-obvious. Domain generation algorithms used for C&C and other malware generate pseudorandom domain names but sometimes these registrations already exist. The problem with a simple approach is that some languages, like those in China, may use numbers as part of a domain name because they sound like other words. To someone with only experience of English, they may appear to be a random string of characters.
Separating these abusive registrations is quite difficult. In the absence of WHOIS data and other data it is extremely difficult to guess the intent of the registrant. With some of the affiliate lander registrations, there is often a clustering pattern in both gTLD and webservers. But that only happens with domain names that have websites. Spam registrations may only be detected once used for spam and even then they have a finite lifespan. (Heavily discounted registrations are disposable.)
These are the Quick Delta numbers and percentages of some new gTLDs. The Quick Delta compares a gTLD's zonefile with the zonefile from a year ago.
March 2021 zone   Retained    Deleted     Retained %   Deleted %
      1,317,370     80,358  1,237,012         6.10       93.90
        246,344     22,025    224,319         8.94       91.06
         32,838      2,972     29,866         9.05       90.95
Other new gTLDs are quite normal and some even have Quick Delta rates approaching those of ccTLDs (very stable). Discounting is part of the business model of registries. They use it to grow the number of domain names under management.
The theory is much like throwing mud at a wall to see how much sticks. A small percentage of domain names will renew at full fee. A registry will gradually build up a core set of domain names that may keep renewing but the vast majority delete without being renewed. Somewhere in those bulk registrations are the abusive registrations. It is made more difficult by the fact that most bulk registrations are one year registrations and the bulk registration problem is a moving target.
Regards...jmcc -- ********************************************************** John McCormac * e-mail: jmcc@hosterstats.com MC2 * web: http://www.hosterstats.com/ 22 Viewmount * Domain Registrations Statistics Waterford * Domnomics - the business of domain names Ireland * https://amzn.to/2OPtEIO IE * Skype: hosterstats.com **********************************************************
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
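The Quick Delta described in John's message (compare a TLD's zone file with the zone file from a year ago, count the names retained and deleted, and express both as a percentage of the year-ago count) can be reproduced from two zone files. The Python below is an added example and is not code from the original thread or from HosterStats; the zone snippets are constructed for illustration, the TLD "example" is hypothetical, and the "added" count (names in the current zone that were not in the year-ago zone) is an extra figure not shown in the table above. It assumes the zone files use the RFC 1035 presentation format with absolute owner names (trailing dot), as CZDS zone files do.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample zone snippets for a hypothetical TLD "example" (not real zone data).
# Each line is: owner TTL class type rdata. Glue A records and DS records appear alongside
# the NS delegations, exactly as they would in a real gTLD zone.
ZONE_YEAR_AGO = """\
$ORIGIN example.
$TTL 3600
example.              3600 in soa a.nic.example. hostmaster.nic.example. 1 7200 3600 1209600 3600
example.              3600 in ns  a.nic.example.
alpha.example.        3600 in ns  ns1.hoster.net.
alpha.example.        3600 in ns  ns2.hoster.net.
bravo.example.        3600 in ns  ns1.hoster.net.
bravo.example.        3600 in ds  12345 8 2 0123456789ABCDEF
charlie.example.      3600 in ns  ns1.charlie.example.
ns1.charlie.example.  3600 in a   192.0.2.10   ; glue, not a delegation
delta.example.        3600 in ns  ns1.hoster.net.
"""

ZONE_NOW = """\
$ORIGIN example.
example.              3600 in ns  a.nic.example.
alpha.example.        3600 in ns  ns1.hoster.net.
charlie.example.      3600 in ns  ns1.charlie.example.
ns1.charlie.example.  3600 in a   192.0.2.10
echo.example.         3600 in ns  ns1.cheap-registrar.net.
foxtrot.example.      3600 in ns  ns1.cheap-registrar.net.
"""

_TTL = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)


def delegated_names(zone_text: str, tld: str) -> set[str]:
    """Return the set of second-level names delegated in a TLD zone.

    A name counts when it has an NS record and sits directly under the TLD
    (exactly two labels). Apex records, DS records and glue A/AAAA records
    owned by deeper names are therefore ignored. Names on clientHold/serverHold
    are not in the zone at all, so this counts delegations, not registrations.
    """
    tld = tld.lower().strip(".")
    names: set[str] = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # strip comments
        if not line or line.startswith("$"):       # skip $ORIGIN / $TTL directives
            continue
        fields = line.lower().split()
        owner, rest = fields[0].rstrip("."), fields[1:]
        # TTL and class are optional in presentation format; skip whichever are present.
        while rest and (_TTL.match(rest[0]) or rest[0] in ("in", "ch", "hs")):
            rest = rest[1:]
        if not rest or rest[0] != "ns":
            continue
        labels = owner.split(".")
        if len(labels) == 2 and labels[1] == tld:
            names.add(owner)
    return names


def split_pct(year_ago: int, retained: int) -> tuple[int, float, float]:
    """From the year-ago zone count and the retained count, return
    (deleted, retained %, deleted %) as the Quick Delta table presents them:
    both percentages are of the year-ago count, rounded to two decimals."""
    if year_ago <= 0:
        raise ValueError("year-ago zone count must be positive")
    deleted = year_ago - retained
    return deleted, round(100 * retained / year_ago, 2), round(100 * deleted / year_ago, 2)


@dataclass(frozen=True)
class QuickDelta:
    year_ago: int
    retained: int
    deleted: int
    added: int          # extra figure: names present now that were not delegated a year ago
    retained_pct: float
    deleted_pct: float


def quick_delta(year_ago_names: set[str], current_names: set[str]) -> QuickDelta:
    """Compare two delegation sets a year apart and compute the Quick Delta figures."""
    retained = len(year_ago_names & current_names)
    deleted, r_pct, d_pct = split_pct(len(year_ago_names), retained)
    added = len(current_names - year_ago_names)
    return QuickDelta(len(year_ago_names), retained, deleted, added, r_pct, d_pct)


if __name__ == "__main__":
    old = delegated_names(ZONE_YEAR_AGO, "example")
    now = delegated_names(ZONE_NOW, "example")
    print(quick_delta(old, now))
    # The first row of the table above, recomputed from its counts:
    print(split_pct(1_317_370, 80_358))
```

Running it on the constructed snippets gives 4 names a year ago, 2 retained, 2 deleted (50.00% / 50.00%) and 2 added; feeding split_pct the year-ago and retained counts from the table reproduces its percentages, which confirms that the Deleted column is simply year-ago minus retained and both percentages are taken against the year-ago zone. For a real comparison, point delegated_names at two CZDS downloads of the same TLD a year apart; because only delegated names are in a zone, a drop can also reflect names put on hold, so the figure is a lower bound on registrations actually lost.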