DNS Abuse and Content Abuse Issues
As mentioned on a working group call covering DNS and Content abuse measurements, these are the December 2020 survey results for 150K sample surveys for .COM/NET/ORG/BIZ/INFO. The categories are the HosterStats.com categories for web usage measurement and some of the methodology is discussed in the Domnomics book. There is also a spreadsheet of the survey (statistical 150K surveys for the larger (>1M) new gTLDs and complete gTLD surveys for the smaller gTLDs) results for the new gTLDs.

The main problem with the discussions on DNS Abuse is that there is no solid definition, yet, of what constitutes DNS Abuse. The registries and registrars have a clear understanding of dealing with DNS Abuse and some Content Abuse as it applies to their customers. There also seems to be a push to include some forms of intellectual property (infringement) abuse as DNS Abuse. While the IP community has a valid point about this form of abuse, it has an inherent problem. Is the domain name the problem or the content on the website under the domain name the problem? The domain name problem is often addressed by taking a UDRP action and that takes time. The legal path with content is less clear.

The problem, in terms of phishing, is probably worse in the new gTLDs where low registration fees make this kind of activity more economically feasible. There was a survey (SIDN related) cited in the CCT report that mentioned that a lot of problematic content shifted from the legacy gTLDs to the new gTLDs.
.COM

| Category | Count | % |
|---|---:|---:|
| Zone Coverage | | 100.00% |
| No Site | 16,754 | 11.17% |
| No Response | 13,002 | 8.67% |
| Active/unclassified | 15,587 | 10.39% |
| Brand protection | 261 | 0.17% |
| Clone site | 216 | 0.14% |
| In-page Redirect | 895 | 0.60% |
| External TLD Redirect | 1,299 | 0.87% |
| Not Found/Forbidden | 7,745 | 5.16% |
| Holding Page | 13,801 | 9.20% |
| Internal Redirect | 5,504 | 3.67% |
| No Content | 923 | 0.62% |
| Affiliate Lander | 2,480 | 1.65% |
| Matched External TLD Redirect | 768 | 0.51% |
| Duplicate Content (2) | 142 | 0.09% |
| Duplicate Content (>2) | 285 | 0.19% |
| PPC Parked | 25,860 | 17.24% |
| Questionable Content | 4 | 0.00% |
| Redirect | 6,238 | 4.16% |
| Sales | 11,786 | 7.86% |
| HTTPS Redirect | 19,933 | 13.29% |
| Unavailable | 883 | 0.59% |
| Video Affiliate Lander | 375 | 0.25% |
| Adult Affiliate Lander | 307 | 0.20% |
| Compromised | 36 | 0.02% |
| Social Media | 103 | 0.07% |
| In-zone Redirect | 4,813 | 3.21% |
| Total | 150,000 | |

.NET

| Category | Count | % |
|---|---:|---:|
| Zone Coverage | | 100.00% |
| No Site | 25,010 | 16.67% |
| No Response | 14,189 | 9.46% |
| Active/unclassified | 14,085 | 9.39% |
| Brand protection | 1,877 | 1.25% |
| Clone site | 217 | 0.14% |
| In-page Redirect | 997 | 0.66% |
| External TLD Redirect | 5,904 | 3.94% |
| Not Found/Forbidden | 6,570 | 4.38% |
| Holding Page | 16,789 | 11.19% |
| Internal Redirect | 4,286 | 2.86% |
| No Content | 1,447 | 0.96% |
| Affiliate Lander | 1,105 | 0.74% |
| Matched External TLD Redirect | 3,655 | 2.44% |
| Duplicate Content (2) | 146 | 0.10% |
| Duplicate Content (>2) | 208 | 0.14% |
| PPC Parked | 29,441 | 19.63% |
| Questionable Content | 3 | 0.00% |
| Redirect | 3,807 | 2.54% |
| Sales | 5,107 | 3.40% |
| HTTPS Redirect | 12,849 | 8.57% |
| Unavailable | 895 | 0.60% |
| Video Affiliate Lander | 62 | 0.04% |
| Adult Affiliate Lander | 223 | 0.15% |
| Compromised | 175 | 0.12% |
| Social Media | 1 | 0.00% |
| In-zone Redirect | 952 | 0.63% |
| Total | 150,000 | |

.ORG

| Category | Count | % |
|---|---:|---:|
| Zone Coverage | | 100.00% |
| No Site | 18,403 | 12.27% |
| No Response | 14,376 | 9.58% |
| Active/unclassified | 13,439 | 8.96% |
| Brand protection | 1,384 | 0.92% |
| Clone site | 196 | 0.13% |
| In-page Redirect | 969 | 0.65% |
| External TLD Redirect | 5,011 | 3.34% |
| Not Found/Forbidden | 6,371 | 4.25% |
| Holding Page | 16,039 | 10.69% |
| Internal Redirect | 5,718 | 3.81% |
| No Content | 587 | 0.39% |
| Affiliate Lander | 381 | 0.25% |
| Matched External TLD Redirect | 2,741 | 1.83% |
| Duplicate Content (2) | 92 | 0.06% |
| Duplicate Content (>2) | 64 | 0.04% |
| PPC Parked | 30,936 | 20.62% |
| Questionable Content | 3 | 0.00% |
| Redirect | 6,436 | 4.29% |
| Sales | 4,817 | 3.21% |
| HTTPS Redirect | 18,109 | 12.07% |
| Unavailable | 687 | 0.46% |
| Video Affiliate Lander | 16 | 0.01% |
| Adult Affiliate Lander | 15 | 0.01% |
| Compromised | 323 | 0.22% |
| Social Media | 0 | 0.00% |
| In-zone Redirect | 2,887 | 1.92% |
| Total | 150,000 | |

.BIZ

| Category | Count | % |
|---|---:|---:|
| Zone Coverage | | 100.00% |
| No Site | 26,505 | 17.67% |
| No Response | 15,239 | 10.16% |
| Active/unclassified | 10,395 | 6.93% |
| Brand protection | 2,056 | 1.37% |
| Clone site | 195 | 0.13% |
| In-page Redirect | 702 | 0.47% |
| External TLD Redirect | 8,904 | 5.94% |
| Not Found/Forbidden | 6,455 | 4.30% |
| Holding Page | 20,088 | 13.39% |
| Internal Redirect | 3,536 | 2.36% |
| No Content | 782 | 0.52% |
| Affiliate Lander | 242 | 0.16% |
| Matched External TLD Redirect | 5,666 | 3.78% |
| Duplicate Content (2) | 208 | 0.14% |
| Duplicate Content (>2) | 96 | 0.06% |
| PPC Parked | 30,473 | 20.32% |
| Questionable Content | 8 | 0.01% |
| Redirect | 3,500 | 2.33% |
| Sales | 3,345 | 2.23% |
| HTTPS Redirect | 10,013 | 6.68% |
| Unavailable | 697 | 0.46% |
| Video Affiliate Lander | 1 | 0.00% |
| Adult Affiliate Lander | 11 | 0.01% |
| Compromised | 29 | 0.02% |
| Social Media | 6 | 0.00% |
| In-zone Redirect | 848 | 0.57% |
| Total | 150,000 | |

.INFO

| Category | Count | % |
|---|---:|---:|
| Zone Coverage | | 100.00% |
| No Site | 21,543 | 14.36% |
| No Response | 16,552 | 11.03% |
| Active/unclassified | 8,734 | 5.82% |
| Brand protection | 1,529 | 1.02% |
| Clone site | 192 | 0.13% |
| In-page Redirect | 510 | 0.34% |
| External TLD Redirect | 9,342 | 6.23% |
| Not Found/Forbidden | 6,513 | 4.34% |
| Holding Page | 15,195 | 10.13% |
| Internal Redirect | 3,772 | 2.51% |
| No Content | 949 | 0.63% |
| Affiliate Lander | 392 | 0.26% |
| Matched External TLD Redirect | 5,007 | 3.34% |
| Duplicate Content (2) | 130 | 0.09% |
| Duplicate Content (>2) | 60 | 0.04% |
| PPC Parked | 41,059 | 27.37% |
| Questionable Content | 2 | 0.00% |
| Redirect | 3,742 | 2.49% |
| Sales | 3,245 | 2.16% |
| HTTPS Redirect | 9,552 | 6.37% |
| Unavailable | 610 | 0.41% |
| Video Affiliate Lander | 9 | 0.01% |
| Adult Affiliate Lander | 80 | 0.05% |
| Compromised | 635 | 0.42% |
| Social Media | 4 | 0.00% |
| In-zone Redirect | 642 | 0.43% |
| Total | 150,000 | |

There has been a shift towards HTTPS in the last ten years. A website may have an IP address in the DNS but that does not necessarily mean that a webserver is running on the IP.
The registries' and registrars' definition of DNS Abuse is quite conservative. Taken in terms of what can be solved by registries and registrars, it is logical. The problem is that due to the declining market share of the gTLDs, the "kill chain" for dealing with a problem domain name or website is not as well defined as it was once. There is a new element: the reseller. Approximately 25% of the gTLD market (based on the monthly HosterStats gTLD transactions reports) consists of resellers with the ICANN accredited registrars accounting for the rest of the market. These resellers register their domain names in the usual way through the ICANN registrars but it is not financially viable for them to become accredited ICANN registrars. They are often accredited ccTLD registrars in their own country level markets.

Blurring the line between DNS Abuse and Content Abuse would make dealing with the problem domain name/website a bit more complicated because DNS Abuse seems relatively clearly defined but there are multiple definitions of Content Abuse.

There is also the issue of Reporting versus Detection. Most phishing sites are reported rather than detected. That means that what is reported is often the tip of the iceberg. With Content Abuse, ICANN does not have the expertise or resources to deal with the issue and that's even before there is any clear definition of "Content Abuse". (Is it Intellectual Property infringement, phishing, pharming or compromise?)

In terms of Content Abuse, the number of defaced websites has dropped over the last ten years or so and many compromised sites are more likely to have link injection compromises. This is due mainly to old and unmaintained plugins for CMSes like WordPress and Joomla.

Web Usage is no longer a simple active website versus no website. It is quite a complex thing to measure and it changes. In defining DNS Abuse, there should be an awareness that the format of DNS Abuse will also change.
Regards...jmcc

--
John McCormac * e-mail: jmcc@hosterstats.com
MC2 * web: http://www.hosterstats.com/
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
Ireland * https://amzn.to/2OPtEIO
IE * Skype: hosterstats.com
On Fri, 30 Apr 2021 at 02:59, John McCormac via CPWG <cpwg@icann.org> wrote:

Hi John,

> The problem, in terms of phishing, is probably worse in the new gTLDs where low registration fees make this kind of activity more economically feasible. There was a survey (SIDN related) cited in the CCT report that mentioned that a lot of problematic content shifted from the legacy gTLDs to the new gTLDs.

It appears to me that this issue can probably be traced back to a fairly small number of new gTLDs whose business models stress high volume and domain prices low enough to be disposable. It strikes me that many of the new gTLDs are not cheaper than the legacy ones and are making at least a superficial stab at identity and taxonomy.

Is there benefit in your research in isolating the disposable-domain TLDs from the others? Or do all of them -- even the ones who are promoting themselves based on identity -- have this problem?

Thank you again for bringing research-based focus to ALAC's work.

- Evan
On 03/05/2021 17:37, Evan Leibovitch wrote:

> On Fri, 30 Apr 2021 at 02:59, John McCormac via CPWG <cpwg@icann.org> wrote:
>
> Hi John,
>
>> The problem, in terms of phishing, is probably worse in the new gTLDs where low registration fees make this kind of activity more economically feasible. There was a survey (SIDN related) cited in the CCT report that mentioned that a lot of problematic content shifted from the legacy gTLDs to the new gTLDs.
>
> It appears to me that this issue can probably be traced back to a fairly small number of new gTLDs whose business models stress high volume and domain prices low enough to be disposable. It strikes me that many of the new gTLDs are not cheaper than the legacy ones and are making at least a superficial stab at identity and taxonomy.
>
> Is there benefit in your research in isolating the disposable-domain TLDs from the others? Or do all of them -- even the ones who are promoting themselves based on identity -- have this problem?
It was an economic shift, Evan. The problem domain names seem to rely on either stolen payment details or other methods of payment. The heavily discounted registration fees made some forms of abuse economically more viable. The spreadsheet for the December new gTLDs Web Usage survey is available. I only posted the CNOBI results to the list.

In terms of phishing, it might be easier to run a simple keyword search on the zone files for domain names not using the "official" nameservers for a brand and group them by gTLD. Some of the more obvious phishing domain names have a brand name and the word "account" or similar as part of the domain to make it seem like the recipient has to validate their account. From just a brief glance, it seems to be the discounted gTLDs that have more obvious examples of the problem. At the moment, I'm running a full gTLD (legacy and new) website/IP address survey and some of these phishing domain names are apparent. The higher priced new gTLDs tend to be relatively clean as the higher regfee acts as a deterrent to the more opportunistic phisher.

One thing is clear. Heavy discounting on a gTLD with some development results in a collapse in the rate of development in that gTLD and locks the registry into a dependence on discounting as a business model. Some of the gTLDs that had used discounting have shifted towards increased renewal fees to maintain volume. The .ICU gTLD was one of the major discounters and it went from about 6 million registrations in early 2020 to around 600K at present. As a business model, as long as the basic fees and costs are covered, the registry can make money. The renewal rate on most of these discounted registrations is typically below 10%. The first renewal rate for some of the legacy gTLDs is over 50% and ccTLDs often break 70%.

The SIDN report covered all gTLDs but noted the shift from the legacy gTLDs. Discounted gTLDs have very different registration and usage patterns to the mature gTLDs. The registration spikes tend to last for a few months before falling back to a steadier pattern and there is often a geographical nature to the spikes. It would be possible to run the stats on this but it would take some time.

There is a monthly Quick Delta report that compares the zone files with the zone files from a year ago to check what domain names are still present. Some gTLDs have between 60% and 80% zone replacement (domain names from previous year not in current zone).

Regards...jmcc
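The zone-file keyword search described in the message above (brand-keyword domain names that are not delegated to the brand's "official" nameservers, grouped by gTLD), as an added example that is not part of the original thread. The brand `examplebank`, its nameserver suffix, the lure-word list and the sample records are all constructed, and the reserved TLDs `.example`, `.test` and `.invalid` stand in for real gTLDs.

```python
from collections import defaultdict

# Constructed sample of TLD zone-file NS records. "examplebank" is a made-up
# brand; the reserved TLDs .example/.test/.invalid stand in for real gTLDs.
SAMPLE_ZONE = """\
examplebank.example.        172800 IN NS ns1.examplebank-dns.example.
examplebank.example.        172800 IN NS ns2.examplebank-dns.example.
examplebank.test.           172800 IN NS ns1.examplebank-dns.example.
examplebank-account.test.   172800 IN NS ns1.parking.invalid.
my-examplebank-login.test.  172800 IN NS ns1.parking.invalid.
examplebankfans.invalid.    172800 IN NS ns.hosting.invalid.
unrelated-shop.test.        172800 IN NS ns1.parking.invalid.
"""


def parse_ns_records(lines):
    """Yield (domain, nameserver) from 'name ttl IN NS target' lines."""
    for line in lines:
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) == 5 and [f.upper() for f in fields[2:4]] == ["IN", "NS"]:
            yield fields[0].rstrip(".").lower(), fields[4].rstrip(".").lower()


def is_official(nameserver, official_suffixes):
    """True if the nameserver is, or sits under, one of the brand's NS zones."""
    return any(nameserver == s or nameserver.endswith("." + s)
               for s in official_suffixes)


def flag_brand_lookalikes(lines, brand, official_suffixes,
                          lure_words=("account", "login", "verify")):
    """Return {tld: [(domain, has_lure_word), ...]} for review by an analyst."""
    # lure_words is an assumed list standing in for '"account" or similar'.
    delegations = defaultdict(set)
    for domain, nameserver in parse_ns_records(lines):
        delegations[domain].add(nameserver)

    by_tld = defaultdict(list)
    for domain, nameservers in sorted(delegations.items()):
        label, _, tld = domain.rpartition(".")
        if brand.lower() not in label:
            continue
        if all(is_official(ns, official_suffixes) for ns in nameservers):
            continue  # delegated to the brand's own nameservers
        by_tld[tld].append((domain, any(w in label for w in lure_words)))
    return dict(by_tld)
```

The output is a candidate list for review, not a verdict: a fan site or reseller page also matches a bare keyword, which is why the lure-word flag is reported separately.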
participants (2)
- Evan Leibovitch
- John McCormac