DomainTools names and shames bad TLDs – Domain Name Wire

The “bad” domains have something in common.

Cybersecurity firm DomainTools has released its Spring 2022 report, naming and shaming top-level domains it says are overrepresented for badness.

Rather than ranking by absolute number of malware, phishing, and spam domains, DomainTools analyzed the prevalence of usage against the number of registered domains.

And here’s the bottom line: domains offered for free or at low prices are the most abused. Full stop.

This has been the case for a long time and will be the case in the future. Registries that offer cheap domains have more bad guys using their domains.

The same pattern shows up in other Internet resources. Let’s Encrypt tops DomainTools’ rankings for SSL certificates used on bad domains, and it offers certificates for free.

Some of the TLDs on the list can do an excellent job of cleaning up bad activity when discovered. But by the time a domain lands on a phishing or malware blocklist, a lot of damage has already been done.

.Xyz, for example, uses blocklists and an internal system to monitor abuse. It quickly suspends domains that are misused. But it still tops DomainTools’ lists. DomainTools said:

Sorry, .xyz, but your reputation in the infosec community is what it is for a reason. In the Malware category, we observed over 323,000 domains in .xyz, a significant increase from its previous display of around 207,000 (still substantial). Add to that the signal strength of 108.60, and it becomes especially clear why this TLD has the reputation it does.

In this report, a signal strength of 1.0 is neutral: anything below 1.0 is good and anything above it is bad. So 108.6 is a very high number.

In response to the report, XYZ told Domain Name Wire, “We reached out to DomainTools to discuss their report. We dispute their findings and would like to work cooperatively to dispel any misconceptions.”

While .xyz appears in some categories, other TLDs take top honors in others.

According to DomainTools, .buzz is worst for phishing, and .cam is worst for spam. I’m a little surprised that .cam isn’t in the top 10 for phishing due to its similarity to .com. But in a game of raw numbers, phishers will pick the cheapest domains, not the ones most likely to fool people.

Freenom’s free names are also on the list, including .ml, .ga, .cf, and .gq. .Tk is its most-registered TLD, but the sheer volume of .tk registrations could keep it from appearing at the top of these lists because of DomainTools’ methodology.
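To make the normalization behind these rankings concrete, here is an added Python example; it is not DomainTools’ code, and since the article does not give their exact formula, the share-of-abuse divided by share-of-registrations ratio and the sample counts below are assumptions. It ranks the same constructed figures by raw count and by normalized score, which shows how a high-volume TLD can drop out of the top of a normalized list while a small one rises.

```python
# Added example (not from the Domain Name Wire article or DomainTools).
# Assumed scoring, not DomainTools' published definition:
#   signal = (bad domains in TLD / all bad domains)
#          / (registered domains in TLD / all registered domains)
# 1.0 means the TLD's share of abuse matches its share of registrations;
# above 1.0 it is over-represented, below 1.0 under-represented.

# Constructed sample figures, not real registry or blocklist data.
REGISTERED = {"com": 160_000_000, "tk": 25_000_000, "xyz": 4_000_000,
              "buzz": 500_000, "cam": 100_000, "cy": 20_000}
MALWARE_HITS = {"com": 300_000, "tk": 80_000, "xyz": 200_000,
                "buzz": 30_000, "cam": 1_000, "cy": 2_000}


def signal_strength(bad, registered):
    """Return {tld: ratio}; 1.0 is neutral, >1.0 over-represented in abuse."""
    total_bad = sum(bad.values())
    total_reg = sum(registered.values())
    scores = {}
    for tld, n_bad in bad.items():
        n_reg = registered.get(tld)
        if not n_reg:
            # No registration count for this TLD: it cannot be normalized,
            # so leave it out rather than divide by zero.
            continue
        scores[tld] = (n_bad / total_bad) / (n_reg / total_reg)
    return scores


def rank_raw(bad):
    """TLDs ordered by absolute number of bad domains (the naive ranking)."""
    return [t for t, _ in sorted(bad.items(), key=lambda kv: kv[1], reverse=True)]


def rank_normalized(bad, registered):
    """TLDs ordered by prevalence-normalized signal strength."""
    scores = signal_strength(bad, registered)
    return [t for t, _ in sorted(scores.items(), key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    print("raw:       ", rank_raw(MALWARE_HITS))
    print("normalized:", rank_normalized(MALWARE_HITS, REGISTERED))
    for tld, score in signal_strength(MALWARE_HITS, REGISTERED).items():
        print(f".{tld}: {score:.2f}")
```

With these constructed numbers .com leads the raw count but scores below 1.0, .tk sits near neutral despite being third by volume, and the small .cy moves to the top once normalized.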

So what incentives do TLD operators have to reduce badness? In the long run, top-level domains that appear on lists like this could see lower email deliverability and trigger more security warnings, ultimately making things worse for all of their registrants.

TLD operators have a couple of options to address the problem. The first is to invest in proactive suspension systems. The second is simply to raise first-year prices by a few dollars.

Here are the 5 worst in each category, according to DomainTools.

Phishing

1. .buzz
2. .gq
3. .ga
4. .rest
5. .ml

Malware

1. .xyz
2. .cc
3. .buzz
4. .cfd
5. .cy

Spam

1. .cam
2. .bar
3. .surf
4. .xyz
5. .click