[UA-discuss] Blue Coat's Web's Shadiest Neighborhoods and implications on TLD acceptance

David Conrad david.conrad at icann.org
Thu Sep 17 16:11:49 UTC 2015


Jeff,

In a separate post, DomainIncite quoted Architelos numbers that are more in line with what I'd expect (see http://domainincite.com/19269-architelos-shadiest-new-gtld-is-only-10-shady), however in this context I am not sure the exact percentages matter. Unfortunately, I believe there is a perception outside the ICANN community, and particularly in the security and network operational communities, that many of the new gTLDs are, to paraphrase Obi Wan Kenobi, wretched hives of scum and villainy. And folks are quite emotional about it. There are numerous security/operational folks out there who suggest, like Bluecoat, that new TLDs should be blocked at network borders until it can be demonstrated that they aren't "shady". A quick perusal of the comments from one of the "regurgitation of a press release as reporting" references to the Bluecoat report include:

"Can confirm this. We blocked a lot of new TLDs from e-mailing us because 100% of incoming mail was, well not even spam, but fake spam (what a world we live in, eh?) pushing malware or attempting to game search engines with fake referrals."

"My spam filters are regularly catching spam with URLs in TLD's like .faith, .win, .review, .space, .date, etc. I'm pretty close to treating 100% of all these new gTLD's as spam identifiers at this point."

"Our domain has seen such an increase in the new TLD - and try as you might, so much of this "crap" (technical term for SPAM) is still getting through. Too Many TLD's means so much more work for the e-mail admin!"

"Personally I do not trust anything hosted on the new top-level domains."

"I blocked all of them in our email servers. Reason? 100% spam. Not a single valid email coming from the new domains so far. Not one."

Etc.

My group (Office of the CTO) is looking to collect data on the level of blockage as well as the situation with regards to domain name abuse in order to address reports like Bluecoat with facts, but as I suspect everyone is aware, it can be challenging to combat perception with facts when emotion is involved.

While this may be a bit outside of "universal acceptance", it could suggest new gTLD registries may want to take a more aggressive approach in relation to mitigating "domain name abuse" within their namespaces if they do not want _all_ new gTLDs to be blocked at network borders.

Regards,
-drc
(ICANN CTO, but speaking only for myself)

> On Sep 16, 2015, at 9:07 PM, Jeff Neuman <jeff.neuman at comlaude.com> wrote:
> 
> So we all know that the information on .zip is a little sketchy, but what information do we have on the other extensions cited in the report like .review, .kim, etc.? Are the results for those accurate and should we be concerned?
> 
> Jeff Neuman
> 
>> On Sep 16, 2015, at 7:51 PM, Siemen Roorda <siemen at openprovider.nl> wrote:
>> 
>> Hello Ram,
>> 
>> That is true, BlueCoat treats file extensions as domain extensions.
>> DomainIncite has posted some explanation from them on
>> http://domainincite.com/19241-blue-coat-explains-zip-screw-up, including
>> the doesn't-make-any-sense statement "In conclusion, none of the .zip
>> “domains” we see in our traffic logs are requests to registered sites.
>> Nevertheless, we recommend that people block these requests, until valid
>> .zip domains start showing up."
>> 
>> Kind regards,
>> 
>> Siemen Roorda
>> Openprovider
>> 
>>> On 16/09/15 22:37, Ram Mohan wrote:
>>> BlueCoat’s methodology is discussed in some security group mailing lists.
>>> 
>>> 
>>> 
>>> My understanding is that in the case of .zip, there were instances of
>>> <file>.pdf.zip which allowed for drive-bys, malware etc. regardless of
>>> the state of name registration.
>>> 
>>> 
>>> 
>>> -ram
>>> 
>>> 
>>> 
>>> 
>>> 
>>> *From:* Jennifer Gore Standiford [mailto:JStandiford at web.com
>>> <mailto:JStandiford at web.com>]
>>> *Sent:* Wednesday, September 16, 2015 4:32 PM
>>> *To:* Ram Mohan <rmohan at afilias.info <mailto:rmohan at afilias.info>>
>>> *Cc:* UA-discuss at icann.org <mailto:UA-discuss at icann.org>
>>> *Subject:* RE: [UA-discuss] Blue Coat's Web's Shadiest Neighborhoods and
>>> implications on TLD acceptance
>>> 
>>> 
>>> 
>>> Ram and UA Members,
>>> 
>>> 
>>> 
>>> Have we requested or received any of the underlying data that supports
>>> the stats outlined in the BlueCoat report? I wonder why the .zip
>>> extension was referenced as ‘shady’ considering it hasn’t launched yet.
>>> 
>>> 
>>> 
>>> Thanks,
>>> Jennifer
>>> 
>>> 
>>> 
>>> *Jennifer Gore Standiford*
>>> 
>>> Policy Director
>>> 
>>> Web.com
>>> 
>>> 12808 Gran Bay Parkway, West  |  Jacksonville, FL 32258
>>> 
>>> Office: 904. 680-6919| Cell: 904. 401-4347
>>> 
>>> 
>>> *From:*ua-discuss-bounces at icann.org
>>> <mailto:ua-discuss-bounces at icann.org>
>>> [mailto:ua-discuss-bounces at icann.org] *On Behalf Of *Ram Mohan
>>> *Sent:* Wednesday, September 16, 2015 1:43 PM
>>> *To:* UA-discuss at icann.org <mailto:UA-discuss at icann.org>
>>> *Subject:* [UA-discuss] Blue Coat's Web's Shadiest Neighborhoods and
>>> implications on TLD acceptance
>>> 
>>> 
>>> 
>>> Folks,
>>> 
>>> BlueCoat <https://www.bluecoat.com/company-overview>, a security vendor
>>> used by most of the Fortune 500, released a report on the Web’s shadiest
>>> TLDs
>>> <https://www.bluecoat.com/company/press-releases/blue-coat-reveals-webs-shadiest-neighborhoods>
>>> on Sep 1, 2015. They recommend to their 15,000+ customers to block all
>>> listed TLDs (report attached). Most of these are new gTLDs.
>>> 
>>> 
>>> 
>>> There are implications for universal acceptance. This will result in
>>> some discussion at the upcoming UA Coordination Summit in Horsham
>>> tomorrow and Friday. The summit will have a conference bridge for anyone
>>> interested in participating. Don Hollander will provide details.
>>> 
>>> 
>>> 
>>> -Ram
>>> 
>>> Chair, UASG
>>> 
>>> 
>>> 
>>> o: +1.215.706.5700 x103; m: +1.215.431.0958; f: +1.215.706.5701
>>> 
>>> Skype: gliderpilot30
>>> 
>>> 
>>> 
>>> -----------------------------------------------------------------------------------------------
>>> 
>>> 
>>> 
>>> The Web’s Top 10 "TLDs with Shady Sites"
>>> 
>>> Rank  Top-Level Domain Name     Percentage of Shady Sites
>>> #1    .zip                      100.00%
>>> #2    .review                   100.00%
>>> #3    .country                  99.97%
>>> #4    .kim                      99.74%
>>> #5    .cricket                  99.57%
>>> #6    .science                  99.35%
>>> #7    .work                     98.20%
>>> #8    .party                    98.07%
>>> #9    .gq (Equatorial Guinea)   97.68%
>>> #10   .link                     96.98%
>> 
>> --
>> Kind regards,
>> 
>> Siemen Roorda
>> Product developer Openprovider
>> 
>> Hosting Concepts B.V.
>> Willem Buytewechstraat 40
>> 3024 BN  Rotterdam
>> The Netherlands
>> Tel +31 (0)10 448 22 96
>> Fax +31 (0)10 244 02 50
>> 
>> www.openprovider.nl       www.twitter.com/openprovider
>> www.openprovider.co.uk    www.twitter.com/openprovider_en
>> www.openprovider.es       www.twitter.com/openprovider_es
>> 
