[CPWG] DNS Abuse and Content Abuse Issues

John McCormac jmcc at hosterstats.com
Fri Apr 30 06:29:58 UTC 2021 

As mentioned on a working group call covering DNS and Content abuse 
measurements, these are the December 2020 survey results for 150K sample 
surveys for .COM/NET/ORG/BIZ/INFO.

The categories are the HosterStats.com categories for web usage 
measurement and some of the methodology is discussed in the Domnomics 
book. There is a also spreadsheet of the survey (statistical 150K 
surveys for the larger (>1M) new gTLDs and complete gTLD surveys for the 
smaller gTLDs) results for the new gTLDs.

The main problem with the discussions on DNS Abuse is that there is no 
solid definition, yet, of what consititutes DNS Abuse.

The registries and registrars have a clear understanding of dealing with 
DNS Abuse and some Content Abuse as it applies to their customers. There 
also seems to be a push to include some forms of intellectual property 
(infringement) abuse as DNS Abuse. While the IP community has a valid 
point about this form of abuse, it has an inherent problem. Is the 
domain name the problem or the content on the website under the domain 
name the problem? The domain name problem is often addressed by taking a 
UDRP action and that takes time. The legal path with content is less clear.

The problem, in terms of phishing, is probably worse in the new gTLDs 
were low registration fees make this kind of activity more economically 
feasible. There was a survey (SIDN related) cited in the CCT report that 
mentioned that a lot of problematic content shifted from the legacy 
gTLDs to the new gTLDs.

	.COM	
Zone Coverage	100.00%	
		
No Site	16,754	11.17%
No Response	13,002	8.67%
Active/unclassified	15,587	10.39%
Brand protection	261	0.17%
Clone site	216	0.14%
In-page Redirect	895	0.60%
External TLD Redirect	1,299	0.87%
Not Found/Forbidden	7,745	5.16%
Holding Page	13,801	9.20%
Internal Redirect	5,504	3.67%
No Content	923	0.62%
Affiliate Lander	2,480	1.65%
Matched External TLD Redirect	768	0.51%
Duplicate Content (2)	142	0.09%
Duplicate Content (>2)	285	0.19%
PPC Parked	25,860	17.24%
Questionable Content	4	0.00%
Redirect	6,238	4.16%
Sales	11,786	7.86%
HTTPS Redirect	19,933	13.29%
Unavailable	883	0.59%
Video Affiliate Lander	375	0.25%
Adult Affiliate Lander	307	0.20%
Compromised	36	0.02%
Social Media 	103	0.07%
In-zone Redirect	4,813	3.21%
	150,000	

	.NET	
Zone Coverage	100.00%	
		
No Site	25,010	16.67%
No Response	14,189	9.46%
Active/unclassified	14,085	9.39%
Brand protection	1,877	1.25%
Clone site	217	0.14%
In-page Redirect	997	0.66%
External TLD Redirect	5,904	3.94%
Not Found/Forbidden	6,570	4.38%
Holding Page	16,789	11.19%
Internal Redirect	4,286	2.86%
No Content	1,447	0.96%
Affiliate Lander	1,105	0.74%
Matched External TLD Redirect	3,655	2.44%
Duplicate Content (2)	146	0.10%
Duplicate Content (>2)	208	0.14%
PPC Parked	29,441	19.63%
Questionable Content	3	0.00%
Redirect	3,807	2.54%
Sales	5,107	3.40%
HTTPS Redirect	12,849	8.57%
Unavailable	895	0.60%
Video Affiliate Lander	62	0.04%
Adult Affiliate Lander	223	0.15%
Compromised	175	0.12%
Social Media 	1	0.00%
In-zone Redirect	952	0.63%
	150,000	

	.ORG	
Zone Coverage	100.00%	
		
No Site	18,403	12.27%
No Response	14,376	9.58%
Active/unclassified	13,439	8.96%
Brand protection	1,384	0.92%
Clone site	196	0.13%
In-page Redirect	969	0.65%
External TLD Redirect	5,011	3.34%
Not Found/Forbidden	6,371	4.25%
Holding Page	16,039	10.69%
Internal Redirect	5,718	3.81%
No Content	587	0.39%
Affiliate Lander	381	0.25%
Matched External TLD Redirect	2,741	1.83%
Duplicate Content (2)	92	0.06%
Duplicate Content (>2)	64	0.04%
PPC Parked	30,936	20.62%
Questionable Content	3	0.00%
Redirect	6,436	4.29%
Sales	4,817	3.21%
HTTPS Redirect	18,109	12.07%
Unavailable	687	0.46%
Video Affiliate Lander	16	0.01%
Adult Affiliate Lander	15	0.01%
Compromised	323	0.22%
Social Media 	0	0.00%
In-zone Redirect	2,887	1.92%
	150,000	

	.BIZ	
Zone Coverage	100.00%	
		
No Site	26,505	17.67%
No Response	15,239	10.16%
Active/unclassified	10,395	6.93%
Brand protection	2,056	1.37%
Clone site	195	0.13%
In-page Redirect	702	0.47%
External TLD Redirect	8,904	5.94%
Not Found/Forbidden	6,455	4.30%
Holding Page	20,088	13.39%
Internal Redirect	3,536	2.36%
No Content	782	0.52%
Affiliate Lander	242	0.16%
Matched External TLD Redirect	5,666	3.78%
Duplicate Content (2)	208	0.14%
Duplicate Content (>2)	96	0.06%
PPC Parked	30,473	20.32%
Questionable Content	8	0.01%
Redirect	3,500	2.33%
Sales	3,345	2.23%
HTTPS Redirect	10,013	6.68%
Unavailable	697	0.46%
Video Affiliate Lander	1	0.00%
Adult Affiliate Lander	11	0.01%
Compromised	29	0.02%
Social Media 	6	0.00%
In-zone Redirect	848	0.57%
	150,000	

	.INFO	
Zone Coverage	100.00%	
		
No Site	21,543	14.36%
No Response	16,552	11.03%
Active/unclassified	8,734	5.82%
Brand protection	1,529	1.02%
Clone site	192	0.13%
In-page Redirect	510	0.34%
External TLD Redirect	9,342	6.23%
Not Found/Forbidden	6,513	4.34%
Holding Page	15,195	10.13%
Internal Redirect	3,772	2.51%
No Content	949	0.63%
Affiliate Lander	392	0.26%
Matched External TLD Redirect	5,007	3.34%
Duplicate Content (2)	130	0.09%
Duplicate Content (>2)	60	0.04%
PPC Parked	41,059	27.37%
Questionable Content	2	0.00%
Redirect	3,742	2.49%
Sales	3,245	2.16%
HTTPS Redirect	9,552	6.37%
Unavailable	610	0.41%
Video Affiliate Lander	9	0.01%
Adult Affiliate Lander	80	0.05%
Compromised	635	0.42%
Social Media 	4	0.00%
In-zone Redirect	642	0.43%
	150,000	

There has been a shift towards HTTPS in the last ten years. A website 
may have an IP address in the DNS but that does not necessarily mean 
that a webserver is running on the IP.

The registries and registars definition of DNS Abuse is quite 
conservative. Taken in terms of what can be solved by registries and 
registrars, it is logical. The problem is that due to the declining 
market share of the gTLDs, the "kill chain" for dealing with a problem 
domain name or website is not as well defined as it was once. There is a 
new element: the reseller.

Approximately 25% of the gTLD market (based on the monthly HosterStats 
gTLD transactions reports) consists of resellers with the ICANN 
accredited registrars accounting for the rest of the market. These 
resellers register their domain names in the usual way through the ICANN 
registrars but it is not financially viable for them to become 
accredited ICANN registrars. They are often accredited ccTLD registrars 
in their own country level markets. Blurring the line between DNS Abuse 
and Content Abuse would make dealing with the problem domain 
name/website a bit more complicated because DNS Abuse seems relatively 
clearly defined but there are multiple definitions of Content Abuse.

There is also the issue of Reporting versus Detection. Most phishing 
sites are reported rather than detected. That means that what is 
reported is often the tip of the iceberg. With Content Abuse, ICANN does 
not have the expertise or resources to deal with the issue and that's 
even before there is any clear definition of "Content Abuse". (Is it 
Intellectual Property infringment, phishing, pharming or compromise?)

In terms of Content Abuse, the numbers of defaced websites has dropped 
over the last ten years or so and many compromised sites are more likely 
to have link injection compromises. This is due mainly to old and 
unmaintained plugins for CMSes like Wordpress and Joomla.

Web Usage is no longer a simple active website versus no website. It is 
quite a complex thing to measure and it changes. In defining DNS Abuse, 
there should be an awareness that the format of DNS Abuse will also change.

Regards...jmcc
-- 
**********************************************************
John McCormac  *  e-mail: jmcc at hosterstats.com
MC2            *  web: http://www.hosterstats.com/
22 Viewmount   *  Domain Registrations Statistics
Waterford      *  Domnomics - the business of domain names
Ireland        *  https://amzn.to/2OPtEIO
IE             *  Skype: hosterstats.com
**********************************************************

-- 
This email has been checked for viruses by AVG.
https://www.avg.com

More information about the CPWG mailing list