[CPWG] DNS Abuse and Content Abuse Issues
John McCormac
jmcc at hosterstats.com
Fri Apr 30 06:29:58 UTC 2021
As mentioned on a working group call covering DNS and Content abuse
measurements, these are the December 2020 survey results for 150K sample
surveys for .COM/NET/ORG/BIZ/INFO.
The categories are the HosterStats.com categories for web usage
measurement and some of the methodology is discussed in the Domnomics
book. There is a also spreadsheet of the survey (statistical 150K
surveys for the larger (>1M) new gTLDs and complete gTLD surveys for the
smaller gTLDs) results for the new gTLDs.
The main problem with the discussions on DNS Abuse is that there is no
solid definition, yet, of what consititutes DNS Abuse.
The registries and registrars have a clear understanding of dealing with
DNS Abuse and some Content Abuse as it applies to their customers. There
also seems to be a push to include some forms of intellectual property
(infringement) abuse as DNS Abuse. While the IP community has a valid
point about this form of abuse, it has an inherent problem. Is the
domain name the problem or the content on the website under the domain
name the problem? The domain name problem is often addressed by taking a
UDRP action and that takes time. The legal path with content is less clear.
The problem, in terms of phishing, is probably worse in the new gTLDs
were low registration fees make this kind of activity more economically
feasible. There was a survey (SIDN related) cited in the CCT report that
mentioned that a lot of problematic content shifted from the legacy
gTLDs to the new gTLDs.
.COM
Zone Coverage 100.00%
No Site 16,754 11.17%
No Response 13,002 8.67%
Active/unclassified 15,587 10.39%
Brand protection 261 0.17%
Clone site 216 0.14%
In-page Redirect 895 0.60%
External TLD Redirect 1,299 0.87%
Not Found/Forbidden 7,745 5.16%
Holding Page 13,801 9.20%
Internal Redirect 5,504 3.67%
No Content 923 0.62%
Affiliate Lander 2,480 1.65%
Matched External TLD Redirect 768 0.51%
Duplicate Content (2) 142 0.09%
Duplicate Content (>2) 285 0.19%
PPC Parked 25,860 17.24%
Questionable Content 4 0.00%
Redirect 6,238 4.16%
Sales 11,786 7.86%
HTTPS Redirect 19,933 13.29%
Unavailable 883 0.59%
Video Affiliate Lander 375 0.25%
Adult Affiliate Lander 307 0.20%
Compromised 36 0.02%
Social Media 103 0.07%
In-zone Redirect 4,813 3.21%
150,000
.NET
Zone Coverage 100.00%
No Site 25,010 16.67%
No Response 14,189 9.46%
Active/unclassified 14,085 9.39%
Brand protection 1,877 1.25%
Clone site 217 0.14%
In-page Redirect 997 0.66%
External TLD Redirect 5,904 3.94%
Not Found/Forbidden 6,570 4.38%
Holding Page 16,789 11.19%
Internal Redirect 4,286 2.86%
No Content 1,447 0.96%
Affiliate Lander 1,105 0.74%
Matched External TLD Redirect 3,655 2.44%
Duplicate Content (2) 146 0.10%
Duplicate Content (>2) 208 0.14%
PPC Parked 29,441 19.63%
Questionable Content 3 0.00%
Redirect 3,807 2.54%
Sales 5,107 3.40%
HTTPS Redirect 12,849 8.57%
Unavailable 895 0.60%
Video Affiliate Lander 62 0.04%
Adult Affiliate Lander 223 0.15%
Compromised 175 0.12%
Social Media 1 0.00%
In-zone Redirect 952 0.63%
150,000
.ORG
Zone Coverage 100.00%
No Site 18,403 12.27%
No Response 14,376 9.58%
Active/unclassified 13,439 8.96%
Brand protection 1,384 0.92%
Clone site 196 0.13%
In-page Redirect 969 0.65%
External TLD Redirect 5,011 3.34%
Not Found/Forbidden 6,371 4.25%
Holding Page 16,039 10.69%
Internal Redirect 5,718 3.81%
No Content 587 0.39%
Affiliate Lander 381 0.25%
Matched External TLD Redirect 2,741 1.83%
Duplicate Content (2) 92 0.06%
Duplicate Content (>2) 64 0.04%
PPC Parked 30,936 20.62%
Questionable Content 3 0.00%
Redirect 6,436 4.29%
Sales 4,817 3.21%
HTTPS Redirect 18,109 12.07%
Unavailable 687 0.46%
Video Affiliate Lander 16 0.01%
Adult Affiliate Lander 15 0.01%
Compromised 323 0.22%
Social Media 0 0.00%
In-zone Redirect 2,887 1.92%
150,000
.BIZ
Zone Coverage 100.00%
No Site 26,505 17.67%
No Response 15,239 10.16%
Active/unclassified 10,395 6.93%
Brand protection 2,056 1.37%
Clone site 195 0.13%
In-page Redirect 702 0.47%
External TLD Redirect 8,904 5.94%
Not Found/Forbidden 6,455 4.30%
Holding Page 20,088 13.39%
Internal Redirect 3,536 2.36%
No Content 782 0.52%
Affiliate Lander 242 0.16%
Matched External TLD Redirect 5,666 3.78%
Duplicate Content (2) 208 0.14%
Duplicate Content (>2) 96 0.06%
PPC Parked 30,473 20.32%
Questionable Content 8 0.01%
Redirect 3,500 2.33%
Sales 3,345 2.23%
HTTPS Redirect 10,013 6.68%
Unavailable 697 0.46%
Video Affiliate Lander 1 0.00%
Adult Affiliate Lander 11 0.01%
Compromised 29 0.02%
Social Media 6 0.00%
In-zone Redirect 848 0.57%
150,000
.INFO
Zone Coverage 100.00%
No Site 21,543 14.36%
No Response 16,552 11.03%
Active/unclassified 8,734 5.82%
Brand protection 1,529 1.02%
Clone site 192 0.13%
In-page Redirect 510 0.34%
External TLD Redirect 9,342 6.23%
Not Found/Forbidden 6,513 4.34%
Holding Page 15,195 10.13%
Internal Redirect 3,772 2.51%
No Content 949 0.63%
Affiliate Lander 392 0.26%
Matched External TLD Redirect 5,007 3.34%
Duplicate Content (2) 130 0.09%
Duplicate Content (>2) 60 0.04%
PPC Parked 41,059 27.37%
Questionable Content 2 0.00%
Redirect 3,742 2.49%
Sales 3,245 2.16%
HTTPS Redirect 9,552 6.37%
Unavailable 610 0.41%
Video Affiliate Lander 9 0.01%
Adult Affiliate Lander 80 0.05%
Compromised 635 0.42%
Social Media 4 0.00%
In-zone Redirect 642 0.43%
150,000
There has been a shift towards HTTPS in the last ten years. A website
may have an IP address in the DNS but that does not necessarily mean
that a webserver is running on the IP.
The registries and registars definition of DNS Abuse is quite
conservative. Taken in terms of what can be solved by registries and
registrars, it is logical. The problem is that due to the declining
market share of the gTLDs, the "kill chain" for dealing with a problem
domain name or website is not as well defined as it was once. There is a
new element: the reseller.
Approximately 25% of the gTLD market (based on the monthly HosterStats
gTLD transactions reports) consists of resellers with the ICANN
accredited registrars accounting for the rest of the market. These
resellers register their domain names in the usual way through the ICANN
registrars but it is not financially viable for them to become
accredited ICANN registrars. They are often accredited ccTLD registrars
in their own country level markets. Blurring the line between DNS Abuse
and Content Abuse would make dealing with the problem domain
name/website a bit more complicated because DNS Abuse seems relatively
clearly defined but there are multiple definitions of Content Abuse.
There is also the issue of Reporting versus Detection. Most phishing
sites are reported rather than detected. That means that what is
reported is often the tip of the iceberg. With Content Abuse, ICANN does
not have the expertise or resources to deal with the issue and that's
even before there is any clear definition of "Content Abuse". (Is it
Intellectual Property infringment, phishing, pharming or compromise?)
In terms of Content Abuse, the numbers of defaced websites has dropped
over the last ten years or so and many compromised sites are more likely
to have link injection compromises. This is due mainly to old and
unmaintained plugins for CMSes like Wordpress and Joomla.
Web Usage is no longer a simple active website versus no website. It is
quite a complex thing to measure and it changes. In defining DNS Abuse,
there should be an awareness that the format of DNS Abuse will also change.
Regards...jmcc
--
**********************************************************
John McCormac * e-mail: jmcc at hosterstats.com
MC2 * web: http://www.hosterstats.com/
22 Viewmount * Domain Registrations Statistics
Waterford * Domnomics - the business of domain names
Ireland * https://amzn.to/2OPtEIO
IE * Skype: hosterstats.com
**********************************************************
--
This email has been checked for viruses by AVG.
https://www.avg.com
More information about the CPWG
mailing list