[CPWG] The Bulk Registrations issue and why it is complex

John McCormac jmcc at hosterstats.com
Sun Apr 3 18:21:50 UTC 2022 

This is a kind of introduction to bulk registrations based on tracking 
domain name statistics and running Web Usage surveys that measures the 
rates of usage in gTLDs and ccTLDs. I've left out the brand 
protection/IP aspect as that's really covered by UDRP and URS.

The bulk registrations problem is complex but DA is only part of it. 
While spam, botnet C&C and some other registrations are problems in 
terms of DA, many bulk registrations are often borderline "content 
abuse" problems.

Some search engines still have problems with handling links from 
websites and it is not uncommon to see large numbers of webspam websites 
generated from scraped web content from legitimate websites, Social 
Media and even search engine results. The more inbound links a website 
has, the more authoritative it appears. Some search engines have been 
fighting this problem for years.

The software that produces these webspam sites is quite sophisticated 
and it can churn out thousands of these sites in a few hours. The 
essential element is low priced or free domain names. These websites are 
typically one year registrations. They do not renew. This is because the 
economics do not justify paying the full-priced renewal fee. It is 
cheaper to register another heavily discounted domain name either in the 
same gTLD or another gTLD where there is a heavily discounted 
registrations offer running.

There is also a speculative element to some bulk registrations in that 
there are often mini-bubbles which target short domain names (four 
letter (4Ls), five letter (5Ls) and some numerical domain names). Many 
of the registries or brand owners have already registered the three 
letter domain names. Again, some of these trends are linked to 
discounting offers. They are not abusive registrations and often end up 
on domain name sales sites. These trends may start in one gTLD and then, 
once the 4Ls are all registered in that gTLD, move into other gTLDs. The 
Chinese bubble in .COM and other legacy gTLDs is a good example of this 
kind of trend. Most of the bubble registrations did not renew.

Affiliate landers (adult and gambling) are also a feature of bulk 
registrations. There has been somewhat of a shift away from parking 
undeveloped domain names on pay per click (PPC) landing pages. Again, 
these types of bulk registrations have a high attrition rate. These 
affiliate landers have similarities to the automatically generated 
websites mentioned above.

That leaves the real problem categories in bulk registrations. 
Disposable registrations used for spam are part of the bulk 
registrations spectrum but detecting them is made more difficult by the 
damage that GDPR and the reaction to GDPR has caused on WHOIS. The 
problem of deciding what is and is not a spam domain name is compounded 
by the fact that the majority of domain names in most gTLDS do not have 
developed websites. The blacklists generaly operate on the principle of 
detected use rather than identifying intent.

Registration for botnet C&C, phishing, pharming and other forms of abuse 
can be obvious and non-obvious. Domain generation algorithms used for 
C&C and other malware generate pseudorandom domain names but sometimes 
these registrations already exist. The problem with a simple approach is 
that some languages, like those in China, may use numbers as part of a 
domain name because they sound like other words. To someone with only 
experience of English, they may appear to be a random string of characters.

Separating these abusive registrations is quite difficult. In the 
absence of WHOIS data and other data it is extremely difficult to guess 
the intent of the registrant. With some of the affiliate lander 
registrations, there is often a clustering pattern in both gTLD and 
webservers. But that only happens with domain names that a have 
websites. Spam registrations may only be detected once used for spam and 
even then they have a finite lifespan. (Heavily discounted registrations 
are disposable.)

These are the Quick Delta numbers and percentages of some new gTLDs. The 
Quick Delta compares a gTLD's zonefile with the zonefile from a year ago.

March 2021 - - Retained - Deleted - Retained % - Deleted %
1,317,370	80,358	1,237,012	6.10	93.90
246,344	22,025	224,319	8.94	91.06
32,838	2,972	29,866	9.05	90.95

Other new gTLDs are quite normal and some even have Quick Delta rates 
approaching those of ccTLDs (very stable). Discounting is part of the 
business model of registries. They use it to grow the number of domain 
name under management.

The theory is much like throwing mud at a wall to see how much sticks. A 
small percentage of domain names will renew at full fee. A registry will 
gradually build up a core set of domain names that may keep renewing but 
the vast majority delete without being renewed. Somewhere in those bulk 
registrations are the abusive registrations. It is made more difficult 
by the fact that most bulk registrations are one year registrations and 
the bulk registration problem is a moving target.

Regards...jmcc
-- 
**********************************************************
John McCormac  *  e-mail: jmcc at hosterstats.com
MC2            *  web: http://www.hosterstats.com/
22 Viewmount   *  Domain Registrations Statistics
Waterford      *  Domnomics - the business of domain names
Ireland        *  https://amzn.to/2OPtEIO
IE             *  Skype: hosterstats.com
**********************************************************

-- 
This email has been checked for viruses by AVG.
https://www.avg.com

More information about the CPWG mailing list