[CPWG] The Bulk Registrations issue and why it is complex
Theo Geurts
atlarge at dcx.nl
Sun Apr 3 18:39:28 UTC 2022
Good write up John,
Do you have any stats on DGA botnet domains? I have not seen many of those in the last few years, but since Avalanche (2016) and Conficker (2008) they are not the size they used to be?
I do see them at other places: blockchain, IoT, Dropbox API abuse.
Thanks in advance.
Theo
On Sun, Apr 3, 2022, at 6:21 PM, John McCormac via CPWG wrote:
> This is a kind of introduction to bulk registrations based on tracking
> domain name statistics and running Web Usage surveys that measure the
> rates of usage in gTLDs and ccTLDs. I've left out the brand
> protection/IP aspect as that's really covered by UDRP and URS.
>
> The bulk registrations problem is complex but DA is only part of it.
> While spam, botnet C&C and some other registrations are problems in
> terms of DA, many bulk registrations are often borderline "content
> abuse" problems.
>
> Some search engines still have problems with handling links from
> websites and it is not uncommon to see large numbers of webspam websites
> generated from scraped web content from legitimate websites, Social
> Media and even search engine results. The more inbound links a website
> has, the more authoritative it appears. Some search engines have been
> fighting this problem for years.
>
> The software that produces these webspam sites is quite sophisticated
> and it can churn out thousands of these sites in a few hours. The
> essential element is low priced or free domain names. These websites are
> typically one year registrations. They do not renew. This is because the
> economics do not justify paying the full-priced renewal fee. It is
> cheaper to register another heavily discounted domain name either in the
> same gTLD or another gTLD where there is a heavily discounted
> registrations offer running.
>
> There is also a speculative element to some bulk registrations in that
> there are often mini-bubbles which target short domain names (four
> letter (4Ls), five letter (5Ls) and some numerical domain names). Many
> of the registries or brand owners have already registered the three
> letter domain names. Again, some of these trends are linked to
> discounting offers. They are not abusive registrations and often end up
> on domain name sales sites. These trends may start in one gTLD and then,
> once the 4Ls are all registered in that gTLD, move into other gTLDs. The
> Chinese bubble in .COM and other legacy gTLDs is a good example of this
> kind of trend. Most of the bubble registrations did not renew.
>
> Affiliate landers (adult and gambling) are also a feature of bulk
> registrations. There has been somewhat of a shift away from parking
> undeveloped domain names on pay per click (PPC) landing pages. Again,
> these types of bulk registrations have a high attrition rate. These
> affiliate landers have similarities to the automatically generated
> websites mentioned above.
>
> That leaves the real problem categories in bulk registrations.
> Disposable registrations used for spam are part of the bulk
> registrations spectrum but detecting them is made more difficult by the
> damage that GDPR and the reaction to GDPR have caused to WHOIS. The
> problem of deciding what is and is not a spam domain name is compounded
> by the fact that the majority of domain names in most gTLDs do not have
> developed websites. The blacklists generally operate on the principle of
> detected use rather than identifying intent.
>
> Registration for botnet C&C, phishing, pharming and other forms of abuse
> can be obvious and non-obvious. Domain generation algorithms used for
> C&C and other malware generate pseudorandom domain names but sometimes
> these registrations already exist. The problem with a simple approach is
> that some languages, like those in China, may use numbers as part of a
> domain name because they sound like other words. To someone with only
> experience of English, they may appear to be a random string of characters.
>
> Separating these abusive registrations is quite difficult. In the
> absence of WHOIS data and other data it is extremely difficult to guess
> the intent of the registrant. With some of the affiliate lander
> registrations, there is often a clustering pattern in both gTLD and
> webservers. But that only happens with domain names that have
> websites. Spam registrations may only be detected once used for spam and
> even then they have a finite lifespan. (Heavily discounted registrations
> are disposable.)
>
> These are the Quick Delta numbers and percentages of some new gTLDs. The
> Quick Delta compares a gTLD's zonefile with the zonefile from a year ago.
>
> March 2021   Retained   Deleted     Retained %   Deleted %
> 1,317,370    80,358     1,237,012   6.10         93.90
> 246,344      22,025     224,319     8.94         91.06
> 32,838       2,972      29,866      9.05         90.95
>
> Other new gTLDs are quite normal and some even have Quick Delta rates
> approaching those of ccTLDs (very stable). Discounting is part of the
> business model of registries. They use it to grow the number of domain
> names under management.
>
> The theory is much like throwing mud at a wall to see how much sticks. A
> small percentage of domain names will renew at full fee. A registry will
> gradually build up a core set of domain names that may keep renewing but
> the vast majority delete without being renewed. Somewhere in those bulk
> registrations are the abusive registrations. It is made more difficult
> by the fact that most bulk registrations are one year registrations and
> the bulk registration problem is a moving target.
>
> Regards...jmcc
> --
> **********************************************************
> John McCormac * e-mail: jmcc at hosterstats.com
> MC2 * web: http://www.hosterstats.com/
> 22 Viewmount * Domain Registrations Statistics
> Waterford * Domnomics - the business of domain names
> Ireland * https://amzn.to/2OPtEIO
> IE * Skype: hosterstats.com
> **********************************************************
>
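The "Quick Delta" John describes above (this year's zone file compared against the zone file from a year ago, split into retained and deleted names) is easy to reproduce from two zone-file snapshots. The block below is an added example, not John's code or HosterStats tooling; the two zone snippets are constructed sample data, not real registrations, and the parser assumes fully qualified owner names with a trailing dot (the form gTLD zone files are published in). Only NS records count as delegations; glue A records, the SOA and the TLD apex's own NS set are skipped.

```python
"""Quick Delta over two one-year-apart zone-file snapshots (added example)."""
import re
from collections import namedtuple

# Owner name of an NS record. TTL and class are optional in zone-file
# syntax; names and record types are case-insensitive.
NS_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?NS\s+\S", re.IGNORECASE)

QuickDelta = namedtuple(
    "QuickDelta", "year_ago retained deleted new retained_pct deleted_pct")

# Constructed snapshots for a hypothetical TLD "example"; not real data.
ZONE_MARCH_2021 = """\
; constructed sample zone, March 2021
example.                    3600 IN SOA ns1.nic.example. hostmaster.nic.example. 2021030100 7200 3600 1209600 3600
example.                    3600 IN NS  ns1.nic.example.
example.                    3600 IN NS  ns2.nic.example.
bigbrand.example.           3600 IN NS  ns1.bigbrand.example.
ns1.bigbrand.example.       3600 IN A   192.0.2.10
mybusiness.example.         3600 IN NS  ns1.hoster.test.
MYBUSINESS.EXAMPLE.         3600 IN NS  ns2.hoster.test.
abcd.example.               3600 IN NS  ns1.parking.test.
wxyz.example.               3600 IN NS  ns1.parking.test.
free-movies-online.example.      IN NS  ns1.cheaphost.test.
best-casino-bonus.example.  3600 in ns  ns1.cheaphost.test.
shop-deals-2021.example.    3600 IN NS  ns1.cheaphost.test.
qq123.example.              3600 IN NS  ns1.cheaphost.test.
cheap-iphone.example.       3600 IN NS  ns1.cheaphost.test.
pills-discount.example.     3600 IN NS  ns1.cheaphost.test.
"""

ZONE_MARCH_2022 = """\
; constructed sample zone, March 2022
example.                    3600 IN SOA ns1.nic.example. hostmaster.nic.example. 2022030100 7200 3600 1209600 3600
example.                    3600 IN NS  ns1.nic.example.
bigbrand.example.           3600 IN NS  ns1.bigbrand.example.
ns1.bigbrand.example.       3600 IN A   192.0.2.10
mybusiness.example.         3600 IN NS  ns1.hoster.test.
efgh.example.               3600 IN NS  ns1.parking.test.
ijkl.example.               3600 IN NS  ns1.parking.test.
shop-deals-2022.example.    3600 IN NS  ns1.cheaphost.test.
"""


def delegated_names(zone_text, tld):
    """Return the set of delegated domains (lowercase, no trailing dot)."""
    apex = tld.lower().strip(".")
    names = set()
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";$":      # comments and directives
            continue
        m = NS_RECORD.match(line)
        if not m:                            # SOA, glue A/AAAA, DS, ...
            continue
        owner = m.group(1).lower().rstrip(".")
        if owner == apex:                    # the TLD's own NS set
            continue
        if not owner.endswith("." + apex):   # out-of-bailiwick junk
            continue
        names.add(owner)                     # dedups multiple NS records
    return names


def quick_delta(year_ago, now):
    """Compare two sets of delegated names one year apart.

    retained: present in both zones; deleted: in last year's zone only;
    new: registered since.  Percentages are of last year's zone, which is
    how the posted table is laid out.
    """
    retained = year_ago & now
    deleted = year_ago - now
    new = now - year_ago
    total = len(year_ago)

    def pct(n):
        return round(100.0 * n / total, 2) if total else 0.0

    return QuickDelta(total, len(retained), len(deleted), len(new),
                      pct(len(retained)), pct(len(deleted)))


def format_row(qd):
    """Render one row in the layout of the quoted table."""
    return "{:,} {:,} {:,} {:.2f} {:.2f}".format(
        qd.year_ago, qd.retained, qd.deleted, qd.retained_pct, qd.deleted_pct)


def run_example():
    """Quick Delta of the constructed 2022 zone against the 2021 one."""
    return quick_delta(delegated_names(ZONE_MARCH_2021, "example"),
                       delegated_names(ZONE_MARCH_2022, "example"))


if __name__ == "__main__":
    result = run_example()
    print("March 2021 - Retained - Deleted - Retained % - Deleted %")
    print(format_row(result))
```

On real zone files the same set arithmetic applies; the only practical differences are size (tens of millions of lines for the large gTLDs, so stream the file rather than holding the text in memory) and that the "new" count, which the quoted table omits, is what shows whether a discount offer is refilling the zone as fast as last year's registrations drop out.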