[CPWG] The Bulk Registrations issue and why it is complex

Theo Geurts atlarge at dcx.nl
Sun Apr 3 18:39:28 UTC 2022


Good write up John, 

Do you have any stats on DGA botnet domains? I have not seen much of those in the last few years, but since Avalanche (2016) and Conficker (2008) they are not the size they used to be?
I do see them at other places, blockchain, IOT, dropbox API abuse. 

Thanks in advance. 
Theo

On Sun, Apr 3, 2022, at 6:21 PM, John McCormac via CPWG wrote:
> This is a kind of introduction to bulk registrations based on tracking 
> domain name statistics and running Web Usage surveys that measure the 
> rates of usage in gTLDs and ccTLDs. I've left out the brand 
> protection/IP aspect as that's really covered by UDRP and URS.
> 
> The bulk registrations problem is complex but DA is only part of it. 
> While spam, botnet C&C and some other registrations are problems in 
> terms of DA, many bulk registrations are often borderline "content 
> abuse" problems.
> 
> Some search engines still have problems with handling links from 
> websites and it is not uncommon to see large numbers of webspam websites 
> generated from scraped web content from legitimate websites, Social 
> Media and even search engine results. The more inbound links a website 
> has, the more authoritative it appears. Some search engines have been 
> fighting this problem for years.
> 
> The software that produces these webspam sites is quite sophisticated 
> and it can churn out thousands of these sites in a few hours. The 
> essential element is low priced or free domain names. These websites are 
> typically one year registrations. They do not renew. This is because the 
> economics do not justify paying the full-priced renewal fee. It is 
> cheaper to register another heavily discounted domain name either in the 
> same gTLD or another gTLD where there is a heavily discounted 
> registrations offer running.
> 
> There is also a speculative element to some bulk registrations in that 
> there are often mini-bubbles which target short domain names (four 
> letter (4Ls), five letter (5Ls) and some numerical domain names). Many 
> of the registries or brand owners have already registered the three 
> letter domain names. Again, some of these trends are linked to 
> discounting offers. They are not abusive registrations and often end up 
> on domain name sales sites. These trends may start in one gTLD and then, 
> once the 4Ls are all registered in that gTLD, move into other gTLDs. The 
> Chinese bubble in .COM and other legacy gTLDs is a good example of this 
> kind of trend. Most of the bubble registrations did not renew.
> 
> Affiliate landers (adult and gambling) are also a feature of bulk 
> registrations. There has been somewhat of a shift away from parking 
> undeveloped domain names on pay per click (PPC) landing pages. Again, 
> these types of bulk registrations have a high attrition rate. These 
> affiliate landers have similarities to the automatically generated 
> websites mentioned above.
> 
> That leaves the real problem categories in bulk registrations. 
> Disposable registrations used for spam are part of the bulk 
> registrations spectrum but detecting them is made more difficult by the 
> damage that GDPR and the reaction to GDPR has caused on WHOIS. The 
> problem of deciding what is and is not a spam domain name is compounded 
> by the fact that the majority of domain names in most gTLDS do not have 
> developed websites. The blacklists generally operate on the principle of 
> detected use rather than identifying intent.
> 
> Registration for botnet C&C, phishing, pharming and other forms of abuse 
> can be obvious and non-obvious. Domain generation algorithms used for 
> C&C and other malware generate pseudorandom domain names but sometimes 
> these registrations already exist. The problem with a simple approach is 
> that some languages, like those in China, may use numbers as part of a 
> domain name because they sound like other words. To someone with only 
> experience of English, they may appear to be a random string of characters.
> 
> Separating these abusive registrations is quite difficult. In the 
> absence of WHOIS data and other data it is extremely difficult to guess 
> the intent of the registrant. With some of the affiliate lander 
> registrations, there is often a clustering pattern in both gTLD and 
> webservers. But that only happens with domain names that have 
> websites. Spam registrations may only be detected once used for spam and 
> even then they have a finite lifespan. (Heavily discounted registrations 
> are disposable.)
> 
> These are the Quick Delta numbers and percentages of some new gTLDs. The 
> Quick Delta compares a gTLD's zonefile with the zonefile from a year ago.
> 
> March 2021   Retained   Deleted     Retained %   Deleted %
> 1,317,370    80,358     1,237,012   6.10         93.90
> 246,344      22,025     224,319     8.94         91.06
> 32,838       2,972      29,866      9.05         90.95
> 
> Other new gTLDs are quite normal and some even have Quick Delta rates 
> approaching those of ccTLDs (very stable). Discounting is part of the 
> business model of registries. They use it to grow the number of domain 
> names under management.
> 
> The theory is much like throwing mud at a wall to see how much sticks. A 
> small percentage of domain names will renew at full fee. A registry will 
> gradually build up a core set of domain names that may keep renewing but 
> the vast majority delete without being renewed. Somewhere in those bulk 
> registrations are the abusive registrations. It is made more difficult 
> by the fact that most bulk registrations are one year registrations and 
> the bulk registration problem is a moving target.
> 
> Regards...jmcc
> -- 
> **********************************************************
> John McCormac  *  e-mail: jmcc at hosterstats.com
> MC2            *  web: http://www.hosterstats.com/
> 22 Viewmount   *  Domain Registrations Statistics
> Waterford      *  Domnomics - the business of domain names
> Ireland        *  https://amzn.to/2OPtEIO
> IE             *  Skype: hosterstats.com
> **********************************************************
> 
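The Quick Delta figures quoted above (year-old zone total, retained, deleted, and the two percentages) can be reproduced from two zone snapshots. The following is an added example, not code from the post or from hosterstats.com; the zone snapshots in it are constructed, and real zone files would first be reduced to bare domain labels.

```python
"""Quick Delta: compare a TLD's zone file with the snapshot from a year ago.

Added example (not from the CPWG post). The zone snapshots below are
constructed; real zone files list one name per line (with NS records),
so a loader would normalise them to bare domain labels first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuickDelta:
    total_old: int       # names in the year-old zone
    retained: int        # still present in the current zone
    deleted: int         # present a year ago, gone now
    retained_pct: float  # retained / total_old, as a percentage
    deleted_pct: float   # deleted / total_old, as a percentage


def pct(part: int, whole: int) -> float:
    """Percentage rounded to two decimals; 0.0 for an empty baseline."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def quick_delta(old_zone: set[str], new_zone: set[str]) -> QuickDelta:
    """Year-on-year survival of the names that were in the old zone.

    Names added during the year are not counted: Quick Delta only asks
    how many of last year's registrations are still in the zone.
    """
    old = {d.lower().rstrip(".") for d in old_zone}
    new = {d.lower().rstrip(".") for d in new_zone}
    retained = len(old & new)
    deleted = len(old - new)
    return QuickDelta(len(old), retained, deleted,
                      pct(retained, len(old)), pct(deleted, len(old)))


def quick_delta_from_counts(total_old: int, retained: int) -> QuickDelta:
    """Same figures when only the zone totals are known (as in the post)."""
    deleted = total_old - retained
    return QuickDelta(total_old, retained, deleted,
                      pct(retained, total_old), pct(deleted, total_old))


# Constructed snapshots: ten names a year ago, three of them still in the zone
OLD_ZONE = {f"name{i}.example." for i in range(10)}
NEW_ZONE = {"NAME0.example.", "name1.example.", "name2.example.",
            "newreg1.example.", "newreg2.example."}

if __name__ == "__main__":
    qd = quick_delta(OLD_ZONE, NEW_ZONE)
    print(f"{qd.total_old:>10,} {qd.retained:>8,} {qd.deleted:>8,} "
          f"{qd.retained_pct:>6.2f} {qd.deleted_pct:>6.2f}")
```

Feeding the first row's totals to `quick_delta_from_counts` gives back the 6.10 / 93.90 split quoted in the post.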