The “bad” domains have something in common.
Update: DomainTools has taken the report down to verify/update some calculations. Its website states:
We are investigating a possible error in one of the data inputs we use for this seasonal Domain Report and until we can remediate our concern we are choosing to suspend the previously published version.
It is unclear whether this will change the rankings or the conclusions it published before. This post will be updated when DomainTools republishes its report.
Cybersecurity company DomainTools has published its Spring 2022 Report, naming and shaming top level domains that it says are overrepresented for badness.
Rather than rank by absolute numbers of malware, phishing, and spam domains, DomainTools analyzed the prevalence of usage compared to the number of domains registered.
And here’s the bottom line: domains offered for free or cheap are the most abused. Full stop.
This has been the case for a long time and will be the case in the future. Registries that offer cheap domains have more bad people using their domains.
You find this in other internet resources, too. Let’s Encrypt shows up high in DomainTools’ badness reports for SSL certificates, and it offers SSL for free.
Some of the TLDs on the list might do an excellent job cleaning up bad activity when it’s discovered. But by the time a domain lands on a phishing or malware blocklist, a lot of damage has already been done.
.Xyz, for example, uses blocklists and an in-house system for monitoring abuse. It quickly suspends domains that are misused. But it still lands high on DomainTools’ lists. DomainTools stated:
Sorry, .xyz, but your reputation in the infosec community is what it is for a reason. In the Malware category, we observed over 323,000 domains in .xyz, a significant uptick from its previous showing of a still-substantial ~207,000. Couple this with the signal strength of 108.60, and it becomes especially clear why this TLD has the reputation it does.
In the report's methodology, a signal strength of 1.0 is neutral. Anything below that is positive, and anything above it is negative. So 108.6 is a very high number.
In response to the report, XYZ told Domain Name Wire, “We have reached out to DomainTools to discuss their report. We dispute their findings, and would love to cooperatively work together to clear up any misconceptions.”
While .xyz shows up in some categories, other TLDs take the honors in others.
According to DomainTools, .buzz is worst for phishing, and .cam is worst for spam. I’m a bit surprised that .cam isn’t in the top 10 for phishing because of its similarity to .com. But in a raw numbers game, phishers will take the cheapest domains, not the ones most likely to dupe people.
Freenom’s free names also make the list, including .ml, .ga, .cf and .gq. .Tk is its most-registered domain, but the sheer volume of registrations might save it from appearing at the top of these lists because of DomainTools’ methodology.
So, what incentives do TLD operators have to reduce badness? In the long run, top level domains that appear on lists like this could have lower email deliverability and flag more security warnings, ultimately making them worse for all of their registrants.
The TLD operators have a couple of options to fix the problem. One is to invest in proactive suspension systems. The other is just to raise first-year prices by a few dollars.
Here are the top 5 worst in each category, according to DomainTools.