"The aim of the project was a statistical analysis of domain name abuse in new and legacy gTLDs," explained Maarten Wullink, Senior Research Engineer at SIDN Labs, the research arm of SIDN. "The New Generic Top-Level Domain Programme that ICANN started in 2013 has led to more than 1,200 new gTLDs being added to the domain name system. And this is the first time that the abuse of new and legacy top-level domain names has been subject to rigorous scientific study."
Spam is migrating to new gTLDs
The report looks at the abuse of new gTLDs for malicious practices such as phishing, spamming and malware distribution. One striking finding is that, although the overall volume of spam is fairly stable, spammers are increasingly leaving legacy gTLDs and working from new gTLDs instead. However, there are big differences between the new gTLDs. "For one in three new gTLDs, not a single spam report was made in the fourth quarter of 2016," points out Maciej Korczynski, who worked on the study for TU Delft . "Yet, in the same period, Spamhaus blacklisted fifteen new gTLDs because at least 10 per cent of their registered domain names were being used to send spam."
"The results of the study show that some new gTLDs are more popular with spammers than others," adds Maarten Wullink. "That might be because the gTLDs in question have less strict registration conditions, or simply because they are cheap. Or maybe both."
CCT Review Team
SIDN Labs and TU Delft carried out their Statistical Analysis of DNS Abuse in gTLDs (SADAG) for ICANN's Competition, Consumer Trust and Consumer Choice (CCT) Review Team. Visit ICANN's website for the final report. The CCT Review Team's role is to evaluate ICANN's New gTLD Programme. It'll use the study's findings to make recommendations about the prevention and reduction of domain name abuse.
SIDN Labs will also be using methodology and findings of the SADAG study for a project of its own called DNS-EMAP. The project will involve mapping the DNS ecosystem in order to track security incidents and identify players with high abuse concentrations, for example. Relationships between high-abuse players and others will be examined as well. "We'll be using the SADAG methodology and statistics to build a model of the players within a TLD," says Maarten Wullink. "That'll mean looking at things such as DNS resolvers, domain names, registrars and web servers. The aim is then to assign security attributes to the various players."