Cyber Security

Spamhaus Exposes The 10 Most Abused Top Level Domains

Top Level Domain (TLD) registries which allow registrars to sell high volumes of domains to professional spammers and malware operators in essence aid and abet the plague of abuse on the Internet. Some registrars and resellers knowingly sell high volumes of domains to these actors for profit, and many registries do not do enough to stop or limit this endless supply of domains.

A TLD may be “bad” in two ways. On one side, the ratio of bad to good domains may be higher than average, indicating that the registry could do a better job of enforcing policies and shunning abusers. However, some TLDs with a high fraction of bad domains may be quite small, and their total number of bad domains could be relatively limited with respect to other, bigger TLDs. Their total “badness” to the Internet is limited by their small total size.

The other side is that some large TLDs may have a large number of bad domains as a result of the sheer size of their domain corpus. Even if their corrective measures are effective, they still constitute a problem on the global scale, and they could assign further resources to improve their anti-abuse processes and bring down the overall number of bad domains.

In defining a “badness” index, we decided to weight in both these factors. With a certain amount of arbitrariness—and at the same time a desire to avoid excessive complications—we defined badness as:

where

  • Db is the number of bad domains detected
  • Dt is the number of active domains observed
Spamhaus Exposes The 10 Most Abused Top Level Domains
Spamhaus Exposes The 10 Most Abused Top Level Domains

You can think of this number as the bad domains fraction weighted with the TLD’s size, or as the order of magnitude of the problem weighted with the effectiveness of anti-abuse policies. Presented this way, this data more closely matches the perceptions Spamhaus staff has in dealing with this issue in a daily production basis. We hope that this definition helps to spotlight registries that in one way or another can be considered problematic, in a fair way.

These data represent domains seen by Spamhaus systems, and not a TLD’s total domain corpus. Domains in this data are in active use, showing up in mail feeds and related DNS traffic. Other domains may be parked or used for traffic outside of our systems’ focus, and those domains are not included in this summary.

The registries listed on this page and include .men, .loan, .qg, .cf, .ml provide spammers and other miscreants with a service they need in order to survive. Many, even most, TLDs succeed, by and large, in keeping abusers off their systems and work to maintain a positive reputation. That success shows that these ten worst could, if they tried, “keep clean” by turning spammers and other abusers away.