M2: Domain Name Abuse

-

The domain name abuses are tracked by measuring the number of registered domain names used in four kinds of abuse: phishing, malware distribution, command and control of botnets, and spam. The number of abusive domains are tabulated either based on the TLD in which they are registered (Measures M2.1.*.*) or based on the registrar that registered them (Measures M2.2.*.*). The values measured each way differ. One reason for the difference is the inclusion of "parked" domains in the TLD counts. These domains are known to be used for abuse, have been taken over by law enforcement or by other regulation systems, and are "parked" in specialized registrars. These specialized registrars are not included in the metrics "per registrar".

Each subset of M2 comprises 4 different sub metrics, one for each type of abuse. For each of these abuse, the first metric (M2.*.*.1) is defined as the number of domains engaged in that type of abuse for 10000 domains. The second and third metric measure the "shape" of the distribution of abuse with two key values: the minimum number of agents (TLD or registrars) that account for 50% of this type of abuse, and the minimum number that account for 90% of the abuse.

The metrics incorporate data from many GTLD and many registrars.

The following table provides the value observed for the "abuse per 10,000 domains" metric in the current month, as well as the average value over the 3 previous months, and the "historical" minimum and maximum observed since the beginning of the measurements.

MetricCurrent ValuePast 3 monthsHistoric LowHistoric High
Abuse Domains per 10,000 names registered in GTLDs Phishing M2111 (?) - - - -
Malware M2121 (?) - - - -
Botnets C&C M2131 (?) - - - -
Spam M2141 (?) - - - -
Number of GTLDs to account for 50% of abuses Phishing M2112 (?) - - - -
Malware M2122 (?) - - - -
Botnets C&C M2132 (?) - - - -
Spam M2142 (?) - - - -
Number of GTLDs to account for 90% of abuses Phishing M2113 (?) - - - -
Malware M2123 (?) - - - -
Botnets C&C M2133 (?) - - - -
Spam M2143 (?) - - - -
Abuse Domains per 10,000 names registered by Registrars Phishing M2211 (?) - - - -
Malware M2231 (?) - - - -
Botnets C&C M2231 (?) - - - -
Spam M2241 (?) - - - -
Number of Registrars to account for 50% of abuses Phishing M2212 (?) - - - -
Malware M2222 (?) - - - -
Botnets C&C M2232 (?) - - - -
Spam M2242 (?) - - - -
Number of Registrars to account for 90% of abuses Phishing M2213 (?) - - - -
Malware M2223 (?) - - - -
Botnets C&C M2233 (?) - - - -
Spam M2243 (?) - - - -

The following graphs show the evolution over time of the value metrics for each class of abuse, first by registrar and then by GTLD. Please pay attention to the scale, as the number of spam domains is much larger than the number of domains involved in the other forms of malware.

Evolution of metrics per registry (TLD)

M2.1.1 = number of Phishing Domains per 10000 domain names

The following graph shows the evolution of the phishing domain metric M2.1.1 (?) over time. This metric is measured on a set of tracked GTLD.

M2.1.2 = number of Malware Domains per 10,000 domain names

The following graph shows the evolution of the malware domain metric M2.1.2 (?) over time. This metric is measured on a set of tracked GTLD.

M2.1.3 = number of Botnet C&C Domains per 10,000 domain names

The following graph shows the evolution of the botnet command and control domain metric M2.1.3 (?) over time. This metric is measured on a set of tracked GTLD.

M2.1.4 = number of Spam Domains per 10,000 domain names

The following graph shows the evolution of the spam domain metric M2.1.4 (?) over time. This metric is measured on a set of tracked GTLD.

-

Evolution of metrics M2.2.* per registrar

M2.2.1 = number of Phishing Domains per 10000 registered domain names

The following graph shows the evolution of the phishing domain metric M2.2.1 (?) over time. This metric is measured on a set of tracked registrars.

M2.2.2 = number of Malware Domains per 10,000 registered domain names

The following graph shows the evolution of the malware domain metric M2.2.2 (?) over time. This metric is measured on a set of tracked registrars.

M2.2.3 = number of Botnet C&C Domains per 10,000 registered domain names

The following graph shows the evolution of the botnet command and control domain metric M2.2.3 (?) over time. This metric is measured on a set of tracked registrars.

M2.2.4 = number of Spam Domains per 10,000 registered domain names

The following graph shows the evolution of the spam domain metric M2.2.4 (?) over time. This metric is measured on a set of tracked registrars.

-