M2: Domain Name Abuse

-

The domain name abuses are tracked by measuring the number of registered domain names used in four kinds of abuse: phishing, malware distribution, command and control of botnets, and spam. The number of abusive domains are tabulated either based on the TLD in which they are registered (Measures M2.1.*.*) or based on the registrar that registered them (Measures M2.2.*.*). The values measured each way differ. One reason for the difference is the inclusion of "parked" domains in the TLD counts. These domains are known to be used for abuse, have been taken over by law enforcement or by other regulation systems, and are "parked" in specialized registrars. These specialized registrars are not included in the metrics "per registrar".

Each subset of M2 comprises 4 different sub metrics, one for each type of abuse. For each of these abuse, the first metric (M2.*.*.1) is defined as the number of domains engaged in that type of abuse for 10000 domains. The second and third metric measure the "shape" of the distribution of abuse with two key values: the minimum number of agents (TLD or registrars) that account for 50% of this type of abuse, and the minimum number that account for 90% of the abuse.

The following table provides the value observed for the "abuse per 10,000 domains" metric in the current month, as well as the average value over the 12 months preceeding this one -- or the average since the beginning of measurements if measurements started fewer than 12 months ago. The columns "Nb 50%" and "Nb 90%" provide the minimum number of TLD or Registrars that account for 50% or 90% of the abuse.

M2 metric name Current Average Nb 50% Nb 90%
Metrics for Registries (TLD)
M2.1.1 = number of Phishing Domains per 10000 domain names - - - -
M2.1.2 = number of Malware Domains per 10,000 domain names - - - -
M2.1.3 = number of Botnet C&C Domains per 10,000 domain names - - - -
M2.1.4 = number of Spam Domains per 10,000 domain names - - - -
Metrics for registrars
M2.2.1 = number of Phishing Domains per 10000 registered domain names - - - -
M2.2.2 = number of Malware Domains per 10,000 registered domain names - - - -
M2.2.3 = number of Botnet C&C Domains per 10,000 registered domain names - - - -
M2.2.4 = number of Spam Domains per 10,000 registered domain names - - - -

The following graphs show the evolution over time of these 4 metrics. Please pay attention to the scale, as the number of spam domains is much larger than the number of domains involved in the other forms of malware.

Evolution of metrics per registry (TLD)

M2.1.1 = number of Phishing Domains per 10000 domain names

The following graph shows the evolution of the phishing domain metric M2.1.1 over time. This metric is measured on a set of tracked GTLD.

M2.1.2 = number of Malware Domains per 10,000 domain names

The following graph shows the evolution of the malware domain metric M2.1.2 over time. This metric is measured on a set of tracked GTLD.

M2.1.3 = number of Botnet C&C Domains per 10,000 domain names

The following graph shows the evolution of the botnet command and control domain metric M2.1.3 over time. This metric is measured on a set of tracked GTLD.

M2.1.4 = number of Spam Domains per 10,000 domain names

The following graph shows the evolution of the spam domain metric M2.1.4 over time. This metric is measured on a set of tracked GTLD.

-

Evolution of metrics M2.2.* per registrar

M2.2.1 = number of Phishing Domains per 10000 registered domain names

The following graph shows the evolution of the phishing domain metric M2.2.1 over time. This metric is measured on a set of tracked registrars.

M2.2.2 = number of Malware Domains per 10,000 registered domain names

The following graph shows the evolution of the malware domain metric M2.2.2 over time. This metric is measured on a set of tracked registrars.

M2.2.3 = number of Botnet C&C Domains per 10,000 registered domain names

The following graph shows the evolution of the botnet command and control domain metric M2.2.3 over time. This metric is measured on a set of tracked registrars.

M2.2.4 = number of Spam Domains per 10,000 registered domain names

The following graph shows the evolution of the spam domain metric M2.2.4 over time. This metric is measured on a set of tracked registrars.

-