The domain name abuses are tracked by measuring the number of registered domain names used in four kinds of abuse: phishing, malware distribution, command and control of botnets, and spam. These abuses are computed by ICANN's Domain Abuse Activity Reporting (DAAR) project.
Each month, the DAAR project establishes lists of domains engaged in the different type of abuses, using a large set of high-confidence reputation (security threat) data feeds. The number of abusive domains can be tabulated based on the domain's TLD, but the registrar in charge of the domain can also be retrieved using Whois data. This gives us eight sets of metrics, computed either by TLD or by Registrar:
|Phishing||Malware distribution||Botnet C&C||Spam|
The first metric in each set (M2.*.*.1) is the number of abuse reported for 10000 domain names. For example, M22.214.171.124 is the number of spam domains per 10000 domain names, tabulated per registrars, and M126.96.36.199 is the same number tabulated per TLD. In theory these two numbers should be the same, as the total number of abuses for all TLD should be the same as the total for each Registrar. It turns out that this is not the case, because of the inclusion of "parked" domains in the TLD counts. These domains are known to be used for abuse, have been taken over by law enforcement or by other regulation systems, and are "parked" in specialized registrars. These specialized registrars are not included in the metrics "per registrar".
As seen in the discussion of metric M1, the average number does not tell the entire story, because the rate of abuse varies widely across the different registrars and the different TLD. It is of course not our role to explain why abusers choose to use the service of a specific registrar, or choose names in a specific TLD, but we wanted to capture the phenomemon and we use for that two metrics in each set: the minimum number of agents (TLD or registrars) that account for 50% of this type of abuse (M2.*.*.2), and the minimum number that account for 90% of the abuse (M2.*.*.3).
The current value of the metrics is available here.