Back in 2014, ICANN, the organization primarily behind the governance of the Internet, opened up the world to massive amounts of new top-level domains (TLDs) beyond the .com, .org, and .edu domains we were used to. The goal was to begin fixing a problem of the .com domains causing negotiations for people who would gladly offer five or six figures in order to claim the (E.G.) [bikes].com URL for their business.
With a huge number of new websites added to the Internet on a daily basis, the idea was that we needed to reach beyond the six or so locked down TLDs that were available at that time.
The results have been interesting to analyze from a cybersecurity risk standpoint. Spamhaus.org, an international nonprofit organization that tracks spam and related cyberthreats, recently published stats about the spammiest, riskiest TLDs on the Internet. Brian Krebs also wrote a great piece on the report that’s worth a read. It seems the “badness index” for TLDs such as .men, .work., and .click are a few of the highest on the worst list.
And, no, this isn’t just an issue hitting Australia (the “Down Under”); obviously, we just wanted to make a bad pun about Men at Work. We apologize.
The list below is a snippet from the Spamhaus.org report:
“A TLD may be "bad" in two ways. On one side, the ratio of bad to good domains may be higher than average, indicating that the registry could do a better job of enforcing policies and shunning abusers. However, some TLDs with a high fraction of bad domains may be quite small, and their total number of bad domains could be relatively limited with respect to other, bigger TLDs. Their total "badness" to the Internet is limited by their small total size.
The other side is that some large TLDs may have a large number of bad domains as a result of the sheer size of their domain corpus. Even if their corrective measures are effective, they still constitute a problem on the global scale, and they could assign further resources to improve their anti-abuse processes and bring down the overall number of bad domains.”
Read their full report to get an understanding of the rating methods they used to create their list.
The group added a salient point:
“Some registrars and resellers knowingly sell high volumes of domains to these actors for profit, and many registries do not do enough to stop or limit this endless supply of domains.” The particular domains could get off the “bad” list if they chose not to sell to obvious spammers and abusers.
This list provides some really great, hard data that IT and security teams can use to make decisions within their organizations that can greatly reduce the risk for their businesses.
1) First and foremost, ensure that you have the visibility to know what traffic is occurring within your organization.
2) While it is tempting to just blacklist all “bad” TLDs on your networks, “It’s a Mistake” to do so (thanks, again, Men at Work!). Rather, a smarter option would be to use common sense in deciding what should be blocked and filtered.
a. For instance, there may not be a justifiable business reason for your accounting team to be browsing/accessing .party and .sex related sites. Block and filter where required.
3) Monitor for and enable the ability to manage redirects from “good” TLDs to “bad” TLDs.
4) Educate users, educate users, educate users. Much of the ‘badness’ is rooted in dead-simple phishing/ drive-by techniques, which are easily avoided when users are aware and wary of suspicious and/or risky behavior on the Internet.