An interesting report on newly used domain names and their usage in spam

May 28, 2019

One of the interesting things from Geoff Huston's DNS-OARC 30: Bad news for DANE (via, which has useful comments, especially from tptacek; see also Against DNSSEC) is some information about the churn in new domain names over the time span of a week, in a section called "The modality of mortality of domain names". I'm just going to quote the end summary, but the whole section is well worth reading. The summary:

The majority of the short-lived names were observed in the gTLD space, and here blacklisting is the primary cause of name death. This was also observed in those ccTLDs that are used as generic TLDs. Overall, some 8% of new names die within seven days.

The observation from this study is that we appear to be spending a huge set of resources to remove names that should never have existed in the first place. If further rounds of new gTLD rounds turn out to be little more than an exercise to offer more choices for spammers, then why are we doing this to ourselves?

(Geoff Huston's article has the wrong link for the presentation materials; the correct link is The Modality of Mortality in Domain Names. Also, 'name death' here does not mean that the DNS records are removed; merely being listed on a domain blacklist is enough. From Paul Vixie's slides, the domain blacklists used are Spamhaus, Swinog URIBL, and SURBL.)

The cynical observation is that people pay a lot of money to register as operators for new gTLDs, and who is going to turn down that money? The operators may not make much money (but maybe they do, from some spammers), but the people who approve new gTLDs and get money for them sure do.

Another striking thing from the slides is that almost 1/5th of new gTLD domains die within a week, and it is usually due to blacklists. This is a much higher rate of death than the overall numbers, which backs up what I suspect will be most people's intuition that random gTLD domain names are most likely to be involved in spam. Some gTLDs have dramatic death rates in the study; the slides suggest that 65% of new domains in .date get blacklisted within a week, for example.

This is for 'newly observed domains', which means that this is the first time the domain names have been seen in use. They may or may not have been registered recently, although the speculation that some fast removals from the DNS result from credit card chargebacks and other charging failures suggests that recent registration may often be the case as well.

Since blacklisting is apparently often so fast, there is an obvious approach in an anti-spam system that wanted to do the work. You could keep track of domain names that you've seen in email and then temporarily defer all messages with new domain names for six hours or so. This is a clear extension of IP-based or sender-based greylisting, with part of the same goal of hoping that any bad actors appear on blocklists before you reach your timeout period and accept the email.
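As an added illustration of the domain-based greylisting idea sketched above (this is example code written for this page, not something the post or any mail system it mentions ships), here is a small Python decision routine. It remembers when each domain was first seen in a sender address or a URL, defers any message that mentions a domain younger than the deferral window (six hours by default, matching the post), and rejects outright if a domain has since shown up on a blocklist. The `is_blocklisted` callable is an assumed hook standing in for a real DNSBL lookup; the regexes, the `DomainGreylister` class, and the sample messages in the usage section are all constructed for this example.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Deferral window from the post: "six hours or so".
DEFER_SECONDS = 6 * 3600

# Constructed extractors: domain part of an address, and host part of an http(s) URL.
ADDR_DOMAIN_RE = re.compile(r'@([A-Za-z0-9.-]+)')
URL_DOMAIN_RE = re.compile(r'https?://([A-Za-z0-9.-]+)', re.IGNORECASE)


def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot so 'Example.COM.' and 'example.com' match."""
    return domain.lower().rstrip('.')


def extract_domains(sender: str, body: str) -> List[str]:
    """Collect every domain mentioned in the envelope sender and in URLs in the body."""
    found = set()
    for m in ADDR_DOMAIN_RE.finditer(sender):
        found.add(normalize(m.group(1)))
    for m in URL_DOMAIN_RE.finditer(body):
        found.add(normalize(m.group(1)))
    return sorted(found)


@dataclass
class DomainGreylister:
    """Greylist on first-seen domain names instead of (or in addition to) sender IPs."""
    defer_seconds: float = DEFER_SECONDS
    # Assumed hook: a real deployment would query a DNS-based blocklist here.
    is_blocklisted: Callable[[str], bool] = field(default=lambda domain: False)
    first_seen: Dict[str, float] = field(default_factory=dict)

    def decide(self, sender: str, body: str, now: float = None) -> Tuple[str, List[str]]:
        """Return ('reject' | 'defer' | 'accept', domains that drove the decision)."""
        now = time.time() if now is None else now
        domains = extract_domains(sender, body)

        # Blocklist wins: a domain that was new at first delivery attempt may have
        # been listed by the time the sender retries, which is the whole point.
        blocked = [d for d in domains if self.is_blocklisted(d)]
        if blocked:
            return ('reject', blocked)

        # Record first sightings, then defer if any domain is still inside the window.
        young = []
        for d in domains:
            self.first_seen.setdefault(d, now)
            if now - self.first_seen[d] < self.defer_seconds:
                young.append(d)
        if young:
            return ('defer', young)
        return ('accept', [])


if __name__ == '__main__':
    # Constructed usage: one never-before-seen domain, retried after the window expires.
    g = DomainGreylister()
    t0 = time.time()
    print(g.decide('alice@example.com', 'see https://example.com/news', now=t0))
    print(g.decide('alice@example.com', 'see https://example.com/news', now=t0 + 7 * 3600))
```

A real mail server would persist `first_seen` across restarts and expire entries that have not been seen for a long time, and it would answer "defer" with a 4xx temporary failure so that legitimate senders retry while most spam cannon software simply moves on.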

Written on 28 May 2019.
Last modified: Tue May 28 17:03:32 2019