The domain name abuses are tracked by measuring the number of registered domain names used in four kinds of abuse: phishing, malware distribution, command and control of botnets, and spam. The number of abusive domains are tabulated either based on the TLD in which they are registered (Measures M2.1.*.*) or based on the registrar that registered them (Measures M2.2.*.*). The values measured each way differ. One reason for the difference is the inclusion of "parked" domains in the TLD counts. These domains are known to be used for abuse, have been taken over by law enforcement or by other regulation systems, and are "parked" in specialized registrars. These specialized registrars are not included in the metrics "per registrar".
Each subset of M2 comprises 4 different sub metrics, one for each type of abuse. For each of these abuse, the first metric (M2.*.*.1) is defined as the number of domains engaged in that type of abuse for 10000 domains. The second and third metric measure the "shape" of the distribution of abuse with two key values: the minimum number of agents (TLD or registrars) that account for 50% of this type of abuse, and the minimum number that account for 90% of the abuse.
The following table provides the value observed for the "abuse per 10,000 domains" metric in the current month, as well as the average value over the 3 previous months, and the "historical" minimum and maximum observed since the beginning of the measurements.
Metric | Current Value | Past 3 months | Historic Low | Historic High | ||
---|---|---|---|---|---|---|
Abuse Domains per 10,000 names registered in GTLDs | Phishing | M2111 (?) | - | - | - | - |
Malware | M2121 (?) | - | - | - | - | |
Botnets C&C | M2131 (?) | - | - | - | - | |
Spam | M2141 (?) | - | - | - | - | |
Number of GTLDs to account for 50% of abuses | Phishing | M2112 (?) | - | - | - | - |
Malware | M2122 (?) | - | - | - | - | |
Botnets C&C | M2132 (?) | - | - | - | - | |
Spam | M2142 (?) | - | - | - | - | |
Number of GTLDs to account for 90% of abuses | Phishing | M2113 (?) | - | - | - | - |
Malware | M2123 (?) | - | - | - | - | |
Botnets C&C | M2133 (?) | - | - | - | - | |
Spam | M2143 (?) | - | - | - | - | |
Abuse Domains per 10,000 names registered by Registrars | Phishing | M2211 (?) | - | - | - | - |
Malware | M2231 (?) | - | - | - | - | |
Botnets C&C | M2231 (?) | - | - | - | - | |
Spam | M2241 (?) | - | - | - | - | |
Number of Registrars to account for 50% of abuses | Phishing | M2212 (?) | - | - | - | - |
Malware | M2222 (?) | - | - | - | - | |
Botnets C&C | M2232 (?) | - | - | - | - | |
Spam | M2242 (?) | - | - | - | - | |
Number of Registrars to account for 90% of abuses | Phishing | M2213 (?) | - | - | - | - |
Malware | M2223 (?) | - | - | - | - | |
Botnets C&C | M2233 (?) | - | - | - | - | |
Spam | M2243 (?) | - | - | - | - |
The following graphs show the evolution over time of the value metrics for each class of abuse, first by registrar and then by GTLD. Please pay attention to the scale, as the number of spam domains is much larger than the number of domains involved in the other forms of malware.
The following graph shows the evolution of the phishing domain metric M2.1.1 (?) over time. This metric is measured on a set of tracked GTLD.
The following graph shows the evolution of the malware domain metric M2.1.2 (?) over time. This metric is measured on a set of tracked GTLD.
The following graph shows the evolution of the botnet command and control domain metric M2.1.3 (?) over time. This metric is measured on a set of tracked GTLD.
The following graph shows the evolution of the spam domain metric M2.1.4 (?) over time. This metric is measured on a set of tracked GTLD.
The following graph shows the evolution of the phishing domain metric M2.2.1 (?) over time. This metric is measured on a set of tracked registrars.
The following graph shows the evolution of the malware domain metric M2.2.2 (?) over time. This metric is measured on a set of tracked registrars.
The following graph shows the evolution of the botnet command and control domain metric M2.2.3 (?) over time. This metric is measured on a set of tracked registrars.
The following graph shows the evolution of the spam domain metric M2.2.4 (?) over time. This metric is measured on a set of tracked registrars.