
.COM - The Riskiest Top-Level Domain? (Part 2)

Terry Zink

Following up from my post yesterday, I thought I would take a look at how spammy each particular TLD is. At the moment, I only track 8 TLDs: .cn, .ru, .com, .net, .org, .info, .biz and .name. To see which one is the spammiest, I took all of our post-IP blocked mail and determined how many times each TLD occurred in email, and how many times that email was marked as spam. This marking occurs before the message is bifurcated into multiple recipients; if it happened afterwards, that could potentially skew the results because the amount of mail marked as spam by our content filter prior to bifurcation is about 1/3 of the email stream.

Anyhow, here are the results for how often a message containing a URL in a particular TLD is marked as spam (I omitted .name):

Rank  Domain  % Spam
1     .ru     96.6%
2     .info   84.2%
3     .cn     40.4%
4     .net    22.8%
5     .biz    20.7%
6     .org    19.9%
7     .com    18.9%

Looking at the numbers this way, the .ru domain is by far the spammiest domain as nearly every single message with a .ru in it is marked as spam. .cn has cleaned up its act this year but is still having problems. The .com domain is way below that in last place. Now, this does not necessarily mean that every message with a .com domain is clean, but rather, that we found characteristics in the mail such that the mail was likely to be non-spam rather than spam (we only count an occurrence of a domain once per message so if there are multiple .com's per message, we only count it once). Looking at it this way it is clear that the .com TLD is actually one of the cleanest TLDs, the opposite of what McAfee's report found.

However, this is not the best way to measure how risky the domain is. We should also measure prevalence. To do that, I counted up the total occurrences of a particular domain (i.e., their absolute count). I then multiplied the count by the % spam and then normalized the counts. The result is a Riskiness rating, with the table outlined below:

Rank  Domain  % Spam  Riskiness
1     .com    18.9%   187
2     .ru     96.6%   106
3     .org    19.9%   93
4     .net    22.8%   47
5     .info   84.2%   23
6     .cn     40.4%   2
7     .biz    20.7%   1

The way to interpret this table is that for every 1 message marked as spam that contained a .biz, 187 messages marked as spam contained a .com, 106 contained a .ru, and so forth. Going by this, the amount of .com's that are spammy shoots straight to the top because while the proportion of abuse is smaller, the rate at which all kinds of spammers go for .com is very large. This chart illustrates that the .cn domain is still abused (lots of spammers pick it compared to non-spammers) but it just isn't seen in the wild being abused in spam nearly as much as the .com domain. To put this another way, given a particular email message marked as spam that contains a domain, there is a 40% chance that the domain is a .com, and a 23% chance that it contains a .ru (assuming we only pick from these seven TLDs).

From this perspective, the .com domain remains the most abused TLD, but primarily because of its popularity with the general public, not necessarily because its security is lax. Lots of people use .com for legitimate purposes, whereas almost nobody uses .ru for legitimate purposes.
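The calculation described above, as an added Python example (not the author's code): it counts each tracked TLD once per message, computes % spam, multiplies count by % spam and normalizes to the smallest non-zero value. The sample messages and hostnames are constructed; `PAGE_RISKINESS` is the Riskiness column from the second table.

```python
from collections import Counter
from urllib.parse import urlsplit

TRACKED = (".cn", ".ru", ".com", ".net", ".org", ".info", ".biz")

# Riskiness column from the second table above.
PAGE_RISKINESS = {".com": 187, ".ru": 106, ".org": 93, ".net": 47,
                  ".info": 23, ".cn": 2, ".biz": 1}

# Constructed sample: (URLs found in the message, content-filter verdict).
SAMPLE = (
    [(["http://shop.example.com/a", "http://cdn.example.com/b"], False)] * 8
    + [(["http://promo.example.com/x"], True)] * 2
    + [(["http://pills.example.ru/"], True)]
)

def tlds_in_message(urls):
    """Tracked TLDs present in one message; a TLD counts once per message."""
    found = set()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        found.update(t for t in TRACKED if host.endswith(t))
    return found

def tld_stats(messages):
    """Return {tld: (% spam, riskiness)} for an iterable of (urls, is_spam)."""
    total, spam = Counter(), Counter()
    for urls, is_spam in messages:
        for tld in tlds_in_message(urls):
            total[tld] += 1
            spam[tld] += int(is_spam)
    rate = {t: spam[t] / total[t] for t in total}
    weighted = {t: total[t] * rate[t] for t in total}   # count x % spam
    positive = [v for v in weighted.values() if v > 0]
    floor = min(positive) if positive else 1.0          # smallest maps to 1
    return {t: (100 * rate[t], weighted[t] / floor) for t in total}

def spam_share(riskiness):
    """Chance that a spam message carrying a tracked TLD carries each one."""
    whole = sum(riskiness.values())
    return {t: r / whole for t, r in riskiness.items()}

if __name__ == "__main__":
    for tld, (pct, risk) in tld_stats(SAMPLE).items():
        print(f"{tld:6} {pct:5.1f}% spam  riskiness {risk:.0f}")
    for tld, share in spam_share(PAGE_RISKINESS).items():
        print(f"{tld:6} {share:.1%} of spam carrying a tracked TLD")
```

In the constructed sample .com has a 20% spam rate against 100% for .ru, yet twice the riskiness, which is the same base-rate effect the two tables show.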

By Terry Zink, Program Manager

Share your comments

Spam and "riskiness" not the same
Frank Bulk – Nov 12, 2010 10:51 AM PDT

Perhaps the NetworkWorld report was just a launching spot to look at spam, but please don't equate riskiness and spam.  According to the report, they looked at "Web sites analyzed [that] are considered risky for malware distribution and attack code".  How much spam a country originates may have absolutely no bearing or correlation on web sites they host.

Frank

Not "websites they host"
Suresh Ramasubramanian – Nov 13, 2010 6:20 PM PDT

More like - "how good or bad are registries and local registrars in keeping spammers from buying massive amounts of domains on the TLDs / ccTLDs they control or provide services to".

There are several other TLDs / ccTLDs that have handled these issues quickly, without fuss and proactively. Others (like HKDNR for .hk) did the right thing but only after a barrage of negative publicity and a lot of pressure + assistance from multiple people.
