Public Comment CloseStatement



Call for
Comments Open
Call for
Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number

27 September 2017

Statistical Analysis of DNS Abuse in gTLDs (SADAG) Report

No Statement



Hide the information below, please click here 


The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 




The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.




The first draft submitted will be placed here before the call for comments begins.



  1. Olivier Crepin-Leblond advised the ALAC not to comment on this public comment proceeding, with the following assessment: 

     I have read the SADAG report and have found it very interesting.

    First thing, I was surprised to see that .pharmacy was seen as community TLD. (p.2) but then that's not the topic of the report. There are a few other grammatical errors, but that's no big deal either. What matters is the substance of the paper. 

    It basically confirms our suspicions when we spoke of misuse of TLDs and made our case regarding sensitive strings. Alan will remember this episode in Singapore when Alan, Evan and I had a meeting with the NGPC and several members of the GNSO - including contracted parties. What we are seeing now is the proof of the pudding - that:

    "While legacy gTLDs collectively
    had a spam-domains-per-10,000 rate of 56.9, in the last quarter of
    2016, the new gTLDs experienced a rate of 526.6–which is almost
    one order of magnitude higher. "

    The methodology and technical details of the analysis are of good quality. The model which they used to perform the crawl of the domain name space appears to be thorough, thus I have no reason to believe that the analysis would be flawed.

    Some of the report's findings show that some new gTLDs are very affected by misuse/malware domains.
    Gibraltar (surprise!) figures on the top of Registrars with most malware domains.
    Community gTLDs are less likely to be used for malware that standard gTLDs.
    Cheaper domains appear to be more used for malware - although the authors do writein their conclusions:  "It is not clear, however, if pricing is the only factor driving high concentra-
    tions of maliciously registered domains."

    But they do also say:

    "Our findings suggest that some new gTLDs have become
    a growing target for malicious actors." (page 25)

    Well, nothing really new in this, but it corroborates the work that ICANN has done, as well as many other groups like the APWG.

    But at present, short of congratulating the authors of the report and asking the CCT-RT to take strong note of the report's finding, including expressing the concern that we have about the use of new gTLD for malware, I don't see any other reason to write a Statement/Comment.
    I asked Tatiana Tropina to also go through the report. She did note that one thing was missing: whether abuse correlates with semantic properties of the gTLD names, e.g. some names are more attractive to abuse because of the words themselves. As the authors are explaining that they are seeing some potential for further work, it might be interesting to suggest this to them.

    Last, I note that there is a Webinar about the topic:[]
    I would encourage At-Large participants to participate in the Webinar. Perhaps during that Webinar should many At-Large participants express their concerns.

  2. First, a big thank you to Olivier for his response and the concerns it raises, yet again,  I'm sorry I missed the webinar - I was on holidays and staying with friends so couldn't participate - but I hope we follow through on what is an important issue for end users