When a new top-level domain (TLD) is starting out, we understand that it needs to find its way to being commercially viable. But registries need to walk a fine line between profit and managing abuse on their TLD. One of the Spamhaus Project Team takes a look at TLD ".sld".

Profit V managing abuse

On the side of profit, a registry requires as many domains as possible to be registered and operating with its TLD. Meanwhile, on the side of managing abuse, a registry needs to pro-actively work with the relevant organizations to assist in taking down malicious domains and stop bad actors from registering new ones. We don’t know precisely where the line falls between the two – it’s not our job to. Nevertheless, it is the job of our researchers and analysts to list malicious domains.

Is it, or isn’t it terminated?

.sbs recently came to our attention. We’ll be honest, at an initial glance, we thought this TLD was in the process of being terminated but quickly realized this wasn’t the case.

In November 2014, .sbs was registered with ICANN by Australia Broadcaster, Special Broadcasters Services (SBS), and yes, you can spot the birth of a TLD in that acronym! In April 2020, the broadcaster filed a termination notice with ICANN.

ICANNWiki states, “On April 22, 2020, Special Broadcasting Service submitted a Termination Notice to ICANN. ICANN is currently processing the termination request according to its procedures.” Still, since the wiki isn’t run by ICANN, we decided to dig a little deeper.

We soon discovered that .sbs was taken over by ShortDot in June of this year and became a generic TLD (gTLD). Unfortunately, even ICANN’s records appear to be a little askew as their website indicates that ShortDot’s operator agreement started on 7 November 2014 – clearly the date of the original agreement with SBS. Although, in fairness, IANA’s Delegation Record for .sbs is still showing SBS as the sponsoring organization. So, it would appear various key organizations need to update their records.

Do increased registrations need to equal increased abuse?

The graph below clearly illustrates how .sbs is starting to grow in popularity. The green shows the total number of newly registered domains. Unfortunately, that popularity is not only shared amongst legitimate operators, as the red in the graph shows. In the past month, our analysts listed 10% of their total registered domains. Now, in the grand scheme of things, that’s not a disgraceful percentage; after all, in the Top 10 Most Abused Top Level Domains, operators are showing rates between 19%-59%.

Chart showing Domains listing in Domain Blocklist and total registered domain

BUT.

(and there’s always a but, isn’t there?)

When you have, what is effectively a shiny new domain, clean and pristine, surely you want to keep it that way? Particularly, when you’re marketing .sbs to stand for “Side-by-Side“ and your value propositions is a TLD “where people cultivate unbiased mindsets” and “public interest agendas meet meaningful actions.” Surely this TLD doesn’t want to be associated with any malware?

Over the coming months, we will be exploring the world of TLDs, talking with registries, and looking at what they’re doing to fight abuse. Hopefully, .sbs keeps a lid on the amount of abuse on their TLD to match their value proposition… we’re always happy to provide advice to assist in those efforts.

The Blocklist Tester

To ensure our DNSBLs protect your email stream, a simple tool is available called the Blocklist Tester. It’s quick and easy to use; once you have verified an email address associated with your email server, test emails are sent. These emails contain resources listed on our blocklists and should be rejected.

Once the test is complete, a full detailed report is available, and the SMTP exchange of each email sent is available to help you understand where any problems may lie in your configuration.

  • It's free to use for any Spamhaus DNSBL user
  • Multiple test scenarios - SMTP, content or both
  • Detailed test reports for troubleshooting

Spamhaus Intelligence API (SIA)

This API provides access to multiple datasets containing metadata relating to compromised IP addresses. These IP addresses may be exhibiting compromised behavior, including malware, worm, and trojan infections, and SMTP-specific traffic emitting spam, or cybercriminals are using them to control infected computers – botnet command & controllers.

The breadth of data available via an easily consumable API provides security developers with scores of opportunities.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust in

XYZ’s best practice on new domains and email deliverability

16 March 2022

Blog

Here are some key considerations regarding the proper processes and procedures when sending email using a newly acquired domain name.

XYZ discusses industry collaboration to ban bad actors

10 March 2022

Blog

XYZ Registry explains how the lack of visibility into a bad actor's domain causes issues and provides suggestions to overcome this problem.

Getting the low-down from XYZ Registry on combating domain abuse

3 March 2022

Blog

We've been reaching out to registries for their views and opinions on combating internet abuse for this blog post series. Recently we had an in-depth conversation with XYZ on their approach to domain abuse.