When a new top-level domain (TLD) is starting out, we understand that it needs to find its way to being commercially viable. But registries need to walk a fine line between profit and managing abuse on their TLD. One of the Spamhaus Project Team takes a look at TLD ".sbs".

Profit vs. managing abuse

On the side of profit, a registry requires as many domains as possible to be registered and operating with its TLD. Meanwhile, on the side of managing abuse, a registry needs to proactively work with the relevant organizations to assist in taking down malicious domains and stop bad actors from registering new ones. We don’t know precisely where the line falls between the two – it’s not our job to. Nevertheless, it is the job of our researchers and analysts to list malicious domains.

Is it, or isn’t it terminated?

.sbs recently came to our attention. We’ll be honest, at an initial glance, we thought this TLD was in the process of being terminated but quickly realized this wasn’t the case.

In November 2014, .sbs was registered with ICANN by Australian broadcaster Special Broadcasting Service (SBS), and yes, you can spot the birth of a TLD in that acronym! In April 2020, the broadcaster filed a termination notice with ICANN.

ICANNWiki states, “On April 22, 2020, Special Broadcasting Service submitted a Termination Notice to ICANN. ICANN is currently processing the termination request according to its procedures.” Still, since the wiki isn’t run by ICANN, we decided to dig a little deeper.

We soon discovered that .sbs was taken over by ShortDot in June of this year and became a generic TLD (gTLD). Unfortunately, even ICANN’s records appear to be a little askew as their website indicates that ShortDot’s operator agreement started on 7 November 2014 – clearly the date of the original agreement with SBS. Although, in fairness, IANA’s Delegation Record for .sbs is still showing SBS as the sponsoring organization. So, it would appear various key organizations need to update their records.

Do increased registrations need to equal increased abuse?

The graph below clearly illustrates how .sbs is starting to grow in popularity. The green shows the total number of newly registered domains. Unfortunately, that popularity is not only shared amongst legitimate operators, as the red in the graph shows. In the past month, our analysts listed 10% of their total registered domains. Now, in the grand scheme of things, that’s not a disgraceful percentage; after all, in the Top 10 Most Abused Top Level Domains, operators are showing rates between 19%-59%.

Chart showing domains listed in the Domain Blocklist and total registered domains


(and there’s always a but, isn’t there?)

When you have what is effectively a shiny new domain, clean and pristine, surely you want to keep it that way? Particularly when you’re marketing .sbs to stand for “Side-by-Side” and your value proposition is a TLD “where people cultivate unbiased mindsets” and “public interest agendas meet meaningful actions.” Surely this TLD doesn’t want to be associated with any malware?

Over the coming months, we will be exploring the world of TLDs, talking with registries, and looking at what they’re doing to fight abuse. Hopefully, .sbs keeps a lid on the amount of abuse on their TLD to match their value proposition… we’re always happy to provide advice to assist in those efforts.
