Over Half of All .MEN and .LOANS Are Bad: Spamhaus

Three in 5 .men domain names are classified as “bad” according to the latest Spamhaus analysis of the world’s most abused TLDs, but only slightly worse than .loan, who have a “Badness Index” of 6.43 and 6.35 respectively.

The Spamhaus analysis found that 43,758 of the 72,370, or 60.2%, .men domain names analysed were classified as “bad” and with a “Badness Index” of 6.43, slightly worse than the 39,642 out of 65,782 (60.0%) .loan domain names and a Badness Index of 6.35. Following was .gq (Equatorial Guinea) with 55.3% of analysed domains classified as bad and a Badness Index of 6.32, then .cf (Central African Republic) with 54.6% and a Badness Index of 6.24, .ga (Gabon) with 53.0% bad and a Badness Index of 6.06, .ml (Mali) with 51.5% bad and a Badness Index of 5.89, .top (46.4% bad and a Badness Index of 5.58), .work (53.4% bad and a Badness Index of 5.58), .click (64.9% bad and a Badness Index of 5.49) and the world’s third largest top level domain and second largest country code top level domain .tk rounding out the top 10 with 42.1% bad and a Badness Index of 4.83.

Registries that allow registrars to sell high volumes of domains to professional spammers and malware operators in essence aid and abet the plague of abuse on the Internet, say Spamhaus. Some registrars and resellers knowingly sell high volumes of domains to these actors for profit, and many registries do not do enough to stop or limit this endless supply of domains.

So what is a bad TLD? Spamhaus explains that a TLD may be “bad” in two ways. On one side, the ratio of bad to good domains may be higher than average, indicating that the registry could do a better job of enforcing policies and shunning abusers. However, some TLDs with a high fraction of bad domains may be quite small, and their total number of bad domains could be relatively limited with respect to other, bigger TLDs. Their total “badness” to the Internet is limited by their small total size.

The other side is that some large TLDs may have a large number of bad domains as a result of the sheer size of their domain corpus. Even if their corrective measures are effective, they still constitute a problem on the global scale, and they could assign further resources to improve their anti-abuse processes and bring down the overall number of bad domains.

In defining a “badness” index, Spamhaus decided to weight in both these factors. With a certain amount of arbitrariness—and at the same time a desire to avoid excessive complications—so they defined badness as:


  • Db is the number of bad domains detected
  • Dt is the number of active domains observed

Spamhaus says one can think of this number as the bad domains fraction weighted with the TLD's size, or as the order of magnitude of the problem weighted with the effectiveness of anti-abuse policies. Presented this way, this data more closely matches the perceptions Spamhaus staff has in dealing with this issue in a daily production basis. We hope that this definition helps to spotlight registries that in one way or another can be considered problematic, in a fair way.

These data represent domains seen by Spamhaus systems, and not a TLD's total domain corpus. Domains in this data are in active use, showing up in mail feeds and related DNS traffic. Other domains may be parked or used for traffic outside of our systems' focus, and those domains are not included in this summary.

The registries listed provide spammers and other miscreants with a service they need in order to survive. Many, even most, TLDs succeed, by and large, in keeping abusers off their systems and work to maintain a positive reputation. That success shows that these ten worst could, if they tried, “keep clean” by turning spammers and other abusers away.