One of the goals of threat research is to establish the adversary's patterns of behavior. Why? So models can be created to predict their behavior, then proactively block them. The fact is, criminals and spies are still people, and people have patterns of activity. They often choose the same providers, same techniques, and same tools across multiple operations. "If it ain't broke, don't fix it," as the saying goes.

As part of ongoing research that will ultimately lead to what we'll call the "Internet Death Penalty Bundle," recognizing outstanding achievements by registrars and network providers in the assistance of cyber crime, we've been measuring abuse as a percentage of a provider's total portfolio. In this case, we're just examining Top-Level Domains.

There are thousands of top-level domains (TLDs), with .com, of course, being the most popular. There are also some "free" top-level domains that often have a high proportion of junk domains, if not overtly criminal ones. In this case, by examining ThreatSTOP data, we aimed to get a measure of maliciousness. This varies somewhat from the methods used by ICANN with their Domain Anti-Abuse Report Project (which I consulted on) and by various anti-spam providers.

ThreatSTOP ultimately works to protect against maliciousness, and we usually don't have potentially-unwanted applications or other spammy-but-not-malicious indicators represented in our data. How we measure: first, we exclude any TLD that does not have at least 100 domains registered. Next, we take our own abusive hostname list and count only the unique second-level domains it contains under each TLD. Finally, we divide that count of abusive domains by the total number of domains registered under the TLD to get a percentage. Below are the Top 20 worst; all have a statistically significant percentage of abuse.

1. .ki
2. .nf
3. .sx
4. .so
5. .sc
6. .pw
7. .su
8. .tj
9. .ug
10. .to
11. .biz
12. .rent
13. .sh
14. .ms
15. .mu
16. .cx
17. .mn
18. .ac
19. .ru
20. .click

Depending on your risk appetite for false positives, these can be safely blocked whole and entire until you get to .ru (the TLD for the Russian Federation). In fact, blocking these 20 TLDs would block 25% of all abusive domains in our data (including many we do not yet recognize as abusive, or those that become abusive later).

This is just an analysis of one day's worth of data, but it will be repeated for registrars and network operators to start producing near-real-time reports of which providers are the ones most likely to be used by criminals, as motivation for those businesses to start cleaning up their acts.
