[ALAC] Fwd: Re: SADAG Public Comment

Alan Greenberg alan.greenberg at mcgill.ca
Wed Sep 6 04:27:59 UTC 2017

I asked Olivier to look at whether we needed to 
comment on a recent study on DNS abuse 
(commissioned by the CCT-RT). His report followed 
and is an excellent example of what we should be 
doing to evaluate whether ALAC action is 
required. See https://community.icann.org/x/bRUhB.

In this case, Olivier is recommending no comment, a recommendation I support.


>Subject: Re: SADAG Public Comment
>To: Ariel Liang <ariel.liang at icann.org>, Alan 
>Greenberg <alan.greenberg at mcgill.ca>
>CC: 'At Large Staff' <Staff at atlarge.icann.org>
>From: Olivier MJ Crépin-Leblond <ocl at gih.com>
>Date: Wed, 6 Sep 2017 03:07:33 +0200
>Dear Ariel,
>Dear Alan,
>thanks for your follow-up. I have read the SADAG 
>report and have found it very interesting.
>First thing, I was surprised to see that 
>.pharmacy was seen as community TLD. (p.2) but 
>then that's not the topic of the report. There 
>are a few other grammatical errors, but that's 
>no big deal either. What matters is the substance of the paper.
>It basically confirms our suspicions when we 
>spoke of misuse of TLDs and made our case 
>regarding sensitive strings. Alan will remember 
>this episode in Singapore when Alan, Evan and I 
>had a meeting with the NGPC and several members 
>of the GNSO - including contracted parties. What 
>we are seeing now is the proof of the pudding - that:
>"While legacy gTLDs collectively
>had a spam-domains-per-10,000 rate of 56.9, in the last quarter of
>2016, the new gTLDs experienced a rate of 526.6–which is almost
>one order of magnitude higher. "
>The methodology and technical details of the 
>analysis are of good quality. The model which 
>they used to perform the crawl of the domain 
>name space appears to be thorough, thus I have 
>no reason to believe that the analysis would be flawed.
>Some of the report's findings show that some new 
>gTLDs are very affected by misuse/malware domains.
>Gibraltar (surprise!) figures on the top of 
>Registrars with most malware domains.
>Community gTLDs are less likely to be used for malware than standard gTLDs.
>Cheaper domains appear to be more used for 
>malware - although the authors do write in their 
>conclusions:  "It is not clear, however, if 
>pricing is the only factor driving high concentrations
>of maliciously registered domains."
>But they do also say:
>"Our findings suggest that some new gTLDs have become
>a growing target for malicious actors." (page 25)
>Well, nothing really new in this, but it 
>corroborates the work that ICANN has done, as 
>well as many other groups like the APWG.
>But at present, short of congratulating the 
>authors of the report and asking the CCT-RT to 
>take strong note of the report's finding, 
>including expressing the concern that we have 
>about the use of new gTLD for malware, I don't 
>see any other reason to write a Statement/Comment.
>I asked Tatiana Tropina to also go through the 
>report. She did note that one thing was missing: 
>whether abuse correlates with semantic 
>properties of the gTLD names, e.g. some names 
>are more attractive to abuse because of the 
>words themselves. As the authors are explaining 
>that they are seeing some potential for further 
>work, it might be interesting to suggest this to them.
>Last, I note that there is a Webinar about the 
>I would encourage At-Large participants to 
>participate in the Webinar. Perhaps during that 
>Webinar should many At-Large participants express their concerns.
>Kindest regards,
>On 01/09/2017 22:10, Ariel Liang wrote:
>>Hello Olivier,
>>Any update on this public comment? 
>>Saw this action item has been checked but just 
>>want to reconfirm whether a statement will be needed or not.
>>Thank you,