Spamhaus: Most abused top-level domains, Q4 2021

Spamhaus has published its latest report on the top-level domains most abused for botnet C&C, covering Q4 2021:

A new entry at #4

We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With fewer than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4, we can only assume that there are problems.

.de reappears

The ccTLD .de (Germany) re-entered our quarterly ranking at #20, having dropped off the Top 20 in Q2.

Reductions and departures

We’d like to congratulate all the registries that manage TLDs who departed from our listings along with those who significantly reduced the number of associated botnet C&Cs using their TLDs, including .buzz and .net, who both saw an 80% reduction.

Q3 data inaccuracy

Apologies to Verisign for an error in our Q3 2021 statistic for .com. We misreported the number of botnet C&Cs for the TLD, and the correct figure was 3,730. Various issues led to this error, but we are pleased to confirm that we have worked with Verisign to rectify these.

Interpreting the data

Registries with a greater number of active domains have greater exposure to abuse. For example, in Q4 2021, .net had more than 13 million active domain zones, of which 0.00103% were associated with botnet C&Cs. Meanwhile, .xxx had just over 9,000 active domains, of which 2.4% were associated with botnet C&Cs. Both are in the top ten of our listings, but one had a much higher percentage of active domains associated with botnet C&Cs than the other.

Working together with the industry for a safer internet

Naturally, our preference is for no TLDs to have botnet C&Cs associated with them, but we live in the real world and understand there will always be abuse. What is crucial is that abuse is dealt with quickly. Where necessary, if domain names are registered with the sole purpose of distributing malware or hosting botnet C&Cs, we would like registries to suspend these domain names. We appreciate the efforts of many registries who work with us to ensure these actions are taken, including .xyz and .top.


About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the blog in 2012.
