Blue Coat Labs

Labs Blog

.Top of the Junk Pile (Shady TLD research part 16)

Share this: 

.Top of the Junk Pile (Shady TLD research part 16)

Chris Larsen

[Sorry about neglecting the external blog during all of the Symantec excitement this summer, but we had a lot going on... This post is from our internal blog, back in July (7/08/2016), and we wanted to get it out on the site when we resumed blogging, since a lot of people have been asking for updated info on the Shady TLD space. --C.L.]


With the close of Q2, it's time to take a look at how the Shady TLD landscape is evolving, and to profile .top, another of the shadiest TLDs.

As a general observation, the TLD landscape remains a very dynamic and interesting place. As of July 8th, IANA listed 1,378 valid TLDs, and a lot of them are heavily abused...

How heavily? Well, here is the latest version of our "Top Ten" list:


  TLD Percentage of Shady Sites *
1 .mom (new) 100.00%
2 .country 99.96%
3 .xin (new) 99.90%
4 .racing 99.47%
5 .vip (new) 99.44%
6 .download 99.39%
7 .kim 99.33%
8 .loan 99.22%
9 .ren (new) 98.92%
10 .science 98.82%

* As of late June, 2016. Shady Percentage is simply calculated as the ratio of "domains and subdomains ending in this TLD which are rated in our database with a 'shady' category rating, divided by the total number of database entries ending in this TLD". Shady categories include Suspicious, Spam, Scam, Phishing, Botnet, Malware, and Potentially Unwanted Software (PUS). Categories such as Porn, Piracy, and Placeholders (for example) are not counted as "shady" for this research.



Note that there are four newcomers in the Top Ten: .mom, .xin, .vip, and .ren. These TLDs have now reached a threshold where they have enough rated domains in our database to be considered for membership on the list. However, they still have far fewer URLs (hundreds) than more-established list members. As such, we caution against reading too much into their relative positions on this list. Rankings are very fluid from quarter to quarter.

We are not advocating setting up policy to block all domains on these TLDs. Any such recommendation would come only after more research into a TLD. In particular, .xin and .ren are rather popular in China, and it would not be wise to automatically block such domains if you do any business there. Similarly, .vip has a mix of legitimate and shady/junk domains. In general, it's better to leave shady domain blocking up to the professionals...


And Now, Our .Top Story

.Top lurks just outside of our Top Ten list, currently [late June] at #13, with 97.83% of its URLs in our database having a shady category rating.

In terms of recent traffic, when I looked at the top 100 .top sites (by traffic) in our WebPulse logs for a week in late June, here is how the categorization broke out:

Category Count
Malware 47
Suspicious 26
Scam 4
Piracy 8
Gambling 1
Porn 1
Adult 1
News/Media 4
Shopping 2
Entertainment 2
Sports 1
Business 1
Society/DailyLiving 1

In other words, in recent traffic, less than 80% of the .top domains are shady ones, as measured by the classic categories, and even if we include the yellow "borderline shady" categories, we're still well below its historical score of 97.83%.

This speaks to the inherent value of .top as a good universal TLD -- there are a number of legitimate sites in this neighborhood. However, there is also a lot of riff-raff...


.Top Shadies

A few months back, some of the more active exploit kit families were heavily abusing .top, and the echoes of that malware boom can be seen in the number of malicious .top domains that still show up in our traffic. (For example, we are still seeing traffic to, even though we flagged it as malicious back in March, and it was rated as Suspicious for two months prior to that.)

The notes on some I checked mentioned Neutrino and Angler. These days, however, there is a lot of Spam and Scam. For example:



These were representative samples of a shady "Tech Support" scam -- at least, that was how our sensors had flagged them (they were dead by the time I checked them).



These were representative samples from a spam network. Note the naming scheme of the subdomains, trying to look more legitimate. Here are some of the images they were serving:


sample spam image 1

sample spam image 2



As mentioned, there are some legitimate sites in the .top neighborhood. However, we recommend aggressive filtering, since the percentage of malicious domains is relatively higher than in the other TLDs we've profiled in the past. (See below for those.) Or, you can let us do that for you...


P.S. For easy reference, here are the links to the earlier posts in our "Shady TLD" series: