Blue Coat Labs

Labs Blog

Floating Down .Stream (Shady TLD Research, Part 17)

Share this: 

Floating Down .Stream (Shady TLD Research, Part 17)

Chris Larsen

The end of September means the leaves are starting to change -- and our quarterly Top Ten list of the shadiest TLDs is changing as well, with three newcomers since last time...

Rank TLD Percentage of Shady Sites *
1 .country 99.96%
2 .stream (new) 99.78%
3 .mom 99.73%
4 .xin 99.37%
5 .kim 99.30%
6 .download 99.24%
7 .gdn (new) 99.22%
8 .racing 99.06%
9 .loan 98.92%
10 .men (new) 98.87%

* As of late September, 2016. Shady Percentage is a simple calculation: the ratio of "domains and subdomains ending in this TLD which are rated in our database with a 'shady' category rating, divided by the total number of database entries ending in this TLD". Shady categories include Suspicious, Spam, Scam, Phishing, Botnet, Malware, and Potentially Unwanted Software (PUS). Categories such as Porn, Piracy, and Placeholders (for example) are not counted as "shady" for this research.



As always, we caution against reading too much into the relative positions of TLDs on this list. Rankings are very fluid from quarter to quarter.

Also, we are not advocating setting up policy to block all domains on all of these TLDs. Any such recommendation would come only after more research into a TLD. In particular, .xin is rather popular in China, as is .kim in South Korea, and it would not be wise to automatically block such domains if you do any business there. Also, three of the TLDs (.mom, .xin, .men) have percentages based on much lower numbers of domains than the other TLDs in the list.

In general, it's better to leave shady domain blocking up to the professionals...


Diving Into a .Stream of Spam

Our deep dive, this time around, looks at one of the relative newcomers to the Top Ten list: .stream, which has been a very busy place recently. Unfortunately, most of its energy has been directed into shady pursuits, as I saw when I pulled the traffic logs for a recent 24-hour period as a quick check...

Out of the Top 200 sites (in terms of number of requests received in the WebPulse datacenters), a whopping 172 were categorized as Spam in our database. The other 28 didn't have database ratings yet, and since there was a relatively small number of them, I went ahead and checked all 28. Here's how the breakdown ended up (keep in mind that this is just 24 hours of traffic):

Category Count
Spam 172
Suspicious 24
Piracy + P2P 3
Video Streams 1

(Although, to be completely fair, two of the Suspicious sites might be rated a bit too aggressively, since they got that rating based on the ad networks they funnelled traffic to. Without that, that would have "only" been rated as Piracy...)


Looking at a full week of traffic, as we normally do in these deep dives, the percentages didn't look much better. For the Top 100 sites, here's how the categories broke down:

Category Count
Spam 77
Suspicious 16
Piracy + P2P 3
Porn 1
Gambling 1
Video Streams 2


Clearly, whether or not you include the Yellow ones in with the Red, or not, .stream is probably not a place you want to go surfing.




P.S. For easy reference, here are the links to the earlier posts in our "Shady TLD" series: