Krebs on Security shared data on absolute and relative phishing abuse by top-level domain in a recent post.
Yes, .com has the highest absolute number of phishing domains, but it also has the overwhelmingly highest number of registered domains, period. The relative prevalence is only 24.2, as compared with 2nd-ranked (by absolute score) .top, with a phishing domain score of 422.7. That's still not the highest listed, which is .lol at 577.5.
If you're looking at relative benefit vs. harm from blocking, blocking TLDs with a higher relative (abusive vs. legitimate) domains score gives an additional security benefit.
Reputation-based scoring by TLD, domain, ASN, or other basis is likely to become more prevalent over time. We've already been doing that for email for over a quarter century, with the Spamhaus Project being founded in 1998 (it reports abusive email domains).
The operative word being most registrars. If you look at the list of registrars commonly used by bad actors, you can find a list of registrars that are either non-responsive to abuse complaints, or only take action after n days.
What is easy and has limited impact on your own operations will be done. Blocking *.trycloudflare.com is easy on entire fleets of servers and firewalls and has limited impact for, e.g., a company network.
> Imagine trying to use the internet like an end user or a webdev if you couldn't use cloudflare.
Anecdote: I've been an internet end user for 30-ish years, an active FOSS developer for most of that time (with no small amount of web dev), and have never once intentionally used CloudFlare (only indirectly, by visiting sites which use it). Not because I'm especially "into privacy or paranoid," but because it's never once been necessary.
> have never once intentionally used CloudFlare (only indirectly, by visiting sites which use it).
And there is the problem. Too many sites are behind Cloudflare, so if you want to block Cloudflare for your organization, your employees will start complaining that the "internet doesn't work".
I have a small dedicated server with OVH that I use as a WireGuard-based VPN sometimes. The number of sites that become unusable because of Cloudflare blocking me is insane. The inverse would be true if I blocked Cloudflare.
Not just TLDs. I've seen whole Class A networks blocked after a DDoS, based on the affiliation to a particular (not small) country. Like with covid, you just need a small reason and suddenly, all the freedom in the west goes to hell.
And let's also not conflate policing the good old internet with policing today's internet. There is still freedom that could be lost, but it's hard to see for all the trackers and malware.
But you can bet your ass we block newly registered domains and have an active list of domain reputations - your brand new .com or your axuuasck32213mczo.com malware domain isn't getting through any decent security tool.
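The kind of policy the thread describes (block a whole suffix such as *.trycloudflare.com, block TLDs whose relative phishing score is high, and block newly registered domains) is straightforward to express as an ordered rule set. The following is an added illustration written for this thread, not code from any commenter, Krebs, Cloudflare or Spamhaus. It assumes a constructed TLD score table containing only the three values quoted above, a constructed suffix blocklist, a constructed stand-in for a WHOIS/RDAP registration-date lookup, and constructed thresholds (100.0 for the TLD score, 30 days for "newly registered"); the sample DNS log lines are likewise constructed.

```python
"""Domain admission policy: suffix blocklist, TLD reputation, domain age."""
from datetime import date

# Constructed sample table: relative phishing scores by TLD, using the three
# values quoted in the thread above. A real deployment would load a full feed.
TLD_PHISHING_SCORE = {"com": 24.2, "top": 422.7, "lol": 577.5}

# Constructed policy thresholds (assumptions, not values from the thread).
TLD_SCORE_THRESHOLD = 100.0   # block any TLD scoring at or above this
NEW_DOMAIN_DAYS = 30          # block domains registered fewer than this many days ago

# Constructed suffix blocklist, matching the *.trycloudflare.com example above.
BLOCKED_SUFFIXES = ("trycloudflare.com",)

# Constructed stand-in for a WHOIS/RDAP lookup: registrable domain -> registration date.
REGISTRATION_DATES = {
    "example.com": date(2000, 1, 1),
    "axuuasck32213mczo.com": date(2024, 5, 20),
    "shop.top": date(2019, 3, 3),
}


def normalize(hostname: str) -> str:
    """Lower-case and strip a trailing dot so 'WWW.Example.COM.' matches 'www.example.com'."""
    return hostname.strip().rstrip(".").lower()


def registrable_domain(hostname: str) -> str:
    """Assumption: the registrable domain is the last two labels. Real code should
    consult the Public Suffix List, since e.g. 'co.uk' needs three labels."""
    labels = normalize(hostname).split(".")
    return ".".join(labels[-2:])


def matches_suffix(hostname: str, suffix: str) -> bool:
    """True when hostname is the suffix itself or any subdomain of it."""
    host = normalize(hostname)
    return host == suffix or host.endswith("." + suffix)


def evaluate(hostname: str, today: date) -> tuple:
    """Return (verdict, reason). Rules are applied in order; the first hit wins."""
    host = normalize(hostname)
    for suffix in BLOCKED_SUFFIXES:
        if matches_suffix(host, suffix):
            return ("block", f"blocked suffix {suffix}")
    tld = host.rsplit(".", 1)[-1]
    score = TLD_PHISHING_SCORE.get(tld, 0.0)
    if score >= TLD_SCORE_THRESHOLD:
        return ("block", f".{tld} phishing score {score} >= {TLD_SCORE_THRESHOLD}")
    registered = REGISTRATION_DATES.get(registrable_domain(host))
    if registered is not None:
        age_days = (today - registered).days
        if age_days < NEW_DOMAIN_DAYS:
            return ("block", f"registered {age_days} days ago (< {NEW_DOMAIN_DAYS})")
    return ("allow", f".{tld} score {score}, no blocking rule matched")


def triage(query_log: str, today: date) -> list:
    """Run evaluate() over constructed DNS query log lines of the form
    '<timestamp> <client> <qname>' and return (qname, verdict, reason) triples."""
    results = []
    for line in query_log.strip().splitlines():
        _ts, _client, qname = line.split()
        verdict, reason = evaluate(qname, today)
        results.append((normalize(qname), verdict, reason))
    return results


# Constructed sample log; the .com name is the malware-style example from the thread.
SAMPLE_LOG = """
2024-06-01T09:00:01 10.0.0.5 www.example.com.
2024-06-01T09:00:02 10.0.0.5 axuuasck32213mczo.com
2024-06-01T09:00:03 10.0.0.7 example-site.lol
2024-06-01T09:00:04 10.0.0.7 shop.top
2024-06-01T09:00:05 10.0.0.9 quiet-river-1234.trycloudflare.com
"""

if __name__ == "__main__":
    for qname, verdict, reason in triage(SAMPLE_LOG, date(2024, 6, 1)):
        print(f"{verdict:5} {qname:40} {reason}")
```

The rule order matters: the suffix check runs first so a trycloudflare.com subdomain is blocked regardless of the .com score, and the age check runs last so that an old, well-known domain on a low-scoring TLD is the only thing that reaches "allow". A hostname whose registration date is unknown is allowed here; a stricter deployment would treat a failed lookup as "new".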
If Cloudflare lets this continue, it's only a matter of time before trycloudflare.com's reputation puts them on block lists everywhere.