Home / Blogs

DNSAI Compass: Six Months of Measuring Phishing and Malware

Aggregate Trends: Phishing and Malware
Source: DNSAI Compass Feb. 2023

The DNS Abuse Institute recently published our sixth monthly report for our project to measure DNS Abuse: DNSAI Compass (‘Compass’). Compass is an initiative of the DNS Abuse Institute to measure the use of the DNS for phishing and malware.

The intention is to establish a credible source of metrics for addressing DNS Abuse. We hope this will enable focused conversations, and identify opportunities for improvement.

DNS Abuse impacts everyone. We want to use this initiative to improve the overall health of the DNS ecosystem. Fundamentally, we want to prevent or quickly mitigate harm to end users, businesses, governments, civil society organisations, public services, and the general public while preserving the benefits and principles of an open Internet.

This February 2023 report includes data from May through December 2022, and we now have eight months of data available on our interactive dashboards. Our methodology for this report is the same as all prior reports (v1.0), and we encourage feedback, questions, ideas, or suggestions to help us improve this initiative.

To ensure Compass is independent, reliable, and uses academically robust methodology, we work with an experienced independent third party who designed the methodology and conducts the data gathering. The technical analysis for this project is performed by KOR Labs, led by Maciej Korczynski from Grenoble INP-UGA.

Our methodology observed an increase in domains involved in malware distribution in December 2022 when compared to the previous month of reporting. For all domains identified as related to malware in December 2022, our methodology observed high levels of mitigation (97%), and a high proportion (83%) of compromised domains. Observed numbers of domains identified as related to phishing are similar to previous months.

This report marks six months since our first report in September 2022. During this journey, we have spoken with a range of stakeholders in various corners of the world, both virtually and in person. Our discussions have included representatives of registrars, registries, law enforcement agencies, governments, trade and consumer organisations, financial and intellectual property interests, hosting providers, civil society, and the security and research community.

This outreach has been far-reaching as we seek to include the global community interested in keeping the internet safe. We welcome opportunities to share our work with new audiences around the world and hear about others’ experience in measuring and fighting DNS Abuse.

Throughout this experience, we’ve learnt several important lessons on how we measure and communicate about DNS Abuse:

One recurring theme we observed in our outreach is the importance of using specific language and granular measurement. Sometimes ‘DNS Abuse’ can be used as shorthand for ‘mitigation is appropriate at the DNS level.’ While this is sometimes true, it isn’t always the case, and to move the conversation forwards, we need to get more specific. We can do this by recognising the need to determine whether the registration is malicious1 or compromised2, understanding the evidence available, and considering the potential for collateral damage if the registration is removed from the DNS.

Secondly, purpose and scope are important. Compass is intended to reliably and consistently measure the prevalence and persistence of the use of domains in phishing and malware; it is not intended to capture all harm on the Internet, or to measure the impact of this harm on end users. We measure unique domains (not URLs) because registrars and registries only have (limited) actions they can take, which all apply at the domain level (not at the URL level).

Finally, context is essential. It’s worth remembering that our project identifies evidence of phishing and malware on a small portion, less than 1%, of all domains currently registered.3 The vast majority of domains registered are not engaged in phishing activity or malware distribution.

As Compass matures, we’re working towards public reporting on individual TLD and registrar performance. Our aim is to celebrate and recognize good practice, as well as shine a spotlight on potential for areas of improvement in the industry.

We hope to understand through these reports which factors, policies, and processes are effective, and empower the industry with evidence.

We are currently considering how best to achieve individualized performance reporting while recognising nuance and context, and incentivising behaviors that reduce and prevent DNS Abuse with minimal unintended consequences. We look forward to gradually expanding the granularity of our data with future iterations of public reports. As we do this, we’ll be reaching out to individual registries and registrars prior to publication.

We have considerably more data than we have currently published. We encourage all registrars and registries to get in contact with us and take the opportunity to view the data associated with their registrar or registry. These meetings typically yield insights for both the registry or registrar and the DNSAI.

These meetings can take place virtually, or for those headed to ICANN76 in Cancun, you may like to take this opportunity to meet with us in person.

Our door is also always open to discuss Compass, NetBeacon - our free centralized reporting service, or our other work, such as our educational materials:

We are, after all, here to support the DNS Community and make it better equipped to tackle DNS Abuse.

You can contact us via our website.

  1. A domain registered for malicious purposes (i.e., to carry out DNS Abuse). 
  2. A benign domain name that has been compromised at the website, hosting, or DNS level. 
  3. Between May 2022 – December 2022, we have reported on roughly 30,000 – 40,000 thousand domains per month. The Verisign Domain Name Industry Brief places the total domains registered for Q3 in 2022 at around 350 million. 

By Rowena Schoo, Director of Programs and Policy at The DNS Abuse Institute

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global