In the fall of 2022, around 9,000 numeric domain names such as 0146.se, 0148.se, 0149.se, and so on were registered in the .SE zone. These domains were registered with two registrars, Register.eu and 1API. They had the same kind of SSL certificate, and there were other similarities among them that strongly suggested they were connected. All these domains were registered after September 1, 2022, but not on the same date—it was spread out until December. There was unfavorable content on all these domain names, and the whole thing looked like phishing. To say the least, it didn’t do any good for the .SE zone.
It is obvious that such registrations pose a threat to the security and overall health of the zone file. But there is also a risk to business continuity.
While registry operators focus on security and abuse monitoring, they should also consider metrics such as LTV and churn. It is sometimes believed that registrars should worry about things like that, not registries. Such an approach seems odd from a business perspective. Since there is lots of data available to every registry and registrar, there is much more that industry operators can do with it regarding sales and marketing. Registries and registrars can and should track trends in domain data and communicate about them to improve enterprise value and benefit the industry overall.
Speaking of the dubious registrations mentioned at the beginning, it is obvious that there is a shady reseller behind them. This is the area where registries and registrars can cooperate in a better way.
The common health check process for a registry often boils down to checking the information on registrars: how much they sell, their renewal rate, and the abuse rate. But from the business continuity perspective, it may be interesting for the registry to take one step further by looking at the quality level of the resellers their registrars cooperate with and including that in some sort of health check process.
Of course, normally, from a registry point of view, resellers are a black box. Registries don’t know which resellers registrars are working with, which one they get or lose, and if the reseller turns up elsewhere.
But by looking at the data in detail and analyzing trends, they can see fluctuations in the sales and renewal rates of some registrars. A pattern of improved or decreased quality emerges depending on which registrar is connected to which reseller. Some registries already run reporting with KPIs, analyzing how different registrars perform on quantity, renewals, support issues, etc.
Here is an example from .SE in 2019 and 2020.
This is the renewal rate for domain names that have been registered over the last seven years in the .SE zone with one particular registrar. The data point is the month when the domain name was registered. If we look at this registrar, in 2018-19 they had a first-year renewal rate between 20-30%. Compared with the industry average, that is quite low. It is safe to assume that at some point, they had a bad reseller who just bought a lot of domains and then churned them. But during 2022, seemingly, this registrar fixed the problem by removing those resellers, and their first-year renewal rate increased. The renewal rate is much higher if you look at the blue line, which represents the second year. Once again, there was probably one reseller that bought a lot of domains and then dropped them directly after a year for some reason.
So, speaking from the registrars’ point of view, you don’t want to onboard a reseller with a hundred thousand domain names but then after a year to see that renewal rates are going down, or there’s a lot of abuse and a lot of support going into the reseller. As an option, reseller agreements should have tiered pricing depending on the renewal rates—it is resellers that have good renewal rates (like 80-90%) that should be given discounts, not the ones with 20% after the first year. Registrars have to be able to assess resellers based on data and statistics—this is the industry average, and this is the kind of renewal rate, or kind of churn, or kind of cases we have with this or that reseller.
The challenge is to spot unreliable or shady resellers early in the process to be able to adjust the development strategy.
So how do you respond to that challenge? How do you spot “funky” activity and tie it to the reseller? By constantly monitoring domain data. The frequency of data monitoring and reporting must be increased significantly. The more often, the better.
Ten years ago, you would typically find one registrant doing a mass registration of 10,000 domain names in one day. And it was quite easy to spot that because the new sales figures went up extremely high during the day. Nowadays, the approaches have become more sophisticated. Registrants with malicious intent know that there’s much more abuse monitoring, so they use several registrars, several resellers, and several days—going the extra mile just to hide it. In order to see the pattern of what’s happening, the other side has to be much more sophisticated in their monitoring and reporting. It’s not okay to look back and realize that “unusual activity” should have been found a month ago. You should have seen it a few hours after it happened.
That is something that should be flagged by the BI team, the abuse team, and the monitoring team within the registry or registrar. And even if you don’t have it in-house, all these similarity checks across registrars can be automated. This kind of research doesn’t put an extreme additional load on the organization.
At DomainCrawler we specialize in slicing and dicing data so that registries can better see the situation in their zone file. By looking at the similarities between registrars in DNS records, we can identify cases such as those suspicious 9,000 domain names mentioned in the beginning. We can identify domains associated with a registrar and a reseller by finding the similarities and grouping them by the A, AAAA, TXT, NS, and MX records and SSL certificates. You usually have excellent accuracy when you find two or three similar data points.
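The grouping described above can be sketched as follows. This is an added example, not DomainCrawler's code; the record fields, the constructed sample data and the `min_shared` threshold are assumptions. It links domains that share at least two data points and reports how each cluster is spread across registrars and registration days.

```python
from collections import defaultdict
from itertools import combinations

FEATURES = ("A", "AAAA", "NS", "MX", "TXT", "cert")

# Constructed sample records, not real zone data.
RECORDS = [
    {"domain": "0001.example", "registrar": "registrar-A", "created": "2022-09-03",
     "A": "192.0.2.10", "NS": "ns1.park.example", "cert": "fp-01"},
    {"domain": "0002.example", "registrar": "registrar-B", "created": "2022-10-17",
     "A": "192.0.2.10", "NS": "ns1.other.example", "cert": "fp-01"},
    {"domain": "0003.example", "registrar": "registrar-A", "created": "2022-12-01",
     "A": "192.0.2.10", "NS": "ns1.park.example", "cert": "fp-02"},
    {"domain": "shop.example", "registrar": "registrar-A", "created": "2022-09-03",
     "A": "198.51.100.7", "NS": "ns1.park.example", "cert": "fp-09"},
    {"domain": "blog.example", "registrar": "registrar-C", "created": "2022-09-05",
     "A": "203.0.113.5", "NS": "ns1.else.example", "cert": "fp-10"},
]

def find_clusters(records, min_shared=2):
    """Group domains linked by at least `min_shared` identical data points."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    by_value = defaultdict(set)  # (feature, value) -> domains carrying it
    for r in records:
        for f in FEATURES:
            if r.get(f):
                by_value[(f, r[f])].add(r["domain"])
    shared = defaultdict(int)  # (domain, domain) -> number of matching features
    for domains in by_value.values():
        for pair in combinations(sorted(domains), 2):
            shared[pair] += 1
    for (a, b), n in shared.items():
        if n >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for r in records:
        groups[find(r["domain"])].append(r)
    return [g for g in groups.values() if len(g) > 1]

def summarize(group):
    """Show how a cluster is spread over registrars and registration days."""
    return {"domains": sorted(r["domain"] for r in group),
            "registrars": sorted({r["registrar"] for r in group}),
            "days": sorted({r["created"] for r in group})}
```

In the sample, `shop.example` shares only a name server with the cluster and stays out of it; a single widely shared value, such as a large hosting provider's name servers, links unrelated domains, which is why one match is not enough.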
Monitoring and comparing trends by country, reseller, language and other data points enables industry operators not only to see security threats but also churn risks which eventually can be turned into upsell/cross-sell opportunities. Of course, it requires better communication between registries and registrars aiming to see deeper, so that there is a better understanding of resellers. Supporting registrars with actionable data leads to higher renewals, increased revenue, and less abuse, ensuring business continuity.