
Analysis shows that .su doesn’t rank the highest on any single day by unique networks. However, over longer periods (such as seven days), it sees queries from more unique networks than other TLDs. The top hostnames within .su are associated with a popular online world-building game. Over half of queries for that TLD come from the United States, Germany and Brazil.
Email security: Identifying high-risk TLDs
The most immediately actionable data for security teams comes from Cloudflare’s email security analysis. The service identifies TLDs with the highest percentages of malicious and spam messages. The data is based on analysis of the From: header in email messages processed by Cloudflare’s cloud email security service.
Several TLDs show malicious rates above 90%. The .motorcycles TLD leads at 94.7%. This means that 94.7% of all email from that TLD processed by the service was identified as malicious or spam.
“From an email security perspective, our list of the most abused TLDs can certainly be used as an input to decisions about domains or TLDs to block,” Belson explained. “As part of the normal course of business, do you expect to be getting many emails from customers or partners in a .motorcycles or .zw domain? If not, then there’s probably a low risk of blocking something important.”
He added that TLD operators and managers should also monitor the data for their own operations. “TLD operators/managers may want to keep an eye on the query volume graph and geographical distribution table,” Belson said. “Seeing anomalies in those metrics could indicate potential abuse.”
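One way to turn the per-TLD rate described above into a local blocking decision, shown as an added example that is not Cloudflare's code or part of the original article. The sample messages, verdict labels, function names and the thresholds (`min_volume`, `block_rate`, `max_clean`) are assumptions chosen for illustration.

```python
from collections import Counter
from email.utils import parseaddr

# Constructed sample: (raw From: header, verdict assigned by the local mail filter).
SAMPLE_MESSAGES = [
    ('"Deals" <promo@fast.motorcycles>', "malicious"),
    ("offers@ride.motorcycles", "spam"),
    ("Win Now <x@prizes.motorcycles>", "malicious"),
    ("Alice <alice@partner.example.com>", "clean"),
    ("billing@vendor.com", "clean"),
    ('"Bob" <bob@vendor.com>', "spam"),
    ("Harare Office <ops@supplier.co.zw>", "clean"),
    ("broken header with no address", "malicious"),
]

def tld_of(from_header):
    """Return the lowercased TLD of the From: address, or None if unparsable."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    domain = addr.rpartition("@")[2].rstrip(".").lower()
    if "." not in domain:
        return None
    return domain.rsplit(".", 1)[1]

def tld_report(messages, min_volume=3, block_rate=0.90, max_clean=0):
    """Compute the malicious-or-spam share per TLD and list block candidates.

    A TLD becomes a candidate only when enough mail was seen to trust the
    rate, the rate meets block_rate, and at most max_clean clean messages
    came from it (the "do we expect mail from this TLD?" check).
    """
    total, bad = Counter(), Counter()
    for header, verdict in messages:
        tld = tld_of(header)
        if tld is None:  # unparsable From: headers are skipped, not guessed
            continue
        total[tld] += 1
        if verdict in ("malicious", "spam"):
            bad[tld] += 1
    rates = {t: bad[t] / total[t] for t in total}
    candidates = sorted(
        t for t in total
        if total[t] >= min_volume
        and rates[t] >= block_rate
        and total[t] - bad[t] <= max_clean
    )
    return rates, candidates
```

A published high-abuse list can seed the candidate set, but running the same calculation over your own inbound mail shows whether a TLD such as .zw actually carries legitimate traffic for your organization before you block it.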
Certificate transparency and anomaly detection
Each TLD page in Cloudflare Radar includes certificate transparency (CT) data. The information shows TLS/SSL certificate issuance volume and the distribution among certificate authorities (CAs). Pre-certificates serve as a proxy for actual certificate deployment.
