The Spamhaus Project

Traffic Distribution System (TDS) abuse - What’s hiding behind the veil?

by The Spamhaus Team, November 05, 2025. 5 minutes reading time

Introduction

Those who follow the DNS abuse landscape closely may have noticed a rise in activity and abuse reports related to Traffic Distribution Systems (TDS). The use of this infrastructure for malicious purposes - particularly in phishing campaigns - is becoming increasingly common.

In this blog, we look at how TDS are being exploited to facilitate abuse, why they present challenges for takedowns, and what we can do as a community to address the problem.

What are TDS?

A TDS is a network that redirects or filters web traffic; typical use includes advertising and affiliate tracking or geolocation targeting. TDS essentially act as intermediaries, often sitting between the link you click—say, in an email—and the page or service you ultimately reach.

There are legitimate use cases for a TDS, but the advantages they offer are useful for cybercriminals too. Spamhaus has observed an increase in their use, enabling large-scale phishing, malware distribution, malvertising, and other harmful activities that rely on domains to distribute, conceal, and accurately target victims.

Types of TDS

There are many types of malicious TDS, but the most common are:

  • TDS cloaking: Filters such as geolocation, user-agent, or referrer are used to decide who receives the malicious payload and to hide it from everyone else.
  • Redirect chains and domain rotation: A rotating pool of domain names is combined with multi-step redirects that eventually lead to malicious landing pages.
  • Affiliate / phishing: Offers or fake updates are disseminated to lure users from non-malicious content through to a harmful destination.

Obfuscating badness with TDS

Adversarial use of TDS also makes life much harder for researchers and hampers successful takedowns, because a TDS doesn't deliver malicious content consistently. Instead, content is only served if a specific set of parameters is met; otherwise you are simply redirected to an innocuous site, such as Google, leaving no visible trail of the malicious flow. This behaviour leads to reproducibility problems and makes collecting evidence challenging. You can't capture the malicious content unless you replicate the targeting conditions precisely, turning investigations and remediation into a frustrating game of cat and mouse. It's also important to note that, as the technology itself has legitimate applications, TDS aren't technically abuse in themselves, even when exploited for malicious purposes. This makes TDS abuse a bit of a grey area.
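To show why an investigator must reproduce the targeting conditions, here is an added example (not Spamhaus code) that simulates a two-hop redirect chain with a constructed cloaking rule and probes it under several client profiles, recording each chain as evidence; all hostnames, the rule, and the probe profiles are placeholders.

```python
# Added example (not Spamhaus code): trace a simulated TDS redirect chain under
# several client profiles and flag cloaking when the destination depends on them.
from collections import namedtuple

Probe = namedtuple("Probe", "name country user_agent referer")

def tds_decide(probe):
    # Constructed cloaking rule standing in for a real TDS filter: only mobile
    # visitors from a targeted country who arrived via the lure reach the landing
    # page; every other visitor is bounced to an innocuous site.
    targeted = probe.country in {"US", "GB"}
    mobile = "Mobile" in probe.user_agent
    from_lure = probe.referer.startswith("https://lure.example.invalid/")
    if targeted and mobile and from_lure:
        return "https://landing.example.invalid/login"
    return "https://www.google.com/"

# Constructed hop table with placeholder hostnames. A value is either the next URL
# or a function that picks the next URL from the probe (the cloaking step).
HOPS = {
    "https://lure.example.invalid/offer": "https://tds1.example.invalid/go?id=42",
    "https://tds1.example.invalid/go?id=42": tds_decide,
}

def trace_chain(start, probe, max_hops=10):
    """Return the ordered list of URLs visited from `start` under `probe`."""
    chain, url = [start], start
    for _ in range(max_hops):
        nxt = HOPS.get(url)
        if nxt is None:
            break
        url = nxt(probe) if callable(nxt) else nxt
        chain.append(url)
    return chain

def detect_cloaking(start, probes):
    """Probe the same URL under each profile and group profiles by final
    destination; more than one destination means the chain is profile-dependent."""
    by_dest = {}
    for p in probes:
        by_dest.setdefault(trace_chain(start, p)[-1], []).append(p.name)
    return {"cloaked": len(by_dest) > 1, "destinations": by_dest}

# Constructed probes: a datacenter research scanner, the targeted victim profile,
# and a same-country desktop visitor.
PROBES = [
    Probe("scanner-dc", "DE", "Mozilla/5.0 (X11; Linux x86_64)", ""),
    Probe("victim-mobile", "US", "Mozilla/5.0 (iPhone) Mobile Safari", "https://lure.example.invalid/offer"),
    Probe("desktop-us", "US", "Mozilla/5.0 (Windows NT 10.0)", "https://lure.example.invalid/offer"),
]
```

Only the probe matching every filter reaches the landing page; a scanner that fetches the URL once from a datacenter sees nothing but the decoy, which is exactly the reproducibility gap described above.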

The TDS abuse blind spot

The current definition of abuse at ICANN refers to five types of harmful activity:

  • Botnets
  • Malware
  • Pharming
  • Phishing
  • Spam (if it’s used to distribute one of the other four types of abuse)

Excluding spam, this definition focuses only on directly harmful outputs, not the infrastructure used to distribute them.

Under this definition, a TDS redirector domain is considered ambiguous, as it serves only as enabling infrastructure for DNS abuse tactics such as malware or phishing. Similarly, systems that use geo-targeting to hide abuse also fall into this grey area, because technically they represent infrastructure abuse, not DNS abuse.

When it comes to takedowns, TDS domains also pose a unique challenge, because registrars may not necessarily view them as abusive. They might contact the domain owner to remove the malicious link, but they wouldn't necessarily consider the entire domain malicious. Unfortunately, that response would still be compliant with ICANN's definition of abuse, and consequently it wouldn't trigger enforcement action.

Is to facilitate, not to abuse?

From ICANN's perspective, if a domain is used to facilitate abuse but not to host it, it is often outside the scope of DNS abuse. From our point of view, however, TDS infrastructure is part of DNS abuse, for the very reason that it facilitates large-scale malicious operations and, in these cases, exists solely to facilitate abuse.

In essence, TDS are part of a larger ecosystem that enables abuse, rather than being the direct source of the abuse itself.

Infoblox shares 100,000 domain names

In June 2025, the core network services provider Infoblox shared 100,000 domain names with Spamhaus, identified as belonging to the notorious Vextrio, a threat actor group known for its extensive use of TDS. Researchers found these domains to be spread across the globe, with many using the top-level domains (TLDs) .life, .com, .club, and .top (no surprises here), many of which you will see in the latest Spamhaus Domain Reputation Update.

Some domains cost as little as $2/domain, while others are more expensive, representing a minimum investment of around $200,000 and showing significant money being pumped into this infrastructure. Over two thirds of the domain names are registered with two providers: Namesilo (66,000) and Namecheap (17,000). The pattern is clear: cheap domains are easy to acquire, often in bulk, making them ideal for large-scale operations like Vextrio.

The good news? To provide user protection, we’ve added these domains to the Spamhaus Domain Blocklist and are now actively tracking TDS activity!

What we can do

As a community, we need to raise awareness among registrars and the wider industry that TDS are a growing problem and are actively enabling malicious behaviour. You can also help by sharing any suspicious or malicious domains and URLs with us via the Spamhaus Threat Intel Community Portal. Whether you have one domain or thousands of URLs, you can make a difference.