The Spamhaus Project

blog

Troubles in Tokelau, malfeasance in Mali... what's happening with Freenom?

In the first quarter of 2023 we noticed a sharp decline in new registrations in Freenom's TLDs – good and bad. So, what is happening?

by The Spamhaus TeamApril 24, 20235 minutes reading time

Jump to

Introduction

For many years the Freenom operated TLDs have been a mainstay in virtually every statistic created around internet abuse-related domain registrations, whether they cover spam, phishing or malware. In the first quarter of 2023 we noticed a sharp decline in new registrations in their TLDs – good and bad. So, what is happening?### From ccTLD to gTLD

Freenom operates five country-code top level domains (ccTLDs): .cf (Central African Republic), .ga (Gabon), .gq (Equatorial Guinea), .ml (Mali) and the most well-known one: .tk (Tokelau). While all these are owned by the countries they represent, the policies and operational aspects implemented by Freenom effectively turn them into general top level domains (gTLDs). Consequently, anyone can register any name, without having any special ties to the countries the TLDs are assigned to. Yet, what truly sets these TLDs apart from any others, are their registration fees: for most domain names in these TLDs, registration is free.

Top 10 isn’t always good

As with any free service on the internet, this price point attracts abuse. Time and again, free services attract all sorts of abuse, ranging from drive-by blackhat SEO to the Internet equivalent of serious organized crime. This is especially the case where the free resource is not properly managed with “abuse” in mind.

Ever since Spamhaus have published statistics around which TLDs get the most abuse related registrations, Freenom-operated TLDs have been a consistent Top 10 entry. It’s not just us. Going back as far as 2006, reports from the Anti Phishing Working Group, Interisle Consulting Group, and McAfee have pointed out the large number of abuse-related domain registrations in Freenom TLDs. It is therefore safe to say that Freenom did not have a good grip on the abuse levels of their TLDs.

The polluter pays

In Europe, a simple but powerful idea lies at the heart of environmental laws: “the polluter pays”. This principle is based on common sense: the polluter — the actors or the activity causing the pollution — should pay to right their wrong. This concept is near and dear to Spamhaus, as for over 20 years we have empowered recipients of ‘internet pollution’ by providing the necessary data to clean it up. By allowing accurate blocking of bad internet identifiers such as IP addresses and domain names, we have shifted a significant part of the cleanup costs back to those who own the abusive resources.

Whilst many other TLDs (and registrars) invest resources into the prevention and management of abuse, Freenom, produced an automated anti-abuse tooling, shifting their costs of the clean-up to the recipient. Accordingly, it would appear the consistent pollution of the internet namespace by Freenom-operated TLDs has come back to haunt them.

Meta be ready for this

As of early 2023, Freenom stopped new registrations in any of their free TLDs. While their website cites “technical issues”, we expect there could be a different explanation. Namely, a lawsuit filed on behalf of Meta Platforms (Facebook, Whatsapp, Instagram) naming Freenom and a number of associated companies as defendants. The lawsuit alleges cybersquatting, trademark infringement, false designation of origin and violations of the California Anti-Phishing Act.

The amended filing contains many example domain names that immediately stand out as being problematic. They contain the names of Meta’s products, sometimes in obfuscated form, along with contexts, words and actions regularly found in phishing domain names. All matching an all-too-common pattern that we have seen many times in Freenom operated TLDs.

As is often the case with lawsuits like this, it’s not just about stopping the problem. In spirit with the earlier mentioned principle of ‘the polluter pays’, Meta’s lawyers have put a price tag on dealing with the cleanup. For example, for phishing domains “… Plaintiffs are entitled to recover the greater of their actual damages or five hundred thousand dollars ($500,000) per each phishing website …“. While this is a plea to the court and certainly not an awarded amount of money (yet!), it certainly draws a line in the sand.

Free-no-more

With this in mind, we are not at all surprised about the current suspension of registrations at Freenom. Given their track record, it would be hard to imagine opening registrations again anytime soon, while also being equipped to deal with the inevitable abuse of free registrations. Not to mention their business model and operational policies would need to drastically change.

Looking ahead, it will be interesting to see how this unfolds. It would be naïve to believe the abuse thriving on free domains from Freenom will now stop. In reality, abuse-related TLD registrations will be redirected to paid domains, resulting in more miscreants operating across domains in the low-end pricing bracket, causing them slightly higher costs. This is something registries are already experiencing, as explained in Domain Registries – are you experiencing the Freenom effect, and highlighted by the data in our most recent Domain Reputation Report.

Believe it or not, this could be a positive outcome for the internet. Many cybercrimes that require a domain name to function will have an increase in costs, and profitability will decline. The result….a less polluted internet namespace, a concept we certainly get behind.

Read ‘Domain Registrars – are you experiencing the Freenom effect?‘ and access the ‘Q1 2023 Domain Reputation Update’.