ICANN publishes Internationalized Domain Names Reputation Block List Analysis

The analysis examines domain names registered under generic top-level domains (gTLDs) that were reported in multiple third-party reputation block lists, including Spamhaus, SURBL, APWG, PhishTank, and others.
ICANN publishes Internationalized Domain Names Reputation Block List Analysis

ICANN’s Office of the Chief Technology Officer (OCTO) released an analysis of Internationalized Domain Names (IDNs) in Reputation Block List (RBL) data, covering the period from the fourth quarter of 2022 through the third quarter of 2024. The study provides insight into the prevalence and nature of reported security threats involving IDNs, comparing them with those linked to ASCII-based domain names.

Scope and data sources

The analysis examines domain names registered under generic top-level domains (gTLDs) that were reported in multiple third-party reputation block lists, including Spamhaus, SURBL, APWG, PhishTank, and others. It is important to note that RBL data reflects reports of suspected abuse, rather than confirmed misuse.

The study focused on three key questions:

  1. How reported IDNs compare to ASCII domain names in terms of abuse reports.
  2. The distribution of security threat types associated with IDNs.
  3. The distribution of reported IDNs across different writing systems (scripts).

Comparison: ASCII vs. IDNs

During the study period, an average of 218 million ASCII domain names and 1.5 million IDNs were registered under gTLDs per quarter. On average, about 1.75 million ASCII domains (0.81%) and 2,862 IDNs (0.19%) were reported each quarter.

This means ASCII domain names were reported 4.3 times more frequently than IDNs relative to their total populations.

Security threat types

Both ASCII and IDNs showed a similar distribution of reported threats:

  • Spam was the most frequently reported threat (71.68% of ASCII; 68.39% of IDNs).
  • Phishing was the second most reported (26.77% of ASCII; 31.34% of IDNs).
  • Reports of malware hosting and botnet command-and-control domains were significantly less frequent for both categories.

These findings suggest that IDNs do not present fundamentally different patterns of abuse compared to ASCII domains.

Script analysis of IDNs

The study also examined IDNs by script, focusing on the most recent quarter of analysis (Q3 2024), when 3,717 IDNs were reported:

  • Chinese (Han) script accounted for 53.3% (1,981 domains).
  • Latin script accounted for 35.6% (1,325 domains).
  • Other scripts—Korean, Thai, Cyrillic, Japanese, Arabic, and several minority scripts—together represented the remaining share.

When comparing reported IDNs to total registrations within each script, Latin IDNs had a slightly higher report rate (0.33%) than Chinese IDNs (0.29%).

Key findings

  • ASCII domains were reported for abuse more often than IDNs, both in raw numbers and relative to total registrations.
  • Spam and phishing remain the dominant categories of reported threats for both ASCII and IDNs.
  • Chinese (Han) and Latin scripts make up the majority of reported IDNs, reflecting their prevalence among IDN registrations.

Next Steps

ICANN has indicated plans to integrate IDN-related abuse reporting into Domain Metrica, its monitoring platform. This would allow stakeholders to track the security threat landscape for IDNs more consistently over time.

Civil Society Alliances for Digital Empowerment (CADE) is a project co-funded by the European Union.

Civil Society Alliances for Digital Empowerment (CADE) 2024. All rights reserved.

This website is co-funded by the European Union. Its contents are the sole responsibility of CADE and do not necessarily reflect the views of the European Union.

Web accessibility | Privacy policy

Go to Top