Demand Excellence! DNS Abuse Research Methodology and Data Advocacy

Building on our editorial series (“Do RBLs Still Cut It?” and “Trust & Safety?: Try Mistrust and Spin”), we established that policy-informing research must measure both problems and solutions with equal rigor. This analysis examines methodological gaps affecting DNS abuse research broadly, using the Interisle Phishing Landscape 2025 report and .xin as a case study to demonstrate these principles. The Interisle report highlights .xin as having achieved “the highest phishing score (10,810.2) [they] have ever reported”—a dramatic statement presented almost entirely without assessment, validation or mitigation context. This exemplifies how discourse in our industry, particularly in connection with DNS Abuse policy, consistently glosses over or omits key data points vital to understanding the bigger picture.

Using this example from the recent report, we explore the research related to this abusive campaign with the intention of considering the full picture—including mitigation response. As an abuse management provider serving a backend service provider that operates infrastructure for multiple TLDs including .xin, CleanDNS is uniquely situated to demonstrate data points other research efforts typically omit: validation, escalation, and remediation efforts that are necessary to transform raw abuse reports into meaningful policy-relevant outcomes.

Methodological Concerns: Why is this an issue?

In the ICANN multistakeholder model, our actions and inputs form global policy impacting billions of internet users daily. For those who contribute data and research outcomes to this discourse, that responsibility demands data that is verifiable, open and transparent. Core methodological integrity should be paramount. CleanDNS has commented previously on Interisle data for this reason; at ICANN 83 (Prague, June 2025), during a presentation to the Governmental Advisory Committee (GAC) on DNS Abuse, Interisle representatives characterized domains at “Registrar of Last Resort” (RoLR) as an “arsenal of domains” awaiting weaponization, which was a fundamental mischaracterization of RoLR’s role and purpose (see our prior editorial for detailed analysis). Although this article also considers an Interisle report, we have chosen it for some key reasons:

  • It is recently published, and is prominent;
  • We expect it to be part of the discourse at ICANN 84 in Dublin, and it will be referenced in more than one session; and
  • It covers TLDs and makes recommendations based on data which we can actually compare and validate.

Our objective is not to target, but purely to assess. Our goal remains to ensure fidelity in the data we are seeking to add to the discourse, and to seek the best possible outcome of DNS Abuse-related policy development efforts at ICANN 84, and beyond.

Comparing DNS Abuse Research Methodology

Purpose

CleanDNS’ purpose comes from being an abuse management service—our statistics and research are aimed at reducing impact to victims (end users and clients alike). As a service provider to registries, registrars and backend infrastructure operators across multiple TLDs, our statistics emerge from operational abuse management. With our data set, we seek to identify and share practical improvements and data-driven change while maintaining transparency and due process. We see benefit in sharing data where our observations will help guide responsible policy creation.

The stated purpose of the Interisle report is to provide “analysis of phishing attack data” and “recommendations on how resource abuse prevention and mitigation efforts can curb criminal exploitation.” However, beyond quarterly deduplication and wholesale acceptance of data at face value from limited sources, it is hard to conclude how the report meaningfully “analyzed” the data beyond identifying temporal spikes and absolute volumes of reports over the year. More critically, data relating to existing mitigation efforts remained wholly absent from the paper and underlying research. Research cannot credibly recommend “mitigation improvements” without first measuring the mitigation efforts that actively occurred. It is unclear how such a report supports the recommendations, and how it adds to the policy discourse.

Sources & Data Used

Interisle’s report acknowledges that they collect data from “four widely respected data threat providers (APWG, OpenPhish, PhishTank, and Spamhaus).” Deduplication is performed at the quarterly level. The report provides no commentary on the methodology used for validating the sources, i.e. whether these reports represent current, actionable threats; it appears simply to accept the reports based on the ‘wide respect’ for the sources. The report also does not include any visible consideration of undelegated or resolved/mitigated domains.

During May 2024–April 2025, the report notes that they processed “nearly 4 million phishing reports,” and identified “nearly two million distinct phishing attacks.” Interisle noted 42,724 phishing domains reported in 2025 relating to .xin. 42,681 out of the 42,724 domains (per Interisle, 100%) were maliciously registered. There is no explanation of the methodology behind this determination. The report notes that “nearly all .xin phishing domains were registered at Dominet (HK) (IANA ID 3775)”. No data relating to response or mitigation is presented.

CleanDNS’ work draws on over 70 reporter sources spanning security researchers, incident responders, detection systems, and operational intelligence (our sources include APWG, OpenPhish and PhishTank, but not Spamhaus). All our DNS Abuse data is processed with a view to escalation, mitigation and disruption; thus, regardless of origin, all reports are subject to validation. We understand that incorrect recommendations or actions would cause more harm than good to clients and end-users; therefore, well-evidenced reports are our minimum expectation.

During May 2024–April 2025 (mirroring Interisle’s study period), CleanDNS processed 93,071 abuse reports relating to .xin. This covered 46,216 distinct domains. Reports are deduplicated in real time; however, all reports are nonetheless reviewed for any additional evidence not previously received or considered. Escalations are based on the strongest report or combination of reports. CleanDNS’ 93,071 reports became 45,304 ‘cases’ after deduplication and validation. 44,326 validated cases underwent escalation (within one day of receipt) while 978 cases were ultimately closed for lacking sufficient evidence upon further review. 79% of the escalations resulted in registry-level intervention and 21% were remediated by other parties (registrar, hosting provider, etc.). We also noted a registrar concentration, with 85,493 reports (92%) involving domains registered through a single registrar, Dominet (HK) Limited.

Peak Statistics versus Complete Temporal Analysis

Complete research methodology must also call out peak abuse volumes, response effectiveness, and temporal trajectories. Both Interisle and CleanDNS data confirmed that a DNS abuse event of some magnitude occurred.

CleanDNS data noted that in H1 2025, the average number of reports per month was ~16,000 (averaging 8,700 unique domains monthly); however, what this average does not show is that the reports were primarily concentrated in March 2025, spiking to over 62,000 reports (32,000 unique domains). This number dropped to ~7k in April, ~3k in May, and continued to decline. By July, this number had dropped to 451 reports (246 distinct domains, 214 validated cases). Interestingly, October saw another spike in reports of nearly 3k; however, after deduplication and validation, those 3k reports related to only 213 unique domains.

The Interisle report did not provide any further breakdown.

The data shows that the concentration of abuse has lessened greatly. Interisle’s “highest phishing score ever reported” claim is fair, especially considering their measurement period included March 2025. However, considering the report’s September 2025 publication date—four months after the study period concluded and five months after the March peak—this raises questions about whether Interisle observed the subsequent 93% decline (from 32,000 domains in March to 2,100 in July). This is still a significant campaign requiring study and action, but presenting peak abuse without acknowledging its decline by publication time risks creating policy panic over a campaign that had substantially diminished. This does not take away from the need to consider the campaign and its origin, and to devise means to prevent such abuse in future, but the temporal nature of the campaign is essential context for policy discussions.
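The report-to-case reduction and the month-by-month breakdown described above, as an added example that is not CleanDNS's or Interisle's code. The report tuples, the 0-3 evidence score, the `MIN_EVIDENCE` threshold and all function names are assumptions, and the sample reports are constructed.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample reports: (ISO date, domain, source, evidence score 0-3).
# Reserved .example names; the score scale and threshold are assumptions.
REPORTS = [
    ("2025-03-02", "login-a.example", "feed1", 3),
    ("2025-03-02", "login-a.example", "feed2", 1),   # duplicate, weaker
    ("2025-03-05", "pay-b.example",   "feed1", 2),
    ("2025-03-09", "pay-b.example",   "feed3", 3),   # duplicate, stronger
    ("2025-03-11", "bank-c.example",  "feed2", 0),   # no usable evidence
    ("2025-03-20", "shop-d.example",  "feed1", 2),
    ("2025-04-03", "mail-e.example",  "feed2", 2),
    ("2025-04-18", "mail-e.example",  "feed1", 2),
    ("2025-05-07", "docs-f.example",  "feed3", 0),
    ("2025-05-21", "docs-f.example",  "feed3", 0),
]
MIN_EVIDENCE = 2  # hypothetical validation threshold

def build_cases(reports, min_evidence=MIN_EVIDENCE):
    """Deduplicate reports per domain, keep the strongest, then validate."""
    strongest = {}
    for date, domain, source, score in reports:
        if domain not in strongest or score > strongest[domain][3]:
            strongest[domain] = (date, domain, source, score)
    validated = sorted(d for d, r in strongest.items() if r[3] >= min_evidence)
    closed = sorted(d for d, r in strongest.items() if r[3] < min_evidence)
    return validated, closed

def monthly_breakdown(reports):
    """Per month: (raw report count, count of distinct domains)."""
    counts, domains = defaultdict(int), defaultdict(set)
    for date, domain, _source, _score in reports:
        month = date[:7]
        counts[month] += 1
        domains[month].add(domain)
    return {m: (counts[m], len(domains[m])) for m in sorted(counts)}

def peak_and_decline(breakdown):
    """Mean monthly distinct domains, peak month, % decline peak -> last month."""
    uniq = {m: u for m, (_n, u) in breakdown.items()}
    peak = max(uniq, key=uniq.get)
    last = max(uniq)  # ISO month strings sort chronologically
    decline = round(100 * (uniq[peak] - uniq[last]) / uniq[peak], 1)
    return round(mean(uniq.values()), 2), peak, decline

if __name__ == "__main__":
    print(build_cases(REPORTS), peak_and_decline(monthly_breakdown(REPORTS)))
```

On the constructed data, ten raw reports reduce to four validated cases and two closed ones, and the monthly mean of distinct domains understates the peak month while saying nothing about the drop that followed it.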

Patterns of DNS Abuse Research

A systemic pattern emerges across DNS Abuse research: studies measuring abuse volume without corresponding validation and studies that ignore mitigation data simply create incomplete pictures. The issue is that these incomplete pictures are being widely used and referenced to advocate for more stringent policy. While research resource constraints and data access challenges contribute to these gaps, the resulting incompleteness affects policy development regardless of cause. DNS abuse policy discourse has repeatedly elevated research built on unvalidated data sources while ignoring operational evidence. This actively misinforms policymakers, misdirects resource allocation, and creates false impressions requiring refutation rather than collaboration.

Current ICANN GNSO policy work seeking to enhance Contracted Party response to DNS Abuse should be supported by robust statistics and data. Methodological gaps fuel community frustration, erode stakeholder trust, damage credibility, and risk policy paralysis. For those who have followed ICANN policy development closely over the years, these would be very familiar criticisms, as they are the criticisms often levelled at the ICANN community, in particular regarding the topic of DNS Abuse and the need to ‘do better’.

What “Better” Should Look Like

The Stakes for ICANN 84 and Beyond: Abuse happens—and anything preventing it should be considered. The contracted parties have actively worked through ICANN, the CPH, and the GNSO, developing both minimum expectations and voluntary best practices—efforts that should be applauded, not ignored. As the ICANN community prepares for Dublin, the community should establish (if not demand) stronger methodological standards. When the GAC, the ICANN Board, regulators, and national policymakers receive robust data capturing both problems and mitigation responses, policy development becomes more targeted and effective; when they receive poor data, everything grinds to a contentious halt.

This ICANN 84, being in Ireland, remember the old Irish proverb “Tús maith, leath na h-oibre”—“A good start is half the work.” To those presenting, remember the huge responsibility we hold to faithfully provide data to support and guide policy development. To those listening, demand complete data, require transparent methodologies, and seek a full picture of our anti-DNS abuse ecosystem, to establish a strong foundation for constructive progress in these new PDPs.

Our work matters to billions of people, so please, let’s demand excellence!

This analysis builds upon CleanDNS’ editorial series examining DNS abuse research methodologies (“Do RBLs Still Cut It?” and “Going Beyond the Numbers”), collectively establishing that research methodology standards—validation, temporal analysis, mitigation measurement, and complete data sets—apply to DNS abuse research broadly. We remain committed to advancing evidence-based policy through transparent methodologies and invite ongoing dialogue with researchers, policymakers, and the broader community about establishing shared standards.

By Alan Woods, CleanDNS Chief Legal Officer

* Cases may contain multiple domains