A registrar’s TLD lineup looks like pure optionality: stock more extensions, capture more registrations, collect more margin on the ones that move. The data Spamhaus publishes twice a year says the optionality has a hidden price, and that price is concentrated in exactly the cheap, high-volume new gTLDs that look most attractive on a margin sheet. In the extension .bond, over the six months from October 2025 to March 2026, the number of newly registered domains, 1.13 million, was almost equal to the entire size of the zone, 1.15 million, meaning nearly the whole namespace turned over in half a year. That is not growth; it is churn, the register-and-discard pattern that is the operational signature of disposable abuse infrastructure, and Spamhaus flags it as such. This publication has covered the policy side of domain abuse through the ICANN86 outcomes and the Interisle market-failure findings. This is the other half of the same problem, expressed as a question every registrar’s product team can act on directly: which TLDs are worth carrying, once you price in what their abuse costs you.
Key facts, TLD churn and abuse (Spamhaus Domain Reputation Update, October 2025 to March 2026)
- The churn signal: Spamhaus measures the share of a TLD’s zone that is newly-observed domains; a level above roughly 10 to 20 percent is “unusually high,” and three quarters of the top 20 gTLDs exceed it
- The worst offenders are near-total turnover: .bond at 98.6 percent (new registrations 1.13M against a 1.15M zone, up 375 percent and showing “abnormal registration patterns”), .lol at 71.7 percent, .cyou 56.3 percent, .sbs 52.6 percent, .click 45.3 percent, .cfd 42.8 percent, all low-cost, high-volume extensions
- The pattern concentrates by registry: Spamhaus names Identity Digital, Radix, and Shortdot S.A among operators showing the high-churn pattern, while large mainstream operators do not appear in the top 20 despite running more TLDs
- gTLDs carry the bulk of it: generic TLDs account for 76 percent of new registrations and the disposable-domain behavior is concentrated there, not in the country-code space
- It is becoming a compliance obligation, not just a reputation cost: in January 2026 ICANN’s GNSO launched a “DNS Abuse Mitigation” initiative that would have registrars identify and review “associated domains” when responding to an abuse report, the portfolio-level accountability this publication flagged at ICANN86
- The cost is externalized today: the blocklisting, deliverability damage, and abuse-desk load created by these domains fall on the registrar’s reputation, the host’s mail reputation, and the legitimate customer on the same extension, not on the abuser who already moved on

In the worst extensions, almost the entire zone is registered and discarded within months.
Source: Spamhaus Domain Reputation Update, Oct 2025-Mar 2026.
The same six extensions, by absolute volume (the raw counts behind the rates above):
| TLD | New domains (Oct 2025-Mar 2026) | Zone size |
|---|---|---|
| .bond | 1,130,779 | 1,147,185 |
| .sbs | 744,244 | 1,414,674 |
| .click | 332,132 | 732,673 |
| .lol | 326,607 | 455,492 |
| .cyou | 256,455 | 455,512 |
| .cfd | 229,379 | 535,716 |
Ranked by volume, the order shifts: .sbs is the second-largest by new registrations even though it sits fourth by rate, a reminder that the churn is happening at real scale, not just in small zones.
Source: Spamhaus Domain Reputation Update, Oct 2025-Mar 2026.
What the Churn Number Actually Measures
The metric deserves precision, because it is easy to misread as a direct abuse rate and it is not one. Spamhaus tracks, for each TLD, the proportion of the current zone that consists of newly-observed domains over the reporting period. A healthy, stable extension turns over slowly: most of its domains persist year to year, and new registrations are a modest fraction of the whole. An extension where new registrations approach the size of the entire zone is one where domains are being created and abandoned almost as fast as they are counted, and that velocity is the tell. Legitimate businesses do not register a domain, build on it, and discard it within weeks; abuse operations do exactly that, burning through disposable domains to stay ahead of blocklists, which is why Spamhaus treats extreme churn as the leading indicator of abuse infrastructure rather than a sign of commercial demand. The 98.6 percent figure for .bond does not mean 98.6 percent of .bond domains are malicious; it means the extension’s population is almost entirely transient, the condition under which abuse thrives and legitimate use does not. The honest reading is that these TLDs are dominated by throwaway registrations, and the proportion that is outright malicious sits inside that transient majority.
The concentration by registry is the part that turns this from a security observation into a business one. Spamhaus names specific registry operators, Identity Digital, Radix, and Shortdot S.A, whose extensions show the high-churn pattern, and notes pointedly that some large mainstream operators do not appear in the top 20 despite managing more TLDs. That contrast is the same one the Interisle study drew at ICANN86: abuse at this scale is not an inevitable cost of running a TLD, because some operators run large, clean namespaces. It is a function of how an extension is priced and policed. The cheap, promotion-driven, weakly-verified extension attracts the disposable-domain trade; the disciplined one does not. For a registrar deciding what to stock and how to price it, that means the abuse profile of a TLD is knowable in advance from public data, and is a property of the registry’s choices rather than bad luck.
The Carrying Cost Registrars Do Not Book
The reason this belongs on a CFO’s desk and not only a CISO’s is that the cost of carrying an abuse-heavy TLD is real, recurring, and currently unbooked. When an extension fills with disposable abuse domains, several costs land on the registrar and the hosts downstream of it, none of which appear on the registration’s margin line:
- Reputation by association: the extension’s reputation degrades, so legitimate customers on it hit deliverability problems and blocklisting, generating support tickets and churn the registrar pays for
- Abuse-desk labor: the registrar’s abuse desk absorbs the takedown requests, law-enforcement inquiries, and complaint volume these extensions generate, a cost that scales with the abuse, not the revenue
- Downstream deliverability: the mail and hosting providers that accept these domains inherit the blocklist and filtering damage, so a host’s deliverability posture is partly hostage to which TLDs its customers register
The registration fee is collected once; the externalized costs recur for as long as the domain churns and the reputation stays poor.
The inputs for that calculation are all public. Spamhaus publishes the churn and abuse data; registry wholesale prices are published or knowable; and blocklist exposure is observable. Crossing them would score each extension on revenue per registration against its abuse-driven carrying cost, the same net-margin reframing this publication applied to renewal pricing and to capital structure. The data and the cost logic point the same way, and the direction is uncomfortable for the discount end of the registrar business: several of the cheapest, highest-volume extensions look likely to come out net margin-negative once the abuse-desk labor, the deliverability damage to legitimate customers, and the reputation cost are counted, carried not because they are demonstrably profitable but because the costs are externalized and therefore invisible on the current ledger. Putting hard numbers on that is the test worth running.
The Policy Clock Is Closing the Externality
The strategic timing is what makes this urgent rather than merely interesting, and it connects directly to the ICANN developments this publication covered recently. The externality that lets registrars carry abuse-heavy TLDs profitably exists because accountability has historically operated at the level of the individual bad domain: a domain is reported, it is suspended, and the registrar’s obligation ends. ICANN’s GNSO “DNS Abuse Mitigation” initiative, launched in January 2026, would change the unit of accountability to the portfolio, requiring registrars to identify and review the “associated domains” around an abuse report rather than treating each in isolation. Spamhaus’s data is the evidence base for why that shift matters: when an extension’s zone is 98 percent transient, the associated-domains review is not noise, it is the whole picture, and a registrar that profits from a high-churn extension can no longer treat each takedown as an isolated event divorced from the pattern feeding it. The regulatory direction is to internalize the cost that the churn data has been measuring all along.
For a registrar’s leadership, the three threads pull together: a TLD’s abuse profile is public and predictable, its carrying cost is real and recurring even though it never sits next to the registration fee, and the policy environment is now moving to make that cost explicit at the portfolio level. The registrars that get ahead of this will be the ones that have already scored their own catalog the way Spamhaus scores the zone, and have decided, with the net cost in view, which extensions are worth carrying and which are quietly subsidized losses dressed as a wide product range.
About the Data
All churn figures, thresholds, per-TLD percentages and named registry operators come from the Spamhaus Domain Reputation Update covering October 2025 to March 2026, read directly and verified on June 23, 2026. The newly-observed share is presented as Spamhaus frames it, a churn and disposable-domain indicator, not a percentage of malicious domains. The ICANN GNSO initiative is described from the same report and our ICANN86 reporting. The net-margin-negative conclusion is a hypothesis to be tested against registry wholesale prices, not a completed calculation.
Sources
- Domain Reputation Update, October 2025 to March 2026 - Spamhaus (official, primary)
- Spamhaus IP and Domain Reputation resource hub (recurring methodology) - Spamhaus (official)
- GNSO DNS Abuse Mitigation initiative, associated-domains review (January 2026) - ICANN GNSO (official)
- Domain Abuse Activity Reporting (DAAR) - ICANN Office of the CTO (corroborating registry-level abuse data)