A concrete counterexample: plantura.garden is a large, reputable German-language gardening magazine / brand, and probably exactly the kind of legitimate site one would expect on .garden.
So while the abuse numbers may well justify treating newly registered / low-reputation .garden domains with suspicion, blanket-blocking the entire TLD seems like it would create real collateral damage.
For businesses, it's not a valid reason to not block .garden simply because a gardening site exists. If a site is important enough, exceptions to the blanket rule can be applied.
In general though, if you want Fortune 500s to utilize your service/company, don't utilize a novelty TLD.
I don't think that anyone claims that there aren't any legitimate sites on .garden, but the risk of using an abuse-prone TLD is that Bayesians are going to assign you an increased prior risk of abuse. Honestly the TLD is making more money from the abusers than from Plantura so they're not going to tighten up their ship, Plantura should probably move to a different TLD.
I had no idea the .garden TLD even existed. Having just checked Porkbun, it seems like they go for $1.54 which is pretty cheap. No wonder they're being abused.
If you have a cheap TLD of course bad actors will buy a bunch.
It is absurd to consider a TLD bad just because it's cheap and its names were registered by some bad people. It's a bad case of stereotyping. Filters need to be better than this. There are plenty of good names within a TLD.
Like is it stereotyping to say Black people tend to have darker skin than whites?
At some point, it’s not stereotyping, it’s intrinsic. And if the domain is super cheap to register, is overrun by bad actors, and is generally a nuisance… is it really stereotyping?
Collateral damage I get. Like if you’re running a convenience store and observe that teenagers in track suits and bandanas are robbing you blind (hey look I’m stereotyping), banning these kids will also ban the totally legit kid who happens to dress that way.
But? Isn’t that ok? Should the shop owner just eat continued losses for fear that eventually someone might dress like that and not be a risk?
I fear that I sound snarky, but I really don’t mean to. My point is that at a macro level stereotyping is absolutely wrong. But at a tactical, day-to-day lived experience level, how much abuse do we all have to put up with? An unlimited amount ?
> is it stereotyping to say Black people tend to have darker skin
Your analogy is altogether misplaced.
> But? Isn’t that ok?
No, it never is. The hallmark of civilization avoiding collateral damage and protecting the innocent, without which we're animals.
> And if the domain is super cheap to register, is overrun by bad actors,
That is not established. The bad actors merely make noise, and get reported. The good actors stay out of the news.
Your argument is bogus because filters absolutely can be nuanced, operating at the name level. It is a non sequitur for a filter to operate at the TLD level.
> My point is that at a macro level stereotyping is absolutely wrong. But at a tactical, day-to-day lived experience level
Huh. That is just laughable and sad. Stereotyping is wrong at every level, and it's even more wrong at the everyday level.
Further to your point, it harms the existing wonderful sites like https://radio.garden/—which has been featured on HN several times over the past few years.
> First-year TLDs under $2 is one of the best indicators of likely abuse. Some TLDs like .xyz are truly fighting abuse while others feign ignorance.
I don't understand this. The first year being discounted (or free) helped .me, and .xyz in the past. This is one year of data. Surely more time is needed?
> It is unlikely that there are valid business reasons for network environments to allow .garden domains;
What do you mean? What is this likelihood based off of?
> highly recommend defenders completely block the .garden top-level domain, and allowlist items as needed.
Just another data point about this, not an argument for (or against) blocking a TLD, but personally I wouldn't register an .xyz again, due to what I presume is related to them having to fight abuse. I still have one site on there and have migrated another off.
My domain was flagged for abuse (it's a static site with a daily word game, no ads or anything else) and the TLD took it down. Not my registrar or host, the TLD itself. There was no communication on this, it took some effort to work out what even happened, and appealing was a pretty blind process of claiming to have fixed the issue and issuing proof (which felt a bit strange to fabricate proof that it was fixed, since no issue existed to begin with) and hoping they'd unblock it, with no communication at all beyond a place to send such a claim.
They did unblock it, and while I am sympathetic to them having to fight abuse, I still moved away from them.
On a corporate network, blocking lesser-used TLDs combined with an aggressive use of DNS and web reputation filters is recommended. I work for a company that provides both services. Makes sense to keep Internet traffic on a sensitive network limited to the sites most likely to have a business case.
For end-users, less so - stick to DNS blocklists and uBlock filters for malware domains which are freely available.
It's not just the price, but also how "legitimate" the registrars are and how well they deal with abuse.
Here's an anecdote: I know someone who insisted on using a .tk domain for legitimate business purposes for many years. When I heard of this, I immediately asked "isn't that the TLD managed by a shady company that gives domains away for free and then steals them back if they become popular?" He insisted this did not affect him, as he was a legitimate customer who had been paying for the domain for over a decade.
Fast forward a few years, the company behind the TLD (Freenom/OpenTLD) went under due to their shady business practices, he lost the domain, and was told he had to register it again at a new registrar for a much higher price to recover it.
So while the abuse numbers may well justify treating newly registered / low-reputation .garden domains with suspicion, blanket-blocking the entire TLD seems like it would create real collateral damage.
In general though, if you want Fortune 500s to utilize your service/company, don't utilize a novelty TLD.
If you have a cheap TLD of course bad actors will buy a bunch.
¹As in abuse of planet's resources, economy, job market and on human sanity and patience.
Like is it stereotyping to say Black people tend to have darker skin than whites?
At some point, it’s not stereotyping, it’s intrinsic. And if the domain is super cheap to register, is overrun by bad actors, and is generally a nuisance… is it really stereotyping?
Collateral damage I get. Like if you’re running a convenience store and observe that teenagers in track suits and bandanas are robbing you blind (hey look I’m stereotyping), banning these kids will also ban the totally legit kid who happens to dress that way.
But? Isn’t that ok? Should the shop owner just eat continued losses for fear that eventually someone might dress like that and not be a risk?
I fear that I sound snarky, but I really don’t mean to. My point is that at a macro level stereotyping is absolutely wrong. But at a tactical, day-to-day lived experience level, how much abuse do we all have to put up with? An unlimited amount ?
Nah. But it’s stereotyping to say black people tend to commit more crimes than whites.
Which is a lot closer an analogy here, and just as wrong.
Your analogy is altogether misplaced.
> But? Isn’t that ok?
No, it never is. The hallmark of civilization avoiding collateral damage and protecting the innocent, without which we're animals.
> And if the domain is super cheap to register, is overrun by bad actors,
That is not established. The bad actors merely make noise, and get reported. The good actors stay out of the news.
Your argument is bogus because filters absolutely can be nuanced, operating at the name level. It is a non sequitur for a filter to operate at the TLD level.
> My point is that at a macro level stereotyping is absolutely wrong. But at a tactical, day-to-day lived experience level
Huh. That is just laughable and sad. Stereotyping is wrong at every level, and it's even more wrong at the everyday level.
> First-year TLDs under $2 is one of the best indicators of likely abuse. Some TLDs like .xyz are truly fighting abuse while others feign ignorance.
I don't understand this. The first year being discounted (or free) helped .me, and .xyz in the past. This is one year of data. Surely more time is needed?
> It is unlikely that there are valid business reasons for network environments to allow .garden domains;
What do you mean? What is this likelihood based off of?
> highly recommend defenders completely block the .garden top-level domain, and allowlist items as needed.
Holy overreaction, Batman.
My domain was flagged for abuse (it's a static site with a daily word game, no ads or anything else) and the TLD took it down. Not my registrar or host, the TLD itself. There was no communication on this, it took some effort to work out what even happened, and appealing was a pretty blind process of claiming to have fixed the issue and issuing proof (which felt a bit strange to fabricate proof that it was fixed, since no issue existed to begin with) and hoping they'd unblock it, with no communication at all beyond a place to send such a claim.
They did unblock it, and while I am sympathetic to them having to fight abuse, I still moved away from them.
For end-users, less so - stick to DNS blocklists and uBlock filters for malware domains which are freely available.
I don't see it as that much different than people setting up IP blocks at the country/ASN level.
Here's an anecdote: I know someone who insisted on using a .tk domain for legitimate business purposes for many years. When I heard of this, I immediately asked "isn't that the TLD managed by a shady company that gives domains away for free and then steals them back if they become popular?" He insisted this did not affect him, as he was a legitimate customer who had been paying for the domain for over a decade.
Fast forward a few years, the company behind the TLD (Freenom/OpenTLD) went under due to their shady business practices, he lost the domain, and was told he had to register it again at a new registrar for a much higher price to recover it.