March 8, 2025 23 minutes read Admin

How Abandoned Public Suffix List (PSL) Entries Enable Security Bypasses, Spamming, and SEO Manipulation

What is the PSL?

One of the critically important but sometimes overlooked elements of web infrastructure that greatly influences domain security and browser behavior is the Public Suffix List (PSL). A "public suffix" is a domain where users of the Internet may register names directly.

Common examples include .com, .co.uk, and more complex cases like pvt.k12.ma.us.

Maintained by Mozilla and volunteers as a community resource, the PSL serves multiple essential functions across the internet ecosystem. When browsers encounter domains, they use the PSL to:

  1. Prevent privacy-compromising "supercookies" from being set for high-level domain suffixes
  2. Determine the most important part of a domain name to highlight in user interfaces
  3. Properly sort history entries by site
  4. Define where cookie boundaries should exist
  5. Allow certificate authorities to make appropriate decisions about wildcard certificate issuance

The PSL is an extensive list, probably the least shitty list of domain suffixes that has ever existed, and it captures registration boundaries that are a little more complicated than a plain list of top-level domains (TLDs) like .com or .org.

For instance, while .uk is a TLD, the PSL recognizes that users typically register domains under .co.uk or .org.uk rather than directly under .uk. This distinction is crucial for security - without the PSL, a malicious actor could potentially set cookies for all .co.uk domains, affecting countless websites.

ICANN Section vs. Private Section

The PSL is divided into two distinct sections, each with different purposes, verification processes, and security implications.

ICANN Section

The ICANN section contains domains delegated by ICANN or part of the IANA root zone database.

Well, technically, as noted in the PSL Wiki, "IANA would have been a better label, but changing it may break integrations that are built" - showcasing the technical debt inherent in core internet infrastructure.

Entries in this section are typically TLDs and their direct, affiliated subordinates that form registration boundaries. Examples include:

  • Generic TLDs (.com, .org)
  • Country-code TLDs (.us, .uk)
  • Special registration boundaries within these TLDs (.co.uk, .k12.us)

Updates to the ICANN section can be submitted by anyone but must be accompanied by documentation from the registry's website or verification from NIC administrators through DNS records.

Private Section

The private section contains domains submitted by domain holders as expressions of their domain security policy. These are typically privately registered domains where the owner issues subdomains to mutually-untrusting parties.

For example, if a company runs a service at example.com and allows users to create their own subdomains like user1.example.com and user2.example.com, listing example.com in the private section prevents user1 from setting cookies that would be accessible to user2.

Updates to this section are accepted only from authorized representatives of the domain registrant, following thorough verification, and those representatives are expected to understand the consequences of being listed.

Inherent Issues with the PSL

Although internet security depends on the PSL, it has various structural issues that make it an easy target for exploitation.

Outdated ICANN Section Domains

The ICANN section can contain outdated entries that no longer represent active registration boundaries. These entries may remain in the PSL long after they've ceased to function in their original capacity. The documentation acknowledges this issue: "Static list (akin to hosts.txt) vs Server-Based Solution... when updates occur it can lead to stale behavior."

When country-code TLDs reorganize their registration structures or change policies, the corresponding entries in the PSL might not be promptly updated. These "orphaned" entries - domains that exist in the PSL but are no longer actively maintained by their original registries - become prime targets for exploitation.

Registry Awareness Gap

Many domain registries, particularly those in developing regions or smaller countries, may be unaware of the PSL and its importance. As stated in the documentation: "In order to make the Public Suffix List as current and accurate as possible, we request that Top-Level Domain (TLD) registries put in place processes to keep their section of the list current and accurate."

To quote from a maintainer:

When submitting a PR, understand that we as the PSL maintainers are volunteers and are not resourced to chase up the NIC or administrators of domains; while there are some of us who participate in ICANN or who have the opportunity to make presentations inside the TLD registry community and regional ccTLD events to help with awareness of the PSL, and we describe what it is and isn't and all of the benefits to maintaining entries for a ccTLD or gTLD, it is ultimately they the registries who must be involved in at very least approving / showing validation in the DNS.

Finite Volunteer Resources

The PSL is maintained by volunteers who review submissions, verify ownership, and maintain the integrity of the list. This limited capacity creates bottlenecks in processing updates and addressing potential abuses.

(Image: dependency only a programmer would understand)

From the documentation: "This project has a number of contributors, most all of whom are volunteering their spare time to process requests and maintain this resource." This volunteer-based model inherently lacks the resources to thoroughly vet every entry, particularly when dealing with complex international domain scenarios.

However, the PSL's request that registries keep their sections current often goes unheeded, resulting in sections of the PSL becoming effectively abandoned while still influencing browser behavior globally.

Mis-usable Validation

Although the PSL mostly depends on domain ownership checks, once a domain is added to the list there is no automatic way to guarantee it stays in use. Should a domain in the PSL expire and then be registered by a new owner, browsers will continue to treat it according to its PSL status until the list is updated. This might take months or perhaps years.

Historical Context: The 2012 gTLD Expansion and PSL Management Challenges

A critical factor in understanding the vulnerability of the ICANN section is the history of managing TLD additions, particularly during the massive expansion of generic TLDs (gTLDs) that began in 2012. This process created technical debt that continues to impact PSL management today.

The internet underwent an unheard-of increase of its namespace as ICANN started the 2012 round of new gTLD additions. Up to 20 new TLDs were being added weekly during peak times, generating what PSL maintainers referred to as a "thundering herd" of additions that carried through 2017-2018. This rapid expansion exposed a critical timing problem: the significant gap between when a TLD contract is signed with ICANN and when it's actually delegated to the DNS root zone. This delegation process involves multiple phases including technical readiness assessments and intentional pacing by ICANN.

Meanwhile, browsers like Safari only updated their internal domain recognition systems at the pace of operating system updates (every 3-6 months). This created a problematic scenario where newly delegated domains would be treated as search terms rather than domain names when typed into browser address bars.

To address this issue, PSL maintainers made a strategic decision: they would add TLDs to the PSL based on ICANN contract signatures rather than actual root zone delegation. As a maintainer, Jothan Frakes, explained: "There was a need to get TLDs certain to be added by the ICANN (who are the authority) into the PSL at some advanced moment in time before delegation in order to offset the propagation delays that are beyond the PSL maintainers' control."

This approach created a persistent discrepancy between the data in ICANN's JSON feeds and what's actually present in the DNS root system. For example, domains like .merck appear in ICANN's registry JSON but don't yet have IANA database pages since they're not yet in the root.

This historical approach, while pragmatic, created an additional vector for potential exploitation. It established a precedent where domains could be listed in the PSL before they were actually operational, creating instances where the listed registration boundaries might not match the actual domains' current state or ownership. Jothan also mentioned that, with another round of TLD applications on the horizon, these historical challenges remain relevant to understanding how abandoned or vulnerable PSL entries might appear and be exploited.

Case Study: Discovering the Exploitation of Abandoned PSL Entries

My investigation began when I was conducting security research on domain patterns and noticed something unusual: several domains listed in the ICANN section of the PSL were resolving to the same set of nameservers, despite being associated with completely different country-code TLDs.

Initial Discovery: Pattern Recognition

Looking over the WHOIS records of several PSL domains, I noticed a worrying trend: all used the same Chinese DNS hosting provider, DNSPod, while multiple domains in the ICANN section had been registered by the same entity - "Asia Domain Name Registration Company Limited" based in Macau.

This was immediately suspicious because these domains were associated with various country-code TLDs from different regions of the world. Why would country-specific domain registration boundaries across various countries all use Chinese DNS infrastructure?

Technical Investigation: The Evidence

I documented several clear examples of this pattern:

  1. presse[.]ci (Press/Media suffix in Côte d'Ivoire)

    • Registrant: Asia Domain Name Registration Company Limited
    • Registration Date: April 15, 2020
    • Nameservers: a.dnspod.com, b.dnspod.com, c.dnspod.com
    • Administrative Email: abuse@macau[.]net
  2. md[.]ci (Medical suffix in Côte d'Ivoire)

    • Same administrative contacts
    • Same nameservers
    • Registered: June 26, 2023
  3. museum[.]mw (Museum suffix in Malawi)

    • Same registrant organization
    • Same nameservers
    • Registered: March 19, 2024

Other potential examples included domains like ne[.]pw, pro[.]na, name[.]na, and mobi[.]na that showed similar patterns of DNS configuration.

The technical commonalities were unmistakable: all domains were:

  • Registered by the same China-based company
  • Using identical Chinese nameservers (DNSPod)
  • Using the same administrative email address
  • Registered relatively recently (between 2020-2024)

These were not coincidences - they represented a systematic pattern of registering abandoned PSL entries.

Case Study for ne[.]pw

A Google search found nothing for the ne.pw domain, while a Bing search returned several sites under ne.pw. However, nearly all the results have the same site name and title, suggesting possible SEO manipulation, likely taking advantage of the fact that ne.pw is treated as a ccTLD (similar to .co.uk, .com.au, etc.) by search engines due to its inclusion in the ICANN section of the PSL.

Additionally, Certificate Transparency reveals numerous SSL certificates issued to subdomains with randomized characters, which looks suspicious at best. This likely indicates manipulation for either SEO or spamming activities.


Because of this domain's special status (as a PSL ICANN section domain), both VirusTotal and Subdomain Finder are unable to scan it, as VirusTotal treats it as a ccTLD. Consequently, no subdomains were found for ne.pw by these tools.

The domain ne.pw is being advertised and possibly sold on the website https://www.macau[.]net by "Asia Domain Name Registration Company Limited."

However, they do not appear to be an authorized registrar for .pw domains (list of registrars: https://registry.pw/list-of-registrars/), and the advertising on their website is somewhat misleading.

"國際認可 無處不在的 .NE[.]PW 域名全球流通"

This claim on their website translates to "International Recognition: The ubiquitous .NE.PW domain is globally circulated." This is misleading because ne.pw is not widely recognized or globally established as a legitimate TLD. It suggests an attempt to legitimize the domain's visibility, possibly as a cover for back-end activities that may include SEO manipulation or spamming, taking advantage of its ccTLD status in search engines.

The ne.pw domain has a creation date of December 8, 2014, as per the WHOIS data. It is later than the original inclusion date in the PSL, meaning that it was previously allowed to expire by the original registry. It was then re-registered in 2014.

Domain Name: NE.PW
Registry Domain ID: D6614709-CNIC
Registrar WHOIS Server: whois.dynadot.com
Registrar URL: http://www.dynadot.com/
Updated Date: 2024-06-27T16:00:33.0Z
Creation Date: 2014-12-08T00:42:20.0Z
Registry Expiry Date: 2032-12-08T23:59:59.0Z
Registrar: Dynadot LLC
Registrar IANA ID: 472
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Email: https://whois.nic.pw/contact/ne.pw/registrant
Admin Email: https://whois.nic.pw/contact/ne.pw/admin
Tech Email: https://whois.nic.pw/contact/ne.pw/tech
Name Server: A.DNSPOD.COM
Name Server: B.DNSPOD.COM
Name Server: C.DNSPOD.COM
DNSSEC: unsigned
Billing Email: https://whois.nic.pw/contact/ne.pw/billing
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.6502620100
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2024-10-05T23:44:57.0Z <<<

The SEO Advantage

The true SEO value of exploiting abandoned PSL entries lies in how search engines such as Google interpret domain relationships. This is a bit more sophisticated than simply acquiring "special" domains.

When a domain is listed in the Public Suffix List, search engines treat subdomains under it fundamentally differently than they would regular subdomains. This creates a powerful opportunity for backlink manipulation that would normally be impossible.

The Technical Distinction in Google's Eyes

Under normal circumstances, Google considers subdomains to be part of the same website. For example, blog.example.com and shop.example.com are typically treated as different sections of the same site—they share domain authority, and links between them are essentially treated as internal links, which carry significantly less SEO weight than external links.

However, when a domain appears in the PSL (like github.io or blogspot.com), Google treats each subdomain as an entirely separate website. This means that user1.github.io and user2.github.io are seen as completely different sites from completely different owners.

When an entity controls an abandoned PSL entry like presse[.]ci, they gain the ability to create what Google interprets as entirely separate websites through subdomains like:

  • news.presse[.]ci
  • sports.presse[.]ci
  • finance.presse[.]ci

Each of these is treated as a distinct website in Google's algorithm, not as sections of the same site.

Backlink Network Amplification

This technical distinction creates an extraordinary opportunity for artificial backlink network creation:

  1. Manufactured External Links: By creating multiple subdomains under the PSL entry, the entity can establish what appears to be a network of external websites linking to each other. A link from news.presse[.]ci to finance.presse[.]ci is treated as an external backlink with full SEO value, not an internal link.

  2. Authority Distribution: The entity can selectively funnel this artificial link authority to commercial target sites outside the network, amplifying their search rankings.

  3. Scaled Deployment: With sufficient automation, hundreds or thousands of seemingly separate "websites" can be created under a single PSL domain, each contributing to the backlink profile of target sites.

The Questionable Marketing Angle

A visit to the "Asia Domain Name Registration Company Limited" website at macau[.]net showed that some of these PSL domains were being actively marketed. For example, ne[.]pw was being promoted for sale even though the company was not an approved registrar for .pw.

This marketing approach verified the commercial intention behind these registrations: these were not random domain acquisitions but rather a deliberate approach to acquire domains with a special technical status.

The Security Blind Spot: How Compromised PSL Entries Bypass Defense Systems

When an ICANN section PSL entry falls into the wrong hands, it creates a significant blind spot in security infrastructure that's difficult to address through conventional means. Security vendors, anti-spam filters, and malware detection systems inherently rely on the PSL to determine domain boundaries, which makes them reluctant to block entire public suffixes like .co.uk or .com because of the legitimate traffic that would be affected.

This creates a perfect storm: if a malicious actor gains control of an abandoned PSL entry (as seen with the ne[.]pw case), they effectively acquire a "trusted" domain structure that can spawn unlimited subdomains while flying under the radar of security tools.

When these "registry operators" then offer bulk subdomain sales by the thousands, they're essentially selling pre-whitewashed attack infrastructure that bypasses domain reputation systems, email security gateways, and URL filtering - all while maintaining the technical legitimacy conferred by the PSL.

The security implications are profound, as these domains exist in a privileged position where they're simultaneously recognized as legitimate registration boundaries by browsers while being operated as spam and malware distribution platforms.
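How a single listed rule moves the site boundary, both for the separate-website treatment described in the SEO section and for the per-domain reputation keying described here, is shown in this added example (not code from the PSL project or from this investigation). The rule excerpt and hostnames are constructed, and the matcher follows the published PSL rule semantics (longest match, wildcard, exception).

```python
from collections import Counter

# Constructed excerpt in PSL file syntax; the real list is far longer.
PSL_EXCERPT = """
// constructed sample, ICANN-section style rules
ci
presse.ci
uk
co.uk
*.ck
!www.ck
"""

def parse_rules(text):
    """Return the set of rules, skipping blank lines and // comments."""
    lines = (ln.strip().lower() for ln in text.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("//")}

def public_suffix(host, rules):
    """Longest matching rule wins; an exception rule (!) overrides everything."""
    labels = host.lower().rstrip(".").split(".")
    best = 1  # implicit "*" rule: an unlisted TLD is itself a public suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if "!" + candidate in rules:
            return parent  # exception: the suffix is the rule minus its first label
        if candidate in rules or (parent and "*." + parent in rules):
            best = max(best, len(labels) - i)
    return ".".join(labels[-best:])

def registrable_domain(host, rules):
    """Public suffix plus one label (eTLD+1), or None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def reputation_buckets(hosts, rules):
    """Count hosts per registrable domain, the key many filters aggregate on."""
    return Counter(registrable_domain(h, rules) for h in hosts)

# Constructed hostnames under the suffix discussed in the article.
HOSTS = ["news.presse.ci", "sports.presse.ci", "finance.presse.ci",
         "a.b.example.co.uk"]

WITH_ENTRY = parse_rules(PSL_EXCERPT)
WITHOUT_ENTRY = WITH_ENTRY - {"presse.ci"}  # list state once the stale rule is removed

if __name__ == "__main__":
    print(reputation_buckets(HOSTS, WITH_ENTRY))     # three separate presse.ci "sites"
    print(reputation_buckets(HOSTS, WITHOUT_ENTRY))  # one site: presse.ci
```

With the rule present, every subdomain lands in its own bucket, so a per-domain threshold never accumulates evidence; with it removed, all three hosts count against presse.ci.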

Implications and Countermeasures

This discovery has several significant implications for internet security and the PSL:

  1. Trust Model Vulnerability: The PSL implicitly trusts that domains listed in the ICANN section remain under the control of legitimate registry operators. This assumption breaks down when domains expire and are re-registered.

  2. Registry Responsibility: Country-code TLD operators need to be more aware of their domains listed in the PSL and actively maintain them or request their removal if no longer used.

  3. Verification Improvements: The PSL needs more robust ongoing verification mechanisms, not just at the time of submission.

  4. Automated Monitoring: Implementing automated monitoring of PSL domains could help identify suspicious patterns of ownership or DNS changes.
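One way such monitoring could look, as an added example rather than tooling from the PSL project or from this investigation: parse WHOIS text for each listed suffix and flag nameserver sets shared by suffixes under different TLDs, the pattern documented in the case study. The WHOIS excerpts are constructed from the fields reported above; the "Registrant Organization" key and the gov.example control record are assumptions.

```python
from collections import defaultdict
from datetime import datetime

DNSPOD = ("Name Server: a.dnspod.com\nName Server: b.dnspod.com\n"
          "Name Server: c.dnspod.com\n")
ORG = "Registrant Organization: Asia Domain Name Registration Company Limited\n"

# Constructed WHOIS excerpts re-typed from fields this article reports;
# gov.example is an invented control record using registry-run nameservers.
SAMPLES = {
    "presse.ci": ORG + "Creation Date: 2020-04-15\n" + DNSPOD,
    "md.ci": ORG + "Creation Date: 2023-06-26\n" + DNSPOD,
    "museum.mw": ORG + "Creation Date: 2024-03-19\n" + DNSPOD,
    "ne.pw": "Creation Date: 2014-12-08T00:42:20.0Z\nName Server: A.DNSPOD.COM\n"
             "Name Server: B.DNSPOD.COM\nName Server: C.DNSPOD.COM\nDNSSEC: unsigned\n",
    "gov.example": "Creation Date: 2001-01-01\nName Server: ns1.nic.example\n",
}

def parse_whois(text):
    """Extract creation date, registrant and normalized nameservers."""
    rec = {"nameservers": set(), "created": None, "registrant": None}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "name server":
            rec["nameservers"].add(value.lower().rstrip("."))
        elif key == "creation date":
            rec["created"] = datetime.strptime(value[:10], "%Y-%m-%d").date()
        elif key == "registrant organization":
            rec["registrant"] = value
    return rec

def shared_infrastructure(whois_by_suffix, min_tlds=2):
    """Flag nameserver sets used by PSL suffixes under >= min_tlds different TLDs."""
    clusters = defaultdict(list)
    for suffix, text in whois_by_suffix.items():
        rec = parse_whois(text)
        if rec["nameservers"]:
            clusters[frozenset(rec["nameservers"])].append((suffix, rec))
    findings = []
    for ns, members in clusters.items():
        tlds = {suffix.rsplit(".", 1)[-1] for suffix, _ in members}
        if len(tlds) < min_tlds:
            continue  # a registry serving its own suffixes is expected
        findings.append({
            "nameservers": sorted(ns),
            "suffixes": sorted(s for s, _ in members),
            "tlds": sorted(tlds),
            "registrants": sorted({r["registrant"] for _, r in members if r["registrant"]}),
            "newest_registration": max(
                (r["created"] for _, r in members if r["created"]), default=None),
        })
    return findings

if __name__ == "__main__":
    for finding in shared_infrastructure(SAMPLES):
        print(finding)
```

Run periodically against WHOIS data for every multi-label ICANN-section entry, a new or growing cluster is a prompt for manual review of those suffixes.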

As a result of my investigation, I submitted multiple pull requests to the PSL repository to address these specific cases, breaking down the changes by ccTLD to make the review process more manageable.

The Path Forward

The exploitation of abandoned PSL entries for SEO advantage represents a sophisticated understanding of web infrastructure. It targets a critical but often overlooked component of the web's security architecture - the Public Suffix List.

This vulnerability exists in the gap between domain registration systems (which are dynamic and commercial) and the PSL maintenance process (which is static and volunteer-driven). As long as this gap persists, similar exploitations remain possible.