Direct personal realisation, an increasingly take-no-prisoners approach to online abuse, and a considerable amount of evidence from elsewhere that such TLDs are almost entirely void of value.
My router doesn't have sufficient resources to list individual hosts, particularly where widespread abuse is found. Plus it's just too much fucking work.
BlueCoat Security (now part of Symantec) have been publishing a "Shady TLD series".
These lists, it should be pointed out, are quickly becoming outdated as more folks sign up for new domain names. For example, there's this on .xyz https://www.symantec.com/connect/blogs/exploring-xyz-another... and then there's actual usage of it: https://abc.xyz (completely not mentioned...)

If you want to know the most popular/relevant sites on a TLD, search Google for `site:xyz` to see a small list... E.g. .link is often used by websites with very long domains looking for a shorter one, like http://gcr.link/ Amazon has http://aws.science/ .country is mostly crap, but there is http://cma.country/ .click is indeed only slightly less spammy, but does have http://bbc.click/ And .rocks doesn't deserve the ban. It's used by fan sites, people promoting tech or events, and fun stuff like kqed.rocks for kqed.org ...

I'll admit though, it can be hard to tell with all the third party domains which sites are legitimate and which aren't...
Given the risk/reward of, oh, say, finding my systems hosed or users scammed and/or bank accounts drained, vs. missing out on someone's link shortener, I think I'll err on the side of caution.
This being an assessment based on local awareness of circumstances.
In what way are you more secure than when someone uses a .com domain? In both cases it is easy to register a URL and turn it into a malicious site. It really seems you are blackholing parts of the web for no good reason except to exempt yourself from actually performing a security check on the sites, on the assumption that all other TLDs are safe.
The first of these I blocked when I looked at the domain and realised that the TLD was registering any old line noise. I'm not going to bother sorting that. A search for other experiences turned up Blue Coat.
I subscribe to blocklists, and they update periodically. There are other levels of protection.
When a TLD is 99.9% malware or scams, it's far easier to block it outright. Registrars should take responsibility for what they're registering. Not my problem.
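As an added illustration of the "block the whole TLD, punch holes as needed" approach debated in this thread (this is example code, not anything a commenter posted or a vendor ships), the following reads dnsmasq-style query log lines and classifies each queried host by its TLD, with an explicit allowlist for the legitimate hosts other commenters name as false positives. The blocklist, the allowlist and the log lines are all constructed for the example; the log format mirrors dnsmasq's `query[A] host from client` lines, but the entries themselves are made up.

```python
import re
from typing import List, Tuple

# Constructed TLD blocklist for this example; not taken from any published list.
BLOCKED_TLDS = {"click", "link", "xyz"}

# Constructed allowlist: hosts (and their subdomains) exempted from a TLD block,
# i.e. the "punching holes as needed" step. Names taken from the thread's examples.
ALLOWED_HOSTS = {"abc.xyz", "bbc.click"}

# Constructed dnsmasq-style query log lines (clients and hosts are made up).
SAMPLE_LOG = """\
Apr 10 12:00:01 dnsmasq[123]: query[A] www.example.com from 192.168.1.10
Apr 10 12:00:02 dnsmasq[123]: query[A] Promo.Offer.click from 192.168.1.10
Apr 10 12:00:03 dnsmasq[123]: query[AAAA] abc.xyz from 192.168.1.11
Apr 10 12:00:04 dnsmasq[123]: query[A] tracker.xyz. from 192.168.1.11
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")


def normalise(host: str) -> str:
    """Lower-case the name and drop a trailing dot so 'Foo.XYZ.' and 'foo.xyz' compare equal."""
    return host.rstrip(".").lower()


def tld_of(host: str) -> str:
    """Return the rightmost label; for a bare TLD blocklist that is all we need."""
    return normalise(host).rsplit(".", 1)[-1]


def is_allowed(host: str) -> bool:
    """True if the host is an allowlisted name or sits under one."""
    h = normalise(host)
    return any(h == a or h.endswith("." + a) for a in ALLOWED_HOSTS)


def decide(host: str) -> str:
    """'allow' for explicit exceptions, 'block' for a blocked TLD, 'pass' otherwise.

    The allowlist is checked first so an exception wins over its TLD's block.
    """
    if is_allowed(host):
        return "allow"
    if tld_of(host) in BLOCKED_TLDS:
        return "block"
    return "pass"


def scan(lines) -> List[Tuple[str, str, str]]:
    """Return (client, normalised host, decision) for every query line that parses."""
    results = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; resolver replies, cache hits etc. are skipped
        host, client = m.group(1), m.group(2)
        results.append((client, normalise(host), decide(host)))
    return results


if __name__ == "__main__":
    for client, host, verdict in scan(SAMPLE_LOG.splitlines()):
        print(f"{verdict:5}  {host:24}  from {client}")
```

Running the block prints one verdict per query; the point it makes is the one the thread circles around: a TLD-level rule is cheap to express and maintain, but it is only as safe as the exception list you keep beside it, and that list is where the legitimate .xyz and .click sites have to be tracked by hand.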
My experience with Symantec web protection (which I assume will use the same blocklists they are talking about) is that it has a ridiculous false positive rate, and when I was still in high school they had Blue Coat installed and it had a worse false positive rate. I would be very careful about running blacklists from those companies, aside from anti-ad blocklists.
As an aside, BlueCoat is not a very reputable company. They are responsible for the government-sponsored censorship of Burma's and Syria's internet[1]. Which means that Symantec is currently the (American) company responsible for the censorship blacklist of Syria and Burma.
Two points here, about both the advice and the people giving it.
Regarding the advice, personally I think the advice is bogus. A lot of Mastodon instances have started legitimately using unconventional newTLDs. And I seem to see more URI shorteners, .com and .ru in spam than all the newTLDs put together (zero, from a hacked site, costs less than free). Country K-lining, while attractive to the lazy network operator, only works as an extreme temporary measure in a crisis - spammers adapt, but blocklists tend to only grow. And perhaps Symantec, given their business dealings with Verisign, might not be a 100% neutral party in making recommendations seemingly targeted primarily at severely disrupting the present and future business of cheaply-available TLDs?
Regarding Blue Coat, research shows Blue Coat devices are also used in the censorship/mass surveillance programmes of: Russia, UAE, Bahrain, Iran, and even China. Please also remember Blue Coat devices intercept, log and parse near-everything that goes through them. That puts them at a significantly elevated security risk above a network which didn't have them at all. I know I would find it unethical to report any vulnerabilities to that vendor, and I know I am not the only one who thinks so. And middleboxes like that are incredibly frustrating to the interoperability of the internet and present probably the single biggest hurdle to progress in internet protocols - ask someone in the IETF TLS Working Group currently working on TLS 1.3 just exactly what they think of them!
The federated structure of Mastodon means that, so long as I'm accessing toots via my host instances, the source of the toots doesn't matter. That plumbing is managed by the instances, not my local network gateway.
(If I were locally hosting, the situation would be different.)
Punching holes as needed would be another alternative.
I'm aware of the various arguments in favour of, and opposed to, various forms of security blocking. I've participated in those discussions for most of the past 30 years. There are times when the onslaught simply becomes sufficiently excessive that measures need to be taken.
DNS namespace is large. I'm not going to independently add every last damned host, or domain, by hand. And even with blocklist subscriptions, the overhead is substantial.
I suspect this is a situation which may come to a head in the not-too-distant future, though timing such matters is difficult. The consolidation of much Web activity to a relatively small number of sites already reflects this in part.
https://www.symantec.com/connect/blogs/floating-down-stream-...
Basically: to 2-3 nines, these TLDs are nothing but trouble. If they can't clean up their own acts, fuck 'em.
And let that be a warning to other TLD registrars.