Ian Meyers
May 10, 2024

Detecting Resold MFA Subdomains at Scale

MFA Subdomains

Following the widely-reported www3.forbes.com MFA Subdomain issue, The Trade Desk partnered with Sincera to explore methods of programmatic, proactive detection which could be used to avoid these arbitrage-driven sinkholes at scale.

This research has led us to observe that there are actually two typical patterns to so-called MFA subdomains: Homegrown and Resold. While both patterns demonstrate similar characteristics around variable ad load and a reliance on paid traffic, they are quite different, with material implications for media buyers.

Homegrown MFA subdomains, such as the www3.forbes.com example, are operated by the domain's parent company (even if they are separate teams within the company). Resold MFA subdomains, in contrast, are operated by third parties. The parent domain must grant access to the third party by pointing their subdomain to the right place, but they do not directly manage traffic acquisition and ad arbitrage.

Resold Subdomains are particularly concerning for buyers, because they effectively unlock MFA subdomains at scale. Homegrown MFA subdomains require a significant investment from a publisher to generate - that effort acts as a natural barrier, keeping the number of homegrown MFA subdomains relatively low.

In contrast, Resold subdomains are turnkey for publishers - they just need to update a URL to point to the third party, and collect a share of the ad spend that subdomain generates. Resold subdomains almost universally share the following characteristics:

  • A subdomain that is fully hosted by a 3rd party entity (ex. Content IQ) 
  • The primary source of user acquisition is paid traffic 
  • The property dynamically changes the ad to content ratio (A2CR) based on referral (high A2CR when visited from a paid traffic referral, low A2CR when visited organically) in an effort to evade ad verification technology.
  • The A2CR values for paid traffic are very high, with 4-5 ads in view and A2CR approaching 50% or more of the viewport.

A subdomain being operated by a third-party does not alone make it a resold MFA subdomain; it must also exhibit the behaviors described above.

Let's dive into this a bit deeper, and learn how buyers and sellers can programmatically detect resold subdomains before they generate any ad spend.

What Is a Subdomain?

A subdomain is a resource under an "apex" domain. For example, corp.sincera.io is a subdomain of sincera.io. Subdomains can “point” to other locations, effectively pushing traffic from one server to another, all linked by the same top-level, apex domain.


Here’s an example of what this looks like for Sincera, using the apex domain “sincera.io” and the subdomains “corp.sincera.io” and “app.sincera.io.” As an example, corp.sincera.io points to our Webflow site, discrete from our main application at app.sincera.io.

Are MFA Subdomains Bad? Why? 

Many buyers and sellers consider MFA, and by extension, MFA subdomains, to be poor quality ad inventory. The users, while often "real" people (and thus distinguishing MFA from fully invalid traffic) have no affinity to the property they're visiting - they are "rented" from paid traffic, in effect, pure arbitrage on low value, "clickbait" style content. Finally, MFA properties actively try to obscure their aggressive ad experience via variable ad loading (VAL), which dynamically changes ad load depending on the traffic source.

MFA subdomains add a new, undesirable behavior to the mix: they are associated with a legitimate, high-value top-level domain, like forbes.com or spin.com. Because media buyers consider Forbes and Spin to be high-value properties (and Forbes.com + Spin.com are!), MFA subdomains trojan-horse their way into programmatic campaigns. Media buyers do not realize that recommended.spin.com is a completely different ad and content experience, which effectively launders an entirely different property under the cloak of a respectable, well-known media property.

Detecting Resold Subdomains

ContentIQ (CIQ) is the owner of well-known MFA sites, such as boredomtherapy.com and eternallysunny.com. CIQ is a fully-owned subsidiary of Perion, a publicly-traded adtech company. In the course of investigating unusual variations across same-domain publishers with our customers, we discovered that a number of well-known publishers pointed one or more subdomains to CIQ via the CNAME proxy-fallback.ciq-partners.com. This effectively means that these URLs, such as https://recommended.spin.com and https://social.refinery29.com, were hosted and controlled by Content IQ, and not by the owner of the top-level domain (Spin, Refinery29).

A screenshot from Sincera's subdomain DNS tracking

While not all of the subdomains are currently active, the content and advertising experience is markedly different from the typical experience you see on the parent or “apex” domain of the premium publisher. Let's look at one particular example, social.ibtimes.com, to illustrate how these resold subdomain properties exhibit the four behaviors associated with resold subdomains mentioned earlier:

  • A subdomain that is fully hosted by a 3rd party entity (Content IQ) 
  • The primary source of users is paid traffic 
  • The property dynamically changes the ad to content ratio (A2CR) in an effort to evade ad verification technology.
  • The A2CR values for paid traffic are very high, with 4-5 ads in view and A2CR approaching 50% or more of the viewport.

Fully Hosted by a Third Party

social.ibtimes.com uses the CNAME proxy-fallback.ciq-partners.com, which directs traffic to servers operated by CIQ. The look and feel of articles under social.ibtimes.com is completely different than those under the top-level domain.

A "vanilla" page from the top-level domain

A third-party-operated page; note the missing logo and header.

The content itself is republished from CIQ's owned and operated domains - in this case, the content on IBTimes is pulled from https://www.absolutehistory.com/en/man-oldest-dna-native-to-america. All sites operated by CIQ share a similar layout and infrastructure, with their next.js code loaded from a CDN running on the domain boredomfiles.com.

Paid Traffic

Ads were purchased and promoted primarily on Facebook, with various Facebook Pages such as "Weird Little Tales" or "Best Projects", operated by Content IQ, purchasing the ads and driving users to the property.

Typical Resold Subdomain Ad

Example Page buying traffic from Facebook to drive to social.ibtimes.com

The same Facebook pages also promote many of the "fully owned" MFA domains operated by CIQ, including boredomtherapy.com.

Dynamically Changing Ad Experience

Sincera is able to detect ad density on a given URL and compare across subdomains or when a visit arrives from a paid traffic source versus organically. "Variable ad load" is a valuable signal for MFA detection.
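The four behaviors above can be combined into a single rule. The following is an added example, not Sincera's or The Trade Desk's code: it flags a subdomain only when third-party hosting (via CNAME) coincides with paid traffic, variable ad load and a heavy paid-visit ad experience. The thresholds, field names, `.example` hostnames and measurements are assumptions constructed for illustration; only the CNAME suffix comes from the article.

```python
from dataclasses import dataclass
from typing import Optional

# CNAME target named in the article; matching is by suffix so any host under it counts.
RESELLER_CNAME_SUFFIXES = ("ciq-partners.com",)

@dataclass
class Observation:
    host: str               # subdomain under evaluation
    cname: Optional[str]    # CNAME target from DNS; None if there is no CNAME
    paid_primary: bool      # paid referrals are the main traffic source
    a2cr_paid: float        # ad-to-content ratio (0..1 of viewport), paid-referral visit
    a2cr_organic: float     # same measurement, organic visit
    ads_in_view_paid: int   # ads visible in the viewport on the paid visit

def registrable(name: str) -> str:
    # Assumption: last two labels. Production code should use the Public Suffix List.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def third_party_hosted(obs: Observation) -> bool:
    return obs.cname is not None and registrable(obs.cname) != registrable(obs.host)

def known_reseller(obs: Observation) -> bool:
    if obs.cname is None:
        return False
    target = obs.cname.rstrip(".").lower()
    return any(target == s or target.endswith("." + s) for s in RESELLER_CNAME_SUFFIXES)

def classify(obs: Observation, high_a2cr=0.45, min_ads=4, val_delta=0.20) -> str:
    # Thresholds are assumptions based on the article's "4-5 ads" and "approaching 50%".
    if not third_party_hosted(obs):
        return "first-party"
    variable_load = obs.a2cr_paid - obs.a2cr_organic >= val_delta
    heavy_paid = obs.a2cr_paid >= high_a2cr and obs.ads_in_view_paid >= min_ads
    if obs.paid_primary and variable_load and heavy_paid:
        return "resold-mfa (known reseller)" if known_reseller(obs) else "resold-mfa"
    return "third-party-hosted"  # hosting alone is not enough to flag

# Constructed observations; hostnames and measurements are illustrative only.
SAMPLES = [
    Observation("social.publisher.example", "proxy-fallback.ciq-partners.com.", True, 0.52, 0.12, 5),
    Observation("corp.vendor.example", "sites.hosting.example", False, 0.05, 0.05, 0),
    Observation("www.publisher.example", None, False, 0.18, 0.17, 2),
    Observation("shop.publisher.example", "cdn.publisher.example", False, 0.10, 0.10, 1),
]

def report(samples=SAMPLES):
    return {o.host: classify(o) for o in samples}

if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host:28} {verdict}")
```

The second sample shows the caveat stated earlier: a subdomain pointed at an outside host, with none of the ad behaviors, stays "third-party-hosted" and is not flagged.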

Taking Action

Both The Trade Desk and IAS worked with Sincera to verify the detection methodology for Resold Subdomains, and reviewed the list of detected properties; we can confirm that IAS is flagging these resold subdomains as MFA, and The Trade Desk does not transact on any of the subdomains listed in this article. Going forward, The Trade Desk will be programmatically ingesting this list from Sincera to ensure that buyers do not transact on newly-created Resold MFA Subdomains.

“We’re focused on building tools that help advertisers and brands buy quality media. Recent subdomain issues are unlikely to be a one off. Technology like this advances the health of the Open Internet, and The Trade Desk is proud to lean into these critical focus areas with Sincera.” - Adam Markey, Director of Product Management, The Trade Desk.

If you want to remove these properties from your pool of eligible ad inventory, Sincera Enterprise customers can download the full list of resold subdomains, which includes subdomains controlled by ContentIQ and others. This will be updated as Sincera identifies additional subdomains.

Curious to learn more about Sincera? You can reach us via hello (at) sincera.io.

Additional Notes

Previously Active Domains

There appear to be a number of large publishers who previously worked with CIQ for subdomain services. We did not directly observe these domains, but many are still configured in DNS records and there are additional third-party observations. These additional publishers include:

Gannett (USA Today) - social.thelistwire.usatoday.com

Newsweek - bolt/abolt.newsweek.com

  • Capture via archive.org (August 2022)

Vice (Refinery29) - social.refinery29.com

Group Nine / (now Vox Media, Popsugar) - social.popsugar.com

  • Capture via archive.org (March 2023)
  • Capture via archive.today (Jan 2022)

Dailymotion - spread.dailymotion.com

[1] Note: While this blog post was in production, a number of previously live CIQ subdomains were abruptly pulled offline around April 11th.
