Domain Abuse
TLDR
- ICANN defines DNS abuse to include malware, botnets, phishing, pharming, and spam.
- Registrars and registries are both obligated to handle DNS abuse.
- Registrars and registries have broad authority when taking action against abuse.
- Abuse handling side effects can cause collateral damage.
- Setting up RFC 2142 email addresses can be useful.
Overview
This page contains some of the more common types of abuse that may put your domain at risk of revocation.
Complex Topics Omitted
This page does not cover topics such as cybersquatting, typosquatting, trademark infringement, reverse domain name hijacking, etc. These are risks to be aware of, but they are complex topics that are beyond the scope of this website and typically do not affect most good-faith registrants. Always defer to the requirements and recommendations of your registrar to ensure you are not violating any terms of service or use that may put your domain at risk.
Abuse Types
ICANN has an excellent, comprehensive advisory that details abuse handling. It defines abuse as follows:
DNS Abuse
Malware is malicious software, installed and/or executed on a device without the user’s consent, which disrupts the device’s operations, gathers sensitive information, and/or gains access to private computer systems. Malware includes viruses, spyware, ransomware, and other unwanted software.
Botnets are collections of Internet-connected computers that have been infected with malware and can be commanded to perform activities under the control of a remote attacker.
Phishing occurs when an attacker tricks a victim into revealing sensitive personal, corporate, or financial information (e.g., account numbers, login IDs, passwords), whether through sending fraudulent or look-alike emails, or luring end users to copycat websites. Some phishing campaigns aim to persuade the user to install malware.
Pharming is the redirection of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning. DNS hijacking can occur when attackers use malware to redirect victims to the perpetrator’s site instead of the one initially requested. DNS poisoning causes a DNS server (or resolver) to respond with a false Internet Protocol address bearing malware. Phishing differs from pharming in that pharming involves modifying DNS entries, while phishing tricks users into entering personal information.
Spam is unsolicited bulk email, where the recipient has not granted permission for the message to be sent, and where the message is sent as part of a larger collection of messages, all having substantively identical content. Spam is only considered to be DNS Abuse when it is being used as a delivery mechanism for at least one of the other types of DNS abuse described above.
Responsibilities
Both registrars and registries are obligated to take action against DNS abuse.
Registrars
Registrars’ obligation to take action against abuse is defined in Section 3.18 of ICANN’s Registrar Accreditation Agreement (RAA). In part:
Section 3.18.2 of ICANN’s RAA
When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage.
Registries
Registries’ obligation to take action against abuse is defined in Specification 6 of ICANN’s base Registry Agreement (RA). In part:
Section 4.2 of Specification 6 of ICANN’s RA
Where a Registry Operator reasonably determines, based on actionable evidence, that a registered domain name in the TLD is being used for DNS Abuse, Registry Operator must promptly take the appropriate mitigation action(s) that are reasonably necessary to contribute to stopping, or otherwise disrupting, the domain name from being used for DNS Abuse. Such action(s) shall, at a minimum, include: (i) the referral of the domains being used for the DNS Abuse, along with relevant evidence, to the sponsoring registrar; or (ii) the taking of direct action, by the Registry Operator, where the Registry Operator deems appropriate. Action(s) may vary depending on the circumstances of each case, taking into account the severity of the harm from the DNS Abuse and the possibility of associated collateral damage.
Broad Authority
The sections quoted above from the registrar accreditation agreement and the base registry agreement demonstrate the broad authority given to registrars and registries when it comes to investigating and mitigating DNS abuse. Terms like “appropriate mitigation action(s)”, combined with the acknowledgement that “action(s) may vary depending on the circumstances”, make it clear that registrars and registries have significant latitude when handling abuse.
This means abuse handling may vary from registrar to registrar and from registry to registry. Within a single TLD the registry’s abuse handling policy is uniform, because one operator runs each TLD, but the policies of the registrars selling names in that TLD may differ significantly. It is important to understand the specific abuse handling policies of any given registrar, because their terms of service may grant them the right to terminate a registrant’s entire account if there is a pattern of repeated abuse.
Collateral Damage
Because registrars act at the account level as well as the domain level, the consequences of having a domain flagged for abuse can extend beyond the individual domain. For example, a registrar may suspend a registrant’s entire account if the abuse is deemed severe enough. That could result in the loss of multiple domains, websites, email hosting, etc. Before concentrating everything under one registrar account, assess the collateral damage that losing that account would cause.
Collateral damage is a recurring theme when describing abuse handling expectations and ICANN often advises that collateral damage be a consideration when taking action against abuse. This helps to provide some protection for registrants that may be the victim of bad actors. For example, ICANN’s advisory for abuse handling states, in part, the following in relation to section 3.18.2 of the registrar accreditation agreement:
After Actionable Evidence, Prompt Action Is Required
Collateral damage is a particularly important consideration when an otherwise legitimate or benign domain name is used as a vector for DNS Abuse without the knowledge or consent of the registrant. This is often referred to as a “compromised domain” and sometimes is a result of an exploited website content management system. In these compromise situations, direct suspension of the domain by the registrar or registry operator may not be the appropriate mitigation, as suspension will cut off access to all legitimate content as well as render any associated email and other services with the domain inaccessible.
ICANN’s UDRP
Beyond the simple abuse described here, ICANN provides the Uniform Domain-Name Dispute-Resolution Policy (archived) to resolve disputes that arise from more complex issues such as trademark infringement, cybersquatting, etc. Those topics skew towards the need for legal advice and are beyond the scope of this site.
RFC 2142 Emails
RFC 2142 describes common email addresses that others may try to use to contact you if there are issues with your domain. Setting up these email addresses may give you an opportunity to work directly with a complainant rather than having them complain to your registrar, so setting them up is beneficial given the minimal effort required to do so.
The most important ones to consider are (replace example.com with your domain):
- abuse@example.com - Others may use this to report inappropriate public behavior, but it is often used to report generic abuse that does not fit a more specific category.
- hostmaster@example.com - Others may use this to report DNS issues. Since ICANN defines domain abuse as DNS abuse, others may view this as the most appropriate contact point for all domain related issues.
- postmaster@example.com - Others may use this to report SMTP (aka email) issues. High volumes of email spam may put your domain at risk of revocation. RFC 5321 also requires every SMTP server to accept mail for postmaster, so this mailbox should exist regardless.
Make sure these mailboxes are read by a person and that your own spam filtering does not silently discard reports sent to them; a complaint that nobody sees will end up at your registrar instead.
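Having created the mailboxes, it is worth confirming that your MX host actually accepts mail for them. The following Python script is an added example, not part of this page or of any registrar’s tooling: it performs an SMTP RCPT TO handshake for abuse@, hostmaster@ and postmaster@ and reports which addresses the MX rejects, without sending a message. The domain example.com, the MX host name mx.example.com and the FakeSMTP class are constructed for an offline demonstration; for a real check, pass your own domain and MX host and leave smtp_factory at its default.

```python
"""Check that the RFC 2142 role mailboxes for a domain are accepted by its MX.

Added example: probes abuse@, hostmaster@ and postmaster@ with an SMTP
RCPT TO handshake (no message is sent). Run it only against a domain and
MX host that you operate.
"""
import smtplib
from dataclasses import dataclass

# The three role mailboxes discussed on this page.
ROLE_MAILBOXES = ("abuse", "hostmaster", "postmaster")


@dataclass
class ProbeResult:
    address: str
    code: int
    message: str

    @property
    def accepted(self) -> bool:
        # 250/251 mean the MX will accept the recipient; 4xx is a temporary
        # failure (greylisting etc.) and 5xx a rejection.
        return self.code in (250, 251)


def role_addresses(domain: str) -> list[str]:
    """Return the RFC 2142 role addresses for a domain."""
    return [f"{name}@{domain}" for name in ROLE_MAILBOXES]


def probe_role_addresses(domain, mx_host, smtp_factory=smtplib.SMTP,
                         port=25, timeout=10):
    """Ask mx_host whether it accepts each role address, without sending mail.

    smtp_factory is injectable so the check can run offline against a fake;
    by default it opens a real smtplib.SMTP session to mx_host.
    """
    results = []
    with smtp_factory(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # Use the domain's own postmaster as the envelope sender; RFC 5321
        # requires every SMTP server to accept mail for postmaster.
        code, msg = smtp.mail(f"postmaster@{domain}")
        if code != 250:
            raise RuntimeError(f"MAIL FROM rejected: {code} {msg!r}")
        for address in role_addresses(domain):
            code, msg = smtp.rcpt(address)
            results.append(ProbeResult(address, code, msg.decode("ascii", "replace")))
        smtp.rset()  # abandon the envelope; nothing is delivered
    return results


def missing_role_addresses(results) -> list[str]:
    """Addresses the MX did not accept."""
    return [r.address for r in results if not r.accepted]


class FakeSMTP:
    """Constructed offline stand-in for smtplib.SMTP: accepts abuse@ and
    postmaster@ but has no hostmaster@ mailbox."""

    def __init__(self, host, port=25, timeout=None):
        self.host = host

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def ehlo(self):
        return 250, b"fake-mx"

    def mail(self, sender):
        return 250, b"2.1.0 Ok"

    def rcpt(self, address):
        if address.split("@", 1)[0] in ("abuse", "postmaster"):
            return 250, b"2.1.5 Ok"
        return 550, b"5.1.1 Recipient address rejected: User unknown"

    def rset(self):
        return 250, b"2.0.0 Ok"


if __name__ == "__main__":
    # Offline demo against the fake MX; to probe your own domain, pass the
    # real MX host name and omit smtp_factory.
    found = probe_role_addresses("example.com", "mx.example.com",
                                 smtp_factory=FakeSMTP)
    for r in found:
        print(f"{r.address}: {r.code} {r.message}")
    print("missing:", missing_role_addresses(found))
```

Two caveats when running this for real: an MX configured as a catch-all answers 250 for every recipient, so acceptance only proves the mail will be taken, not that anyone reads the mailbox; and greylisting or rate limiting will return a 4xx code, which the script counts as not accepted, so retry later before concluding the address is missing. Probe only MX hosts you operate; repeated RCPT probes against other people’s servers look like address harvesting.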