This Advisory provides guidance on the interpretation of and compliance with the 5 April 2024 amendments to the Registrar Accreditation Agreement (RAA) and the Base Generic Top-Level Domain (gTLD) Registry Agreement (RA) regarding Domain Name System (DNS) Abuse mitigation obligations (DNS Abuse Amendments).
Unless specifically modified by the DNS Abuse Amendments, all RAA and RA obligations that were in effect prior to these Amendments remain applicable and in force.
All capitalized terms that are not defined in this Advisory have the meanings given to them in the RAA and the RA.
Registrars and registries that use the practices set forth in this Advisory would likely meet the obligations set forth in the DNS Abuse Amendments, but adherence to one or more of these practices will not automatically result in a determination that the registrar or registry operator has complied with its obligations. The examples set forth below are illustrative only and are not intended to limit the possible mitigation actions. In all cases, whenever ICANN Contractual Compliance initiates an investigation, registrars and registry operators must provide evidence demonstrating compliance with the relevant RAA and RA requirements.
Background
The ICANN organization contracts with registries to operate gTLDs through an RA. The RA specifies the responsibilities of the registry operator, which include maintaining the authoritative database of all registered domain names in the gTLD and publishing the DNS zone for the gTLD.
ICANN also enters into an RAA with each registrar, which allows the registrar to offer domain name registration services in gTLDs. The RAA outlines the responsibilities of the registrar, such as verifying registrant (or Registered Name Holder) information and maintaining accurate records. The roles and obligations of registrars and registries are distinct and are reflected in their respective agreements, the RAA and the RA.
ICANN has the authority to enforce rules related to domain name registration services and domain names as outlined in the RAA and the RA. This Advisory focuses on domain names (or Registered Names) in gTLDs that are used as vehicles or mechanisms for DNS Abuse. The requirements of the DNS Abuse Amendments in the RAA and RA are based on the actions that registrars and registry operators, respectively, can take to minimize the scope and intensity of the harm and victimization caused by DNS Abuse. These requirements also consider that registrars and registry operators represent only a portion of the DNS ecosystem, which is composed of many actors. Depending on the specific circumstances of an instance of DNS Abuse, the most appropriate actor to detect, assess, verify, and stop the abusive activity may vary, and sometimes may be an actor other than a registrar or registry operator.
DNS Abuse
For the purposes of the RAA, the RA, and this Advisory, DNS Abuse means malware, botnets, phishing, pharming, and spam (when spam is used as a delivery mechanism for any of the other four types of DNS Abuse) as these terms are defined in Section 2.1 of the Security and Stability Advisory Committee Report on an Interoperable Approach to Addressing Abuse Handling in the DNS (SAC 115):
Malware is malicious software, installed and/or executed on a device without the user's consent, which disrupts the device's operations, gathers sensitive information, and/or gains access to private computer systems. Malware includes viruses, spyware, ransomware, and other unwanted software.
Botnets are collections of Internet-connected computers that have been infected with malware and can be commanded to perform activities under the control of a remote attacker.
Phishing occurs when an attacker tricks a victim into revealing sensitive personal, corporate, or financial information (e.g., account numbers, login IDs, passwords), whether through sending fraudulent or look-alike emails, or luring end users to copycat websites. Some phishing campaigns aim to persuade the user to install malware.
Pharming is the redirection of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning. DNS hijacking can occur when attackers use malware to redirect victims to the perpetrator's site instead of the one initially requested. DNS poisoning causes a DNS server (or resolver) to respond with a false Internet Protocol address bearing malware. Phishing differs from pharming in that pharming involves modifying DNS entries, while phishing tricks users into entering personal information.
Spam is unsolicited bulk email, where the recipient has not granted permission for the message to be sent, and where the message is sent as part of a larger collection of messages, all having substantively identical content. Spam is only considered to be DNS Abuse when it is being used as a delivery mechanism for at least one of the other types of DNS abuse described above.
Registrar Obligations
Section 3.18 of the RAA
Prior to the enactment of the DNS Abuse Amendments, Section 3.18 required registrars to maintain and publish contact details to receive reports of abuse, including Illegal Activity. This provision also outlined requirements relating to the investigation of and response to reports of abuse involving Registered Names sponsored by a registrar, and the related records a registrar must maintain. The requirements in RAA Section 3.18 have been amended as follows:
Requirements Relating to the Publication and Maintenance of Abuse Contacts (RAA 3.18.1)
Where to Report Abuse
To facilitate submission of reports from any party alleging abuse and/or Illegal Activity, the registrar must publish an email address or web form that is readily accessible on the homepage of the registrar's website. Web forms must not require a login to submit abuse reports.
A registrar's homepage that clearly displays a link to a "Report Abuse" or a "Contact Us" page (which clearly includes the abuse contact) and that allows reporters to easily submit reports from the linked page will be deemed compliant.
Confirmation of Receipt of a Report of Abuse
Additionally, the registrar must provide the abuse reporter with confirmation that the report has been received. This receipt confirmation may be sent to the abuse reporter or displayed on the screen upon completion of the submission to the registrar. This receipt confirmation must contain enough information for the reporter to be able to demonstrate that it submitted the abuse report. At a minimum, the receipt confirmation must identify the registrar, the reported Registered Name(s), and the date the report was submitted.
Contacts for Law Enforcement Agencies
The requirements related to contacts dedicated to receiving reports from Law Enforcement Agencies (LEA) and other authorities within the registrar's jurisdiction previously described in Section 3.18.2 of the RAA are now in RAA Section 3.18.3; these requirements remain unchanged.
Requirements Relating to Taking Mitigation Actions Upon Receipt of Actionable Reports of DNS Abuse (RAA 3.18.2)
Section 3.18.2 of the RAA, as modified by the DNS Abuse Amendments, now reads:
When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage.
Actionable Evidence
The evidence must be actionable. This means that the information that is readily available to the registrar must be sufficient to enable the registrar to make a reasonable determination as to whether the Registered Name is being used for one or more forms of DNS Abuse. Registrars are encouraged to proactively monitor the Registered Names that they sponsor to identify potential DNS Abuse. A registrar's assessment of actionable evidence will vary depending on the circumstances of each case.
Obtaining Actionable Evidence From an External Party
The Contracted Parties House (CPH) published guidelines to assist with the submission of complete and actionable abuse reports to registrars (CPH Guidelines). The CPH Guidelines describe the evidence that tends to make an abuse report actionable: for example, a screenshot showing a phishing attempt, an indication of what the phish is against (a financial institution, for example), and the complete URL where the abuse is located (e.g., example[.]tld/badpage[.]html). Abuse reporters are encouraged to review and follow the CPH Guidelines, and to provide as much information as possible within their reports, to enable the registrar to conduct an investigation into potential DNS Abuse.
In instances where a registrar receives an abuse report that does not contain all necessary information to be considered actionable evidence of DNS Abuse, the registrar must investigate per Section 3.18 of the RAA. In some cases, the registrar may have access to information that was not provided by an abuse reporter but is necessary or helpful to determine that the Registered Name is being used for DNS Abuse. In such cases, the registrar should consider information that it can reasonably access and is relevant to the investigation (e.g., name servers, account information and activity, and contents of at least the primary webpage or specific URL in the abuse report, if provided).
After Actionable Evidence, Prompt Action Is Required
Upon obtaining actionable evidence, the registrar must promptly take appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. To determine the mitigation actions that are prompt and appropriate, the registrar will consider the specific circumstances of the case, which may include balancing the scope and intensity of the harm caused by the DNS Abuse against the possibility of associated collateral damage.
Collateral damage is a particularly important consideration when an otherwise legitimate or benign domain name is used as a vector for DNS Abuse without the knowledge or consent of the registrant. This is often referred to as a "compromised domain" and is sometimes the result of an exploited website content management system. In these compromise situations, direct suspension of the domain by the registrar or registry operator may not be the appropriate mitigation, as suspension will cut off access to all legitimate content and render any associated email and other services using the domain inaccessible. This is also the case when the DNS Abuse is associated with a third-level domain or subdomain. Registrars and registries can only act at the second-level domain level. Therefore, if they suspend the second-level domain, all third-level domains would be suspended as well, not just the one associated with DNS Abuse. In these situations, a registrar might elect to provide notification to the registrant, site operator, and/or web host.
What Makes an Action Prompt
As noted above, the appropriate mitigation action to stop or disrupt an instance of DNS Abuse will vary depending on the specific circumstances. Consequently, the appropriate amount of time to investigate and take action will also vary, making it impossible to prescribe a fixed amount of time for an action to be considered "prompt." Instead, registrars must demonstrate an ongoing attentiveness to allegations of sponsored names being used for DNS Abuse. The attentiveness should be commensurate with the potential harm that DNS Abuse causes victims.
Accordingly, in response to an inquiry by ICANN Contractual Compliance, registrars will be required to explain how the actions were prompt considering the specific circumstances. ICANN Contractual Compliance will then review the explanation and the relevant circumstances to make a case-by-case determination as to whether the actions were reasonably prompt. The timelines in the examples included in this Advisory are not contractual requirements, but illustrative only. A registrar taking more time to investigate and take action against a case similar to the examples will not necessarily be indicative of noncompliance. Conversely, other circumstances may require the registrar to act more quickly, such as instances of DNS Abuse that carry the potential of causing imminent harm to end users. A registrar is expected to investigate and take action as soon as possible following the registrar's reasonable attempt to confirm an instance of DNS Abuse.
Putting It All Together – Registrar Examples of Compliance
The examples below illustrate reasonable and prompt mitigation actions taken to stop the Registered Name from being used for DNS Abuse (Scenario One) and to disrupt the course of the DNS Abuse in relation to the Registered Name (Scenario Two). These scenarios contain specific factual circumstances. Under different circumstances, individual registrars may take different actions and within a different time frame to stop, or otherwise disrupt, individual cases of DNS Abuse. In all instances, registrars must be able to demonstrate that any approach taken is compliant with the relevant requirements in Section 3.18 of the RAA.
Scenario One: A registrar receives a complete and actionable abuse report alleging that a Registered Name sponsored by the registrar is used for phishing. The report includes evidence that a URL containing the Registered Name sponsored by the registrar is being sent via email or SMS representing itself as a large bank requesting the recipients unlock their accounts. The registrar initiates an investigation considering all relevant information included in the abuse report. The registrar's investigation reveals the Registered Name has no publicly available website and only displays a direct URL with what appears to be a login screen for a large bank. The same URL is the one being sent via emails or SMS. The registrar also considers that the customer is new and the Registered Name was registered five days prior.
Appropriate Mitigation Actions: The registrar reasonably concludes the Registered Name is being used for DNS Abuse and stops the DNS Abuse by suspending the Registered Name, applying the clientHold Extensible Provisioning Protocol (EPP) status code. The investigation and mitigation action occur within two business days of receipt of the report of abuse. The registrar may also decide to apply a transfer lock to the Registered Name to prevent the registrant from attempting to evade the mitigation action and resume using the domain name for DNS Abuse, so long as the registrar complies with the applicable requirements in ICANN's Transfer Policy.
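As an added example (not part of the Advisory, nor any registrar's own code), the following Python sketches the triage weighed in the compromised-domain guidance above and in Scenario One: it derives the Registered Name from the reported URL, lists the other hosts that a clientHold on that name would also take down, and builds the RFC 5731 EPP update that adds clientHold and, optionally, a clientTransferProhibited transfer lock. The one-label-TLD rule, the 30-day "new registration" window and all inputs are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

@dataclass
class AbuseReport:
    url: str                          # complete URL from the report, possibly defanged
    registered_days_ago: int          # from the registrar's own sponsorship records
    other_hosts: list = field(default_factory=list)  # services found under the name
    legitimate_content: bool = False  # genuine site/email in use at the Registered Name

def refang(url: str) -> str:
    """Undo report defanging such as example[.]tld and hxxp:// so the URL parses."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    return url if "://" in url else "http://" + url

def registered_name(host: str) -> str:
    """The second-level name a registrar or registry can act on.
    Assumption: one-label TLD; production code must consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def triage(report: AbuseReport, new_registration_days: int = 30) -> dict:
    """Weigh the harm of the abuse against the collateral damage of a suspension.
    The 30-day 'new registration' window is an assumed, not a contractual, value."""
    host = urlsplit(refang(report.url)).hostname or ""
    name = registered_name(host)
    on_subdomain = host != name
    # Every other host under the name that a hold on `name` would also take down.
    collateral = sorted({h.lower() for h in report.other_hosts} - {host})
    likely_compromise = on_subdomain or report.legitimate_content or bool(collateral)
    action = "notify" if likely_compromise else "clientHold"  # notify registrant/host vs suspend
    return {"registered_name": name, "abusive_host": host,
            "abuse_on_subdomain": on_subdomain, "collateral": collateral,
            "new_registration": report.registered_days_ago <= new_registration_days,
            "action": action}

def epp_add_statuses(name: str, statuses: list, cl_trid: str, reason: str = "DNS Abuse") -> str:
    """RFC 5731 <domain:update> adding e.g. clientHold (suspension) and
    clientTransferProhibited (transfer lock); cl_trid is the registrar's transaction id."""
    adds = "".join(f'<domain:status s="{s}" lang="en">{escape(reason)}</domain:status>'
                   for s in statuses)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><update>'
            '<domain:update xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">'
            f'<domain:name>{escape(name)}</domain:name><domain:add>{adds}</domain:add>'
            '</domain:update></update>'
            f'<clTRID>{escape(cl_trid)}</clTRID></command></epp>')
```

A report like Scenario One (new name, no legitimate content, abuse at the Registered Name itself) yields "clientHold"; a report where the phish sits on a subdomain beside live mail and other hosts yields "notify" and lists what a suspension would break.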
Scenario Two: A registrar receives a complete and actionable abuse report alleging that a Registered Name sponsored by the registrar, autobrand.tld, is being used for phishing. The report of abuse includes evidence of a specific URL being used for phishing. The registrar investigates, considering all relevant information included in the abuse report as well as information readily and reasonably accessible to the registrar. The investigation confirms that the URL in the report of abuse is being used for phishing. The investigation also reveals that the URL belongs to a subdomain (city.autobrand.tld), and appears to be used by a franchisee. The registrar acknowledges that the Registered Name autobrand.tld was registered three years ago and has a robust set of content for an automobile dealership franchise. The registrar is able to confirm the Registered Name is used for Autobrand's corporate emails and subdomains for multiple franchisees.
Appropriate Mitigation Actions: The registrar reasonably concludes that the Registered Name is being used for DNS Abuse, but that it is likely the result of domain compromise and that the registrant is not knowingly using the Registered Name for DNS Abuse. The registrar assesses the potential collateral damage that suspending the domain n