Home / Blogs

Domain Name Abuse Is a 4 Letter Word

Michael Young

There has been a lot of back and forth recently in the ICANN world on what constitutes domain abuse; how it should be identified and reported AND how it should be addressed. On one side of the camp, we have people advocating for taking down a domain that has any hint of misbehaviour about it, and on the other side we have those that still feel Registries and Registrars have no responsibility towards a clean domain space. (Although that side of the camp is in steady decline and moving toward the middle ground). Domain abuse by the most common definition means domains registered for phishing, malware, botnets and domains advertised in spam. These activities are commonly recognized in most countries and jurisdictions as illegal or at least harmful. It's important to note, however, that many Internet stakeholders consider other types of domain misuse just as abusive, and in some cases just as illegal. Common examples include intellectual property infringement, copyright violations, and certain types of highly offensive content display.

My own opinions on abuse mitigation are rooted in 14 years of experience that include the launch of TLDs such as .Info, .Mobi and .Me and the transition of others such as .Org, and .In. Specifically in managing the technical and operational aspects for the good and bad outcomes of fast growth, various pricing schemes and promos, and registrar and registrant behavior. My opinion at the end of the day can be summarized in a few statements:

  • Abuse causes well-defined harm to many organizations and individuals — both economic and reputational (this includes Registries and Registrars)
  • Spam is not less harmful than other forms of abuse since it's used to advertise phishing and malware sites
  • It is possible to identify almost all abusive domains, with high levels of confidence, for suspensions where the number of occurrences of truly innocent domains being suspended is extremely low — even where there is an active suspension program
  • Reducing the time to harm is the key. And that means removing the domain from the DNS -QUICKLY- after identifying it as harmful.

But let me tell you how I got to this position over the last 14 years.

From their inception, virtually none of the gTLD or ccTLD registries had any contractual obligations to mitigate abuse. Therefore, for many years, the most pervasive argument for TLD registries, taking proactive measures against abusive domain registrations, was an altruistic one, focused on protecting the Internet end-users from some of the more egregious cases — with documented exploitation and/or blatant illegality. During this time, most TLDs handed over the responsibility of legitimate use solely to their retail level resellers (Registrars). If a TLD registry did take action on abuse mitigation, it did so at a slow pace of engagement — often missing the opportunity to mitigate active harms.

Now in the post new gTLD era, there is more active involvement on the part of many legacy TLD registries. Registries are starting to take down abusive domains quite regularly and even aggressively, while others operate at a slower pace but still take action. Why? What changed? While regulatory changes and increased pressures are doubtless factors, what has changed is the realization that the altruistic rationale for protecting the end-users was also in fact good for protecting their business.

By mid 2000s when some TLD registries experimented with low cost domains, they also attracted registrants with nefarious intentions. We also learned that over time, the Internet community recognized patterns and key habitats for abusive domains and in turn began to progressively shut those habitats out of community participation. What does this mean practically? A TLD with unmanaged abuse that rises above a certain saturation point will eventually find that email associated with its domain names won't work, and that websites and web services associated with those domains will be shunned and not trusted. This results in abysmal renewal rates on 1 year registrations (sometimes dropping to well below 10%). The question to ask then is "how financially viable is a registry with tanking renewals and non-working names?" The only exception we've seen in this regard is .com, but that's because such a large portion of the Internet operates on .com names. Infrastructure operators do not believe they can afford to shut out .com traffic generically. They are, of course, right today, but as registrations disperse across more TLDs such as the country code TLDs and the new TLDs, this will likely change over the course of the next decade.

But this isn't always a low cost domain problem — sometimes it's the high cost TLDs that are at risk. While large scale domain abuse campaigns do tend to focus on using lower cost domains, smaller and/or more expensive TLDs are often used in sophisticated campaigns with low numbers of domains, sometimes resulting in far more economic harm than the large scale, volume-based campaigns. This represents a significant reputational risk for the registry operator. It's also important to remember, a significant number of abusive domains are marked as abusive because they are associated with "compromised" web services. Someone has hijacked a legitimate service site for abusive use. Therefore, high domain prices alone are not an adequate abuse management strategy.

Self-regulate or be regulated:

At the end of the day, a domain is a consumer product, and people want their products to work as expected, in a safe manner. A registry that does not manage its abuse is not managing their reputation OR protecting their own or their customers' economic interests. This is reason enough to actively manage abuse, but legal and regulatory environments are currently catching up to this problem. Why? Because consumers want safe products! We are at a classic point that all developing infrastructure industries eventually reach; we can either solve domain abuse voluntarily, or wait for regulation on domain abuse to be mandated to us on the basis of public safety, and then incrementally increased. In other words — we can self-regulate or be regulated.

At the end of the day I am a product developer and believe in building good products with great value to the end customer. If I build no safeguards for a product that has the potential to be used in harmful ways, then my punishment is manifold: my consumers will stop buying my product, regulatory rules will be brought to bear, and I will fail economically to build a sustainable business. You don't have to look very far to see the severe consequences of even low statistical levels of product failures, just look at the recent General Motor ignition switch failures as an example. Domains are infrastructure products — key services and sometimes even safety systems depend on them. As an industry, we need to have the discipline and commitment to build safe products.

By Michael Young He built the first modern EPP Top Level Domain registry in 2001 (.info) and subsequently built and operated the backend systems for numerous gTLDs, ccTLDs, IDN enabled registries and sponsored TLDs such as .org, .mobi, .in, .me and others. Architelos provides new gTLD application guidance and registry management services for clients in the DNS and IP industry. Mr. Young can be reached directly at myoung@architelos.comVisit Page
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

This entire thing applies in spades to the RIRs as well Suresh Ramasubramanian  –  Nov 12, 2014 7:53 PM PDT

unfortunately, rhe "we are not the internet police" trope has a much stronger hold on parts of that community, and the number of abusive registrations gaming their system has been rather high over the past years and remains so

To post comments, please login or create an account.

Related

Topics

Domain Names

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC

Cybersecurity

Sponsored byVerisign

DNS Security

Sponsored byAfilias

New TLDs

Sponsored byAfilias