Last week we detailed the various things that are grouped under the name of “fraudulent or abusive use” in domain name management. Let’s now look at the various measures that a registry can consider taking when faced with such fraudulent activity.
There are several important points to keep in mind:
- The registry is not necessarily responsible for fraudulent or abusive use of domain names by registrants. On the contrary, registration rules often specify that the registrant is solely responsible.
That responsibility can be difficult to assess. For example, if a company’s website is hacked, which is a relatively commonplace occurrence, and a phishing page is installed on it, is it fair to delete the domain name? And if a name is used for spam, given that e-mail sender addresses are not authenticated by default and can be forged, should we take action against the registrant of the name, when the latter cannot do much about it? We therefore have to avoid behaving like the superheroes of American films, who shoot first and think afterwards.
- There is no magic technical solution to solve all of these problems at once, without causing any inconvenience.
It is important that the registry takes action, both because of its contractual obligations, and also to maintain its reputation. A registry that is perceived, rightly or wrongly, as a haven for criminals would risk seeing its domain names frequently blocked, as suggested by Brian Krebs in a recent article. But the registry must not act without thinking, for example by deleting innocent domain names without good reason.
An important part of a registry’s work involves the monitoring of “black lists” (blocklists), managed by various stakeholders, which list IP addresses or domain names that are problematic in one way or another. Regular monitoring of these lists can alert the registry, for example, that criminals have suddenly decided to make massive use of its TLD.
Among the measures that are possible, the registry must first read the reports addressed to it. This is not as simple as it sounds, because a large majority of these reports are too vague, do not always concern the registry (for example the hacking of a website in a delegated subdomain), are written in excessively brutal terms, or claim things that are impossible, such as the application of an untranslated ruling by a foreign court. Nevertheless, the degree to which the registry is seen to be responsive depends very much on the response it provides to reports of this type.
The registry can also enable DNSSEC security technology, and encourage its customers to use it. It is important to understand that DNSSEC does not protect against all the types of fraudulent activity mentioned above: it authenticates DNS answers, not the content served behind them, and it only helps when the resolver used by the victim actually validates the signatures. But it would have protected, for example, MyEtherWallet from the attack it suffered, and MyEtherWallet did activate DNSSEC after that attack occurred.
Finally, the registry can check the registrant’s contact data (the “social data”) submitted when registering a domain name, for example by verifying that the city indicated in the address exists in the country in question. (Such verifications are tricky, especially in an international environment, because there may be more than one way of spelling the name of a city.)
Our abuse detection service: Abuse Report
Abuse Report is an Afnic service which compares the list of domain names registered in a TLD with certain databases of domain names used for malicious purposes (Spamhaus, Google Safebrowsing, SURBL).
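The following is an added example, not Afnic’s Abuse Report code, of the core of such a comparison: each registered domain is looked up in DNS-queried domain blocklists (the Spamhaus DBL and SURBL zones named here are real and public; their return codes are taken from the operators’ documentation and should be verified against the current version before use), the answer is decoded into abuse categories, refused queries are kept apart from genuine listings, and the hits are aggregated per source, per category and per registrar. The `resolve_a` callable, the `FAKE_DNS` answers and the registrar names are assumptions constructed so that the example runs offline.

```python
"""Compare a list of registered domains against DNS-queried domain blocklists.

Added example; not Afnic's Abuse Report code. Assumed interface: `resolve_a(name)`
returns the A-record strings for `name`, or [] when the name does not exist.
Zones and return codes follow the public Spamhaus DBL and SURBL documentation;
verify them against the operators' current documentation before relying on them.
"""
import socket
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Spamhaus DBL: a listed domain resolves to 127.0.1.N, N being the category.
SPAMHAUS_DBL_CODES = {
    2: "spam", 4: "phishing", 5: "malware", 6: "botnet C&C",
    102: "abused legit spam", 103: "abused spammed redirector",
    104: "abused legit phishing", 105: "abused legit malware",
    106: "abused legit botnet C&C",
}
# SURBL multi: a listed domain resolves to 127.0.0.N, N being a bitmask of lists.
SURBL_LIST_BITS = {8: "phishing", 16: "malware", 64: "abuse", 128: "cracked"}


class LookupRefused(Exception):
    """The list operator refused the query (open resolver, rate limit, ...)."""


@dataclass
class Hit:
    domain: str
    source: str
    categories: List[str]


@dataclass
class ScanResult:
    hits: List[Hit] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def normalize(domain: str) -> str:
    """Lower-case, drop the trailing dot and IDNA-encode: 'Café.fr.' -> 'xn--caf-dma.fr'."""
    return domain.strip().rstrip(".").lower().encode("idna").decode("ascii")


def _last_octet(answer: str, prefix: Tuple[str, ...]) -> int:
    """N for an answer a.b.c.N under `prefix`, else -1. A 127.255.255.x answer is
    the Spamhaus convention for a refused query: raise rather than count a hit."""
    octets = tuple(answer.split("."))
    if len(octets) != 4:
        return -1
    if octets[:3] == ("127", "255", "255"):
        raise LookupRefused(answer)
    return int(octets[3]) if octets[:3] == prefix else -1


def decode_spamhaus(answers: Iterable[str]) -> List[str]:
    codes = [_last_octet(a, ("127", "0", "1")) for a in answers]
    return [SPAMHAUS_DBL_CODES.get(n, f"unknown code {n}") for n in codes if n >= 0]


def decode_surbl(answers: Iterable[str]) -> List[str]:
    cats: List[str] = []
    for n in (_last_octet(a, ("127", "0", "0")) for a in answers):
        if n >= 0:
            cats.extend(name for bit, name in SURBL_LIST_BITS.items() if n & bit)
    return cats


# source name -> (query zone, decoder)
SOURCES = {
    "Spamhaus DBL": ("dbl.spamhaus.org", decode_spamhaus),
    "SURBL": ("multi.surbl.org", decode_surbl),
}


def resolve_a_live(name: str) -> List[str]:
    """Real lookup via the system resolver (use a local one: public mirrors refuse open resolvers)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_zone(domains: Iterable[str], resolve_a=resolve_a_live, sources=SOURCES) -> ScanResult:
    result = ScanResult()
    for raw in domains:
        d = normalize(raw)
        for source, (zone, decode) in sources.items():
            try:
                cats = decode(resolve_a(f"{d}.{zone}"))
            except LookupRefused as e:
                result.errors.append(f"{source} refused lookup for {d}: {e}")
                continue
            if cats:
                result.hits.append(Hit(d, source, cats))
    return result


def summarize(result: ScanResult, registrar_of: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Per-source, per-category and per-registrar counts, as a monthly report aggregates them."""
    counts: Dict[str, Dict[str, int]] = {"per_source": {}, "per_category": {}, "per_registrar": {}}
    seen = set()
    for h in result.hits:
        counts["per_source"][h.source] = counts["per_source"].get(h.source, 0) + 1
        for c in h.categories:
            counts["per_category"][c] = counts["per_category"].get(c, 0) + 1
        if h.domain not in seen:  # count each domain once per registrar
            seen.add(h.domain)
            r = registrar_of.get(h.domain, "unknown")
            counts["per_registrar"][r] = counts["per_registrar"].get(r, 0) + 1
    return counts


# Constructed answers standing in for the live DNS, so the example runs offline.
FAKE_DNS = {
    "bad-example.fr.dbl.spamhaus.org": ["127.0.1.4"],      # DBL: phishing
    "bad-example.fr.multi.surbl.org": ["127.0.0.24"],      # SURBL: 8|16 = phishing+malware
    "xn--caf-dma.fr.dbl.spamhaus.org": ["127.0.1.102"],   # café.fr: abused legitimate site
    "throttled.fr.multi.surbl.org": ["127.255.255.254"],  # operator refused the query
}


def fake_resolve_a(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    res = check_zone(["bad-example.fr", "Café.fr.", "clean.fr", "throttled.fr"], fake_resolve_a)
    for h in res.hits:
        print(f"{h.domain}: listed by {h.source} as {', '.join(h.categories)}")
    for e in res.errors:
        print("error:", e)
    print(summarize(res, {"bad-example.fr": "registrar-A", "xn--caf-dma.fr": "registrar-B"}))
```

Two details matter in practice. The public query mirrors refuse lookups coming through open resolvers or exceeding their rate limits, and a scan that treats such a refusal as a listing would flag the entire TLD at once; that is why refused answers are reported separately. And a registry comparing a whole zone file will exceed the free query limits anyway, so the operators’ data feeds rather than ad hoc DNS queries are the realistic source for a service like this.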
Abuse Report has two main functions:
- Sending, by e-mail, an alert to the registry, to the registrar and to the registrant if potential fraudulent or abusive use of a domain name has been detected,
- Sending a monthly report to the registry detailing the potential abusive activity in the previous month.
The monthly report includes the following data:
- An overview of the registry’s activity in terms of abusive use (number of domains, number of potential abusive uses detected in the month, number of abusive uses per type of abuse, per abuse base, etc.),
- The distribution per registrar,
- The history of fraudulent activity over the past 12 months, and the history of the types of fraudulent activity over the past 12 months,
- The types of actions performed. By default, the report is sent by e-mail to the registry and to the registrars. Optionally, a message is also sent to registrants. The message indicates the exact data related to the domains that are the subject of potential fraudulent use (domain, date of creation, date of detection, age of the domain, abuse base in which the domain was detected),
- A glossary that details the abuse bases monitored by the Abuse Report service, as well as a definition of the types of fraudulent use detected and the actions taken into account.