ShortDot and DNS Abuse Mitigation


DNS abuse is a prevalent topic right now that deserves attention given how broad the definition of the term is and the far-reaching effects it can have on victims of DNS abuse.

ShortDot is one of the largest domain registries in the world. We currently manage .icu, .bond and .cyou. We use multiple internal and external tools and sources to actively monitor our zone files for DNS abuse and for other domains that may violate our Terms and Conditions, found here: https://nic.icu/terms/. We do not tolerate abusive domains, and when we’re alerted to DNS abuse on Domain(s) in one of our zones, we promptly take action. Usually this means placing the Domain(s) on ServerHold status; sometimes we’ll first notify the Registrar, giving them time to investigate the issue. Registrants who believe this action was taken by mistake can always reach out to us, and we will review the case; however, as you will learn, most of our tools are built to reduce false positives.

In 2019 we explained our process for handling DNS abuse here at ShortDot and the .icu registry: https://nic.icu/how-.icu-handles-abusive-domain-names/. In 2020, as the digital environment has evolved, so has our process for handling reports of DNS abuse. For this article, we’re going to use the types of DNS abuse as defined in the ‘Framework for DNS Abuse’ letter put together by domain industry leaders, found here: http://dnsabuseframework.org/.

Malware is malicious software, installed on a device without the user’s consent, which disrupts the device’s operations, gathers sensitive information, and/or gains access to private computer systems. Malware includes viruses, spyware, ransomware, and other unwanted software.

Botnets are collections of Internet-connected computers that have been infected with malware and commanded to perform activities under the control of a remote administrator.

Phishing occurs when an attacker tricks a victim into revealing sensitive personal, corporate, or financial information (e.g. account numbers, login IDs, passwords), whether through sending fraudulent or ‘look-alike’ emails, or luring end users to copycat websites. Some phishing campaigns aim to persuade the user to install software, which is in fact malware.

Pharming is the redirection of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning. DNS hijacking occurs when attackers use malware to redirect victims to [the attacker’s] site instead of the one initially requested. DNS poisoning causes a DNS server [or resolver] to respond with a false IP address bearing malicious code. Phishing differs from pharming in that the latter involves modifying DNS entries, while the former tricks users into entering personal information.

Spam is unsolicited bulk email, where the recipient has not granted permission for the message to be sent, and where the message was sent as part of a larger collection of messages, all having substantively identical content.

These definitions, and their sources, are taken from the Framework letter at the link above.


The next factor in DNS abuse is how abusive domain names are reported to Registrars and Registries. At ShortDot, and for the .icu domain extension, there are two primary avenues by which DNS abuse reports reach our abuse team: Trusted Sources and Publicly Reported Domains.

Trusted Sources are typically companies in the cybersecurity industry that monitor the internet for DNS abuse. When we receive a report of DNS abuse from a Trusted Source, we immediately take action; typically this involves placing the Domain(s) on ServerHold status and notifying the Registrar where the Domain is registered that there is an issue. Some of the Trusted Sources that we use to monitor the .icu zone are listed below; keep in mind that this is not a comprehensive list.

SpamHaus.org is one of the most well known non-profit organizations that actively monitors more than 3 billion[1] mailboxes globally for spam emails. ShortDot uses a third-party service that pulls domains from SpamHaus via its API and notifies us when Domain(s) violate our Terms and Conditions. According to SpamHaus, their Domain Block List (DBL) is compiled as follows:

The DBL’s reputation database is maintained by a dedicated team of specialists using various data from many sources to craft and maintain a large set of rules controlling an automated system that constantly analyses a large portion of the world’s email flow and the domains in it. Most DBL listings occur automatically, although where necessary Spamhaus researchers will add or remove listings manually. DBL data is exchanged with other Spamhaus systems which can result in further listings in the DBL, or in IP addresses being listed in other Spamhaus zones.[2]

PhishTank is an information clearinghouse operated by OpenDNS. While their data is reported by users around the internet, they have a verification system that significantly reduces false positives, making their reports accurate. Any time PhishTank reports an abusive domain to ShortDot, we take immediate action as described above. More information about PhishTank can be found by visiting: https://www.phishtank.com/

Google Safe Browsing (GSB) helps protect over four billion devices every day by showing warnings to users when they attempt to navigate to dangerous sites or download dangerous files.[3] ShortDot’s third-party monitoring software also pulls data from GSB. Any time a .icu or other ShortDot Domain is reported by GSB, we take immediate action by placing the Domain on ServerHold status and notifying the Registrar.

1. Self-reported from https://www.spamhaus.org/organization/
2. Compilation method as defined by SpamHaus: https://www.spamhaus.org/dbl/
3. Description of Google Safe Browsing from: https://safebrowsing.google.com/


Publicly Reported Domains is the classification we give to domains reported by the general public. These reports reach ShortDot in multiple ways, some of which are: our abuse reporting form located at www.nic.icu/reportabuse, internet users forwarding abusive domains to abuse@nic.icu, or reports filed by phone via our toll-free or international numbers, +1 (844) 447-4678 or +1 (512) 596-2935. When domains fall into this category, we notify the Registrar where the Domain is registered that there may be an issue and give them 48 hours to investigate and report their findings, and any actions taken, back to ShortDot. If we have not received a response, or if we can verify that the Domain violates our Terms and Conditions, we place the Domain(s) on ServerHold.

What is ServerHold, and once a domain is placed on ServerHold, how is it removed?

ServerHold is a mechanism available to Registries that removes all DNS records for a domain name. It also removes the Registrar’s ability to modify the domain name until the Registry lifts the ServerHold status. Essentially, your domain is not activated in the DNS.[1]

If you are the registrant of a .icu or other ShortDot Registry Domain and want to request that the ServerHold status be removed, send an email to legal@nic.icu with an explanation of the issue, and the actions you have taken to remedy the issue. It is also important to confirm that the issue will not happen again. Our abuse team will review all requests to remove ServerHold and respond within 48 hours.

1. ICANN’s definitions can be found at: https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
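As an added illustration, not ShortDot’s own tooling, the Python below triages a domain’s RDAP lookup result to tell a registrant whether a suspension is the Registry’s ServerHold (which only the Registry can lift) or a Registrar-side clientHold; it assumes the RFC 8056 spelling of RDAP status values and uses a constructed RDAP response rather than real registry data.

```python
import json

# RDAP reports EPP status codes in their RFC 8056 spelling; only the codes
# relevant to a "why is my domain not resolving?" triage are mapped here.
RDAP_TO_EPP = {
    "server hold": "serverHold",
    "client hold": "clientHold",
    "server update prohibited": "serverUpdateProhibited",
    "active": "ok",
    "inactive": "inactive",
}


def epp_status_set(rdap_response: str) -> set:
    """Return the EPP status codes present in an RDAP domain lookup result."""
    doc = json.loads(rdap_response)
    return {RDAP_TO_EPP.get(s.lower(), s) for s in doc.get("status", [])}


def triage(rdap_response: str) -> dict:
    """Decide who can lift a suspension: serverHold is set and cleared by the
    Registry; clientHold is the Registrar's. Either keeps the domain out of DNS."""
    statuses = epp_status_set(rdap_response)
    server_hold = "serverHold" in statuses
    client_hold = "clientHold" in statuses
    if server_hold:
        owner = "registry"    # Registry abuse/legal desk must clear it
    elif client_hold:
        owner = "registrar"   # sponsoring Registrar must clear it
    else:
        owner = None          # not suspended; look at DNS/hosting instead
    return {
        "resolves_in_dns": not (server_hold or client_hold),
        "registrar_can_edit": not server_hold,
        "lift_request_goes_to": owner,
        "statuses": sorted(statuses),
    }


# Constructed RDAP responses for illustration (not real registry data).
SAMPLE_HELD = json.dumps({"objectClassName": "domain", "ldhName": "example.icu",
                          "status": ["server hold", "client transfer prohibited"]})
SAMPLE_OK = json.dumps({"objectClassName": "domain", "ldhName": "example.icu",
                        "status": ["active"]})

if __name__ == "__main__":
    print(triage(SAMPLE_HELD))
    print(triage(SAMPLE_OK))
```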


ShortDot is proud to be one of the largest new domain registries on the planet. Our extensions include .icu, .bond and .cyou. We are constantly looking to acquire more extensions and to continue being a leader in the domain name space. The DNS abuse information and process outlined here is meant not only to explain how ShortDot handles DNS abuse but also to demonstrate our commitment to combating abusive content on the internet.

Thank you for reading, we’re happy to answer questions or provide further clarification.


-The ShortDot Team

.icu | .bond | .cyou