Latest news of the domain name industry

Recent Posts

Spam is not our problem, major domain firms say ahead of ICANN 66

Kevin Murphy, October 21, 2019, Domain Policy

Eleven of the largest domain name registries and registrars have denied that spam is something they should have to deal with, unless it’s used to proliferate other types of abuse such as phishing or malware.

In a newly published “Framework to Address Abuse” (pdf), the companies attempt to define the term “DNS abuse” narrowly to capture only five (arguably only four and a half) specific types of online threat.

That abuse comprises malware, phishing, botnets, pharming and spam.

The companies agree that these are activities which registrars and registries “must” act upon.

But the document notes that not all spam is its responsibility, stating:

While Spam alone is not DNS Abuse, we include it in the five key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse. In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme.

In other words, registrars and registries should not feel responsible for the billions of spams sent every day using their domains, unless the spam runs further malware, phishing, pharming or botnet abuse.

The signatories of the framework are Public Interest Registry, GoDaddy, Donuts, Tucows, Amazon Registry Services, Blacknight, Afilias, Name.com, Amazon Registrar, Neustar, and Nominet UK.

It may seem like they’ve presented a surprisingly narrow definition, but it’s in line with what current ICANN contracts dictate.

Neither the standard Registry Agreement nor Registrar Accreditation Agreement mention spam at all. Six years ago, ICANN specifically said that spam is “outside of ICANN’s scope and authority”.

Under the RA, registries have to oblige their registrars to ban registrants from “distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law”.

They also have to maintain statistical reports on the amount of “pharming, phishing, malware, and botnets” in their zones, and provide those reports to ICANN upon demand. A recent audit found that 5% of registries, mainly dot-brands, were not doing this.

However, ICANN’s Domain Abuse Activity Reporting system, an effort to provide some transparency into how gTLDs are being abused, does in fact track spam. It does not track pharming, which is a fairly obscure and little-used form of DNS attack.

The DAAR report for September shows that spam constituted 73% of all tracked abuse.

The ICANN board of directors today identified DAAR as one of a few dozen priorities for the coming year.

Similarly, the cross-community working group known as the CCT Review Team, which was tasked with looking into how the new gTLD program has impacted competition and consumer trust, had harsh words for spam-friendly registries, and provided a definition of “DNS Security Abuse” that specifically included “high volume spam”.

The review recommended that ICANN introduce more measures to force contracted parties to deal with this type of abuse. This could include incentives for registries to clean up their zones and abuse volume thresholds that would automatically trigger compliance actions.

The new framework document comes in the context of an ongoing debate within the ICANN community about what “DNS abuse” is.

Two partners at Interisle, a security consultancy that often works for ICANN, recently guest-posted on DI to say that this term has become meaningless and should be abandoned in favor of “security threat”.

They argued that the definition should include not only spam, but also stuff like IP infringement, election interference, and terrorism.

But the main threat to contracted parties probably comes from the Governmental Advisory Committee, backed by law enforcement, which is pushing for stronger rules covering abusive content.

During a webinar last week, the US Federal Trade Commission, the FBI, and Europol argued that registries and registrars should be obliged to do more to combat abuse, specifically including spam.

“Whether or not you call it phishing or spam or whether it has a malware payload or not, ultimately it’s all email, and email remains the most common tool of cybercriminals to ensnare their victims, and that’s why we in law enforcement care about the domains used to send emails,” said Gabriel Andrews of the FBI’s Cyber Initiative Resource Fusion Unit, on the call.

Registries and registrars countered, using the same language found in the new framework, that generic spam is a content issue, and outside of their remit.

The two sides are set to clash again at ICANN’s annual general meeting in Montreal next month, in a November 6 face-to-face session.

While 11 entities signed the new framework, it’s arguably only nine companies. Name.com is owned by Donuts and both Amazon firms obviously have the same parent.

But it does include the two largest registrars, and registries responsible for running several hundred commercial gTLDs, dot-brands and ccTLDs.

While none of the signatories of the framework have a particular reputation for being spam-friendly, other companies in the industry — particularly some of the newest and cheapest new gTLDs — tend to attract spammers like flies to a turd.

Some of the signatories are perhaps surprising, given their past or ongoing behavior to tackle content-based abuse in their own zones.

Nominet, notably, takes down tens of thousands of domains ever year based on little more than police assurances that the domains are being used to sell counterfeit merchandise or infringe copyright.

The .uk registry also preemptively suspends domains based on algorithms that guess whether they’re likely to be seen as encouraging sexual violence or could be used in phishing attacks.

Donuts also has a trusted notifier relationship with the movie and music industries that has seen it take down dozens of names being used for mass copyright infringement.

PIR has previous endorsed, then unendorsed, the principal of a “UDRP for copyright”, a method of giving Big Content a way of going through due process to have domains taken or suspended.

Outside the spam issue, while the new registry-registrar framework says that registries and registrars should not get involved in matters related to web site content, it also says they nevertheless “should” (as opposed, one assumes based on the jargon usually found in internet standards, to “must”) suspend domains when they’re being used to distribute:

(1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence.

These are exceptions because they constitute “the physical and often irreversible threat to human life”, the framework says.

Ultimately, this all boils down to a religious debate about where the line is drawn between “DNS” and “content”, it seems to me.

The contracted parties draw the line at threats to human life, whereas others want action on other forms of abuse largely because registries and registrars are in the best position to help.

.icu joins the million-domains club in one year, but spam triples

Another new gTLD has joined the exclusive list of those to enter seven figures in terms of domains under management.

.icu, managed by ShortDot, topped one million names this week, according to COO Kevin Kopas.

It’s taken about a month for DUM to increase from 900,000 names, and if zone files are any guide half of that growth seems to have happened in the last week.

.icu domains currently sell for between $1 and $2 for the first year at the cheap end of the market, where most regs are concentrated, with renewals closer to the $10 mark.

The gTLD joins the likes of .club, .xyz, .site and .online to cross the seven-figure threshold.

When we reported on the 900,000-reg mark at the end of May, we noted that .icu had a SpamHaus “badness” rating of 6.4%, meaning that 6.4% of all the emails coming from .icu addresses that SpamHaus saw were classified as spam.

That score was roughly the same as .com, so therefore pretty respectable.

But in the meantime, .icu’s badness score has almost tripled, to 17.4%, while .com’s has stayed about the same.

Picking through the Google search results and Alexa list for .icu domains, it appears that high-quality legit web sites are few and far between.

Whether that’s a fixable symptom of .icu’s rapid growth — it’s only about 13 months post-launch — or a predictor of poor long-term potential remains to be seen.

Rumors swirl as AlpNames suffers “days” of downtime

Kevin Murphy, March 12, 2019, Domain Registrars

The web site of controversial registrar AlpNames has been offline for “days”, and rumors have started to circulate that it might not just a technical problem.

At time of writing, alpnames.com resolves to a Cloudflare error page, warning that the AlpNames web server has an invalid SSL certificate. Cloudflare may also show an ugly, bare-bones cached version of the site.

This means that AlpNames customers are unable to log in to manage their domains, according to threads on Namepros and Reddit, and conversations I’ve had with some of those affected.

It’s said that customers are able to manage their domains by logging in directly to LogicBoxes, AlpNames’ registrar-in-a-box provider, but I’ve been unable to personally verify this.

AlpNames is believed to have almost 700,000 names under management, double the size it was last June but well below its peak, at the height of its deep-discounting period in 2017, of over three million.

It’s not known how many individual registrants are affected. The company tends to attract what one might charitably call “bulk-buyers”, so it will be substantially lower than the number of registered domains.

It’s also not entirely clear when the web site went down. It’s not been loading here for at least 12 hours, but the first reference to downtime on Namepros was on Sunday. Multiple other sources have told me today that it’s been unavailable “for a few days”.

A separate AlpNames-owned web site focused on marketing .icu domains to the Chinese market is still online.

But it seems a lot of AlpNames customers have been left hanging in uncertainty, unsure how or when they will be able to manage their domains.

I’ve been unable to reach any of AlpNames’ senior executives for comment on the situation today.

An email sent to CEO Iain Roache this morning, at the address he was using in December, bounced back with a “disabled account” error message. I have received no response to messages I sent to two other email addresses he is known to use.

I understand that fellow AlpNames exec Geir Rasmussen who, with Roache, was enthusiastically pitching grand plans for AlpNames as recently as October, is no longer with the company.

Chief operating officer Damon Barnard also left the company last October and ceased work as a director around the same time.

Records show the salesperson due to represent AlpNames at this week’s ICANN 64 meeting in Japan did not show up and is believed to have also left the company in January.

The company’s Twitter and Facebook accounts, which are not usually particularly active anyway, have not yet addressed the downtime problem.

If it is simply a case of an expired or misconfigured SSL cert, why is it taking so long to fix, and why has there been radio silence from AlpNames?

Opponents and competitors are putting the word around that there may be a more serious problem with the company, but I’ve not seen any conclusive evidence that this is the case.

It’s possible there’s some confusion between AlpNames and Famous Four Media, the now-defunct Roache/Rasmussen venture that managed the portfolio of new gTLDs owned by Domain Venture Partners, an investment vehicle set up by Roache prior to ICANN’s 2012 gTLD application round.

DVP is no longer affiliated with AlpNames and its gTLDs are managed by a new DVP-controlled entity, GRS Domains, after an investor revolt.

Phishing still on the decline, despite Whois privacy

Kevin Murphy, March 5, 2019, Domain Policy

The number of detected phishing attacks almost halved last year, despite the fact that new Whois privacy rules have made it cheaper for attackers to hide their identities.

There were 138,328 attacks in the fourth quarter of 2018, according to the Anti-Phishing Working Group, down from 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1.

That’s a huge decline from the start of the year, which does not seem to have been slowed up by the introduction in May of the General Data Protection Regulation and ICANN’s Temp Spec, which together force the redaction of most personal data from public Whois records.

The findings could be used by privacy advocates to demonstrate that Whois redaction has not lead to an increase in cybercrime, as their opponents had predicted.

But the data may be slightly misleading.

APWG notes that it can only count the attacks it can find, and that phishers are becoming increasingly sophisticated in how they attempt to avoid detection. The group said in a press release:

There is growing concern that the decline may be due to under-detection. The detection and documentation of some phishing URLs has been complicated by phishers obfuscating phishing URLs with techniques such as Web-spider deflection schemes – and by employing multiple redirects in spam-based phishing campaigns, which take users (and automated detectors) from an email lure through multiple URLs on multiple domains before depositing the potential victim at the actual phishing site.

It also speculates that criminals once involved in phishing may have moved on to “more specialized and lucrative forms of e-crime”.

The Q4 report (pdf) also breaks down phishing attacks by TLD, though comparisons here are difficult because APWG doesn’t always release this data.

The group found .com to still have the most phishing domains — 2,098 of the 4,485 unique domains used in attacks, or about 47%. According to Verisign’s own data, .com only has 40% market share of total registered domains.

But new, 2012-round gTLDs had phishing levels below their market share — 4.95% of phishing on a 6.83% share. This is actually up compared to the 3% recorded by APWG in Q3 2017, the most recent available data I could find.

Only two of the top 20 most-abused TLDs were new gTLDs — .xyz and .online, which had just 70 attack domains between them. That’s good news for .xyz, which in its early days saw 10 times as much phishing abuse.

After .com, the most-abused TLD was .pw, the ccTLD for Palau run by Radix as an unrestricted pseudo-gTLD. It had 374 attack domains in Q4, APWG said.

Other ccTLDs with relatively high numbers included several African zones run as freebies by Freenom, as well as the United Kingdom’s .uk and Brazil’s .br.

Phishing is only one form of cybercrime, of course, and ICANN’s own data shows that when you take into account spam, new gTLDs are actually hugely over-represented.

According to ICANN’s inaugural Domain Abuse Activity Reporting report (pdf), which covers January, over half of cybercrime domains are in the new gTLDs.

That’s almost entirely due to spam. One in 10 of the threats ICANN analyzed were spam, as identified by the likes of SpamHaus and SURBL. DAAR does not include ccTLD data.

The takeaway here appears to be that spammers love new gTLDs, but phishers are far less keen.

ICANN did not break down which gTLDs were the biggest offenders, but it did say that 52% of threats found in new gTLDs were found in just 10 new gTLDs.

This reluctance to name and shame the worst offenders prompted one APWG director, former ICANN senior security technologist Dave Piscitello, to harshly criticize his former employer in a personal blog post last month.

Spammy .loan makes Alibaba fastest-growing and fastest-shrinking registrar in June

Kevin Murphy, October 5, 2018, Domain Registrars

Chinese registrar Alibaba was both the fastest-growing and fastest-shrinking registrar in June, purely due to its dalliance with hundreds of thousands of cheap .loan domain names.

Stats compiled by DI from the latest monthly registry reports show that Alibaba’s Singapore-based registrar — which has only been active for a year — grew its domains under management by 720,669 in June, almost four times as many as second-placed NameCheap.

The huge increase was due to Alibaba’s DUM in .loan doubling in June, going from from 621,851 to 1,274,532. Another 50,000 extra domains came from .win.

Both .loan and .win are run by registry GRS Domains, the company that replaced Famous Four Media as manager of the Domain Venture Partners gTLD portfolio.

According to SpamHaus, .loan has a “badness” of just shy of 90%, based on a sample size of 45,000 observed domains. SpamHaus has .win at almost 39% bad.

GRS has promised to turn its portfolio around and cut off its deep-discounting promotions effective August 20. The June figures reflect a time when discounts were still in place.

The Singapore Alibaba had DUM of 1,771,730 at the end of June.

At the bottom end of the June league table was a second Alibaba accrediation, Beijing-based Alibaba Cloud Computing (aka HiChina or net.cn), which had a net DUM loss of 266,411, after seeing 345,268 deletes in .loan (along with 45,000 deletes in .xyz and 35,000 in .xin).

The second biggest loser was AlpNames, which is owned by the same people as Famous Four, which deleted over 114,000 names in the month. The vast majority of these names were in FFM/GRS gTLDs, including .loan.

The main, earliest Alibaba accreditation, Alibaba Cloud Computing (Beijing), which has zero exposure to new gTLDs, grew by 69,794 domains to end June as the seventh fastest-growing registrar with DUM of 7,672,594.

As of a couple weeks ago, Alibaba has a fourth ICANN accreditation, Alibaba Cloud US LLC, but that obviously does not figure into the June numbers.

Here’s the top 10 registrars for June by DUM growth:

Registrar (IANA ID)DUMTransfers InTransfers OutNet TransfersAddsDeletesChange
Alibaba.com Singapore E-commerce Private Ltd (3775)1771730230017228339416345720669
NameCheap, Inc. (1068)862443322140891613224418008253219187827
GoDaddy.com, LLC (146)59208467703796893114481131439951837153910
NameSilo, LLC (1479)1670604144276041838613653932107111151
Xin Net Technology Corporation (120)262370941275041-91415315466679102744
Google LLC (895)231378010763169190721253194944079148
Alibaba Cloud Computing (Beijing) Co., Ltd. (420)76725941907811732734622080515525869794
Network Solutions, LLC (2)708437552854143003855412243811062853712
GMO Internet, Inc. d/b/a Onamae.com (49)47051283043209195214625917494644668
TLD Registrar Solutions Ltd. (1564)12186886858-77239315232535877

And the bottom 10:

Registrar (IANA ID)DUMTransfers InTransfers OutNet TransfersAddsDeletesChange
Alibaba Cloud Computing Ltd. d/b/a HiChina (www.net.cn) (1599)446845116192891330202094509820-266411
Alpnames Limited (1857)3613027165366314273114254-112825
Chengdu West Dimension Digital Technology Co., Ltd. (1556)2270000422719452282148101269286-94937
Bizcn.com, Inc. (471)9202431203336-3216603663268-69862
eNom, LLC (48)6824378915328741-1958875665101336-52205
Domain.com, LLC (886)197492715348827-72932361958695-37594
Todaynic.com, Inc. (697)13652775154-79138527795-26771
Register.com, Inc. (9)197625412953484-21891918737626-26231
Wild West Domains, LLC (440)300078434777346-38693101546045-18883
Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA (106)157968313143803-24891183828246-16839

You may notice that in both tables the net change column is not equal to the sum of adds and net transfers minus deletes. This is because, per ICANN contract, domains still in their five-day Add Grace Period are counted in DUM but not in adds, so many adds slip over into the following month.

.CLUB sees spam double after China promotion

Kevin Murphy, September 11, 2018, Domain Registries

.CLUB Domains has seen the amount of spam in .club double a month after seeing a huge registration spike prompted by a deep discount deal.

The registry saw its domains under management go up by about 200,000 names over a few days in early August, largely as a result of a promotion at Chinese registrar AliBaba.

AliBaba sold .club domains for CNY 3 ($0.44) during the promotion, helping it overtake GoDaddy as the top .club registrar.

At that time, spam tracker SpamHaus was reporting that 17.9% of the .club domains it was seeing in the wild were being used in spam.

SpamHaus statToday, that number is 35.4%, almost double the August 7 level. SpamHaus does not publish the actual number of spammy domains for .club; that honor is only bestowed upon the top 10 “bad” TLDs.

Correlation does not equal causation, of course. There could be factors other than the AliBaba promotion that contributed to the increase, but I believe there’s probably a link here.

.CLUB chief marketing officer Jeff Sass told DI:

When registrars have domains “on sale”, there is always the chance that low-cost domains will be attractive to abusers. We monitor abuse proactively, and respond promptly to complaints, as well as monitor our registrar partners collectively and individually.

It’s almost certainly unfair of me to single out fluctuations in .club here, rather than take a comparative look at multiple TLDs. There are certainly many worse TLDs per SpamHaus’ statistics — .men leads among the gTLDs, with 87.2% spam.

But, given the industry truism that cheaper domains leads to more abuse, I think such a large increase correlating with such a successful promotion is a useful data point.

Whois privacy did NOT increase spam volumes

Kevin Murphy, August 31, 2018, Domain Tech

The advent of more-or-less blanket Whois privacy has not immediately led to the feared uptick in spam, according to researchers.

Data from Cisco’s Talos email data service, first highlighted by security company Recorded Future this week, shows spam levels have been basically flat to slightly down since ICANN’s GDPR-inspired new Whois policy came into effect May 25.

Public Talos data shows that on May 1 this year there were 433.9 billion average daily emails and 370.04 billion spams — 85.28% spam.

This was down to 361.83 billion emails and 308.05 billion spams by August 1, an 85.14% spam ratio, according to Recorded Future.

So, basically no change, and certainly not the kind of rocketing skyward of spam levels that some had feared.

Cisco compiles its data from customers of its various security products and services.

Looking at Talos’ 18-month view, it appears that spam volume has been on the decline since February, when the ratio of spam to ham was pretty much identical to post-GDPR levels.

It also shows a similar seasonal decline during the northern hemisphere’s summer 2017.

Talos graph

There had been a fear in some quarters that blanket Whois privacy would embolden spammers to register more domains and launch more ambitious spam campaigns, and that the lack of public data would thwart efforts to root out the spammers themselves.

While that may well transpire in future, the data seems to show that GDPR has not yet had a measurable impact on spam volume at all.

Could crypto solve the Whois crisis?

Kevin Murphy, July 10, 2018, Domain Tech

Could there be a cryptographic solution to some of the problems caused by GDPR’s impact on public Whois databases? Security experts think so.

The Anti-Phishing Working Group has proposed that hashing personal information and publishing it could help security researchers carry on using Whois to finger abusive domain names.

In a letter to ICANN, APWG recently said that such a system would allow registries and registrars to keep their customers’ data private, but would still enable researchers to identify names registered in bulk by spammers and the like.

“Redacting all registration records which were formerly publicly available has unintended and undesirable consequences to the very citizens and residents that electronic privacy legislation intends to protect,” the letter (pdf) says.

Under the proposed system, each registry or registrar would generate a private key for itself. For each Whois field containing private data, the data would be added to the key and hashed using a standard algorithm such as SHA-512.

For items such as physical addresses, all the address-related fields would be concatenated, with the key, before hashing the combined value.

The resulting hash — a long string of gibberish characters — would then be published in the public Whois instead of the [REDACTED] notice mandated by current ICANN policy.

Security researchers would then be able to identify domains belonging to the same purported registrant by searching for domains containing the same hash values.

It’s not a perfect solution. Because each registry or registrar would have their own key, the same registrant would have different hash values in different TLDs, so it would not be possible to search across TLDs.

But that may not be a huge problem, given that bad guys tend to bulk-register names in TLDs that have special offers on.

The hashing system may also be beneficial to interest groups such as trademark owners and law enforcement, which also look for registration patterns when tracking down abuse registrants.

The proposal would create implementation headaches for registries and registrars — which would actually have to build the crypto into their systems — and compliance challenges for ICANN.

The paper notes that ICANN would have to monitor its contracted parties — not all of which may necessarily be unfriendly to spammers — to make sure they’re hashing the data correctly.

Tech giants gunning for AlpNames over new gTLD “abuse”

A small group of large technology companies including Microsoft and Facebook have demanded that ICANN Compliance take a closer look at AlpNames, the budget registrar regularly singled out as a spammers’ favorite.

The ad hoc coalition, calling itself the Independent Compliance Working Party, wrote to ICANN last week to ask why the organization is not making better use of statistical data to bring compliance actions against the small number of companies that see the most abuse.

AlpNames, the Gibraltar-based registrar under common ownership with new gTLD portfolio registry Famous Four Media, is specifically singled out in the group’s letter.

The letter, sourcing the August 2017 Statistical Analysis of DNS Abuse in gTLDs (pdf), says there “is a clear problem with one particular contracted party”.

AlpNames was the registrar behind over half of the new gTLD domains blacklisted by SpamHaus over the study period, for example, the letter states.

The tiny territory of Gibraltar also frequently ranks unusually highly on abuse lists due to AlpNames presence there, the letter and report say.

The ICWP letter also says that the four gTLDs .win, .loan, .top, and .link were used by over three quarters of abusive domains over the SADAG study period.

The letter calls the abuse rates “troublesome” and says:

We are alarmed at the levels of DNS abuse among a few contracted parties, and would appreciate further information about how ICANN Compliance is using available data to proactively address the abusive activity amongst this subset of contracted parties in order to improve the situation before it further deteriorates.

It goes on to wonder whether high levels of unaddressed abuse could amount to violations of new gTLD Registry Agreements and Registrar Accreditation Agreements, and to ask whether there any barriers to ICANN Compliance pursuing breach claims against such potential violations.

The ICWP comprises Adobe, DomainTools, eBay, Facebook, Microsoft and Time Warner. It’s represented by Fabricio Vayra of Perkins Coie.

Other than the letter (pdf), the Independent Compliance Working Party does not appear to have any web presence, and a spokesperson has not yet responded to DI’s request for more information.

The SADAG report also singled out Chinese registrar Nanjing Imperiosus Technology Co, aka DomainersChoice.com, as having particularly egregious levels of abuse, but noted that this abuse disappeared after ICANN terminated its RAA last year.

AlpNames has not to date had any public breach notices issued against it, but this is certainly not the first time it’s been singled out for public censure.

In November last year, ICANN’s Competition, Consumer Trust, and Consumer Choice Review Team (CCT) named it in a report that claimed: “Certain registries and registrars appear to either positively encourage or at the very least willfully ignore DNS abuse.”

AlpNames seems to have been used often by abusers due to its bargain-basement, often sub-$1 prices — making disposable domains more cost effective — and its tool that allowed up to 2,000 domains to be registered simultaneously.

If not actively soliciting abusive behavior, these factors certainly don’t make abuse any more difficult.

But will ICANN Compliance take action in response to the criticism leveled by CCT and now ICWP?

The main problem with the ICWP letter, and the SADAG report it is based upon, is that the data it uses is now rather old.

The SADAG report sourced abuse databases only up to January 2017, a time when AlpNames’ total gTLD domains under management was at its peak of around three million names.

Since then, the company has been hemorrhaging DUM, losing hundreds of thousands of domains every month. At the end of November 2017, the most recent data compiled by DI shows that it was down to around 838,000 domains.

It’s quite possible that AlpNames’ customer base is no longer the den of abuse it once was, whether due to natural attrition or a proactive purge of bad actors.

A month ago, in a press release connected with a $5.4 million buy-out of an co-founder, AlpNames chairman Iain Roache said he has a “10-year strategic plan” to turn AlpNames into a “Tier-1” registrar and “bring the competition to the incumbents”.

Registries reject lower fees for anti-abuse prowess

Kevin Murphy, February 16, 2018, Domain Policy

Registries have largely rejected a proposal for them to be offered financial incentives to lower the amount of abuse in their gTLDs.

That’s despite the idea gaining broad support from governments, intellectual property interests and restricted-registration registries.

The concept of ICANN offering discounted fees to registries that proactively fight abuse was floated by the Competition, Consumer Trust, and Consumer Choice Review Team (CCT) back in November.

It recommended in its draft report, among other things:

Consider directing ICANN org, in its discussions with registries, to negotiate amendments to existing Registry Agreements, or in negotiations of new Registry Agreements associated with subsequent rounds of new gTLDs to include provisions in the agreements providing incentives, including financial incentives for registries, especially open registries, to adopt proactive anti-abuse measures.

“Proactive” in this case would mean measures such as preventing known bad actors from registering domains, rather than just waiting for complaints to be filed.

Given that registries have been calling for lower ICANN fees in other instances, one might expect to see support from that constituency.

However, the Registries Stakeholder Group said in a document filed to ICANN’s public comment period on the CCT’s latest recommendations that, it “opposes” the idea of such financial incentives. It said:

The RySG supports recognizing and supporting the many [registry operators] that take steps to discourage abuse, but opposes amending the RA as recommended, to mandate or incentivize ‘proactive’ anti-abuse measures.

The RySG complained that such a system would require lots of complex work to arrive at a definition of abuse and what kinds of measures would qualify as “proactive”.

Even if such definitions could be found, and amendments to the standard RA successfully negotiated, there’s still no guarantee that bad registries would sign up for the incentives or stick to their promises, “resulting in no net improvement to the current situation”, the RySG said.

The group is also concerned that adding more anti-abuse clauses to the RA could increase registries’ risk of liability should they be sued over abuse carried out by their customers.

Not all registries agreed with the RySG position, however.

The informal Verified Top-Level Domains Consortium, which comprises the two registries behind .bank, .insurance and .pharmacy, filed comments supporting the proposal.

It said that gTLDs with vetted eligibility requirements see no abuse but have lower registration volumes and therefore pay higher ICANN fees on a per-domain basis. It said:

ICANN should help to offset these costs to create a more level playing field with high-volume unrestricted registries, i.e., to enhance competition as well as consumer trust. If ICANN made it more financially advantageous to verify eligibility, other registries may be encouraged to adopt this model. The outcome would be the elimination of abuse in these verified TLDs.

Outside of the industry itself, the Governmental Advisory Committee and IP interests such as the Intellectual Property Constituency and INTA, filed comments supporting anti-abuse incentives.

The IPC “strongly” supported the recommendation, but added that the finer details would need to be worked out to ensure that lower ICANN fees did not translate automatically to lower registration fees and therefore more abuse.

Shocking nobody, it added that “abuse” should include intellectual property infringements.

Conversely, the Non-Commercial Stakeholders Group said it “strongly” opposes the recommendation, on the basis that it would push ICANN into a “content policeman” role in violation of its technical mandate:

ICANN is not a US Federal Trade Commission or an anti-fraud unit or regulatory unit of any government. Providing guidance, negotiation and worse yet, financial incentives to ICANN-contracted registries for anti-abuse measures is completely outside of our competence, goals and mandates. Such acts would bring ICANN straight into the very content issues that passionately divide countries — including speech laws, competition laws, content laws of all types. It would invalidate ICANN commitments to ourselves and the global community. It would make ICANN the policemen of the Internet, not the guardians of the infrastructure. It is a role we have sworn not to undertake; a role beyond our technical expertise; and a recommendation we must not accept.

Also opposed to incentivizing anti-abuse measures was the Messaging, Malware and Mobile Anti-Abuse Working Group (an independent entity, not an ICANN working group), which said there’s no data to support such a recommendation.

The reports provide no data that showcase what the implications of altering the economic underpinnings of a highly competitive market may entail, including inadvertent side effects such as registries that already sell low price domains being rewarded with lower ICANN fees. In fact, it may ultimately result in a race to the bottom and higher rates of domain abuse.

Instead, M3AAWG said that ICANN should concentrate is contractual compliance efforts on those registries that the data shows already have large amounts of abuse — presumably meaning the likes of .top, .gdn and the Famous Four Media stable.

ICANN itself filed a comment on the proposal, pointing out that it is not able to unilaterally impose anti-abuse measures into registry agreements.

One imagines that lowering fees at a time when its own budget is under a lot of pressure would probably not be something ICANN would be eager to implement.

These comments and more were summarized in ICANN’s report on the CCT public comment period, published yesterday. The comments themselves can be found here.

The comments feed back into the CCT review team’s work ahead of its final report, which is due to be published some time during Q1.

Under its bylaws, the CCT review is one of the things that ICANN has to complete before it opens the next round of new gTLD applications.