ICANN gunning for Tencent over abuse claims
ICANN Compliance is taking on one of the world’s largest technology companies over claims that a registrar it owns turns a blind eye to DNS abuse and phishing.
The Org has published a breach of contract notice against a Singapore registrar called Aceville Pte Ltd, which does business as DNSPod and is owned by and shares its headquarters with $86-billion-a-year Chinese tech conglomerate Tencent.
ICANN says that DNSPod essentially has turned a blind eye to recent abuse reports, allowing phishing sites to stay online long after they were reported, and makes life difficult for people trying to report abuse.
It also has failed to upgrade from the Whois protocol to RDAP and failed to migrate its registration data escrow service provider from NCC to DENIC, according to the notice.
According to ICANN, DNSPod received abuse reports about several domains in July and August but failed to take action at all or until ICANN itself got in touch to investigate. Compliance wants to know why.
ICANN adds that the registrar seems to be requiring reporters to create user accounts and use a web form to submit their reports, even after they’ve already used the abuse@ email address.
Stricter rules on DNS abuse came into force on registrars this April. They’re now required to take action on abuse reports.
“Aceville does not appear to have a process in place to promptly, comprehensively, and reasonably investigate and act on reports of DNS Abuse,” the notice reads.
ICANN has given DNSPod until October 11 to answer its questions or risk escalation.
While DNSPod says it has been around for 17 years, it only received its ICANN accreditation in 2020. Since then, it’s grown to almost 200,000 domains under management in gTLDs.
It’s primarily a DNS resolution service provider, saying it hosts over 20 million domains, and does not appear to operate as a retail registrar in the usual sense.
Owner Tencent may not be a household name in the Anglophone world, but it’s the company behind some of China’s leading social media brands, including QQ and WeChat, as well as a formidable force in gaming and one of the world’s richest companies in any sector.
It’s the second huge Chinese tech firm to find itself publicly shamed by ICANN in recent months. Compliance went after Tencent’s primary competitor, Alibaba, on similar grounds in March. Alibaba has since resolved the complaints.
We grassed up .TOP, says free abuse outfit
A community-run URL “blacklist” project has claimed credit for the complaints that led to .TOP Registry getting hit by an ICANN Compliance action earlier this week.
.TOP was told on Tuesday that it has a month to sort out its abuse-handling procedures or risk losing the .top gTLD, which has over three million domains.
ICANN said the company had failed to respond to an unspecified complainant that had reported multiple phishing attacks, and now the source of that complaint has revealed itself in a news release.
URLAbuse says it was the party that reported the attacks to .TOP, which according to ICANN happened in mid April.
“Despite repeated notifications, the .TOP Registry Operator failed to address these issues, prompting URLAbuse to escalate the matter to ICANN,” URLAbuse said, providing a screenshot of ICANN’s response.
URLAbuse provides a free abuse blocklist that anyone is free to incorporate into their security setup. Domain industry partners include Radix, XYZ.com and Namecheap.
First registry gets breach notice over new abuse rules
.TOP Registry allegedly ignored reports about phishing attacks and has become the first ICANN contracted party to get put on the naughty step over DNS abuse rules that came into effect a few months ago.
ICANN has issued a public breach notice claiming that the registry, which runs .top, has also been ignoring the results of Uniform Rapid Suspension cases, enabling cybersquatting to take place.
The notice says that .TOP breached new rules, which came into effect April 5, that require it to act on reports of DNS abuse (such as malware or phishing attacks) by suspending the domains or referring them to the responsible registrar.
The registry didn’t do this with respect to a report of April 18, concerning “multiple .top domain names allegedly used to conduct phishing attacks”. It didn’t even read the report until contacted by ICANN, according to the notice.
As of yesterday, only 33% of the phishing domains have been suspended by their registrars, some three months after the attacks were reported, ICANN says.
Compliance is also concerned that .TOP seems to be ignoring notices from Forum, the company that processes URS cases, requiring domains to be locked within 24 hours when they’ve been hit with a charge of cybersquatting.
The registry “blatantly and repeatedly violated” these rules, according to ICANN.
.TOP has been given until August 15 to get its act together or risk having its Registry Agreement suspended or terminated.
The registry has about three million .top domains under management, having long been one of the most successful new gTLDs of the 2012 round in volume terms. It typically sells domains very cheaply, which of course attracts bad actors.
Alibaba hit with ICANN breach notice
One of the companies in the Alibaba Group, China’s biggest registrar and one of the largest technology companies in the world, has been handed a breach notice, containing a long list of complaints including abuse failures and non-payment of fees, by ICANN Compliance.
Alibaba.com Singapore E-Commerce, one of Alibaba’s four accredited registrars, failed to respond to abuse reports and failed to respond to ICANN’s requests for information about its failure to respond to abuse reports, the notice claims.
The breach notice will likely be the last to be sent out for claims under the current version of the Registrar Accreditation Agreement. In two days, April 5, stricter domain takedown rules approved earlier this year will become effective on all registrars.
The abuse claims seem to cover four domains in .com and .vip that look like typos that could have been used in phishing attacks.
ICANN Compliance says that Alibaba also hasn’t published the names of its officers or its redemption fees, as the RAA also requires. It says the registrar also owes it an unspecified amount of past-due fees.
The chronologies reported in the notice claim Alibaba has been giving Compliance the run-around, failing to respond to calls and emails, since early November.
All four registrars in the Alibaba Group have the same published email and phone details, but it’s not clear whether the same ones are listed in ICANN’s internal directory.
Alibaba.com Singapore is one of four accredited registrars owned by Alibaba, the Chinese e-commerce giant. The parent is not short of a bob or two, reporting revenue equivalent to $126 billion last year. It can afford to pay its ICANN fees.
Of the three Alibaba registrars that have domains, the “Singapore” one is the smallest, with about 660,000 domains under management. The other two have 3.2 million and 2.6 million domains to their accreditations.
The company has been told it has until April 17 to come back into compliance or risk getting terminated.
UK gov takes its lead from ICANN on DNS abuse
The UK government has set out how it intends to regulate UK-related top-level domain registries, and it’s taken its lead mostly from existing ICANN policies.
The Department for Science, Innovation and Technology said last year that it was to activate the parts of the Digital Economy Act of 2010 that allow it to seize control of TLDs such as .uk, .london, .scot, .wales and .cymru, should those registries fail to tackle abuse in future.
It ran a public consultation that attracted a few dozen responses, but has seemingly decided to stick to its original definitions of abuse and cybersquatting, which were cooked up with .uk registry Nominet and others and closely align to industry norms.
DSIT plans to define abuse in the same five categories as ICANN does — phishing, pharming, botnets, malware and vector spam (spam that is used to serve up the first four types of attack) — in its response to the consultation, published yesterday (pdf).
But it’s stronger on child sexual abuse material than ICANN. While registries and registrars have developed a “Framework to Address Abuse” that says they “should” take down domains publishing CSAM, ICANN itself has no contractual prohibitions on such content.
DSIT said it will require UK-related registries to have “adequate policies and procedures” to combat CSAM in their zones. The definition of CSAM follows existing UK law in being broader than elsewhere in the world, including artworks such as cartoons and manga where no real children are harmed.
DSIT said it will define cybersquatting as “the pre-emptive, bad faith registration of trade marks as domain names by third parties who do not possess rights in such names”. The definition omits the “and is being used in bad faith” terminology used in ICANN’s UDRP. DSIT’s definition includes typosquatting.
In response to the new document, Nominet tweeted:
The response highlights that Government recognises the work registries already do to support law enforcement agencies prevent the registration of domains to carry out illegal activity and "expect the existing voluntary arrangements to be used as the first port of call".
— Nominet (@Nominet) February 23, 2024
DSIT said it will draft its regulations “over the coming months”.
Registries and registrars vote ‘Yes’ to new DNS abuse rules
ICANN’s contracted registries and registrars have voted to accept new rules requiring them to take action on DNS abuse.
The new rules come after a vote lasting a few months with some quite high thresholds for success.
The current Registrar Accreditation Agreement merely requires registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which is pretty vague and barely enforceable.
The amendments, which still need to be rubber-stamped by the ICANN board, make it much clearer what registrars are expected to do in which circumstances. A new paragraph is added that reads:
3.18.2 When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage.
For registries, the new text for the base gTLD Registry Agreement is similar, but with a little more wiggle-room:
Where a Registry Operator reasonably determines, based on actionable evidence, that a registered domain name in the TLD is being used for DNS Abuse, Registry Operator must promptly take the appropriate mitigation action(s) that are reasonably necessary to contribute to stopping, or otherwise disrupting, the domain name from being used for DNS Abuse. Such action(s) shall, at a minimum, include: (i) the referral of the domains being used for the DNS Abuse, along with relevant evidence, to the sponsoring registrar; or (ii) the taking of direct action, by the Registry Operator, where the Registry Operator deems appropriate. Action(s) may vary depending on the circumstances of each case, taking into account the severity of the harm from the DNS Abuse and the possibility of associated collateral damage.
In both cases, DNS abuse is defined by the now industry standard line: “malware, botnets, phishing, pharming, and spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse listed in this Section)”.
There are a few other quality of life updates, such as the requirement for registrars to acknowledge receipt of abuse reports and to have their abuse reporting mechanism “conspicuously and readily accessible from” their home pages.
ICANN needed registrars representing over 90% of registered gTLD domains (adjusted slightly to make GoDaddy’s voice less powerful). That threshold was passed last week, with 94% of domains voting in favor of the amendments.
For registries, ICANN required a simple majority of registries (counted by contract rather than company) and for all registries voting in favor to have been responsible for two thirds of all registry fees paid last year.
Judging by the financial thresholds, .com and .net, which are not on the base RA, were not involved.
ICANN rejects a whole bunch of new gTLD policy stuff
ICANN has delivered some bad news for dot-brands, applicants from poorer countries, and others, at the weekend rejecting several items of new gTLD policy advice that the community spent years cooking up.
The board of directors on Sunday approved a scorecard of determinations, including the rejection (or non-adoption) of seven GNSO recommendations that it deems “would not be in the best interests of the ICANN community or ICANN”.
In reality, it’s the latter that seems to have been foremost in the board’s mind; most of the rejections appear to be geared toward reducing ICANN Org’s legal or financial exposure.
Notably, dot-brands are denied some of the relief from cumbersome or expensive requirements that the GNSO had wanted rid of.
The board rejected a recommendation that would exempt them from the Continued Operations Instrument — a financial bond used to pay an Emergency Back-End Registry Operator should the applicant go out of business.
“[T]he Board is concerned that an exemption from an COI for Spec 9 applications would have financial impact on ICANN since there would be no fund to draw from if such a registry went into EBERO,” the board wrote.
It also rejected a request to exempt dot-brands from rules requiring them to contractually ban and monitor abuse in their TLDs. The GNSO had argued that single-registrant TLDs do not suffer abuse, but the board said this could lead to abuse from compromised domains going unaddressed.
“The Board concludes that Recommendation 9.2, if implemented, could lead to DNS abuse for second-level registrations in a single-registrant TLD going unaddressed, unobserved, and unmitigated,” it said.
Applicants hoping to benefit from the Applicant Support Program — which in 2012 offered heavily discounted application fees to poorer applicants — also got some bad news.
The GNSO wants the support to extend to other costs such as application-writing services and lawyers, which naturally enough put the frighteners on the board, which noted “such expansion of support could raise the possibility of inappropriate use of resources (e.g. inflated expenses, private benefit concerns, and other legal or regulatory concerns)”.
The board also rejected a couple of recommendations that could be seen as weakening its role as ultimate authority over all things gTLD.
It rejected a proposal to remove the controversial covenant not to sue (CNTS) from the application process unless other recommendations related to appeals processes are implemented.
ICANN said that because it has not yet approved these other recommendations, it has rejected this recommendation.
The board also rejected a recommendation that would have limited its ability to reject a gTLD application to only when permitted to do so by the rules set out in the Applicant Guidebook.
The idea was to prevent applications being arbitrarily rejected, but the board said this “may unduly limit ICANN’s discretion to reject an application in yet-to-be-identified future circumstance(s)”.
The rejections invoke part of the ICANN bylaws that now requires the GNSO Council to convene and either affirm or amend its recommendations before discussing them with the board. Presumably this could happen at ICANN 78 next month.
The bylaws process essentially gives the board the ultimate authority to throw out the GNSO recommendations if it can muster up a two-thirds supermajority vote, something it rarely has a problem achieving.
Government to regulate UK-related domain names
The UK government is to trigger a law that would allow it to take control of .uk, .wales, .cymru, .scot and .london if their registries get thoroughly abused and they fail to do anything about it.
The Department for Science, Innovation and Technology said today it is to activate (or “commence”) the parts of the Digital Economy Act of 2010 that give it the power to appoint a new manager for any “UK-related” TLDs.
DSIT would only be able to exercise these powers if the registry in question had let DNS abuse or cybersquatting run amok and failed to follow government orders to fix it. I don’t believe any of the affected registries are currently in such a state.
The government has now launched a consultation, running until the end of August, to get industry and public feedback on its definitions of abuse and what it called “unfair domain use”, meaning cybersquatting.
Nominet, which runs .uk, .wales and .cymru, said in a statement:
The proposed prescribed requirements are consistent with Nominet’s current voluntary procedures, which Government has made clear it believes Nominet operates in a perfectly satisfactory manner. As the Government has had a reserve power to “step in” ever since the DEA was introduced, the purpose of the new provisions is to give Government a formal mechanism to do so, should it ever be required. Our understanding is that Government is enacting these provisions now to ensure the UK meets international best practice on governance of country code top-level domains in line with key global trading partners and future global trading commitments.
Based on my first read, I expect registries and registrars will think it looks generally pretty palatable. It seems DSIT has followed ICANN and the industry’s lead in terms of what qualifies as abuse, and Nominet said in a statement tonight that all three affected registries have been meeting with DSIT to craft the consultation.
Domain investors may take issue with the precise wording of the cybersquatting definition, however.
The definitions of abuse cover the industry standard five bases: malware, phishing, botnets, pharming and spam (insofar as it facilitates any of the other four) and cybersquatting is defined thus:
the pre-emptive, bad faith registration of trade marks as domain names by third parties who do not possess rights in such names. This includes ‘typosquatting’, when an end user takes advantage of common misspellings made by Internet users who are looking for a particular site or a particular provider of goods or services, in order to obtain some benefit.
Domainers will notice the document talks about “bad faith registration”, whereas UDRP talks about bad faith “registration and use”, which is sometimes an important edge-case distinction in cybersquatting disputes. Nominet’s DRS uses bad faith registration “or” use.
Where the consultation gets vague, and the potential for debate arises, is when it talks in general, high-level terms about how dispute resolution procedures should be designed.
Failure to deal with child sexual abuse material, as defined in the Convention on the Rights of the Child, in an affected TLD could also result in the government appointing a new registry.
The four gTLDs affected by the legislation all are considered geographic under ICANN rules and had to secure local government support when they applied for their strings. ICANN has a contractual right to terminate them if that government says so.
After the consultation is complete, DSIT intends to make its definitions law through secondary legislation.
This post was updated shortly after publication to add Nominet comments.
Identity Digital sees abuse up a bit in Q3
Identity Digital has published its second quarterly abuse review, showing abuse reports up slightly overall.
The report, which covers the third quarter 2022, also shows that the registry only released the private Whois information for a single domain during the period.
ID said it closed 3,225 abuse cases in Q3, up from 3,007 in Q2, covering 4,615 domains, up from 3,816. The vast majority — almost 93% — related to phishing. That’s in line with the previous quarter.
In about 1,500 cases, the domains in question were suspended by the registry or registrar in the first 24 hours, the report says. In 630 cases, the registry took action after the registrar failed to act within 72 hours.
The company received five complaints about child sexual abuse material from the Internet Watch Foundation during the period, up a couple on Q2, but all were remediated by the registrars in question.
It received four takedown notices from the Motion Picture Association under the registry’s Trusted Notifier Program, all of which resulted in suspended domains.
There were requests for private Whois information for 20 domains, three of which were intellectual property related, but only one resulted in disclosure. In 12 cases ID took the decision not to disclose.
The company has over 260 gTLDs in its stable and over 5.5 million registered domains.
The full slide deck can be viewed here (pdf).
Abuse crackdown likely in next gTLD registrar contract
ICANN and its accredited registries and registrars have formally kicked off contract renegotiations designed to better tackle DNS abuse.
The aim is to create a “baseline obligation” for contracted parties to “take reasonable and appropriate action to mitigate or disrupt malicious registrations engaged in DNS Abuse”, according to recent correspondence.
This may close the loophole in the contracts identified this year that hinders ICANN Compliance’s ability to take action against registrars that turn a blind eye to abuse.
The current contracts require registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which lacks clarity because there’s no agreement on what an appropriate response is.
The registries and registrars stakeholder groups (RySG and RrSG) note that the term “DNS abuse” won’t be expanded to cover web site content, nor will the talks cover Whois policy.
As is the norm for contract negotiations, they’ll be bilateral between ICANN and a select group of representative contracted parties, and conducted in private.
Talks are expected to take three to six months and the resulting amendments to the Registrar Accreditation Agreement and base Registry Agreement will be published for 30 days of public comment.
It’s been almost 10 years since the RAA was last updated.