• About the Institute
  • Innovation
  • Education
  • Collaboration
  • Events
  • Blog
  • Contact
    • Events
    • Contact
    • Blog
    • NetBeacon
    • DNSAI Compass
    DNS Abuse Institute

    ABOUT US

    Discover who we are and what we do

    INNOVATION

    Learn about our innovative solutions to strengthen the DNS.

    EDUCATION

    Access our resources and discover our projects and research.

    COLLABORATION

    Learn how to join, contribute, and participate!

    Article

    • Home
    • Blog
    • Article
    • The Current State of DNS Abuse Reporting

    The Current State of DNS Abuse Reporting

    • Posted by Graeme Bunton
    • Categories Article, News, Research
    • Date November 18, 2021

    By Graeme Bunton, Director of the DNS Abuse Institute

    INTRODUCTION

    The DNS Abuse Institute (DNSAI) is currently developing a Centralized Abuse Reporting Tool (CART).  This tool is intended to provide a single platform to report DNS Abuse by outlining the evidence requirements for each abuse type, properly formatting and enriching the request details provided, and then forwarding it to the appropriate registry or registrar.  The goal is to standardize reliable processes to improve both the act of reporting abuse and the abuse reports that registrars and registries receive.

    As part of it’s requirements gathering, the DNSAI researched the reporting processes of the largest registries and registrars in order to better understand how they accept reports of abuse.  Publicly available information from registry and registrar websites was collected to obtain data on their abuse reporting implementations and processes.  In an attempt to mimic the experience of an abuse reporter without prior knowledge of the registry or registrar, the search for information always started on each registrar or registry homepage, followed by more extensive site navigation when required, or a separate google search if insufficient information was found on the website.  

    Note that the data only reflects the information found at the time of searching and not necessarily what may currently exist. Factors such as language and large or complex websites may have effectively hidden some of the information sought, but in this case it could also be reasonably assumed that abuse reporters would be similarly impacted. 

    It should also be noted that this work was not intended as an audit, and was not conducted with an eye towards any applicable ICANN contractual obligations. Further, a substantial amount of the information we were looking for goes above and beyond what ICANN accredited registrars and registries are required to do. The data includes results from ccTLDs that are entirely outside of the ICANN contractual regime.

    FINDINGS

    Research was conducted on the top 50 registrars by the number of registered domains, comprising over a quarter of all registered domains, and a significant majority of gTLD domains.  

    Research was also conducted on the 32 registries that operate the 15 largest TLDs by names under management as well as the 30 largest gTLDs by names under management. This represents a majority of all domains.

    Remember, these results were gathered by beginning to search through the relevant registrar or registry sites and expanding from there, so it is possible that additional resources exist but were not found after reasonable diligence. That said, if we were unable to locate the resource after reasonable diligence, it is likely an abuse reporter would have the same experience. 

    The data collected from registrar and registry websites indicated the following:

    Information available on abuse reporting % of Registrars % of Registries
    Dedicated abuse reporting page 78% 47%
    Link to abuse reporting page from their homepage  46% 34%
    Required search beyond the homepage or a separate google search to find the abuse reporting page 32% 12%
    No abuse reporting page located  22% 53%
    Abuse contact email 74% 56%
    Abuse email contact was not listed on the abuse reporting page, but found via the contacts page, site search, or google search 20% 19%
    Webform for abuse reports 54% 25%
    Only webform is available (no email, etc) 14% 6%
    Webform has a single set of response fields for all abuse types 22% 19%
    Abuse contact mailing address 4% 22%
    Abuse contact telephone number 16%  12%
    No abuse contact 10% 34%
    Specification of abuse types  64% 25%
    Evidence requirements for each abuse type stipulated  40% 9%
    Separate processes for law enforcement and the use of court orders/subpoenas  22% 3%

    OBSERVATIONS

    A significant majority of the registrars, but only around half of the registries, provide an abuse reporting page and abuse email contact, which is likely due to the fact that registrars are normally the first point of contact when reporting DNS Abuse.  The data suggests that new gTLD registries have the most, and most accessible information on DNS abuse reporting, in comparison to legacy and ccTLDs.

    Where there was a homepage link to the abuse reporting page, it was almost always found in the footer. The abuse contact details (email or other) were often absent from the registry or registrar ‘Contacts’ page.   Likewise, the abuse reporting process, including expected timelines, was mostly not specified. 

    Notably more registrars than registries identified the abuse types that could be reported, but they almost all included abuse types go beyond the ICANN Contracted Party House’s agreed definition of DNS Abuse, such as inappropriate content and IP infringement. Some registrars also provided an ‘other’ option. Evidence requirements were less likely to be given by the smaller top 50 registrars and seldom provided by registries in general.

    Separate processes for law enforcement and court orders/subpoenas were largely not published by registrars or registries, though it is impossible to know how many have direct relationships with law enforcement agencies in their jurisdiction with which such information is shared.

    Overall, there appears to be an inconsistent handling of abuse reporting, by both registrars and registries.  A majority of registrars are providing more than just the basics of a contact, but useful information on how reports should be properly submitted and transparency around what to expect next is often missing. It is also a concern that a notable minority of registries, and a lesser, but still significant, minority of registrars, appeared to have no abuse contact at all.

    Conclusions

    Given the variety in business models, size, jurisdictional requirements, and approaches to abuse mitigation, it’s not at all surprising that we see a diversity in approaches to abuse reporting. Nor is it surprising that this ecosystem makes it difficult to report abuse in a meaningful way.  

    What’s not obvious is that building systems to accept useful reports is difficult. There are trade-offs between making a reporting mechanism easy to use, like simply providing an email address, and ensuring that a report is actionable by implementing mandatory evidentiary requirements. Perfecting this balance is not a core competency for most organizations, including registrars and registries. 

    A mechanism to report abuse that is both usable to a layperson, and useful to a registrar is the fundamental premise of the CART.  We’re deeply focused on ensuring the user experience for abuse reporters is simple and captures useful, relevant information.  We’re also ensuring that all reports that pass through the CART are sent to the relevant party, with helpful information that enables meaningful decisions on abuse. 

    The problems with reporting abuse are evident in the numbers above, and our work to resolve them is well underway.

     

     

    [1] https://domainnamestat.com/statistics/registrar/others

    [2] https://www.statista.com/statistics/265677/number-of-internet-top-level-domains-worldwide/

    [3] https://namestat.org

    [4] https://rrsg.org/wp-content/uploads/2020/10/CPH-Definition-of-DNS-Abuse.pdf

    Tag:DNS Abuse, DNS Abuse Institute, DNS reporting, online harms

    • Share:
    author avatar
    Graeme Bunton

    Previous post

    DNS Abuse Definition: Attributes of Mitigation
    November 18, 2021

    Next post

    Compromised Sites and Malicious Registrations: Best Practices for the Identification and Mitigation of DNS Abuse
    December 2, 2021

    You may also like

    bp phish reports useful
    Best Practice: Making Phishing Reports Useful
    13 December, 2022
    Anti Fraud Tools BP
    Best Practice: Anti-Fraud Tools and Registration Flows for Registrars
    6 December, 2022
    dnsai newsletter image smaller
    DNSAI Newsletter November 2022
    1 November, 2022

    Search

    Categories

    • Article
    • Best Practice
    • DNSAI Intelligence
    • News
    • Newsletter
    • Report
    • Research
    • Resources
    logo-public-interest-registry-dns-abuse-institute

    The DNS Abuse Institute

    Providing innovative solutions and information that ensure the DNS is safe and secure worldwide.

    Institute

    • About the Institute
    • Innovation
    • Education
    • Collaboration

    Quick Links

    • Blog
    • Contact
    • Privacy Policy
    • NetBeacon
    • DNSAI Compass

    Connect With Us

    Newsletter

    Get the latest DNS Abuse Institute news delivered to your inbox.


    PIR will only use the personal data you submit via this form to contact you regarding the DNS Abuse Institute Newsletter. The information will not be used for any other purpose.

    Please be aware that if you do not consent to the use of your email for this purpose we will not be able to fulfill your request.

    Opt-In *

    * indicates required

    © 2022 Public Interest Registry. All rights reserved.