28 Abuse Prevention and Mitigation

Prototypical answer:

Response to Question 28 - Abuse Prevention and Mitigation

28.1 Abuse Prevention and Mitigation

Strong abuse prevention of a new gTLD is an important benefit to the internet community. Your Dot PhD, Inc. and back-end registry services provider, Neustar, agree that a registry must not only aim for the highest standards of technical and operational competence, but also needs to act as a steward of the space on behalf of the Internet community and ICANN in promoting the public interest. Neustar brings extensive experience establishing and implementing registration policies and will assist Your Dot PhD, Inc., in implementing an active takedown procedure which is discussed in detail below. The active takedown procedure is based partly on Your Dot PhD, Inc.’s founders’ considerable experiencing in combating fraud online after nearly 15 years of operating and managing an online advertising network. Both Neustar’s and Your Dot PhD, Inc.’s experience will be leveraged to help .MBA combat abusive and malicious domain activity within the new gTLD space.

One of those public interest functions for a responsible domain name registry includes working towards the eradication of abusive domain name registrations, including, but not limited to, those resulting from:

* Illegal or fraudulent actions

* Spam

* Phishing

* Pharming

* Distribution of malware

* Fast flux hosting

* Botnets

* Distribution of child pornography

* Online sale or distribution of illegal pharmaceuticals.

More specifically, although traditionally botnets have used Internet Relay Chat (IRC) servers to control registry and the compromised PCs, or bots, for DDoS attacks and the theft of personal information, an increasingly popular technique, known as fast-flux DNS, allows botnets to use a multitude of servers to hide a key host or to create a highly-available control network. This ability to shift the attacker’s infrastructure over a multitude of servers in various countries creates an obstacle for law enforcement and security researchers to mitigate the effects of these botnets. But a point of weakness in this scheme is its dependence on DNS for its translation services. By taking an active role in researching and monitoring these sorts of botnets, Applicant’s partner, Neustar, has developed the ability to efficiently work with various law enforcement and security communities to begin a new phase of mitigation of these types of threats.

Policies and Procedures to Minimize Abusive Registrations

A Registry must have the policies, resources, personnel, and expertise in place to combat such abusive DNS practices. As .MBA’s registry provider, Neustar is at the forefront of the prevention of such abusive practices and has advised Your Dot PhD, Inc. in developing and implementing an active “domain takedown” policy. Your Dot PhD, Inc. believes that a strong program is essential given that registrants have a reasonable expectation that they are in control of the data associated with their domains, especially its presence in the DNS zone. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet often the best preventative measure to thwart these attacks is to remove the names completely from the DNS before they can impart harm, not only to the domain name registrant, but also to millions of unsuspecting Internet users.

Removing the domain name from the zone has the effect of shutting down all activity associated with the domain name, including the use of all websites and e-mail. The use of this technique should not be entered into lightly. As discussed in detail herein, .MBA and Neustar have a defined and documented process for taking the necessary action of removing a domain from the zone when its presence in the zone poses a threat to the security and stability of the infrastructure of the Internet or the registry.

Abuse Point of Contact

As required by the Registry Agreement, .MBA will establish and publish on its website a single abuse point of contact responsible for addressing inquiries from law enforcement and the public related to malicious and abusive conduct. .MBA will also provide such information to ICANN prior to the delegation of any domain names in the TLD. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a telephone number and mailing address for the primary contact. Your Dot PhD, Inc., will ensure that this information will be kept accurate and up to date and will be provided to ICANN if and when changes are made. In addition, with respect to inquiries from ICANN-Accredited registrars, our registry services provider, Neustar, shall have an additional point of contact, as it does today, handling requests by registrars related to abusive domain name practices.

28.2 Policies Regarding Abuse Complaints

One of the key policies each new gTLD registry will need to have is an Acceptable Use Policy that clearly delineates the types of activities that constitute “abuse” and the repercussions associated with an abusive domain name registration. In addition, the policy will be incorporated into the applicable Registry-Registrar Agreement and reserve the right for the registry to take the appropriate actions based on the type of abuse. This will include locking down the domain name preventing any changes to the contact and name server information associated with the domain name, placing the domain name “on hold” rendering the domain name non-resolvable, transferring to the domain name to another registrar, and⁄or in cases in which the domain name is associated with an existing law enforcement investigation, substituting name servers to collect information about the DNS queries to assist the investigation.

.MBA will adopt an Acceptable Use Policy that clearly defines the types of activities that will not be permitted in the TLD and reserves the right to lock, cancel, transfer or otherwise suspend or take down domain names violating the Acceptable Use Policy and where and when appropriate to share information with law enforcement. Each ICANN-Accredited Registrar must agree to pass through the Acceptable Use Policy to its Resellers (if applicable) and ultimately to the TLD registrants. Below is the Your Dot PhD, Inc.’s initial Acceptable Use Policy that we will use in connection with the .MBA.

.MBA Acceptable Use Policy

This Acceptable Use Policy gives the Your Dot PhD, Inc., the ability to quickly lock, cancel, transfer or take ownership of any .MBA domain name, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity or security of the registry, or any of its registrar partners – and⁄or that may put the safety and security of any registrant or user at risk. The process also allows Your Dot PhD, Inc. to take preventive measures to avoid any such criminal or security threats.

The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the on-going monitoring and random audits by Your Dot PhD, Inc. or its service providers. In all cases, Your Dot PhD, Inc. or its designees will alert its registrar partners about any identified threats, and will work closely with them to bring offending sites into compliance.

The following are some (but not all) activities that may be subject to rapid domain compliance:

* Phishing: the attempt to acquire personally identifiable information by masquerading as a website other than .MBA’s own.

* Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the Hosts file on a victim’s computer or DNS records in DNS servers.

* Dissemination of Malware: the intentional creation and distribution of ʺmaliciousʺ software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.

* Fast Flux Hosting: a technique used to shelter Phishing, Pharming and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP address associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.

* Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.

* Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.

* Child Pornography: the storage, publication, display and⁄or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.

The Your Dot PhD, Inc., reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, Your Dot PhD, Inc. reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion; (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of the registry as well as its affiliates, subsidiaries, officers, directors, and employees; (4) to enforce the terms of the registration agreement [See response to Question 29] or (5) to correct mistakes made by the Your Dot PhD, Inc., or any Registrar in connection with a domain name registration. Your Dot PhD, Inc., also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

Taking Action Against Abusive and⁄or Malicious Activity By Your Dot PhD, Inc. and Neustar

Your Dot PhD, Inc. is committed to ensuring that those domain names associated with abuse or malicious conduct in violation of the Acceptable Use Policy are dealt with in a timely and decisive manner. The founders of Your Dot PhD, Inc., have spent nearly 15 years combating fraud online while operating and managing a pay-per-click advertising network and in turn intend to use their experience and knowledge to help oversee the process described herein. Your Dot PhD, Inc.’s response will include taking action against those domain names that are being used to threaten the stability and security of the TLD, or is part of a real-time investigation by law enforcement.

Once a complaint is received from a trusted source, third-party, or detected by Neustar or Your Dot PhD, Inc., Your Dot PhD, Inc., will then use commercially reasonable efforts to verify the information in the complaint. If that information can be verified to the best of the ability of Your Dot PhD, Inc., the sponsoring Registrar will be notified and be given 12 hours to investigate the activity and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the Your Dot PhD, Inc., to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), Your Dot PhD, Inc., will place the domain on “Server Hold”. Although this action removes the domain name from the TLD zone, the domain name record still appears in the TLD WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.

Monitoring for Malicious Activity

Your Dot PhD, Inc. has developed and implemented an active domain takedown policy in which it will take down abusive domain names.

Generally speaking, Your Dot PhD, Inc.’s approach is to target verified abusive domain names and removes them within 12 hours regardless of whether or not there is cooperation from the sponsoring Registrar. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, including malware, bot command and control, pharming, and phishing, the best preventative measure to thwart these attacks is often to remove the names completely from the DNS before they can impart harm, not only to the domain name registrant, but also to millions of unsuspecting Internet users.

Rapid Takedown Process

Your Dot PhD, Inc. will employ two basic variations of the process. The more common process variation is a light-weight process that is triggered by typical notices. The less-common variation is the full process that is triggered by unusual notices (i.e., notices which allege that a domain name is being used to threaten the stability and security of the TLD, or is part of a real-time investigation by law enforcement or security researchers). These processes are described below:

Lightweight Process

Once a complaint is received from a trusted source, third-party, or detected by Your Dot PhD, Inc.’s back-end registry provider, information about the abusive practice is forwarded internally for immediate response. Although the impacted URL is included in the notification e-mail, the internal contact is trained not to investigate the URLs directly since often times the URLs in question have scripts, bugs, etc. that can compromise the individual’s own computer and the network safety. Rather, the investigation will be conducted through the use a controlled environment so as to not compromise the network. The lab environment is designed specifically for these types of tests to ensure that none of Your Dot PhD, Inc.’s internal or external network elements are harmed in any fashion. Your Dot PhD, Inc.’s founders have used a lab environment to test the functionality of nearly 1,000 downloadable applications in conjunction with such third parties as TRUSTe and are therefore familiar with the process.

Once the complaint has been reviewed and the alleged abusive domain name activity is verified to the best of the ability of Your Dot PhD, Inc., the sponsoring Registrar is given 12 hours to investigate the activity and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the registry to keep the name in the zone.

If the sponsoring Registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), Your Dot PhD, Inc. will ask Neustar to place the domain on “Server Hold”. Although this action removes the domain name from the TLD zone, the domain name record still appears in the TLD WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.

Full Process

In the event that Your Dot PhD, Inc. receives a complaint which claims that a domain name is being used to threaten the stability and security of the TLD or is a part of a real-time investigation by law enforcement or security researchers, Your Dot PhD, Inc. will follow a slightly different course of action.

Upon initiation of this process, Your Dot PhD, Inc.’s abuse monitoring staff will confer with company founders to assess whether the activity warrants immediate action. If it is determined that the incident is not an immediate threat to the security and the stability of critical internet infrastructure then Your Dot PhD, Inc. will refer the incident to the Lightweight process set forth above. If no abusive practice is discovered, the incident is closed.

However, if it is determined there is a reasonable likelihood that the incident warrants immediate action, a determination will be made to request that Neustar immediately remove the domain from the zone. As such, Your Dot PhD, Inc. will contact the sponsoring Registrar immediately to communicate that there is a domain involved in a security and stability issue. The registrar is provided only the domain name in question and the broadly stated type of incident. Given the sensitivity of the associated security concerns, it may be important that the sponsoring Registrar not be given explicit or descriptive information in regards to data that has been collected (evidence) or the source of the complaint. The need for security is to fully protect the chain of custody for evidence and the source of the data that originated the complaint.

Coordination with Law Enforcement

With the assistance of Neustar as its back-end registry services provider, .MBA can meet its obligations under Section 2.8 of the Registry Agreement where required to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD. Your Dot PhD, Inc.’s founders have worked closely with such law enforcement and governmental agencies as the Federal Bureau of Investigation and National Aeronautics and Space Administration in an attempt to combat online fraud. .MBA and⁄or Neustar will respond to legitimate law enforcement inquiries within one business day from receiving the request. Such response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by .MBA and⁄or Neustar for rapid resolution of the request.

In the event such request involves any of the activities which can be validated by .MBA and⁄or Neustar and involves the type of activity set forth in the Acceptable Use Policy, the sponsoring Registrar is then given 12 hours to investigate the activity further and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), Neustar places the domain on “Server Hold”.

28.3 Measures for Removal of Orphan Glue Records

As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the “dominant use of orphaned glue supports the correct and ordinary operation of the DNS.” See http:⁄⁄www.icann.org⁄en⁄committees⁄security⁄sac048.pdf.

While orphan glue often support correct and ordinary operation of the DNS, we understand that such glue records can be used maliciously to point to name servers that host domains used in illegal phishing, bot-nets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its children glue records still remain in DNS. Therefore, when the Registry has written evidence of actual abuse of orphaned glue, the Registry will take action to remove those records from the zone to mitigate such malicious conduct.

Neustar run a daily audit of entries in its DNS systems and compares those with its provisioning system. This serves as an umbrella protection to make sure that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone but not in the provisioning system will be flagged for investigation and removed if necessary. This daily DNS audit serves to not only prevent orphaned hosts but also other records that should not be in the zone.

In addition, if either .MBA or Neustar become aware of actual abuse on orphaned glue after receiving written notification by a third party through its Abuse Contact or through its customer support, such glue records will be removed from the zone.

28.4 Measures to Promote WHOIS Accuracy

Your Dot PhD, Inc, will offer a mechanism whereby third parties can submit complaints directly to Your Dot PhD, Inc. (as opposed to ICANN or the sponsoring Registrar) about inaccurate or incomplete WHOIS data. Such information shall be forwarded to the sponsoring Registrar, who shall be required to address those complaints with their registrants. Thirty days after forwarding the complaint to the registrar, Your Dot PhD, Inc., will examine the current WHOIS data for names that were alleged to be inaccurate to determine if the information was corrected, the domain name was deleted, or there was some other disposition. If the sponsoring Registrar has failed to take any action, or it is clear that the Registrant was either unwilling or unable to correct the inaccuracies, Your Dot PhD, Inc., reserves the right to suspend the applicable domain name(s) until such time as the Registrant is able to cure the deficiencies.

In addition, .MBA shall on its own initiative, no less than once per month, perform a manual review of a random sampling of .MBA domain names to test the accuracy of the WHOIS information. Although this will not include verifying the actual information in the WHOIS record, .MBA will be examining the WHOIS data for prima facie evidence of inaccuracies. In the event that such evidence exists, it shall be forwarded to the sponsoring Registrar, who shall be required to address those complaints with their Registrants. According to the procedure set forth above, thirty days after forwarding the complaint to the sponsoring Registrar, Your Dot PhD, Inc., will examine the current WHOIS data for names that were alleged to be inaccurate to determine if the information was corrected, the domain name was deleted, or there was some other disposition. If the sponsoring Registrar has failed to take any action, or it is clear that the Registrant was either unwilling or unable to correct the inaccuracies, Your Dot PhD, Inc. reserves the right to suspend the applicable domain name(s) until such time as the Registrant is able to cure the deficiencies.

28.4.1 Monitoring of Registration Data

As mentioned above Your Dot PhD, Inc., will regularly monitor registration data for accuracy and completeness and if necessary employ authentication methods to address domain names with inaccurate or incomplete WHOIS data. As discussed in more detail in response to Question 29, Your Dot Phd, Inc., will send an introduction email to all new registrants upon the purchase of a .MBA domain name in order to verify all contact information in the WHOIS database as well as to inquire about whether or not the registrant meets the Eligibility Requirements. In addition, any time a registrant updates, transfers or deletes their information which results in a modification of their WHOIS contact information, Your Dot PhD, Inc., will contact said registrant by email in order to confirm that a change has been made to their contact information and in order to verify any updated contact information. In certain circumstance, in order to verify Eligibility Requirements, Your Dot PhD, Inc. may require the registrant to provide verifiable proof that they possess the requisite education background, which may be provided by a third party such as the National Student Clearinghouse or another third party service for international degrees, which will in turn be useful to verify WHOIS database information.

28.4.2 Policies and Procedures Ensuring Compliance

Although, the requirements of the Registrar Accreditation Agreement will continue to apply to all ICANN-accredited registrars, Your Dot PhD, Inc., intends to work hand and hand with registrars to maintain and establish policies and procedures to ensure compliance. As mentioned above, regular monitoring on monthly basis will be used to confirm and verify WHOIS contact information. In addition, Your Dot PhD, Inc. may choose to offer discounts and financial incentives to registrars in exchange for regular and timely responses to requests described above, if necessary.

28.5 Resourcing Plans

Responsibility for abuse mitigation rests with a variety of functional groups from both Your Dot Phd, Inc. and Neustar.  The abuse monitoring and customer service staff member from Your Dot Phd, Inc., coupled with the executive team will be primarily responsible for providing analysis and conducting investigations of reports of abuse. As mentioned throughout this application, Your Dot Phd, Inc., intends to employ one full time employee for purposes of monitoring abuse mitigation, registration eligibility and customer service. In addition, Your Dot PhD, Inc.’s founders have considerable experience assessing and monitoring fraudulent activities online after operating and managing a pay-per-click advertising network for nearly 15 years. The founders’ real world experience coupled with the technical capabilities and resources of Neustar will serve as a benefit to .MBA in various facets of abuse monitoring. For example, the customer service team from Neustar, will play an important role in assisting Your Dot PhD, Inc. with the investigations, responding to customers, and notifying registrars of abusive domains.  In addition, the Policy⁄Legal team from Neustar along with Your Dot PhD., Inc.’s legal team will be responsible for developing and fine tuning the relevant policies and procedures. 

The necessary resources from Neustar will be pulled from the pool of available resources described in detail in the response to Question 31. The following resources are available from Neustar:

Customer Support – 12 employees

Policy⁄Legal – 2 employees

The following resources are available from Your Dot Phd, Inc.:

Customer Support⁄Customer Service - 1 full time employee

Policy⁄Legal – 1 employee and outside counsel.

The resources are more than adequate to support the abuse mitigation procedures of the .MBA registry. 

Similar gTLD applications: (1)