28 Abuse Prevention and Mitigation
Prototypical answer:
gTLD | Full Legal Name | E-mail suffix
.COACH | Coach, Inc. | steptoe.com
Abuse within the TLD will not be tolerated. Coach, Inc. (“Applicant” or “Coach”) will implement very strict policies and procedures to minimize abusive registrations and other activities that have a negative impact on Internet users. Applicant has resolved to ensure that abusive use of the .coach domain names will not be permitted nor tolerated. The nature of such abuses creates security and stability issues for Applicant, as well as for users of the Internet in general, and particularly those who wish to interact with Applicant in a secure and reliable manner. The nature of such abuses also inherently creates negative publicity and loss of brand integrity and goodwill and, therefore, any such abuse must be swiftly and effectively addressed, and systems must continue to evolve in accordance with evolving threats.
One of Applicant’s primary abuse prevention and mitigation strategies is to ensure that only Applicant registers and Applicant and/or its Affiliates (as defined in Applicant’s registration policy) use domain names in the TLD under strict guidelines as set by Applicant. In order to ensure that Applicant does not register abusive domain names, Applicant has appointed a single group of employees as authorized to register, acquire, and/or monitor domain names in the TLD.
As stated elsewhere, Applicant will not allow the registration of any domain names, except for those required by ICANN and for internal business or testing purposes, for likely one (1) to five (5) years while it conducts marketing and technical studies on how to best operate the TLD. For example, Applicant will initially register and use only two (2) domain names, namely, [NIC.COACH] and [WHOIS.COACH] to provide access to the TLD’s Whois database and its abuse policy and contact.
Anti-Abuse Policy
Applicant will implement a Domain Name Anti-Abuse Policy (“Abuse Policy”) in its internal policies and in its Registrar and Registration agreements, to which all registered domain names in the TLD will be subject.
The Abuse Policy will provide Applicant with broad power to suspend, cancel, or transfer domain names that violate the Abuse Policy. Applicant will publish the Abuse Policy on its home website and clearly provide Applicant’s Abuse Point of Contact (“Abuse Contact”) and its contact information. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of abuse complaints, and a telephone number and mailing address for the Abuse Contact. Applicant will ensure that this information will be kept accurate and up to date and will be provided to ICANN if and when changes are made. In addition, with respect to inquiries from ICANN-Accredited registrars, Applicant’s registry services provider, Verisign, shall have an additional point of contact to handle requests by registrars related to abusive domain name practices.
Inquiries addressed to the Abuse Contact will be forwarded to the Registry Services Liaison(s), who will review and, if applicable, remedy any Complaint regarding an alleged violation of the Abuse Policy, as described in more detail below.
The Abuse Policy will state, at a minimum, that Applicant reserves the right to deny, cancel, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status, that it deems necessary, in its discretion: (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Applicant, as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement or any agreement Applicant has with any party; (5) to correct mistakes made by the Applicant, registry services provider, or any registrar in connection with a domain name registration; (6) during resolution of any dispute regarding the domain; and (7) if a registrant’s pre-authorization or payment fails.
The Abuse Policy will define the abusive use of domain names to include, but not be limited to, the following activities:
• Illegal or fraudulent actions: use of the Applicant’s or Registrar's services to violate the laws or regulations of any country, state, or other applicable jurisdiction, or in a manner that adversely affects the legal rights of any other person;
• Spam: use of electronic messaging systems from email addresses from domains in the TLD to send unsolicited bulk messages in violation of applicable laws. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums;
• Phishing: use of counterfeit Web pages within the TLD that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;
• Pharming: redirecting of unknowing users to fraudulent Web sites or services, typically through DNS hijacking or poisoning;
• Willful distribution of malware: dissemination of software designed to infiltrate or damage a third-party computer system without the owner's consent. Examples include, without limitation, computer viruses, worms, key loggers, and trojan horses;
• Fast flux hosting: use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves. Fast flux hosting may be used only with prior permission of PIR;
• Botnet command and control: services run on a domain name that are used to control a collection of compromised computers or "zombies," or to direct denial-of-service attacks (DDoS attacks);
• Illegal Access to Other Computers or Networks: illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individual's system (often known as "hacking"). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity);
• Non-intended Use: use of the domain name other than that which was stated during the registration, without a change of intended use accepted by Applicant;
• Cybersquatting: registration of a domain name confusingly similar to a third party’s name or trademark without any legitimate interest in the name and in bad faith;
• Domain Kiting⁄Tasting: registration of domain names to test their commercial viability before returning them during a Grace Period.
Domain Anti-Abuse Procedure
Applicant will provide a domain name anti-abuse procedure (“Abuse Procedure”) modeled after the Digital Millennium Copyright Act’s notice-and-takedown procedure.
At all times, Applicant will publish on its home website the Abuse Policy and Abuse Procedure and the contact information for the Abuse Contact. Inquiries addressed to the Abuse Contact will be addressed to and received by Applicant’s Registry Services Liaison(s) who will review and, if applicable, remedy any Complaint regarding an alleged violation of the Abuse Policy.
Applicant’s Registry Services Liaison(s) will first review the Complaint and give it a “quick look” to see if the Complaint reasonably falls within an abusive use as defined by the Abuse Policy. If not, the Abuse Contact will write a timely correspondence to the Complainant stating that the subject of the complaint clearly does not fall within one of the delineated abusive uses as defined by the Abuse Policy and that Applicant considers the matter closed.
If the quick look does not resolve the matter, the Registry Services Liaison(s) will timely give the Complaint a full review. If an abusive use is determined, the Abuse Contact will alert the registry services provider to immediately suspend the resolution of the domain name. The Registry Services Liaison(s) will then immediately notify the registrant of the suspension of the domain name and the nature of the complaint, and give the registrant the option to respond in a timely fashion, failing which the domain name will be canceled.
If the registrant responds within a timely period, its response will be further reviewed by the Registry Services Liaison(s). If the Registry Services Liaison(s) are satisfied by the registrant’s response that the use is not abusive, the Registry Services Liaison(s) will submit a timely request to the registry services provider to unsuspend the domain name. The Abuse Contact will then timely notify the Complainant that its complaint was ultimately denied and provide the reasons for the denial. If the registrant does not respond within a timely fashion, the Abuse Contact will notify the registry services provider to cancel the abusive domain name.
This Abuse Procedure will not prejudice either party’s election to pursue another dispute mechanism, such as URS or UDRP.
With the assistance of its back-end registry services provider, Applicant will meet its obligations under Section 2.8 of the Registry Agreement to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD. Accordingly, Applicant will timely respond to legitimate law enforcement inquiries. Any such response shall include, at a minimum, a timely acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by Applicant for a timely resolution of the request.
In the event such a request involves activities which can be validated by Applicant’s Registry Services Liaison(s) and involves the type of activity set forth in the Abuse Policy, the Abuse Contact will timely notify the registry services provider to either suspend or cancel the domain name. If the Registry Services Liaison(s) determine that it is not an abusive activity, the Abuse Contact will timely provide the relevant law enforcement, governmental and/or quasi-governmental agency a compelling argument to keep the name in the zone.
Whois Accuracy
Applicant will provide WHOIS accessibility in a reliable, consistent, and predictable fashion in order to promote Whois accuracy.
Applicant will offer thick WHOIS services, in which all authoritative WHOIS data—including contact data—is maintained at the registry. Through Applicant’s registrar and registry services operators, Applicant will maintain timely, unrestricted, and public access to accurate and complete WHOIS information, including all data objects as specified in Specification 4. Moreover, prior to the release of any domain names, Applicant’s registrar will provide Applicant with an authorization code to verify eligible registrants, and Applicant will provide the registrar with proper registrant contact information. Upon registration, the registrar will verify the authorization code and contact information before the prospective registrant is allowed to proceed.
In order to further promote WHOIS accuracy, Applicant will offer a mechanism whereby third parties can submit complaints directly to the Applicant’s Registry Services Liaison(s) (as opposed to ICANN or the sponsoring Registrar) about inaccurate or incomplete WHOIS data. Such information shall be forwarded to the registrar, who shall be required to address those complaints with their registrants. Within a reasonable time period after forwarding the complaint to the registrar, Applicant’s Registry Liaison(s) will examine the current WHOIS data for names that were alleged to be inaccurate to determine if the information was corrected, the domain name was deleted, or there was some other disposition. If the registrar has failed to take any action, or it is clear that the registrant was either unwilling or unable to correct the inaccuracies, Applicant reserves the right to suspend the applicable domain name(s) until such time as the registrant is able to cure the deficiencies.
In addition, Applicant’s Registry Services Liaison(s) will at least twice per year perform a manual review of a random sampling of domain names within the applied-for TLD to test the accuracy of the WHOIS information. Through this review, the Registry Services Liaison(s) will examine the WHOIS data for evidence of inaccurate or incomplete Whois information. In the event that such errors or missing information exists, it shall be forwarded to the registrar, who shall be required to address such deficiencies with their registrants. Within a reasonable time period, the Registry Services Liaison(s) will examine the current WHOIS data for names that were alleged to be inaccurate or incomplete to determine if the information was corrected, the domain name was deleted, or there was some other disposition. If the registrar has failed to take any action, or it is clear that the registrant was either unwilling or unable to correct the inaccuracies, Applicant reserves the right to suspend the applicable domain name(s) until such time as the Registrant is able to cure the deficiencies.
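The twice-yearly review described above, drawing a random sample of registrations and checking each WHOIS record for missing, placeholder or malformed contact data, is the kind of check that is easy to automate before the manual pass. The following is an added example written for this page, not the registry’s or Verisign’s own tooling. The required field set, the placeholder list and the phone/e-mail syntax rules are assumptions (the page refers to Specification 4 data objects without listing them), and the sample records are constructed.

```python
import random
import re

# Required contact fields for a registrant record. This set is an assumption for
# the example, not the registry's own data model.
REQUIRED_FIELDS = ("registrant_name", "registrant_org", "email", "phone",
                   "street", "city", "country")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# E.164-style phone after separators are stripped: leading '+' and 8 to 15 digits.
PHONE_RE = re.compile(r"^\+[0-9]{8,15}$")
# Values that are syntactically present but obviously not real contact data.
PLACEHOLDERS = {"n/a", "none", "unknown", "xxx", "-", "tbd", "test"}


def find_deficiencies(record):
    """Return a list of human-readable problems found in one WHOIS record."""
    problems = []
    for field in REQUIRED_FIELDS:
        value = (record.get(field) or "").strip()
        if not value:
            problems.append(f"missing {field}")
        elif value.lower() in PLACEHOLDERS:
            problems.append(f"placeholder value in {field}: {value!r}")
    email = (record.get("email") or "").strip()
    if email and not EMAIL_RE.match(email):
        problems.append(f"malformed email: {email!r}")
    phone = (record.get("phone") or "").strip()
    if phone and not PHONE_RE.match(re.sub(r"[ .\-()]", "", phone)):
        problems.append(f"malformed phone: {phone!r}")
    return problems


def sample_for_review(records, sample_size, seed=None):
    """Pick a random subset of records for the periodic review (seeded for repeatability)."""
    rng = random.Random(seed)
    return rng.sample(records, min(sample_size, len(records)))


def review(records, sample_size, seed=None):
    """Run the completeness check over a random sample.
    Returns {domain: [problems]} for the records that must go back to the registrar."""
    findings = {}
    for rec in sample_for_review(records, sample_size, seed):
        problems = find_deficiencies(rec)
        if problems:
            findings[rec["domain"]] = problems
    return findings


# Constructed sample records; domain names and contact data are invented.
SAMPLE_RECORDS = [
    {"domain": "nic.coach", "registrant_name": "Registry Operations", "registrant_org": "Coach, Inc.",
     "email": "registry@example.com", "phone": "+1 212 555 0100", "street": "1 Example Plaza",
     "city": "New York", "country": "US"},
    {"domain": "whois.coach", "registrant_name": "Registry Operations", "registrant_org": "Coach, Inc.",
     "email": "registry@example.com", "phone": "+1 212 555 0100", "street": "1 Example Plaza",
     "city": "New York", "country": "US"},
    {"domain": "bad-email.coach", "registrant_name": "J. Doe", "registrant_org": "Coach, Inc.",
     "email": "not-an-address", "phone": "+1 212 555 0100", "street": "1 Example Plaza",
     "city": "New York", "country": "US"},
    {"domain": "incomplete.coach", "registrant_name": "n/a", "registrant_org": "Coach, Inc.",
     "email": "", "phone": "12345", "street": "1 Example Plaza", "city": "", "country": "US"},
]

if __name__ == "__main__":
    for domain, problems in sorted(review(SAMPLE_RECORDS, sample_size=4, seed=1).items()):
        print(domain)
        for problem in problems:
            print("  -", problem)
```

Syntax checks of this kind only catch records that are obviously incomplete or fake; whether a well-formed address actually reaches the registrant is what the manual follow-up with the registrar is for.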
Abuse Prevention and Mitigation – Domain Name Access
All domain name registrants will have adequate controls to ensure proper access to domain functions. In addition to the above, all domain name registrants in the applied-for TLD will be required to name at least two (2) unique points of contact who are authorized to request and/or approve update, transfer, and deletion requests. The points of contact will establish strong passwords with the registrar that must be authenticated before a point of contact will be allowed to process update, transfer, and deletion requests. Once an update, transfer, or deletion request is entered, the points of contact will automatically be notified when a domain has been updated, transferred, or deleted through an automated system run by Applicant’s registrar.
Resourcing Plans.
Details related to resourcing plans for the initial implementation and ongoing maintenance of Applicant’s abuse plan are provided in Section 2 of this response.
ENSURING WHOIS ACCURACY
A complete and accurate Whois database promotes the prevention of identity theft, fraud and other on-line crime, promotes the public’s ability to police its rights against unlawful copyright and trademark infringement, and minimizes technical errors. Coach has a compelling interest in accounting to itself and the public for the use of Applicant assets, and in ensuring those assets are only used by persons or entities authorized by Coach. That interest is especially strong with respect to .coach and all domain names registered or used therein, since the TLD is a core component of Coach’s online branding and technological platform.
Coach will enforce the Whois data accuracy provisions in ICANN’s Registry Agreement, Registrar Accreditation Agreement and all relevant Consensus Policies. Those agreements generally require all registrants to provide accurate and reliable contact details and promptly update any changes made during the registration term. Coach’s registrars must present to the registrant the current Whois information, and remind the registrant that provision of false Whois information can be grounds for cancellation of the domain name registration. Coach and/or its affiliates (as defined in this response) will be listed as the sole registrant of all domains within .coach. Coach’s clear written policy, which requires the relevant corporate authorisation and approvals to be procured and evidenced before any .coach domain name is registered for Coach’s use, together with the subsequent verification through a registrar, will ensure thorough pre-verification of all Whois data. Therefore, all Whois information will be complete and accurate at the time of registration. In the event of any change in the Whois contact information for a domain name, that change will be promptly updated in the Whois database.
Verisign, Applicant’s selected backend registry services provider, has established policies and procedures to encourage registrar compliance with ICANN’s Whois accuracy requirements. Verisign provides the following services to Applicant for incorporation into its full-service registry operations.
1) Registrar self-certification.
The self-certification program consists, in part, of evaluations applied equally to all operational ICANN-accredited registrars and conducted from time to time throughout the year. Process steps are as follows:
- Verisign sends an email notification to the ICANN primary registrar contact, requesting that the contact go to a designated URL, log in with his/her Web ID and password, and complete and submit the online form. The contact must submit the form within 15 business days of receipt of the notification.
- When the form is submitted, Verisign sends the registrar an automated email confirming that the form was successfully submitted.
- Verisign reviews the submitted form to ensure the certifications are compliant.
- Verisign sends the registrar an email notification if the registrar is found to be compliant in all areas.
- If a review of the response indicates that the registrar is out of compliance or if Verisign has follow-up questions, the registrar has 10 days to respond to the inquiry.
- If the registrar does not respond within 15 business days of receiving the original notification, or if it does not respond to the request for additional information, Verisign sends the registrar a Breach Notice and gives the registrar 30 days to cure the breach.
- If the registrar does not cure the breach, Verisign terminates the Registry-Registrar Agreement (RRA).
2) Whois data reminder process. Verisign regularly reminds registrars of their obligation to comply with ICANN’s Whois Data Reminder Policy, which was adopted by ICANN as a consensus policy on 27 March 2003 (http://www.icann.org/en/registrars/wdrp.htm). Verisign sends a notice to all registrars once a year reminding them of their obligation to be diligent in validating the Whois information provided during the registration process, to investigate claims of fraudulent Whois information, and to cancel domain name registrations for which Whois information is determined to be invalid.
Resource Planning Specific to Backend Registry Activities.
Coach has effectively mitigated the risk of abuse in the gTLD and foresees dedicating a member of staff to act as the primary point of contact for handling inquiries relating to malicious or abusive conduct in the TLD. Coach is committed to ensuring that sufficient resources are made available at all times. Coach may engage its third-party registrar(s) and its selected back-end registry services provider, Verisign, to perform some or all of the tasks associated with abuse issues. This will ensure that highly skilled, specialized and scalable resources are on hand to address any possible abuse issues both during the startup phase of the TLD and continually during operations of the TLD.
Verisign, Coach’s selected backend registry services provider, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLD’s initial implementation and ongoing maintenance. Verisign’s pricing for the backend registry services it provides to Coach fully accounts for costs related to this infrastructure, which are included in the registry services provider costs in Section I.K “Outsourcing Operating Costs” within the Question 46 financial projections response.
Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisign’s quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisign’s ability to align personnel resource growth to the scale increases of Verisign’s TLD service offerings.
Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support abuse prevention and mitigation:
- Application Engineers: 19
- Business Continuity Personnel: 3
- Customer Affairs Organization: 9
- Customer Support Personnel: 36
- Information Security Engineers: 11
- Network Administrators: 11
- Network Architects: 4
- Network Operations Center (NOC) Engineers: 33
- Project Managers: 25
- Quality Assurance Engineers: 11
- Systems Architects: 9
To implement and manage the .coach gTLD as described in this application, Verisign, Coach’s selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area.
When usage projections indicate a need for additional staff, Verisign’s internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed gTLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internet’s largest TLDs (i.e., .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.
SCANNING TO IDENTIFY MALICIOUS OR ABUSIVE BEHAVIOR
Coach currently invests in and utilizes third-party anti-phishing and abuse solutions to monitor potentially malicious conduct over the Internet against Coach’s websites, brands and other online business areas. Coach fully intends to continue its support and deployment of these solutions to monitor the .coach domain on an ongoing basis. These solutions include:
- All computer systems accessible through .coach shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy for legitimate business reason;
- Coach will conduct automated and regular scanning for malware of all computer systems accessible via domain names in the Registry through its selected back-end registry services provider, Verisign. Registrants are often unknowing victims of malware exploits. Verisign has developed proprietary code to help identify malware in the zones it manages, which in turn helps registrars by identifying malicious code hidden in their domain names. Verisign’s malware scanning service helps prevent websites from infecting other websites by scanning web pages for embedded malicious content that will infect visitors’ websites. Verisign’s malware scanning technology uses a combination of in-depth malware behavioral analysis, anti-virus results, detailed malware patterns, and network analysis to discover known exploits for the particular scanned zone. If malware is detected, the service sends the registrar a report that contains the number of malicious domains found and details about malicious content within its TLD zones. Reports with remediation instructions are provided to help registrars and registrants eliminate the identified malware from the registrant’s website;
- Coach will establish and act upon the results of a regular poll against one or more trusted databases for phishing sites operating (in second level or subordinate domain names) within the TLD.
ADDITIONAL PROCESSES TO ADDRESS ABUSIVE USE OF REGISTERED DOMAIN NAMES
SUSPENSION PROCESSES CONDUCTED BY BACKEND REGISTRY SERVICES PROVIDER. In the case of domain name abuse, Coach or Coach’s approved registrar(s) will determine whether to take down the subject domain name. Verisign, Coach’s selected backend registry services provider, will follow the auditable processes to comply with the suspension request as set out in Diagram 1 of the Attachment.
VERISIGN SUSPENSION NOTIFICATION. Coach or Coach’s approved registrar(s) submits the suspension request to Verisign for processing, documented by:
- Threat domain name
- Registry incident number
- Incident narrative, threat analytics, screen shots to depict abuse, and/or other evidence
- Threat classification
- Threat urgency description
- Recommended timeframe for suspension/takedown
- Technical details (e.g., Whois records, IP addresses, hash values, anti-virus detection results/nomenclature, name servers, domain name status that are relevant to the suspension)
- Incident response, including surge capacity
VERISIGN NOTIFICATION VERIFICATION. When Verisign receives a suspension request from Coach or Coach’s approved registrar(s), it performs the following verification procedures:
- Validate that all the required data appears in the notification
- Validate that the request for suspension is for a registered domain name
- Return a case number for tracking purposes
SUSPENSION REJECTION. If required data is missing from the suspension request, or the domain name is not registered, the request will be rejected and returned to Coach or Coach’s approved registrar(s) with the following information:
- Threat domain name
- Registry incident number
- Verisign case number
- Error reason
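The notification, verification and rejection steps above form a small intake procedure: check that every required data item is present, check that the named domain is actually registered, and hand back a case number either way, with an error reason on rejection. The following is an added example of that procedure written for this page; it is not Verisign’s own process or code. The request key names, the case-number format and the registered-domain lookup (a plain set standing in for the registry database) are assumptions, and the zone contents and requests are constructed.

```python
import itertools
from dataclasses import dataclass

# Data items the page requires in a suspension notification. The key names are
# an assumption for this example; the page gives them as prose bullets.
REQUIRED_FIELDS = (
    "threat_domain_name",
    "registry_incident_number",
    "evidence",               # incident narrative, threat analytics, screen shots
    "threat_classification",
    "threat_urgency",
    "recommended_timeframe",
    "technical_details",      # Whois, IP addresses, hashes, AV results, name servers, status
    "incident_response",      # including surge capacity
)


def normalize(name):
    """Lower-case and strip a trailing dot so 'Example.COACH.' matches 'example.coach'."""
    return str(name).strip().lower().rstrip(".")


@dataclass
class Outcome:
    """Result returned to the requester. On rejection it carries the four items the
    page lists: threat domain name, registry incident number, case number, error reason."""
    accepted: bool
    threat_domain_name: str
    registry_incident_number: str
    case_number: str
    error_reason: str = ""


class SuspensionIntake:
    """Notification verification performed by the registry services provider.
    The registered-domain check is a set lookup here (an assumption standing in for
    a registry database query); case numbers are sequential and the format is invented."""

    def __init__(self, registered_domains):
        self.registered = {normalize(d) for d in registered_domains}
        self._counter = itertools.count(1)

    def verify(self, request):
        # A case number is issued for every request so that rejections are traceable too.
        case_number = f"CASE-{next(self._counter):06d}"
        domain = normalize(request.get("threat_domain_name", ""))
        incident = str(request.get("registry_incident_number", ""))

        # Step 1: every required data item must be present and non-empty.
        missing = [f for f in REQUIRED_FIELDS if not request.get(f)]
        if missing:
            return Outcome(False, domain, incident, case_number,
                           "missing required data: " + ", ".join(missing))

        # Step 2: the request must name a domain that is registered in the zone.
        if domain not in self.registered:
            return Outcome(False, domain, incident, case_number,
                           "domain name is not registered")

        # Step 3: accepted; the case number tracks the suspension from here on.
        return Outcome(True, domain, incident, case_number)


# Constructed zone contents and requests; domain names and identifiers are invented.
ZONE = ["nic.coach", "whois.coach", "example-abuse.coach"]

COMPLETE_REQUEST = {
    "threat_domain_name": "Example-Abuse.COACH",
    "registry_incident_number": "RI-0001",
    "evidence": "constructed incident narrative; screen shots attached",
    "threat_classification": "phishing",
    "threat_urgency": "high",
    "recommended_timeframe": "24h",
    "technical_details": {"name_servers": ["ns1.example.net"], "status": "ok"},
    "incident_response": "monitor for re-registration; surge capacity not required",
}
INCOMPLETE_REQUEST = {k: v for k, v in COMPLETE_REQUEST.items()
                      if k not in ("threat_classification", "threat_urgency")}
UNREGISTERED_REQUEST = dict(COMPLETE_REQUEST,
                            threat_domain_name="not-in-zone.coach",
                            registry_incident_number="RI-0002")

if __name__ == "__main__":
    intake = SuspensionIntake(ZONE)
    for req in (COMPLETE_REQUEST, INCOMPLETE_REQUEST, UNREGISTERED_REQUEST):
        print(intake.verify(req))
```

Issuing the case number before the checks run means a rejected request and its resubmission are linked in the audit trail, which matters when the suspension process must be auditable as the page requires.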
Coach will notify the registrar of record in relation to a complaint.
CONCLUSION
The approach outlined in this answer clearly shows that the risk of abuse in the .coach TLD has been extensively mitigated and, as a direct result, is very low. Applicant is committed to ensuring that abuse will not be tolerated. The proposed policies and methods for addressing any abuse exceed the standards outlined in the gTLD Applicant Guidebook and are more than commensurate with the risks identified. Applicant is, therefore, entitled to a score of two points for its response to Question 28.