
28 Abuse Prevention and Mitigation

gTLD: .netbank
Full Legal Name: COMMONWEALTH BANK OF AUSTRALIA
E-mail suffix: cba.com.au

CBA, working with Afilias, will take the requisite operational and technical steps to promote WHOIS data accuracy, limit domain abuse, remove outdated and inaccurate data, and implement other security measures to ensure the integrity of the TLD. The specific measures include, but are not limited to:

- Posting a TLD Anti-Abuse Policy that clearly defines abuse, and provides point-of-contact information for reporting suspected abuse;

- Committing to rapid identification and resolution of abuse, including suspensions;

- Ensuring completeness of WHOIS information at the time of registration;

- Publishing and maintaining procedures for removing orphan glue records for names removed from the zone, and;

- Establishing measures to deter WHOIS abuse, including rate-limiting, determining data syntax validity, and implementing and enforcing requirements from the Registry-Registrar Agreement.

Furthermore, CBA, the registry operator, intends to operate the .netbank gTLD with the strict eligibility requirements on registrants set out in the draft registration policy appended to the response to this question. The strict eligibility requirements mean that the scope for abuse in the TLD is low as the registry will operate as a single registrant registry.

As stated in response to Question 18, CBA’s registration policy will address the minimum requirements mandated by ICANN including rights abuse prevention measures. CBA will implement its draft registration policy as a means of abuse prevention and mitigation ** (see end of document).


ABUSE POLICY

The Anti-Abuse Policy stated below will be enacted under the contractual authority of CBA through the Registry-Registrar Agreement, and the obligations will be passed on to and made binding upon registrants. This policy will be posted on the TLD web site along with contact information for registrants or users to report suspected abuse.

The policy is designed to address the malicious use of domain names. CBA and its registrars will make reasonable attempts to limit significant harm to Internet users. This policy is not intended to take the place of the Uniform Domain Name Dispute Resolution Policy (UDRP) or the Uniform Rapid Suspension System (URS), and it is not to be used as an alternate form of dispute resolution or as a brand protection mechanism. Its intent is not to burden law-abiding or innocent registrants and domain users; rather, the intent is to deter those who use domain names maliciously by engaging in illegal or fraudulent activity.

Repeat violations of the abuse policy will result in a case-by-case review of the abuser(s), and CBA reserves the right to escalate the issue, with the intent of levying sanctions that are allowed under the TLD anti-abuse policy.

The below policy is a recent version of the policy that has been used by the .INFO registry since 2008, and the .ORG registry since 2009. It has proven to be an effective and flexible tool.

.netbank ANTI-ABUSE POLICY

The following Anti-Abuse Policy is effective upon launch of the TLD. Malicious use of domain names will not be tolerated. The nature of such abuses creates security and stability issues for the registry, registrars, and registrants, as well as for users of the Internet in general. CBA’s definition of abusive use of a domain includes, without limitation, the following:

- Illegal or fraudulent actions;

- Spam: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to email spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of web sites and Internet forums;

- Phishing: The use of counterfeit web pages that are designed to trick recipients into divulging sensitive data such as personally identifying information, usernames, passwords, or financial data;

- Pharming: The redirecting of unknowing users to fraudulent sites or services, typically through, but not limited to, DNS hijacking or poisoning;

- Willful distribution of malware: The dissemination of software designed to infiltrate or damage a computer system without the owner’s informed consent. Examples include, without limitation, computer viruses, worms, keyloggers, and Trojan horses;

- Malicious fast-flux hosting: Use of fast-flux techniques with a botnet to disguise the location of web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities.

- Botnet command and control: Services run on a domain name that are used to control a collection of compromised computers or “zombies,” or to direct distributed denial-of-service attacks (DDoS attacks);

- Illegal Access to Other Computers or Networks: Illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individual’s system (often known as “hacking”). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity).

Pursuant to the Registry-Registrar Agreement, CBA reserves the right at its sole discretion to deny, cancel, or transfer any registration or transaction, or place any domain name(s) on registry lock, hold, or similar status, that it deems necessary: (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of CBA, as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement and this Anti-Abuse Policy, or (5) to correct mistakes made by CBA or any registrar in connection with a domain name registration. CBA also reserves the right to place upon registry lock, hold, or similar status a domain name during resolution of a dispute.

The policy stated above will be accompanied by notes about how to submit a report to CBA’s abuse point of contact, and how to report an orphan glue record suspected of being used in connection with malicious conduct (see below).

ABUSE POINT OF CONTACT AND PROCEDURES FOR HANDLING ABUSE COMPLAINTS

CBA will establish an abuse point of contact. This contact will be a role-based e-mail address of the form “abuse@registry.netbank”. This e-mail address will allow multiple staff members to monitor abuse reports on a 24x7 basis, and then work toward closure of cases as each situation calls for. For tracking purposes, CBA will have a ticketing system with which all complaints will be tracked internally. The reporter will be provided with the ticket reference identifier for potential follow-up. Afilias will integrate its existing ticketing system with CBA’s to ensure uniform tracking and handling of the complaint. This role-based approach has been used successfully by ISPs, e-mail service providers, and registrars for many years, and is considered a global best practice.

CBA’s designated abuse handlers will then evaluate complaints received via the abuse system address. They will decide whether a particular issue is of concern, and decide what action, if any, is appropriate.

In general, CBA will find itself receiving abuse reports from a wide variety of parties, including security researchers and Internet security companies, financial institutions such as banks, Internet users, and law enforcement agencies among others. Some of these parties may provide good forensic data or supporting evidence of the malicious behavior. In other cases, the party reporting an issue may not be familiar with how to provide such data or proof of malicious behavior. It is expected that a percentage of abuse reports to CBA will not be actionable, because there will not be enough evidence to support the complaint (even after investigation), and because some reports or reporters will simply not be credible.

The security function includes a communication and outreach function, with information sharing with industry partners regarding malicious or abusive behavior, in order to ensure coordinated abuse mitigation across multiple TLDs.

Assessing abuse reports requires great care, and CBA will rely upon professional, trained investigators who are versed in such matters. The goals are accuracy, good record-keeping, and a zero false-positive rate so as not to harm innocent registrants.

Different types of malicious activities require different methods of investigation and documentation. Further, CBA expects to face unexpected or complex situations that call for professional advice, and will rely upon professional, trained investigators as needed.

In general, there are two types of domain abuse that must be addressed:

a) Compromised domains. These domains have been hacked or otherwise compromised by criminals, and the registrant is not responsible for the malicious activity taking place on the domain. For example, the majority of domain names that host phishing sites are compromised. The goal in such cases is to get word to the registrant (usually via the registrar) that there is a problem that needs attention with the expectation that the registrant will address the problem in a timely manner. Ideally such domains do not get suspended, since suspension would disrupt legitimate activity on the domain.

b) Malicious registrations. These domains are registered by malefactors for the purpose of abuse. Such domains are generally targets for suspension, since they have no legitimate use.

The standard procedure is that CBA will forward a credible alleged case of malicious domain name use to the domain’s sponsoring registrar with a request that the registrar investigate the case and act appropriately. The registrar will be provided evidence collected as a result of the investigation conducted by the trained abuse handlers. As part of the investigation, if inaccurate or false WHOIS registrant information is detected, the registrar is notified about this. The registrar is the party with a direct relationship with—and a direct contract with—the registrant. The registrar will also have vital information that CBA will not, such as:

- Details about the domain purchase, such as the payment method used (credit card, PayPal, etc.);

- The identity of a proxy-protected registrant;

- The purchaser’s IP address;

- Whether there is a reseller involved, and;

- The registrant’s past sales history and purchases in other TLDs (insofar as the registrar can determine this).

Registrars do not share the above information with registry operators due to privacy and liability concerns, among others. Because they have more information with which to continue the investigation, and because they have a direct relationship with the registrant, the registrar is in the best position to evaluate alleged abuse. The registrar can determine if the use violates the registrar’s legal terms of service or the registry Anti-Abuse Policy, and can decide whether or not to take any action. While the language and terms vary, registrars will be expected to include language in their registrar-registrant contracts that indemnifies the registrar if it takes action, and allows the registrar to suspend or cancel a domain name; this will be in addition to the registry Anti-Abuse Policy. Generally, registrars can act if the registrant violates the registrar’s terms of service, or violates ICANN policy, or if illegal activity is involved, or if the use violates the registry’s Anti-Abuse Policy.

If a registrar does not take action within a time period indicated by CBA (usually 24 hours), CBA might then decide to take action itself. At all times, CBA reserves the right to act directly and immediately if the potential harm to Internet users seems significant or imminent, with or without notice to the sponsoring registrar.

CBA will be prepared to call upon relevant law enforcement bodies as needed. There are certain cases, for example, illegal pharmacy domains, where CBA will contact the Law Enforcement Agencies to share information about these domains, provide all the evidence collected and work closely with them before any action will be taken for suspension. The specific action is often dependent upon the jurisdiction of which CBA, although the operator in all cases will adhere to applicable laws and regulations.

When valid court orders or seizure warrants are received from courts or law enforcement agencies of relevant jurisdiction, CBA will order execution in an expedited fashion. Compliance with these will be a top priority and will be completed as soon as possible and within the defined timelines of the order. There are certain cases where Law Enforcement Agencies request information about a domain including but not limited to:

- Registration information

- History of a domain, including recent updates made

- Other domains associated with a registrant’s account

- Patterns of registrant portfolio


Requests for such information are handled on a priority basis and sent back to the requestor as soon as possible. Afilias sets a goal to respond to such requests within 24 hours.

CBA may also engage in proactive screening of its zone for malicious use of the domains in the TLD, and report problems to the sponsoring registrars. CBA could take advantage of a combination of the following resources, among others:

- Blocklists of domain names and nameservers published by organizations such as SURBL and Spamhaus.

- Anti-phishing feeds, which will provide URLs of compromised and maliciously registered domains being used for phishing.

- Analysis of registration or DNS query data (DNS query data received by the TLD nameservers).

CBA will keep records and track metrics regarding abuse and abuse reports. These will include:

- Number of abuse reports received by the registry’s abuse point of contact described above;

- Number of cases and domains referred to registrars for resolution;

- Number of cases and domains where the registry took direct action;

- Resolution times;

- Number of domains in the TLD that have been blacklisted by major anti-spam blocklist providers, and;

- Phishing site uptimes in the TLD.


REMOVAL OF ORPHAN GLUE RECORDS

By definition, orphan glue records used to be glue records. Glue records are related to delegations and are necessary to guide iterative resolvers to delegated nameservers. A glue record becomes an orphan when its parent nameserver record is removed without also removing the corresponding glue record. (Please reference the ICANN SSAC paper SAC048 at: http://www.icann.org/en/committees/security/sac048.pdf.) Orphan glue records may be created when a domain (example.tld) is placed on EPP ServerHold or ClientHold status. When placed on Hold, the domain is removed from the zone and will stop resolving. However, any child nameservers (now orphan glue) of that domain (e.g., ns1.example.tld) are left in the zone. It is important to keep these orphan glue records in the zone so that any innocent sites using that nameserver will continue to resolve. This use of Hold status is an essential tool for suspending malicious domains.

Afilias observes the following procedures, which are being followed by other registries and are generally accepted as DNS best practices. These procedures are also in keeping with ICANN SSAC recommendations.

When a request to delete a domain is received from a registrar, the registry first checks for the existence of glue records. If glue records exist, the registry will check to see if other domains in the registry are using the glue records. If other domains in the registry are using the glue records then the request to delete the domain will fail until no other domains are using the glue records. If no other domains in the registry are using the glue records then the glue records will be removed before the request to delete the domain is satisfied. If no glue records exist then the request to delete the domain will be satisfied.

If a registrar cannot delete a domain because of the existence of glue records that are being used by other domains, then the registrar may refer to the zone file or the “weekly domain hosted by nameserver report” to find out which domains are using the nameserver in question and attempt to contact the corresponding registrar to request that they stop using the nameserver in the glue record. CBA does not plan on performing mass updates of the associated DNS records.

CBA will accept, evaluate, and respond appropriately to complaints that orphan glue is being used maliciously. Such reports should be made in writing to CBA, and may be submitted to the registry’s abuse point-of-contact. If it is confirmed that an orphan glue record is being used in connection with malicious conduct, CBA will have the orphan glue record removed from the zone file. Afilias has the technical ability to execute such requests as needed.
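The delete, Hold and orphan glue removal rules described in this section can be modelled as follows. This is an added example, not Afilias’ or CBA’s code; the class and method names, innocent.tld, lonely.tld and the addresses are assumptions constructed for illustration.

```python
"""Constructed model of a registry's glue handling on delete and Hold."""
from dataclasses import dataclass, field


class GlueInUse(Exception):
    """Delete refused: other domains still delegate to this domain's glue hosts."""

    def __init__(self, blockers):
        super().__init__("glue still used by: " + ", ".join(sorted(blockers)))
        self.blockers = blockers


@dataclass
class Domain:
    nameservers: set
    on_hold: bool = False  # EPP ServerHold or ClientHold


@dataclass
class Registry:
    domains: dict = field(default_factory=dict)  # domain name -> Domain
    glue: dict = field(default_factory=dict)     # in-zone host name -> address

    def child_hosts(self, domain):
        """Glue hosts subordinate to the domain, e.g. ns1.example.tld."""
        return {h for h in self.glue if h.endswith("." + domain)}

    def users_of(self, hosts, excluding):
        """Other domains in the registry that delegate to any of these hosts."""
        return {name for name, d in self.domains.items()
                if name != excluding and d.nameservers & hosts}

    def delete_domain(self, domain):
        """Delete procedure from the text: check glue, then its users."""
        hosts = self.child_hosts(domain)
        if hosts:
            blockers = self.users_of(hosts, excluding=domain)
            if blockers:
                raise GlueInUse(blockers)      # fails until nobody uses the glue
            for host in hosts:
                del self.glue[host]            # unused glue goes first
        del self.domains[domain]               # then the delete is satisfied

    def hold(self, domain):
        """Suspend: the delegation leaves the zone, child glue stays."""
        self.domains[domain].on_hold = True

    def delegated(self, domain):
        """True while the domain exists and is published in the zone."""
        d = self.domains.get(domain)
        return d is not None and not d.on_hold

    def zone(self):
        """Published records as (owner, type, value) tuples."""
        ns = [(name, "NS", host)
              for name, d in sorted(self.domains.items()) if not d.on_hold
              for host in sorted(d.nameservers)]
        return ns + [(h, "A", ip) for h, ip in sorted(self.glue.items())]

    def orphan_glue(self):
        """Glue whose parent domain is no longer delegated in the zone."""
        return {h for h in self.glue
                if not any(h.endswith("." + name) and self.delegated(name)
                           for name in self.domains)}

    def remove_malicious_orphan(self, host):
        """Abuse confirmed: pull the orphan glue record from the zone."""
        if host not in self.orphan_glue():
            raise ValueError(host + " is not orphan glue")
        del self.glue[host]


def build_sample():
    """Constructed data; 192.0.2.0/24 is a documentation address range."""
    return Registry(
        domains={
            "example.tld": Domain({"ns1.example.tld"}),
            "innocent.tld": Domain({"ns1.example.tld"}),
            "lonely.tld": Domain({"ns1.lonely.tld"}),
        },
        glue={"ns1.example.tld": "192.0.2.53", "ns1.lonely.tld": "192.0.2.54"},
    )


if __name__ == "__main__":
    reg = build_sample()
    try:
        reg.delete_domain("example.tld")
    except GlueInUse as err:
        print("delete refused:", err)
    reg.hold("example.tld")
    print("orphan glue after hold:", sorted(reg.orphan_glue()))
    for record in reg.zone():
        print(record)
    reg.delete_domain("lonely.tld")
    print("glue left:", sorted(reg.glue))
```

The `orphan_glue()` listing is also what an abuse handler would review when a report names a nameserver host rather than a domain.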

METHODS TO PROMOTE WHOIS ACCURACY

The creation and maintenance of accurate WHOIS records is an important part of registry management. As described in our response to question #26, WHOIS, CBA will manage a secure, robust and searchable WHOIS service for this TLD.

WHOIS DATA ACCURACY

CBA will offer a “thick” registry system. In this model, all key contact details for each domain name will be stored in a central location by the registry. This allows better access to domain data, and provides uniformity in storing the information. CBA will ensure that the required fields for WHOIS data (as per the defined policies for the TLD) are enforced at the registry level. This ensures that the registrars are providing required domain registration data. Fields defined by the registry policy to be mandatory are documented as such and must be submitted by registrars. The Afilias registry system verifies formats for relevant individual data fields (e.g. e-mail, and phone/fax numbers). Only valid country codes are allowed as defined by the ISO 3166 code list. The Afilias WHOIS system is extensible, and is capable of using the VAULT system, described further below.

Similar to the centralized abuse point of contact described above, CBA can institute a contact email address which could be utilized by third parties to submit complaints for inaccurate or false WHOIS data detected. This information will be processed by Afilias’ support department and forwarded to the registrars. The registrars can work with the registrants of those domains to address these complaints. Afilias will audit registrars on a yearly basis to verify whether the complaints being forwarded are being addressed or not. This functionality, available to all CBAs, is activated based on CBA’s business policy.

Afilias also incorporates a spot-check verification system where a randomly selected set of domain names are checked periodically for accuracy of WHOIS data. Afilias’ .PRO registry system incorporates such a verification system whereby 1% of total registrations or 100 domains, whichever number is larger, are spot-checked every month to verify the domain name registrant’s critical information provided with the domain registration data. With both a highly qualified corps of engineers and a 24x7 staffed support function, Afilias has the capacity to integrate such spot-check functionality into this TLD, based on CBA’s business policy. Note: This functionality will not work for proxy protected WHOIS information, where registrars or their resellers have the actual registrant data. The solution to that problem lies with either registry or registrar policy, or a change in the general marketplace practices with respect to proxy registrations.

Finally, Afilias’ registry systems have a sophisticated set of billing and pricing functionality which aids CBAs who decide to provide a set of financial incentives to registrars for maintaining or improving WHOIS accuracy. For instance, it is conceivable that CBA may decide to provide a discount for the domain registration or renewal fees for validated registrants, or levy a larger cost for the domain registration or renewal of proxy domain names. The Afilias system has the capability to support such incentives on a configurable basis, towards the goal of promoting better WHOIS accuracy.

ROLE OF REGISTRARS

As part of the RRA (Registry Registrar Agreement), CBA will require the registrar to be responsible for ensuring the input of accurate WHOIS data by their registrants. The Registrar/Registered Name Holder Agreement will include a specific clause to ensure accuracy of WHOIS data, and to give the registrar rights to cancel or suspend registrations if the Registered Name Holder fails to respond to the registrar’s query regarding accuracy of data. ICANN’s WHOIS Data Problem Reporting System (WDPRS) will be available to those who wish to file WHOIS inaccuracy reports, as per ICANN policy (http://wdprs.internic.net/).

CONTROLS TO ENSURE PROPER ACCESS TO DOMAIN FUNCTIONS

Several measures are in place in the Afilias registry system to ensure proper access to domain functions, including authentication provisions in the RRA relative to notification and contact updates via use of AUTH-INFO codes.

IP address access control lists, TLS/SSL certificates and proper authentication are used to control access to the registry system. Registrars are only given access to perform operations on the objects they sponsor.

Every domain will have a unique AUTH-INFO code. The AUTH-INFO code is a 6- to 16-character code assigned by the registrar at the time the name is created. Its purpose is to aid identification of the domain owner so proper authority can be established. It is the “password” to the domain name. Registrars must use the domain’s password in order to initiate a registrar-to-registrar transfer. It is used to ensure that domain updates (update contact information, transfer, or deletion) are undertaken by the proper registrant, and that this registrant is adequately notified of domain update activity. Only the sponsoring registrar of a domain has access to the domain’s AUTH-INFO code stored in the registry, and this is accessible only via encrypted, password-protected channels.

Information about other registry security measures such as encryption and security of registrar channels is confidential to ensure the security of the registry system. The details can be found in the response to question #30b.

VALIDATION AND ABUSE MITIGATION MECHANISMS

Afilias has developed advanced validation and abuse mitigation mechanisms. These capabilities and mechanisms are described below. These services and capabilities are discretionary and may be utilized by CBA based on their policy and business need.

Afilias has the ability to analyze the registration data for known patterns at the time of registration. A database of these known patterns is developed from domains and other associated objects (e.g., contact information) which have been previously detected and suspended after being flagged as abusive. Any domains matching the defined criteria can be flagged for investigation. Once analyzed and confirmed by the domain anti-abuse team members, these domains may be suspended. This provides proactive detection of abusive domains.

Provisions are available to enable CBA to only allow registrations by pre-authorized and verified contacts. These verified contacts are given a unique code that can be used for registration of new domains.

REGISTRANT PRE-VERIFICATION AND AUTHENTICATION

One of the systems that could be used for validity and identity authentication is VAULT (Validation and Authentication Universal Lookup). It utilizes information obtained from a series of trusted data sources with access to billions of records containing data about individuals for the purpose of providing independent age and ID verification as well as the ability to incorporate additional public or private data sources as required. At present it has the following: US Residential Coverage - 90% of Adult Population and also International Coverage - Varies from Country to Country with a minimum of 80% coverage (24 countries, mostly European).

Various verification elements can be used. Examples might include applicant data such as name, address, phone, etc. Multiple methods could be used for verification, including integrated solutions utilizing an API (XML Application Programming Interface) or sending batches of requests.

- Verification and Authentication requirements would be based on TLD operator requirements or specific criteria.

- Based on required WHOIS Data; registrant contact details (name, address, phone)

- If address/ZIP can be validated by VAULT, the validation process can continue (North America +25 International countries)

- If in-line processing and registration is used, an EPP/API call would go to the verification clearinghouse and return up to 4 challenge questions.

- If two-step registration is required, then registrants would get a link to complete the verification at a separate time. The link could be specific to a domain registration and pre-populated with data about the registrant.

- If WHOIS data is validated a token would be generated and could be given back to the registrar which registered the domain.

- WHOIS data would reflect the Validated Data or some subset, i.e., fields displayed could be first initial and last name, country of registrant and date validated. Other fields could be generic validation fields much like a “privacy service”.

- A “Validation Icon” customized script would be sent to the registrant’s email address. This could be displayed on the website and would be dynamically generated to avoid unauthorized use of the Icon. When clicked, the Icon would show limited WHOIS details, i.e. Registrant: jdoe, Country: USA, Date Validated: March 29, 2011, as well as legal disclaimers.

- Validation would be annually renewed, and validation date displayed in the WHOIS.

ABUSE PREVENTION RESOURCING PLANS

Since its founding, Afilias has been focused on delivering secure, stable and reliable registry services. Several essential management and staff who designed and launched the Afilias registry in 2001 and expanded the number of TLDs supported, all while maintaining strict service levels over the past decade, are still in place today. This experiential continuity will endure for the implementation and on-going maintenance of this TLD. Afilias operates in a matrix structure, which allows its staff to be allocated to various critical functions in both a dedicated and a shared manner. With a team of specialists and generalists, the Afilias project management methodology allows efficient and effective use of our staff in a focused way. Abuse prevention and detection is a function that is staffed across the various groups inside Afilias, and requires a team effort when abuse is either well hidden or widespread, or both. While all of Afilias’ 200+ employees are charged with responsibility to report any detected abuse, the engineering and analysis teams, numbering over 30, provide specific support based on the type of abuse and volume and frequency of analysis required. The Afilias security and support teams have the authority to initiate mitigation.

This TLD’s anticipated volume of registrations in the first three years of operations is listed in response #46. Afilias and CBA’s anti-abuse function anticipates the expected volume and type of registrations, and together will adequately cover the staffing needs for this TLD. CBA will maintain an abuse response team, which may be a combination of internal staff and outside specialty contractors, adjusting to the needs of the size and type of TLD. The team structure planned for this TLD is based on several years of experience responding to, mitigating, and managing abuse for TLDs of various sizes. The team will generally consist of abuse handlers (probably internal), a junior analyst, (either internal or external), and a senior security consultant (likely an external resource providing CBA with extra expertise as needed). These responders will be specially trained in the investigation of abuse complaints, and will have the latitude to act expeditiously to suspend domain names (or apply other remedies) when called for.

The exact resources required to maintain an abuse response team must change with the size and registration procedures of the TLD. An initial abuse handler is necessary as a point of contact for reports, even if a part-time responsibility. The abuse handlers monitor the abuse email address for complaints and evaluate incoming reports from a variety of sources. A large percentage of abuse reports to CBA may be unsolicited commercial email. The designated abuse handlers can identify legitimate reports and then decide what action is appropriate, either to act upon them, escalate to a security analyst for closer investigation, or refer them to registrars as per the above-described procedures. A TLD with rare cases of abuse would conform to this structure.

If multiple cases of abuse within the same week occur regularly, CBA will consider staffing internally a security analyst to investigate the complaints as they become more frequent. Training an abuse analyst requires 3-6 months and likely requires the active guidance of an experienced senior security analyst for verification of the assessments and recommendations being made.

If this TLD were to regularly experience multiple cases of abuse within the same day, a full-time senior security analyst would likely be necessary. A senior security analyst capable of fulfilling this role should have several years of experience and be able to manage and train the internal abuse response team.

The abuse response team will also maintain subscriptions for several security information services, including the blocklists from organizations like SURBL and Spamhaus and anti-phishing and other domain related abuse (malware, fast-flux etc.) feeds. The pricing structure of these services may depend on the size of the domain and some services will include a number of rapid suspension requests for use as needed.

For a large TLD, regular audits of the registry data are required to maintain control over abusive registrations. When a registrar with a significant number of registrations has been compromised or acted maliciously, CBA may need to analyze a set of registration or DNS query data. A scan of all the domains of a registrar is conducted only as needed. Scanning and analysis for a large registrar may require as much as a week of full-time effort for a dedicated machine and team.

** .netbank’S DRAFT REGISTRATION POLICY

1. DOMAIN NAME LICENCES

Upon registration of a Domain Name, the Registrant holds a licence to use the Domain Name for a specified period of time in accordance with the Registry Rules. Domain Names may be registered and renewed for 1, 2, 3, 4, 5, 6, 7, 8, 9 or 10 years.

2. SELECTION OF REGISTRARS

Registrars eligible to register domain names must meet the following non-discriminatory criteria (in compliance with clause 2.9 (a) of the Registry Agreement):

(i) be an accredited ICANN Registrar;

(ii) demonstrate a level of understanding of the Domain Name registration policies of the Registry;

(iii) have experience of managing the Domain Names of major corporations;

(iv) have proven tools for domain name portfolio management;

(v) have business processes to perform automated validation (and any additional human checks as required by the Registry) of the eligibility of the domain name for registration according to the Domain Name policies of .netbank;

(vi) demonstrate a sufficient level of security to protect against unauthorised access to the Domain Name records;

(vii) demonstrate experience and have appropriate resources in managing abuse prevention, mitigation and responses;

(viii) provide multi-language support for the registration of IDNs;

(ix) comply with any re-validation of its Registry-Registrar agreement at such regular intervals as are determined by the Registry or as required by ICANN from time to time;

(x) meet applicable technical requirements of .netbank; and

(xi) comply with all conditions, dependencies, policies and other requirements reasonably imposed by CBA, including maintenance of suitable systems and applications that are capable of interacting with the Registry system.



3. ELIGIBLE REGISTRANTS

The Registrant must be:

(i) an Affiliate entity of CBA; or

(ii) an organisation explicitly authorised by CBA; or

(iii) a natural person explicitly authorised by CBA.

If the Registrant does not meet one of the above eligibility criteria, there is no entitlement to register a Domain Name under the .netbank TLD. If the Registrant ceases to be eligible at any time in the future, the .netbank Registry may cancel or suspend the licence to use the Domain Name immediately.



4. REGISTRY APPROVAL REQUIREMENT

Registration of Domain Names under the .netbank TLD must be approved by CBA in addition to meeting all requirements under the Registry Rules. CBA’s approval for a complete and validly submitted application will be authorised by:

(i) a head of appropriate department as nominated by CBA (“Authorisation Provider”); or

(ii) an authorised person as nominated by CBA (“Authorised Person”) and notified to the Registrar from time to time.

The Authorisation Provider will notify the Registrar of its decision.



5. REQUIRED CRITERIA FOR DOMAIN NAME REGISTRATION

An application for Domain Name registration must meet all the following criteria:

(i) availability;

a. the Domain Name is not already registered;

b. it is not reserved or blocked by the .netbank Registry; or

c. it meets all .netbank Registry’s technical requirements.

(ii) technical requirements;

a. a maximum of 63 characters (after its conversion into the ASCII for IDNs);

b. use of characters selected from the list of supported characters as nominated by the .netbank Registry; and

c. any additional technical requirements as required by the .netbank Registry from time to time.

(iii) the Domain Name must be consistent with the mission and purposes of the .netbank TLD and consistent with the Domain Name registration policy of .netbank, and include but not be limited to:

a. product name;

b. service name;

c. marketing term;

d. geographic identifier; or

e. any relevant name or term as approved by Authorisation Provider or Authorised Person.

(iv) compliance with all requirements under the Registry Rules: the Registrant must comply with all provisions contained in the Registry Rules.
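The availability and technical criteria in section 5, together with the two-character reservation in section 10, can be checked mechanically before an application reaches the Authorisation Provider. The sketch below is an added example, not part of the .netbank policy or of any registry's code. It assumes that the "supported characters" are letters, digits and hyphen, that NFKC plus lowercasing is an adequate stand-in for the registry's IDN tables, and that the reserved list is the constructed placeholder shown.

```python
import re
import unicodedata

# Section 5(ii)(a): the 63-character limit applies to the ASCII (A-label) form.
MAX_A_LABEL_LEN = 63

# Assumption: the registry's supported characters are letters, digits and
# hyphen, with no leading or trailing hyphen. The real list is set by the registry.
LDH = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

# Constructed placeholder; the real reserved list is maintained by the registry.
RESERVED_NAMES = frozenset({"reserved-sample"})


def to_a_label(label):
    """Return the ASCII form of a second-level label.

    NFKC plus lowercasing approximates IDNA mapping (an assumption of this
    sketch); a production check would apply the registry's IDN tables.
    """
    normalized = unicodedata.normalize("NFKC", label).lower()
    if normalized.isascii():
        return normalized
    return "xn--" + normalized.encode("punycode").decode("ascii")


def check_label(label, registered=frozenset(), reserved=RESERVED_NAMES):
    """Return a list of reasons the label fails; an empty list means it passes."""
    try:
        a_label = to_a_label(label)
    except UnicodeError:
        return ["label cannot be converted to ASCII"]

    problems = []
    if a_label in registered:                      # 5(i)(a)
        problems.append("already registered")
    if a_label in reserved:                        # 5(i)(b) and section 11
        problems.append("on the reserved list")
    if len(a_label) == 2:                          # section 10
        problems.append("two-character label, initially reserved")
    if len(a_label) > MAX_A_LABEL_LEN:             # 5(ii)(a)
        problems.append(
            f"ASCII form is {len(a_label)} characters, limit is {MAX_A_LABEL_LEN}"
        )
    if not LDH.match(a_label):                     # 5(ii)(b)
        problems.append("contains unsupported characters")
    return problems


if __name__ == "__main__":
    for candidate in ["savings", "bücher", "ü" * 60, "au", "bad_name"]:
        print(repr(candidate), "->", check_label(candidate) or "ok")
```

The third candidate is 60 characters long as typed but exceeds the limit once converted, which is why the length test has to run on the ASCII form.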




6. OBLIGATION OF REGISTRANTS

The Registrant must enter into an agreement with the Registrar for Domain Name registration under which the Registrant will be bound by the Registry Rules specified through the Registry-Registrar agreement as amended by the Registry from time to time.

The Registrant must also agree to be bound by the minimum requirements in clause 3.7.7 of ICANN’s Registrar accreditation agreement.

The Registrant must represent and warrant that:

(i) it meets, and will continue to meet, the eligibility criteria at all times and must notify the Registrar if it ceases to meet such criteria;

(ii) the registration, renewal and use of the Domain Name does not violate any third party intellectual property rights, applicable laws or regulation;

(iii) it is entitled to register the Domain Name;

(iv) the registration and use of the Domain Name is made in good faith and for a lawful purpose;

(v) if the use of registered Domain Name is licensed to a third party,

a. the Registrant must have a licensing agreement with the licensee for the use of the Domain Name that is not less onerous than the obligation of the Registrant contained in the Registry Rules; and

b. where there is a breach of any provisions contained in the Registry Rules by the licensee of the Domain Name, Registry may revoke the Domain Name at its sole discretion.

(vi) it owns or otherwise has the right to provide all registration data (including personal information) for each Domain Name registered and provision of such registrant data complies with all applicable data protection laws and regulations; and

(vii) it has appropriate consent and licences to allow for publication of registration data in the WHOIS database.




7. REGISTRANT CONTACT INFORMATION

The Registrant must provide complete and accurate contact information of the Registrant (in accordance with clause 3.7.7.1 of ICANN’s Registrar accreditation agreement), including but not limited to the following:

(i) if the Registrant is a company or organisation:

a. name of a company or organisation;

b. registered office and principal place of business; and

c. contact details of the Registrant including e-mail address and telephone number;

(ii) if the Registrant is a natural person:

a. full name of the Registrant;

b. address of the Registrant; and

c. contact details of the Registrant including e-mail address and telephone number.


All Registrant contact information must be complete and accurate. Any changes to such Registrant information must be promptly notified to the Registrar, and no later than one (1) month of such change.




8. REVOCATION OF DOMAIN NAMES

The Registrant acknowledges that the .netbank Registry may revoke a Domain Name immediately at its sole discretion:

(i) in the event the Registrant breaches any .netbank Registry Rules;

(ii) to comply with applicable law, court order, government rule or under any dispute resolution processes;

(iii) where such Domain Name is used for any of the following prohibited activities (Prohibited Activities):

a. spamming;

b. intellectual property and privacy violations;

c. obscene speech or materials;

d. defamatory or abusive language;

e. forging headers, return addresses and internet protocol addresses;

f. illegal or unauthorised access to other computers or networks;

g. distribution of internet viruses, worms, Trojan horses or other destructive activities; and

h. any other illegal or prohibited activities as determined by the .netbank Registry.

(iv) in order to protect the integrity and stability of the domain name system and the .netbank Registry;

(v) where such Domain Name is placed under reserved names list at any time; and

(vi) where Registrant fails to make payment to the Registrar for registration, renewal or any other relevant services.



9. USE OF SECOND OR THIRD LEVEL IDNs

In addition to meeting all required criteria for registration of domain names above, an application for an IDN Domain Name must:

(i) comply with any additional registration policy on IDNs for each language;

(ii) meet all technical requirements for the applicable IDN;

(iii) comply with the IDN tables used by the .netbank Registry as amended from time to time; and

(iv) meet any other additional technical requirements as required by the .netbank Registry.




10. USE OF GEOGRAPHIC NAMES

All two-character labels and country and territory names will be initially reserved in accordance with specification 5 of the Registry Agreement.

Upon approval from ICANN and any other guidelines by applicable governments and ICANN’s Governmental Advisory Committee, the Registry may release the two-character labels and country and territory names in accordance with CBA’s response to Question 22 Geographic Names.




11. RESERVED NAMES

The .netbank Registry may place certain names in its reserved list from time to time where:

(i) the .netbank Registry believes in its sole discretion that use of such names may pose a risk to the operational stability or integrity of the .netbank Registry;

(ii) in accordance with ICANN’s specifications contained in the Registry Agreement, guidelines or recommendations;

(iii) there is a risk of trademark infringement or where the name otherwise may cause confusion taking into consideration the mission and purpose of the TLD; or

(iv) the .netbank Registry in its sole discretion decides certain names to be reserved for any reason.




12. ALLOCATION OF DOMAIN NAME

The .netbank Registry will register Domain Names on a first-come, first-served basis in accordance with the .netbank Registry Rules. The .netbank Registry does not provide pre-registration or reservation of Domain Names.




13. LIMITATION ON REGISTRATION / DOMAIN NAME LICENCES


There is no restriction on the number of Domain Names any Registrant may hold. The Registrant may further licence the use of the Domain Name to any third parties provided that the Registrant enters into an agreement with such third parties on the terms not less onerous than its obligations under the .netbank Registry Rules.



14. PROTECTION OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS

The .netbank Registry will implement all rights protection measures as required by ICANN in clause 2.8 of the Registry Agreement, including the use of the Uniform Rapid Suspension (URS) procedure, and Uniform Domain Name Dispute Resolution Policy (UDRP).




15. TERM OF REGISTRATION / RENEWAL

INITIAL TERM OF REGISTRATION:

A Domain Name can be registered for a period between one (1) to ten (10) years.


RENEWAL OF REGISTRATION:

(i) The term may be extended at any time for a period between one (1) to ten (10) years, provided that the total aggregate term of the Domain Name does not exceed ten (10) years at any time.

(ii) Upon change of sponsorship of the Domain Name from one Registrar to another, according to Part A of the ICANN Policy on Transfer of Registrations between Registrars, the term of registration of the registered Domain Name will be extended by one year, provided that the maximum term of registration at any time does not exceed ten (10) years.

(iii) The change of sponsorship of the registration of a Domain Name from one Registrar to another, according to Part B of the ICANN Policy on Transfer of Registrations between Registrars, will not result in the extension of the term of registration.



CANCELLATION OF REGISTRATION:

The Registrant may cancel a Domain Name registration at any time by submitting its request in writing to the Registrar.



AUTO-RENEWAL:

Upon expiry of the Domain Name, the .netbank Registry will auto-renew the Domain Name for a one (1) year term unless the Registrant submits its intention not to renew the Domain Name.

The .netbank Registry will implement the business rules for the renewal of Domain Names documented in appendix 7 of the .com Registry Agreement.



16. TRANSFER OF DOMAIN NAMES BETWEEN REGISTRANTS

Any transfer of a Domain Name between Registrants must be approved by the Registry through the Registrar. The legal heirs of the Registrant or purchaser of the Registrant may request the transfer provided that they meet the eligibility criteria for registration under the .netbank TLD. If the Registrant becomes subject to insolvency or any other proceeding, the administrator may request the transfer. The transferee must provide appropriate documentation as required by the .netbank Registry to approve such transfer.



17. CHANGE OF REGISTRAR

If the agreement between the Registry and the Registrar is terminated and if the Registrar has not transferred its Domain Name portfolio to another Registrar, the Registry will notify affected Registrants. The Registrants must select a new Registrar within one (1) month following such notice from the .netbank Registry. If the Registrant fails to appoint a new Registrar within the timeframe set out above, the .netbank Registry may suspend the Domain Name.

If the Registrant wishes to change the Registrar, the Registrant must obtain the auth-info code from the Registrant’s current Registrar, and request a transfer through the gaining Registrar in compliance with ICANN’s Inter-Registrar transfer policy.



18. PRIVACY AND DATA PROTECTION

By registering a Domain Name, the registrant authorises the .netbank Registry to process personal information and other data required for the operation of the .netbank TLD. The .netbank Registry will only use the data for the operation of the .netbank Registry including but not limited to its internal use, communication with the Registrant, and provision of WHOIS look-up facility.

The .netbank Registry may only transfer the data to third parties:

(i) with the Registrant’s consent;

(ii) in order to comply with laws, regulations or orders by a competent public authority and any Alternative Dispute Resolution (ADR) providers; or

(iii) for a publicly available and searchable WHOIS look-up facility, in accordance with specification 4 of the Registry Agreement.




19. WHOIS

The .netbank Registry provides a publicly available and searchable WHOIS look up facility, where information about the Domain Name’s status (including creation and expiry dates), and registrant, administrative and the technical contact administering the Domain Name can be found, in accordance with specification 4 of the Registry Agreement.

In order to prevent misuse of the WHOIS look up facility, the .netbank Registry requires that any person submitting a WHOIS database query will be required to read and agree to the terms and conditions, which will provide that:

(i) the WHOIS database is provided for information purposes only; and

(ii) the user agrees not to use the WHOIS information to allow or enable the transmission of unsolicited commercial advertising or other communication via email or other methods to the Registrants.




20. PRICING / PAYMENT

The .netbank TLD does not charge a separate fee for the Registrar to register domain names, as the TLD is used only for the specified mission and purpose of .netbank TLD. CBA shall bear the cost of operating the .netbank Registry.

The .netbank Registry will provide Registrars with 30 days’ notice of any price change for new registrations, and 180 days advance notice of any price change for renewals in accordance with clause 2.10 of the Registry Agreement.



21. DISPUTE RESOLUTION

The Registrant agrees to be bound by ICANN’s Dispute Resolution Policies in respect of all disputes in connection with the Domain Name.




22. COMPLIANCE WITH CONSENSUS AND TEMPORARY POLICIES

The Registrant agrees to be bound by all applicable consensus and temporary policies as required and mandated by ICANN.



23. DEFINITIONS

Affiliate means in relation to a party any corporation or other business entity controlling, controlled by, or under common control of that party and for the purposes of this definition, a corporation or other business entity shall be deemed to control another corporation or business entity if it owns directly or indirectly:

(i) fifty percent (50%) or more of the voting securities or voting interest in any such corporation or other entity; or

(ii) fifty percent (50%) or more of the interest in the profit or income in the case of a business entity other than a corporation; or

(iii) in the case of a partnership, any other compatible interest equal to at least a fifty percent (50%) share in the general partner.



Domain Name means a domain name registered directly under the .netbank TLD or for which a request or application for registration has been filed with the Registry;


ICANN’s Dispute Policy means the dispute policy currently known as the Uniform Domain Name Dispute Resolution Policy (UDRP) issued and as may be updated from time to time by the Internet Corporation for Assigned Names and Numbers (ICANN) and the Uniform Rapid Suspension (URS) (see Specification 7 of the Registry Agreement).


Registrar means an ICANN accredited registrar which enters into and is in compliance with the registry-registrar agreement for the TLD, and which provides domain name registration services to Registrants;


Registry Agreement means the agreement between CBA and ICANN;


Registry Rules mean:

(i) Registration terms and conditions agreed between the Registry and Registrant for registration of a Domain Name; and

(ii) Registration policies provided and amended by the Registry from time to time.



Registrant means a natural person, company or organisation who holds a Domain Name registration or who has requested or applied for the registration of a Domain Name.


gTLD | Full Legal Name | E-mail suffix
.fun | Oriental Trading Company, Inc. | oriental.com

28.1 ABUSE PREVENTION AND MITIGATION TO BE IMPLEMENTED BY OTC

OTC’s proposed use for .fun should, by its very nature, preclude abusive registrations from occurring, as all domain names may only be registered in the name of OTC and its affiliates (for the purposes of this response, “affiliates” means in relation to a party any corporation or other business entity controlling, controlled by, or under common control of that party and for the purposes of this definition, a corporation or other business entity shall be deemed to control another corporation or business entity if it owns directly or indirectly (i) fifty percent (50%) or more of the voting securities or voting interest in any such corporation or other entity; or (ii) fifty percent (50%) or more of the interest in the profit or income in the case of a business entity other than a corporation; or (iii) in the case of a partnership, any other compatible interest equal to at least a fifty percent (50%) share in the general partner).
OTC is intending to operate .fun for the benefit of Internet users that would like to interact with OTC. There is no incentive for OTC to confuse Internet users, nor otherwise use domain names in bad faith, since OTC’s branded keyword gTLD is inherently intertwined with all uses of .fun domain names.
Notwithstanding the above, OTC understands and agrees that it must comply with the different rights protection mechanisms such as the Uniform Domain Name Dispute Resolution Policy (UDRP) and the Uniform Rapid Suspension System (URS) as described in the gTLD Applicant Guidebook (as may be later amended via Consensus Policy) and the Registry Agreement. The aforementioned policies provide a strong incentive to ensure that relevant and effective checks are in place to ensure that all .fun domain names are only registered and used in an appropriate manner so as to benefit Internet users who would like to interact with OTC, rather than in any manner that may be deemed inappropriate or in bad faith.
OTC will implement a clear written policy which requires the relevant corporate authorization and approvals to be procured and evidenced in order for any .fun domain name to be registered for OTC’s use. In the event that OTC resolves to permit third parties (other than affiliates) that have a relationship with either OTC or its business, to register (or license) and use domain names within the top level domain (TLD), then additional corporate authorizations and approvals may be required to ensure internal responsibility for permitting and enforcing the terms of use of the .fun domain. In addition to these safeguards, all registered domain names in the TLD will be regularly monitored for abusive use.
28.2 .fun ANTI-ABUSE POLICIES

Although domain names will only be registered to OTC and its affiliates, all domain names will be subject to a specific internal registration policy for the .fun domain. The registration policy will set out in writing a methodology for corporate authorization, approval and evidence in order for any domain name to be registered for OTC’s use. This will prohibit any abusive use of a domain name. These policies include not only the required URS, but also the supplemental Anti-Phishing Takedown Process, OTC’s Acceptable Use Policy, and OTC’s strict controls on registration.
28.2.1 DEFINITION OF ABUSE

OTC defines abuse as an action that causes actual and substantial harm, or is a material predicate of such harm, and is illegal, illegitimate, or otherwise contrary to registration policy. Abuse includes, without limitation, the following:
- Content or actions that attempt to defraud members of the public in any way (for example, “phishing” sites);
- Content that is hateful, defamatory, derogatory or bigoted based on racial, ethnic, political grounds or which otherwise may cause or incite injury, damage or harm of any kind to any person or entity;
- Content that is threatening or invades another person’s privacy or property rights or is otherwise in breach of any duty owed to a third party;
- Content or actions that infringe the trademark, copyright, patent rights, trade secret or other intellectual property rights, or any other legal rights of OTC or any third party;
- Content or actions that violate any applicable local, state, national or international law or regulation;
- Content or actions that promote, are involved in or assist in, the conduct of illegal activity of any kind or promote business opportunities or investments that are not permitted under applicable law;
- Content that advertises or offers for sale any goods or services that are unlawful or in breach of any national or international law or regulation; or
- Content or actions associated with the sale or distribution of prescription medication without a valid prescription;
- Content that depicts minors engaged in any activity of a sexual nature or which may otherwise harm minors;
- Activities that mislead or deceive minors into viewing sexually explicit material;
- Spam: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums. An example, for purposes of illustration, would be the use of email in denial-of-service attacks;
- Phishing: The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;
- Pharming: The redirecting of unknowing users to fraudulent sites or services, typically through Domain Name System (DNS) hijacking or poisoning;
- Willful distribution of malware: The dissemination of software designed to infiltrate or damage a computer system without the owner’s informed consent. Examples include, without limitation, computer viruses, worms, keyloggers and trojan horses;
- Botnet command and control: Services run on a domain name that are used to control a collection of illegally compromised computers or “zombies,” or to direct denial-of-service attacks (DDoS attacks); and
- Illegal Access to Other Computers or Networks: Illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individual’s system (often known as “hacking”). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity).
As stated in response to Question 18, OTC’s registration policy will address the minimum requirements mandated by ICANN including rights abuse prevention measures. OTC will implement the following as means of abuse prevention and mitigation:
1. OTC’s draft registration policy ** (See end of document)

2. OTC’s draft procedure for management of trademark infringement claims *** (see end of document)

Any employee found to have violated any of OTC’s policies may be subject to disciplinary action, up to and including termination of employment.
Every OTC employee should be aware that the data they create on the corporate systems, including on any domain name hosted in .fun, remains the property of OTC. For security and network maintenance purposes, authorized individuals within OTC may monitor equipment, systems and network traffic at any time. OTC reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
OTC recognizes that, notwithstanding all of OTC’s internal policies having been meticulously followed by all employees and affiliates, the Internet remains an open and ubiquitous system that provides access and anonymity to participants around the world. This is one of the Internet’s strengths and also a source of difficulty as malicious or criminal perpetrators exploit these characteristics for their own benefit. The frequency of activities such as phishing, pharming, spam and DDoS attacks has increased dramatically on the Internet and there is strong evidence to suggest this will continue.
OTC has resolved to ensure that abusive use of the .fun domain names will not be permitted nor tolerated. The nature of such abuses creates security and stability issues for OTC, as well as for users of the Internet in general, and particularly those who wish to interact with OTC in a secure and reliable manner. The nature of such abuses also inherently creates negative publicity and loss of brand integrity and goodwill and, therefore, any such abuse must be swiftly and effectively addressed, and systems must continue to evolve in accordance with evolving threats.
Strong abuse prevention of a new gTLD is an important benefit to the internet community. OTC and its registry operator and back-end registry services provider, Neustar, agree that a registry must not only aim for the highest standards of technical and operational competence, but also needs to act as a steward of the space on behalf of the Internet community and ICANN in promoting the public interest. Neustar brings extensive experience establishing and implementing registration policies. This experience will be leveraged to help OTC combat abusive and malicious domain activity within the new gTLD space.

More specifically, although traditionally botnets have used Internet Relay Chat (IRC) servers to control the Registry and the compromised PCs, or bots, for DDoS attacks and the theft of personal information, an increasingly popular technique, known as fast-flux DNS, allows botnets to use a multitude of servers to hide a key host or to create a highly-available control network. This ability to shift the attacker’s infrastructure over a multitude of servers in various countries creates an obstacle for law enforcement and security researchers to mitigate the effects of these botnets. A point of weakness in this scheme, however, is its dependence on DNS for its translation services. By taking an active role in researching and monitoring these sorts of botnets, OTC, through its partner, Neustar, has developed the ability to work efficiently with various law enforcement and security communities to begin a new phase of mitigation of these types of threats.
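Because a fast-flux network still has to publish its hosts through DNS, the rotation is visible in resolution data. The following is an added example, not code from OTC or Neustar: it scores constructed passive-DNS observations by the number of distinct addresses, their spread across /16 networks, and median TTL. The thresholds, field layout and domain names are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed passive-DNS sample: (unix_time, queried name, A-record IP, TTL seconds).
# Addresses come from the RFC 5737 documentation ranges.
OBSERVATIONS = [
    (100, "flux-sample.example", "192.0.2.10", 60),
    (400, "flux-sample.example", "198.51.100.7", 60),
    (700, "flux-sample.example", "203.0.113.44", 120),
    (1000, "flux-sample.example", "192.0.2.93", 60),
    (1300, "flux-sample.example", "198.51.100.201", 60),
    (1600, "flux-sample.example", "203.0.113.5", 60),
    # Many addresses but a single network: typical of a load-balanced pool.
    (200, "pool-sample.example", "192.0.2.1", 60),
    (500, "pool-sample.example", "192.0.2.2", 60),
    (800, "pool-sample.example", "192.0.2.3", 60),
    (1100, "pool-sample.example", "192.0.2.4", 60),
    (1400, "pool-sample.example", "192.0.2.5", 60),
    # Stable answer with a long TTL.
    (300, "static-sample.example", "198.51.100.80", 3600),
    (2000, "static-sample.example", "198.51.100.80", 3600),
]

# Assumed thresholds for this sketch; real values need tuning on registry data.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETWORKS = 3
MAX_MEDIAN_TTL = 300


def flux_features(observations, window_start, window_end):
    """Summarise A-record behaviour per domain inside [window_start, window_end)."""
    raw = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for ts, domain, ip, ttl in observations:
        if not (window_start <= ts < window_end):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            continue  # this sketch only scores IPv4 A records
        entry = raw[domain]
        entry["ips"].add(addr)
        # The /16 prefix is a coarse stand-in for "different hosting network".
        entry["nets"].add(ipaddress.ip_network(f"{addr}/16", strict=False))
        entry["ttls"].append(ttl)
    return {
        domain: {
            "ips": len(e["ips"]),
            "networks": len(e["nets"]),
            "median_ttl": median(e["ttls"]),
        }
        for domain, e in raw.items()
    }


def suspected_fast_flux(observations, window_start, window_end):
    """Return domains whose answers rotate across many networks with short TTLs."""
    flagged = []
    for domain, f in flux_features(observations, window_start, window_end).items():
        if (f["ips"] >= MIN_DISTINCT_IPS
                and f["networks"] >= MIN_DISTINCT_NETWORKS
                and f["median_ttl"] <= MAX_MEDIAN_TTL):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspected_fast_flux(OBSERVATIONS, 0, 3600))
```

Requiring network dispersion in addition to address count keeps the load-balanced pool out of the result even though its TTLs are just as short.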

Policies and Procedures to Minimize Abusive Registrations

By its very nature of being a restricted gTLD and one intended to benefit Internet users by ensuring increased trust, convenience and confidence through the elimination of user confusion and OTC authenticity, the .fun gTLD will be a space designed to prevent abuse. As stated in response to Question 18, it is initially intended that the .fun gTLD will only have a limited number of domain names registered and will not be available to the general public.

Registrations at the initial stage will be limited solely to OTC and its affiliated entities. Strict rules will be in place on the use that these entities may make of the domain names and they will have to all live up to the highest of corporate standards that are in place with respect to corporate domain name registrations in general. All domain name registrations shall be subject to immediate take down in the event that those corporate standards are violated.

To the extent that the use of the .fun gTLD expands and evolves, and OTC decides to allow the registration of .fun domain names to unaffiliated entities, OTC recognizes that it must have the policies, resources, personnel, and expertise in place to combat abusive practices such as abusive DNS practices. In fact, OTC selected Neustar as its registry back-end services provider, because it recognizes that Neustar is at the forefront of the prevention of such abusive practices and is one of the few operators of domain name registries to have actually developed and implemented an active “domain takedown” policy.

OTC recognizes that the active abuse prevention policies that must be implemented in connection with the .fun gTLD stem from the notion that Registrants have a reasonable expectation that they are in control of the data associated with their domain names, especially its presence in the DNS zone. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, often the best preventative measure to thwart these attacks is to remove the names completely from the DNS before they can impart harm, not only to the domain name Registrant, but also to millions of unsuspecting Internet users.

Removing the domain name from the zone has the effect of shutting down all activity associated with the domain name, including the use of all websites and e-mail. The use of this technique should not be entered into lightly. OTC has an extensive, defined, and documented process for taking the necessary action of removing a domain from the zone when its presence in the zone poses a threat to the security and stability of the infrastructure of the Internet or the Registry.

Abuse Point of Contact

As required by the Registry Agreement, OTC will establish and publish on its website a single abuse point of contact responsible for addressing inquiries from law enforcement and the public related to malicious and abusive conduct. OTC will also provide such information to ICANN prior to the delegation of any domain names in the TLD. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a telephone number and mailing address for the primary contact. Such information will be kept accurate and up to date and will be provided to ICANN if and when changes are made. In addition, with respect to inquiries from ICANN-Accredited Registrars, OTC’s registry back-end services provider, Neustar, shall have an additional point of contact, as it does today, handling requests by Registrars related to abusive domain name practices.

28.3 Policies Regarding Abuse Complaints

OTC recognizes that one of the key policies each new gTLD registry will need to have is an Acceptable Use Policy that clearly delineates the types of activities that constitute “abuse” and the repercussions associated with an abusive domain name registration. This is especially the case in which domain name registrations will be accepted by unaffiliated entities.

In addition, if OTC allows registrations from unaffiliated entities, these abuse policies will be incorporated into the applicable Registry-Registrar Agreement. Such Agreements will reserve the right for the Registry to take the appropriate actions based on the type of abuse. This will include locking down the domain name preventing any changes to the contact and nameserver information associated with the domain name, placing the domain name “on hold” rendering the domain name non-resolvable, transferring the domain name to another Registrar, and/or in cases in which the domain name is associated with an existing law enforcement investigation, substituting name servers to collect information about the DNS queries to assist the investigation.

OTC will adopt an Acceptable Use Policy that clearly defines the types of activities that will not be permitted in the TLD and reserves the right of OTC to cancel, transfer, or otherwise suspend or take down a domain name that violates the Acceptable Use Policy and allow OTC – where and when appropriate – to share information with law enforcement agencies. Each ICANN-Accredited Registrar must agree to pass through the Acceptable Use Policy to its Reseller(s) (if applicable) and ultimately to the domain name registrant(s) in the TLD.

Below is the proposed initial Acceptable Use Policy for the .fun registry:

“This Acceptable Use Policy gives the Registry the ability to quickly lock, cancel, transfer or take ownership of any domain name registered in the .fun TLD, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity or security of the Registry, or any of its Registrar partners – and/or that may put the safety and security of any Registrant or user at risk. The process also allows the Registry to take preventive measures to avoid any such criminal or security threats.

The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the on-going monitoring of Neustar’s industry leading security monitoring labs. In all cases, OTC through its registry back-end services provider, Neustar, will first alert its Registrar partners about any identified threats, and will work closely with them to bring offending sites into compliance.”

The following are some (but not all) activities that may be subject to rapid domain compliance:
- Phishing: the attempt to acquire personally identifiable information by masquerading as a website other than OTC’s own website.
- Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the hosts file on a victim’s computer or DNS records in DNS servers.
- Dissemination of Malware: the intentional creation and distribution of “malicious” software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.
- Fast Flux Hosting: a technique used to shelter Phishing, Pharming and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP addresses associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.
- Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, or (2) to generate distributed denial of service (DDoS) attacks.
- Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.
- Child Pornography: the storage, publication, display and/or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.

The Registry reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, the Registry reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion: (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Registry as well as its affiliates, subsidiaries, officers, directors, and employees; (4) in accordance with the terms of the Registrant Registration Agreement; or (5) to correct mistakes made by the Registry or any Registrar in connection with a domain name registration. The Registry also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

Coordination with Law Enforcement

With the assistance of Neustar as its back-end registry services provider, OTC shall meet its obligations under Section 2.8 of the Registry Agreement where required to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD. OTC will respond to legitimate law enforcement inquiries within one business day from receiving the request. Such response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by OTC for rapid resolution of the request.

In the event such request involves any of the activities which can be validated by OTC and involves the type of activity set forth in the Acceptable Use Policy, the sponsoring registrar is then given 12 hours to investigate the activity further and either take down the domain name (by placing the domain name on hold or by deleting the domain name in its entirety) or provide a compelling argument to the registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), the Registry will place the domain on “serverHold”.

28.4 Measures for Removal of Orphan Glue Records

As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the “dominant use of orphaned glue supports the correct and ordinary operation of the DNS.” See http://www.icann.org/en/committees/security/sac048.pdf.

While orphan glue records often support a correct and ordinary operation of the DNS, we understand that such glue records can be used maliciously, for instance to point to name servers that host domains used in illegal phishing, bot-nets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its children glue records still remain in the DNS. Therefore, when the Registry has written evidence of actual abuse of orphaned glue records, the Registry will take action to remove those records from the zone to mitigate such malicious conduct.

Neustar runs a daily audit of entries in its DNS systems and compares those with its provisioning system. This serves as an umbrella protection to make sure that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone but not in the provisioning system will be flagged for investigation and removed if necessary. This daily DNS audit serves to not only prevent orphaned hosts but also other records that should not be in the zone.

In addition, if either OTC or Neustar becomes aware of actual abuse on orphaned glue after receiving written notification by a third party through its Abuse Contact or through its customer support, such glue records will be removed from the zone.
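
The daily zone-versus-provisioning audit and the orphan glue condition described in this section can be sketched as follows. This is an added example, not Neustar's or OTC's code; the zone extract, the provisioning export, the function names and the host names under .fun are all constructed assumptions.

```python
# Added illustration: zone audit against provisioning data, plus orphan glue
# detection. Every name, address and record below is constructed sample data.
from collections import defaultdict

# Constructed TLD zone extract, one "owner type rdata" record per line.
# gone.fun. has been deleted (no NS set), but its host records remain.
ZONE_TEXT = """
shop.fun.        NS    ns1.shop.fun.
shop.fun.        NS    ns2.hoster.example.
ns1.shop.fun.    A     192.0.2.10
toys.fun.        NS    ns1.gone.fun.
ns1.gone.fun.    A     192.0.2.66       ; glue still used by toys.fun.
ns2.gone.fun.    AAAA  2001:db8::66     ; glue used by nothing
stray.fun.       NS    ns.unknown.example.
"""

# Constructed export of what the provisioning system says should be published.
PROVISIONED = {
    ("shop.fun.", "NS", "ns1.shop.fun."),
    ("shop.fun.", "NS", "ns2.hoster.example."),
    ("ns1.shop.fun.", "A", "192.0.2.10"),
    ("toys.fun.", "NS", "ns1.gone.fun."),
    ("ns1.gone.fun.", "A", "192.0.2.66"),
}


def parse_zone(text):
    """Parse the simplified zone extract into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records


def registered_domain(name, tld):
    """Return the second-level name under tld that contains name, or None."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    return ".".join(labels[-2:]) + "."


def audit_zone(records, provisioned):
    """Records published in the zone that provisioning does not know about."""
    return sorted(r for r in records if r not in provisioned)


def find_orphan_glue(records, tld):
    """Address records whose parent domain no longer has a delegation.

    Each result lists the delegations that still point at the host, so a
    reviewer can tell glue that keeps other domains resolving from glue
    that serves nothing.
    """
    delegated = {owner for owner, rtype, _ in records if rtype == "NS"}
    referenced_by = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "NS":
            referenced_by[rdata].add(owner)

    orphans = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        parent = registered_domain(owner, tld)
        if parent is not None and parent not in delegated:
            orphans.append({
                "owner": owner,
                "type": rtype,
                "address": rdata,
                "parent": parent,
                "referenced_by": sorted(referenced_by.get(owner, ())),
            })
    return sorted(orphans, key=lambda o: o["owner"])


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print("In zone but not in provisioning:")
    for rec in audit_zone(zone, PROVISIONED):
        print("  ", *rec)
    print("Orphan glue:")
    for o in find_orphan_glue(zone, "fun"):
        users = ", ".join(o["referenced_by"]) or "no delegation"
        print(f"   {o['owner']} {o['type']} {o['address']} (used by: {users})")
```

In this sample, ns1.gone.fun. is orphan glue that still serves toys.fun., the case SSAC describes as supporting ordinary DNS operation, while ns2.gone.fun. is both orphaned and absent from provisioning, so the audit flags it for investigation.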

28.5 Measures to Promote WHOIS Accuracy

As the .fun gTLD will only be available to affiliate entities of OTC, initially, the WHOIS database should be by its very nature accurate. The only data in the WHOIS database for these initial registrations will be that of OTC and its affiliated entities. There will be little or no personal information in that database and the data will be that of the businesses themselves. Contact information for OTC and its affiliates is already widely known and there is no incentive, unlike in other gTLDs, for the provision of false or inaccurate WHOIS data.

To the extent that OTC decides subsequently to open up .fun gTLD to unaffiliated entities, maintaining an accurate, reliable and up-to-date WHOIS database will be of paramount concern. OTC will provide a publicly available and searchable WHOIS look up facility, where information about the domain name status, registrant information including administrative and technical contact details can be found in accordance with Specification 4 of the Registry Agreement. In order to prevent misuse of the WHOIS look up facility, OTC will utilize measures including a requirement where any person submitting a WHOIS database query is required to read and agree to the terms and conditions in accordance with the registration policy. This will include the terms of use that the WHOIS database is provided for information purposes only and that the user agrees not to use the information for any other purposes such as allowing or enabling the transmission of unsolicited commercial advertising or other communication.

OTC acknowledges that ICANN has developed a number of mechanisms over the past decade that are intended to address the issue of inaccurate WHOIS information. Such measures alone have not proven to be sufficient and OTC will offer a mechanism whereby third parties can submit complaints about inaccurate WHOIS data directly to OTC (as opposed to ICANN or the sponsoring Registrar). Such information shall be forwarded to the sponsoring Registrar, who shall be required to address those complaints with their Registrants. Thirty days after forwarding the complaint to the Registrar, OTC will examine the current WHOIS data for names that were alleged to be inaccurate to determine if the information was corrected, the domain name was deleted, or there was some other disposition. If the Registrar has failed to take any action, or it is clear that the Registrant was either unwilling or unable to correct the inaccuracies, OTC reserves the right to suspend the applicable domain name(s) until such time as the Registrant is able to cure the deficiencies.

28.5.1 Authentication of Registrant Information

Initially, OTC will only allow domain name registrations from its own corporate entity and from other affiliated entities which it has authenticated. All information will be verified by OTC as complete and accurate at the time of registration.

28.5.2 Monitoring of Registration Data

As a restricted gTLD, initially, OTC will ensure that all registration data is kept accurate, reliable and up-to-date. To the extent that OTC subsequently allows registrations by unaffiliated third parties, OTC commits to conduct regular audits to monitor registration data for accuracy and completeness, and establish policies and procedures to address domain names with inaccurate or incomplete WHOIS data.

28.6 Resourcing Plans

Ordinarily, for an unrestricted gTLD, responsibility for abuse mitigation would rest with a variety of functional groups that would be tasked with providing analysis and conducting investigations of reports of abuse. Given that the .fun gTLD will be restricted for the internal use of OTC and its affiliated entities, the resource needs will be limited. That said, OTC has outsourced its domain name registry functions to Neustar, who has an extensive team of engineering, support, product and legal personnel that can handle any complaints received on malicious or abusive conduct.

The necessary resources will be pulled from the pool of available resources described in detail in the response to Question 31 as needed. The following resources are available from these teams:
- customer support – 12 employees;
- policy / legal – 2 employees.

In our view, these resources are more than adequate to support the abuse mitigation procedures of the .fun Registry.


CONCLUSION
The approach outlined in this answer clearly shows that the risk of abuse in the .fun TLD has been extensively mitigated and as a direct result is very low. OTC is committed to ensuring that abuse will not be tolerated. The proposed policies and methods for addressing any abuse exceed the standard outlined in the gTLD Applicant Guidebook and are more than commensurate with the risks identified. OTC is, therefore, entitled to a score of two points for its response to Question 28.

** OTC’S DRAFT REGISTRATION POLICY
1. DOMAIN NAME LICENSES
Upon registration of a Domain Name, the Registrant holds a license to use the Domain Name for a specified period of time in accordance with the Registry Rules. Domain Names may be registered and renewed for 1, 2, 3, 4, 5, 6, 7, 8, 9 or 10 years.

2. SELECTION OF REGISTRARS
Registrars eligible to register domain names must meet the following non-discriminatory criteria (in compliance with clause 2.9 (a) of the Registry Agreement):
(i) be an accredited ICANN Registrar;
(ii) demonstrate a level of understanding of the Domain Name registration policies of the Registry;
(iii) have experience of managing the Domain Names of major corporations;
(iv) have proven tools for domain name portfolio management;
(v) have business processes to perform automated validation (and any additional human checks as required by the Registry) of the eligibility of the domain name for registration according to the Domain Name policies of OTC;
(vi) demonstrate a sufficient level of security to protect against unauthorized access to the Domain Name records;
(vii) demonstrate experience and have appropriate resources in managing abuse prevention, mitigation and responses;
(viii) provide multi-language support for the registration of IDNs;
(ix) comply with any re-validation of its Registry-Registrar agreement at such regular intervals as are determined by the Registry or as required by ICANN from time to time;
(x) meet applicable technical requirements of OTC; and
(xi) comply with all conditions, dependencies, policies and other requirements reasonably imposed by OTC, including maintenance of suitable systems and applications that are capable of interacting with the Registry system.

3. ELIGIBLE REGISTRANTS
The Registrant must be:
(i) an Affiliate entity of OTC; or
(ii) an organization explicitly authorized by OTC; or
(iii) a natural person explicitly authorized by OTC.
If the Registrant does not meet one of the above eligibility criteria, there is no entitlement to register a Domain Name under the .fun gTLD. If the Registrant ceases to be eligible at any time in the future, the Registry may cancel or suspend the license to use the Domain Name immediately.

4. REGISTRY APPROVAL REQUIREMENT
Registration of Domain Names under the .fun gTLD must be approved by OTC in addition to meeting all requirements under the Registry Rules. OTC’s approval for a complete and validly submitted application will be authorized by:
(i) Sr. Enterprise Architect - Information Technology Department (“Authorization Provider”); or
(ii) an authorized person as nominated by OTC (“Authorized Person”) and notified to the Registrar from time to time.
The Authorization Provider will notify the Registrar of its decision.

5. REQUIRED CRITERIA FOR DOMAIN NAME REGISTRATION
An application for Domain Name registration must meet all the following criteria:
(i) availability;
a. the Domain Name is not already registered;
b. it is not reserved or blocked by the Registry; or
c. it meets all Registry’s technical requirements.
(ii) technical requirements;
a. a maximum of 63 characters (after its conversion into the ASCII for IDNs);
b. use of characters selected from the list of supported characters as nominated by the Registry; and
c. any additional technical requirements as required by the Registry from time to time.
(iii) the Domain Name must be consistent with the mission and purposes of the gTLD and consistent with the Domain Name registration policy of OTC, and include but not be limited to:
a. product name;
b. service name;
c. marketing term;
d. geographic identifier; or
e. any relevant name or term as approved by Authorization Provider or Authorized Person.
(iv) compliance with all requirements under the Registry Rules: the Registrant must comply with all provisions contained in the Registry Rules.

6. OBLIGATION OF REGISTRANTS
The Registrant must enter into an agreement with the Registrar for Domain Name registration under which the Registrant will be bound by the Registry Rules specified through the Registry-Registrar agreement as amended by the Registry from time to time.

The Registrant must also agree to be bound by the minimum requirements in clause 3.7.7 of ICANN’s Registrar accreditation agreement.

The Registrant must represent and warrant that:
(i) it meets, and will continue to meet, the eligibility criteria at all times and must notify the Registrar if it ceases to meet such criteria;
(ii) the registration, renewal and use of the Domain Name does not violate any third party intellectual property rights, applicable laws or regulation;
(iii) it is entitled to register the Domain Name;
(iv) the registration and use of the Domain Name is made in good faith and for a lawful purpose;
(v) if the use of registered Domain Name is licensed to a third party,
a. the Registrant must have a licensing agreement with the licensee for the use of the Domain Name that is not less onerous than the obligation of the Registrant contained in the Registry Rules; and
b. where there is a breach of any provisions contained in the Registry Rules by the licensee of the Domain Name, Registry may revoke the Domain Name at its sole discretion.
(vi) it owns or otherwise has the right to provide all registration data (including personal information) for each Domain Name registered and provision of such registrant data complies with all applicable data protection laws and regulations; and
(vii) it has appropriate consent and licenses to allow for publication of registration data in the WHOIS database.

7. REGISTRANT CONTACT INFORMATION
The Registrant must provide complete and accurate contact information of the Registrant (in accordance with clause 3.7.7.1 of ICANN’s Registrar accreditation agreement), including but not limited to the following:
(i) if the Registrant is a company or organization:
a. name of a company or organization;
b. registered office and principal place of business; and
c. contact details of the Registrant including e-mail address and telephone number;
(ii) if the Registrant is a natural person:
a. full name of the Registrant;
b. address of the Registrant; and
c. contact details of the Registrant including e-mail address and telephone number.

All Registrant contact information must be complete and accurate. Any changes to such Registrant information must be promptly notified to the Registrar, and no later than one (1) month of such change.

8. REVOCATION OF DOMAIN NAMES
The Registrant acknowledges that the Registry may revoke a Domain Name immediately at its sole discretion:
(i) in the event the Registrant breaches any Registry Rules;
(ii) to comply with applicable law, court order, government rule or under any dispute resolution processes;
(iii) where such Domain Name is used for any of the following prohibited activities (Prohibited Activities):
a. spamming;
b. intellectual property and privacy violations;
c. obscene speech or materials;
d. defamatory or abusive language;
e. forging headers, return addresses and internet protocol addresses;
f. illegal or unauthorized access to other computers or networks;
g. distribution of internet viruses, worms, Trojan horses or other destructive activities; and
h. any other illegal or prohibited activities as determined by the Registry.
(iv) in order to protect the integrity and stability of the domain name system and the Registry;
(v) where such Domain Name is placed under reserved names list at any time; and
(vi) where Registrant fails to make payment to the Registrar for registration, renewal or any other relevant services.

9. USE OF SECOND OR THIRD LEVEL IDNS
In addition to meeting all required criteria for registration of domain names above, an application for an IDN Domain Name must:
(i) comply with any additional registration policy on IDNs for each language;
(ii) meet all technical requirements for the applicable IDN;
(iii) comply with the IDN tables used by the Registry as amended from time to time; and
(iv) meet any other additional technical requirements as required by the Registry.

10. USE OF GEOGRAPHIC NAMES
All two-character labels and country and territory names will be initially reserved in accordance with specification 5 of the Registry Agreement.
Upon approval from ICANN and any other guidelines by applicable governments and ICANN’s Governmental Advisory Committee, the Registry may release the two-character labels and country and territory names in accordance with OTC’s response to Question 22 Geographic Names.

11. RESERVED NAMES
The Registry may place certain names in its reserved list from time to time where:
(i) the Registry believes in its sole discretion that use of such names may pose a risk to the operational stability or integrity of the Registry;
(ii) in accordance with ICANN’s specifications contained in the Registry Agreement, guidelines or recommendations;
(iii) there is a risk of trademark infringement or where the name otherwise may cause confusion taking into consideration the mission and purpose of the gTLD; or
(iv) the Registry in its sole discretion decides certain names to be reserved for any reason.


12. ALLOCATION OF DOMAIN NAME
The Registry will register Domain Names on a first-come, first-served basis in accordance with the Registry Rules. The Registry does not provide pre-registration or reservation of Domain Names.

13. LIMITATION ON REGISTRATION / DOMAIN NAME LICENSES
There is no restriction on the number of Domain Names any Registrant may hold. The Registrant may further license the use of the Domain Name to any third parties provided that the Registrant enters into an agreement with such third parties on the terms not less onerous than its obligations under the Registry Rules.

14. PROTECTION OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS
The Registry will implement all rights protection measures as required by ICANN in clause 2.8 of the Registry Agreement, including the use of the Uniform Rapid Suspension (URS) procedure, and Uniform Domain Name Dispute Resolution Policy (UDRP).

15. TERM OF REGISTRATION / RENEWAL
Initial term of registration:
A Domain Name can be registered for a period between one (1) to ten (10) years.

Renewal of registration:
(i) The term may be extended at any time for a period between one (1) to ten (10) years, provided that the total aggregate term of the Domain Name does not exceed ten (10) years at any time.
(ii) Upon change of sponsorship of the Domain Name from one Registrar to another, according to Part A of the ICANN Policy on Transfer of Registrations between Registrars, the term of registration of the registered Domain Name will be extended by one year, provided that the maximum term of registration at any time does not exceed ten (10) years.
(iii) The change of sponsorship of the registration of a Domain Name from one Registrar to another, according to Part B of the ICANN Policy on Transfer of Registrations between Registrars, will not result in the extension of the term of registration.

Cancellation of registration:
The Registrant may cancel a Domain Name registration at any time by submitting its request in writing with the Registrar.

Auto-renewal:
Upon expiry of the Domain Name, the Registry will auto-renew the Domain Name for a one (1) year term unless the Registrant submits its intention not to renew the Domain Name.

The Registry will implement the business rules for the renewal of Domain Names documented in appendix 7 of the .com Registry Agreement.

16. TRANSFER OF DOMAIN NAMES BETWEEN REGISTRANTS
Any transfer of a Domain Name between Registrants must be approved by the Registry through the Registrar. The legal heirs of the Registrant or purchaser of the Registrant may request the transfer provided that they meet the eligibility criteria for registration under the .fun gTLD. If the Registrant becomes subject to insolvency or any other proceeding, the administrator may request the transfer. The transferee must provide appropriate documentation as required by the Registry to approve such transfer.

17. CHANGE OF REGISTRAR
If the agreement between the Registry and the Registrar is terminated and if the Registrar has not transferred its Domain Name portfolio to another Registrar, the Registry will notify affected Registrants. The Registrants must select a new Registrar within one (1) month following such notice from the Registry. If the Registrant fails to appoint a new Registrar within the timeframe set out above, the Registry may suspend the Domain Name.

If the Registrant wishes to change the Registrar, the Registrant must obtain the auth-info code from the Registrant’s current Registrar, and request a transfer through the gaining Registrar in compliance with ICANN’s Inter-Registrar transfer policy.

18. PRIVACY AND DATA PROTECTION
By registering a Domain Name, the registrant authorizes the Registry to process personal information and other data required for the operation of the .fun gTLD. The Registry will only use the data for the operation of the Registry including but not limited to its internal use, communication with the Registrant, and provision of WHOIS look-up facility.

The Registry may only transfer the data to third parties:
(i) with the Registrant’s consent;
(ii) in order to comply with laws, regulations or orders by a competent public authority and any Alternative Dispute Resolution (ADR) providers; or
(iii) for a publicly available and searchable WHOIS look-up facility, in accordance with specification 4 of the Registry Agreement.

19. WHOIS
The Registry provides a publicly available and searchable WHOIS look up facility, where information about the Domain Name’s status (including creation and expiry dates), and registrant, administrative and the technical contact administering the Domain Name can be found, in accordance with specification 4 of the Registry Agreement.

In order to prevent misuse of the WHOIS look up facility, the Registry requires that any person submitting a WHOIS database query will be required to read and agree to the terms and conditions, which will provide that:
(i) the WHOIS database is provided for information purposes only; and
(ii) the user agrees not to use the WHOIS information to allow or enable the transmission of unsolicited commercial advertising or other communication via email or other methods to the Registrants.

20. PRICING / PAYMENT

The new gTLD does not charge a separate fee for the Registrar to register domain names, as the gTLD is used only for the specified mission and purpose of OTC. OTC shall bear the cost of operating the Registry.

The Registry will provide Registrars with 30 days’ notice of any price change for new registrations, and 180 days’ advance notice of any price change for renewals in accordance with clause 2.10 of the Registry Agreement.

21. DISPUTE RESOLUTION
The Registrant agrees to be bound by ICANN’s Dispute Resolution Policies in respect of all disputes in connection with the Domain Name.

22. COMPLIANCE WITH CONSENSUS AND TEMPORARY POLICIES
The Registrant agrees to be bound by all applicable consensus and temporary policies as required and mandated by ICANN.

23. DEFINITIONS
Affiliate means in relation to a party any corporation or other business entity controlling, controlled by, or under common control of that party and for the purposes of this definition, a corporation or other business entity shall be deemed to control another corporation or business entity if it owns directly or indirectly:
(i) fifty percent (50%) or more of the voting securities or voting interest in any such corporation or other entity; or
(ii) fifty percent (50%) or more of the interest in the profit or income in the case of a business entity other than a corporation; or
(iii) in the case of a partnership, any other compatible interest equal to at least a fifty percent (50%) share in the general partner.

Domain Name means a domain name registered directly under the .fun gTLD or for which a request or application for registration has been filed with the Registry;
ICANN’s Dispute Policy means the dispute policy currently known as the Uniform Domain Name Dispute Resolution Policy (UDRP) issued and as may be updated from time to time by the Internet Corporation for Assigned Names and Numbers (ICANN) and the Uniform Rapid Suspension (URS) (see Specification 7 of the Registry Agreement).
Registrar means an ICANN accredited registrar which enters into and is in compliance with the registry-registrar agreement for the TLD, and which provides domain name registration services to Registrants;
Registry means Oriental Trading Company Inc. (OTC);
Registry Agreement means the agreement between OTC and ICANN;
Registry Rules mean:
(i) Registration terms and conditions agreed between the Registry and Registrant for registration of a Domain Name; and
(ii) Registration policies provided and amended by the Registry from time to time.

Registrant means a natural person, company or organization who holds a Domain Name registration or who has requested or applied for the registration of a Domain Name.


***

DRAFT PROCEDURE FOR MANAGEMENT OF TRADEMARK INFRINGEMENT CLAIMS:

It is almost impossible to devise a standard response/process for all claims made of trademark infringement, as the seemingly small individual differences between each complaint and between each domain name registration make the course of action potentially different in each case. This draft procedure is a guide to the general approach required, but thought should be given to the appropriateness of any action in each case, with assistance from the designated senior manager where appropriate.
(a) DOMAIN NAME ITSELF IS CLAIMED TO BE AN INFRINGEMENT OF A PARTY’S TRADEMARK RIGHTS:
i. ACTIONS
- Determine if the name is being used for any “visible” fraudulent activity such as phishing. If so, follow the phishing process.
- If no fraudulent content, send “invalid whois” notice to the registrant of the domain name

ii. FORMULATING A RESPONSE TO COMPLAINANT
- It is outside of a registrar’s scope to determine if a domain name infringes a party’s rights
- Cannot transfer or delete a domain name based on complaint alone – will need to be issued with copies of relevant court orders or other appropriate documentation
- Outline invalid whois process and inform complainant that a notice has already been sent to the registrant in respect of this
- If applicable, inform the complainant that the complaint has also been forwarded to the reseller who may be able to take action.
- Suggest Uniform Dispute Resolution Policy action

(b) WEBSITE LOCATED AT THE DOMAIN NAME CONTAINS LOGOS OR TEXT WHICH ARE CLAIMED TO INFRINGE ANOTHER PARTY’S RIGHTS:
i. ACTIONS (WHERE THE REGISTRAR IS NOT THE HOST)
- Determine if the name is being used for any “visible” fraudulent activity such as phishing. If so, follow the phishing process.
- If no fraudulent content, send “invalid whois” notice to the registrant of the domain name

ii. FORMULATING A RESPONSE TO COMPLAINANT (WHERE REGISTRAR IS NOT THE HOST):
- Inform complainant that the Registrar is not hosting the content, and therefore has no ability to access, modify or delete the content.
- Outline who the host is, and, if able to determine, steps to contact them.
- Outline invalid whois process and inform complainant that a notice has already been sent to the registrant in respect of this (use prepared template)
- If applicable, inform the complainant that the complaint has also been forwarded to the relevant third party Registrar

iii. WHERE REGISTRAR IS THE HOST:
- Review, formulate a proposed course of action based on the circumstances and applicable policies,
- Discuss proposed course of action with designated senior manager and base response to complainant around this.