How .icu Handles Abusive Domain Names
When we initially launched .icu in May of 2018, it was a brand new domain extension. We acquired it from the registry that had originally applied for .icu in ICANN’s first round of new domain extensions, and there was one domain in the zone, nic.icu. One year later, we have grown to over 800k domains under management, 295k of which have SSL certificates installed and nearly 100k of which have MX records attached. Any registry knows that while an extension has some great use cases, there are also bad actors doing malicious things on the internet, and they need domains to do that. Nearly every extension has had its fair share of abusive domains, and .icu is no stranger. We have a zero tolerance policy towards abuse, and while that does work, the challenge is often in identifying the issue. It is similar to playing a game of ‘Whack-a-Mole’: when you discover a potentially problematic domain and take action, a few others pop up in its place. Our goal is to take a proactive approach to identifying potential or actual abuse and to take corrective measures quickly and accurately.
A few important things to know about abusive domains:
- Technically speaking, the registrar has the relationship and the agreement with the registrant. While the .icu registry does ultimately control a domain and has the final decision to suspend it, it is standard practice for the registry to refer any complaint to the registrar to give them a chance to reach out to the registrant and remedy the situation.
- Not all names flagged as abusive are abusive. Recently we had a case where someone registered a .icu domain, we flagged it as potentially abusive and subsequently suspended it for sending a large number of emails that appeared to be spam. The registrant reached out to .icu and the registrar to let us know that they had a legitimate business and had misconfigured their mail server settings, which caused the issue. This case was a great example of a false positive. The name was promptly restored once the situation was explained and the incorrect settings were changed.
- Not all reporting services are the same. There are quite a few publicly available tools that can be used to check a domain for malware, phishing, spam, etc. We have found that not all of these services are created equal, and not all are as accurate as they seem to be. This tends to create some confusion when people report issues, and when the registry or registrar verifies them. We have found that using a combination of services, checks, and other tools, along with a set of human eyes, is the best way to be accurate.
What is abuse?
Generally speaking, any time a domain is sending spam emails, impersonating another site to get your login info, trying to spread malware or doing anything similar, it is considered abuse. It is sometimes tricky, however, because as the registry we try not to get into the realm of being ‘content police.’ This means that when a website “looks” like it is doing something nefarious, it could be entirely within reason. A great example of this is adult sites. Child pornography is very clearly a violation of international law and of our terms and conditions, so that is pretty clear cut, but when it comes to legal sexual activities, it is difficult to penalize one site over another, because they are all catering to an audience and we aren’t here to get into details like that. The main takeaway here is that when a name contains content or is involved in activities that we determine violate our terms and conditions, we will first refer the domain to the registrar where it is registered, giving the registrar time to reach the registrant and try to remedy the situation; if that does not fix the issue, we may suspend the domain. When a domain is suspended, it is not deleted from the zone. It is put on a server hold so that none of the registrant’s DNS information can resolve. If they reach out to either the registrar or the registry notifying us that the issue has been resolved, we will investigate and could reactivate the domain.
How does .icu handle abuse?
The .icu Abuse Tool is actively patrolling the streets of the .icu namespace. While I’m not going to give any specifics (it is a secret recipe), I can tell you that it is designed to be semi-automated, continually scans the zone and uses a tiered escalation system to reduce false positives. Every domain in the .icu zone is examined on a schedule that our machine learning determines is necessary. Once a domain is determined to be safe, its next scan may be delayed to save computing resources and API calls. If a domain is thought to be risky, it may move up the ladder for more intense scanning, and once we determine that a name is genuinely violating our terms and conditions, we follow the usual process of notifying the registrar, giving them time to work with the registrant and then taking action if we are not satisfied with the outcome.
What you should know:
- If you are receiving spam from a .icu domain, or come across a phishing site or other potentially malicious .icu domain, report it to us by visiting www.nic.icu/reportabuse. We monitor these messages continuously, and that page feeds directly into our abuse tool, so even if we don’t get to a report for a few hours, our system picks up what is submitted there and escalates the domain to a higher priority so that we can get it on our radar quickly.
- When folks report abusive domains, they often expect an instant response, or that the domain will be instantly suspended. I can tell you with certainty that outside of legal notice from a law enforcement agency, or us being able to very clearly determine, at our sole discretion, that a domain is in violation, we will not be making any instant decisions. An example here would be child pornography. Some services can quickly identify whether or not the content is illegal, some organizations that protect the rights of children work to notify registries, and if we receive a report of child pornography on a .icu domain, we take it very seriously and will likely take swift and decisive action.
- When we receive a report from the general public, we will always handle it appropriately, but we may not communicate with the person who sent in the report. This could be because of privacy laws, time and resource constraints, or many other reasons. However, it is essential to know that all reports are taken seriously and handled appropriately.
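To make the tiered escalation described under “How does .icu handle abuse?” and the report-driven priority bump in the first point above concrete, here is an added illustration in Python. It is not the .icu Abuse Tool (whose internals the post deliberately does not disclose); the tier count, scan intervals, thresholds and domain names are constructed assumptions, and `serverHold` is the standard EPP status used here to stand in for the server hold the post mentions.

```python
from dataclasses import dataclass

MAX_TIER = 3                                   # tier 3 = refer to the registrar
SCAN_INTERVAL_HOURS = {0: 72, 1: 24, 2: 4, 3: 0}   # assumed; tighter as tier rises
HITS_TO_ESCALATE = 2                           # risky scans needed to move up a tier
CLEAN_RUNS_TO_RELAX = 2                        # clean scans needed to move down a tier
MAX_BACKOFF_HOURS = 24 * 14                    # longest a quiet name is left unscanned

@dataclass
class DomainState:
    name: str
    tier: int = 0
    next_scan_hours: int = 0                   # delay before the next scan is due
    risky_hits: int = 0
    clean_runs: int = 0
    status: str = "ok"                         # "ok" | "referred" | "serverHold"

def record_scan(d: DomainState, checks: dict) -> None:
    # `checks` maps a check name (blocklist, mail volume, ...) to True when it flagged risk.
    if d.status == "serverHold":
        return                                 # suspended names are not rescanned
    if any(checks.values()):
        d.clean_runs, d.risky_hits = 0, d.risky_hits + 1
        if d.risky_hits >= HITS_TO_ESCALATE and d.tier < MAX_TIER:
            d.tier, d.risky_hits = d.tier + 1, 0   # one hit alone never escalates
        d.next_scan_hours = SCAN_INTERVAL_HOURS[min(d.tier + 1, MAX_TIER)]  # recheck soon
    else:
        d.risky_hits, d.clean_runs = 0, d.clean_runs + 1
        if d.clean_runs >= CLEAN_RUNS_TO_RELAX and d.tier > 0:
            d.tier, d.clean_runs = d.tier - 1, 0
        # Every clean run backs the schedule off further, saving scans and API calls.
        d.next_scan_hours = min(SCAN_INTERVAL_HOURS[d.tier] * (d.clean_runs + 1),
                                MAX_BACKOFF_HOURS)
    if d.tier == MAX_TIER and d.status == "ok":
        d.status = "referred"                  # registrar gets first chance to remedy

def receive_report(d: DomainState) -> None:
    # A public abuse report puts the name on the radar: higher tier, scan right away.
    if d.status == "ok":
        d.tier, d.next_scan_hours = max(d.tier, 1), 0

def registrar_outcome(d: DomainState, remedied: bool) -> None:
    # After the registrar has had time with the registrant: relax or suspend.
    if remedied:
        d.status, d.tier, d.clean_runs = "ok", 1, 0    # keep a closer watch for a while
    else:
        d.status = "serverHold"                # stays registered; its DNS stops resolving
```

The false-positive case from the post (a misconfigured mail server) maps onto `registrar_outcome(d, remedied=True)`: the name returns to service but stays one tier above routine until it has scanned clean again.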
In closing, .icu is a domain extension like all of the rest. We have tons of great domains under management, and with a high volume of registrations comes a small amount of abuse. We aren’t here to judge the content on a domain unless it is illegal, to speculate on why someone would register a particular string and what they could do with it, or to make any other qualitative assumptions about the usage of a domain. We are here to maintain a healthy and growing namespace for .icu and to take necessary action when appropriate.