28 Abuse Prevention and Mitigation

Prototypical answer:

gTLD: .MTR
Full Legal Name: MTR Corporation Limited
E-mail suffix: hkirc.hk

Abuse of a domain name includes abusive registration and abusive use of the domain name. Abusive registration may result in the domain name being used in bad faith or even maliciously. Although a high percentage of domain names used for malicious purposes were registered by abusive means, we also understand that many domain names put to abusive use were registered normally by legitimate registrants. The policy and procedure we have formulated encompass both scenarios. The following is provided despite the fact that this is a brand TLD for internal use by the MTR only.

Our plan will include the procedure and policies, as below, to minimise the possibilities of abusive registration and any other activities that have a negative impact on Internet users:

Procedure for handling reports on abusive use of domain names
When the registrar receives a report of abuse, the registrar shall liaise with HKCERT (Hong Kong Computer Emergency Response Team) or law enforcement agencies (depending on its nature) to confirm whether the report is valid. If it is valid, the registrar shall send a notification of immediate suspension to the domain name holder (Annex A in Attachment 1). The registrar shall suspend the domain in the zone. The registry operator shall remove its orphan glue records. This procedure shall be checked by at least 2 staff from different departments in the registrar and registry operator. This is to minimise the possibility of wrongly taking down a domain name.

Document is required for domain name application – at the time the applicant applies for a domain name, the applicant shall provide a document that can prove eligibility, for vetting. The domain name registration will be accepted only if the vetting result satisfies the registrar. This document vetting requirement will be stated in the Registry-Registrar agreement. Manpower shall be arranged to vet the document before the domain registration is activated. This can also help to enhance WHOIS accuracy.

Domain name pattern warning – if the domain name applied for contains a pattern in the string that may connote that the registrant has authority from the local government, or the pattern contains the words ‘bank’, ‘insurance’ etc., we would either send the request to the government to verify the application, or require the applicant to provide a consent letter issued by the relevant authority to prove that the applicant is authorised to use the specific pattern of domain name.

Random verification of domain name registration – random verification is conducted periodically. If the registrant is a company, we will check the government or company record to see whether the applicant is still live and solvent. If it is not, we will inform the registrant of the deletion of the domain name. For any outdated information, e.g. a change of company name, the registrar shall confirm with the registrant and update the WHOIS information. If it is found that the registrant no longer exists, the domain name shall be recovered by the registrar. This is also a measure to enhance WHOIS accuracy.

Periodic reminder for WHOIS accuracy
The registrar shall periodically send reminders to all registrants to update their WHOIS record if there are changes. This is a measure to promote WHOIS accuracy.

Recognition of “trustworthy” registrar – the registry will conduct an audit check by picking samples every quarter. Registrars are awarded the recognition of “Trustworthy Registrar” if they have done well on abuse prevention and mitigation. The recognition may include having a trusted logo on their website etc.

Rapid suspension of domain name if its use is illegal – in the registration policies, to which the registrar has to obtain the registrant’s agreement and acceptance, we will state clearly that the registrar shall monitor the status of registered domain names and shall, on its own initiative or on receipt of any complaint, conduct checks and verify whether any domain name is being used for phishing, spam advertising or any other unlawful or illegitimate purpose. The registrar shall delete or suspend a domain name if so directed by the registry, upon the registry’s request, or upon receipt of any notice from any government or law enforcement authority (including without limitation the HKSAR Police Force, or the Office of Telecommunications Authority) that the use of the domain name or the website referenced by the domain name is in breach of any laws, directives, guidelines, codes of practice or regulations issued by such local authorities, or is used for or in connection with illegal activities. The registrar or the registry has the right to suspend and delete the domain name immediately. The registry operator shall also remove the orphan glue records. The letter in Annex A in Attachment 1 will be sent to the domain name holder right before the action, informing the holder of the immediate deletion of the domain name registration.

Provide a contact point to report abuse cases – a contact point (including a dedicated email address and a phone number) is provided for the reporting of abuse cases. This contact information will also be indicated on the websites of the registrars and registry. The searchable WHOIS information also contains registrar contact information. A service pledge of responding to the report within a specific time, e.g. one working day, will also be set up. If the registrar has resellers, the registrar shall also require each reseller to provide a single abuse report contact point and publish this contact information on its website for abuse matters related to this new gTLD.

Set up specific contact channel with CERT and law enforcement agencies – a special contact channel is set up. When a report of abuse is received that the registrar / registry may not be able to identify, the case will be sent to CERT or a law enforcement agency for investigation. When the investigation result has been received from the law enforcement agency, which also requests the registrar / registry to cancel the domain name registration, the registrar / registry shall do so within one day. In case the registrar has not taken action to suspend / delete the domain name, the registry shall have the right to suspend / delete the domain name.

Cooperate with the industry to combat abuse – registrars and registry shall share information on abusive cases, in a way that does not breach any laws, with independent, non-commercial associations, e.g. CERT or the Anti-Phishing Working Group. This would help the industry identify abusive cases easily and in a timely manner.

Requiring unique point of contact for requesting and approving requests – besides online requests authenticated by password, any request made offline shall come from a dedicated person and be confirmed by that dedicated person too. This arrangement applies to some critical transactions such as update of domain name information and name server, transfer of domain name holding right, transfer of registrar and deletion of domain name.

Password Management – a password is needed for the registrant to log in to manage the domain name.
a) Reminders will be sent out periodically to the registrants reminding them to change their password periodically.
b) Password setting shall be strong. The password shall contain upper- and lower-case English letters, Arabic numerals and punctuation marks.
c) When there are 5 incorrect login attempts, subsequent login attempts will be blocked. The registrant has to wait for some hours before trying to log in again, or the registrant shall contact the registrar to release the suspension.
d) When the registrant resets the password, the registrar will send him/her a temporary password that will expire in 2 days. The registrant has to log in with the temporary password to set the permanent password.
e) If there is a change of the email address that the password is sent to, the registrant has to fill out a request form and provide a document that can prove the legal existence of the registrant in order for the registrar to send the password to the specified email address.
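Items (b) to (d) can be expressed as a small state machine. The following is an added example, not code from the application or the registry; the `Account` class, its method names and the 4-hour lockout are assumptions (the text above only says "some hours"), and credential verification itself is left out.

```python
import string
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5                 # item (c): block after 5 incorrect attempts
TEMP_TTL = timedelta(days=2)     # item (d): temporary password expires in 2 days
LOCKOUT = timedelta(hours=4)     # assumption: the page only says "some hours"

def missing_classes(password):
    """Item (b): list the required character classes the password lacks."""
    required = {
        "upper": string.ascii_uppercase,
        "lower": string.ascii_lowercase,
        "digit": string.digits,
        "punctuation": string.punctuation,
    }
    return sorted(name for name, chars in required.items()
                  if not any(c in chars for c in password))

class Account:
    """Hypothetical per-registrant login state; credential checking is out of scope."""
    def __init__(self):
        self.failures = 0
        self.locked_until = None
        self.temp_issued = None          # set when a reset issues a temporary password

    def reset_password(self, now):
        self.temp_issued = now

    def registrar_release(self):         # item (c): registrar lifts the suspension
        self.failures, self.locked_until = 0, None

    def attempt(self, credential_ok, now):
        if self.locked_until and now < self.locked_until:
            return "locked"              # rejected unchecked; the lock is not extended
        if self.locked_until:            # lock has expired: start a fresh count
            self.registrar_release()
        if not credential_ok:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT
            return "failed"
        self.failures = 0
        if self.temp_issued is not None:
            if now - self.temp_issued > TEMP_TTL:
                return "temp_expired"    # registrant must request a new reset
            return "must_set_password"   # temporary password only unlocks the change step
        return "ok"
```

Note that a correct password submitted during the lockout is still rejected, and that attempts made while locked do not push the unlock time further out.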

Monitoring of abnormal activities – a daily report will be served to the registrar / registry showing which domain names have had more than 7 name server modification attempts within one day (this number may change as needed). This will help the registrar / registry to identify whether a domain name has been hacked.
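One way to produce such a daily report from an audit log is shown here as an added example, not the registry's own tooling. The log layout, field names and sample lines are constructed for illustration, and timestamps are assumed to be UTC.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

THRESHOLD = 7  # page: report a domain with more than 7 attempts in one day

# Assumed audit-log layout, constructed for this example (not a real registry format).
LINE_RE = re.compile(r"^(?P<ts>\S+) domain=(?P<domain>\S+) action=(?P<action>\S+) "
                     r"result=(?P<result>\S+) src=(?P<src>\S+)$")

def build_sample_log():
    """Constructed lines: 9 attempts on one domain, exactly 7 on another, plus noise."""
    log = [f"2024-05-01T10:{i:02d}:00Z domain=tickets.example action=ns_update "
           f"result={'denied' if i < 6 else 'ok'} src=203.0.113.{i % 3 + 1}"
           for i in range(9)]
    log += [f"2024-05-01T11:{i:02d}:00Z domain=fares.example action=ns_update "
            "result=ok src=198.51.100.7" for i in range(7)]
    log += ["2024-05-01T12:00:00Z domain=fares.example action=contact_update result=ok src=198.51.100.7",
            "2024-05-02T00:01:00Z domain=fares.example action=ns_update result=ok src=198.51.100.7",
            "corrupted line without fields"]
    return log

def daily_ns_report(lines, threshold=THRESHOLD):
    """Return (flagged, skipped); flagged has one row per (day, domain) over threshold."""
    attempts, denied, sources, skipped = Counter(), Counter(), defaultdict(set), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1                      # keep a count so parsing gaps are visible
            continue
        try:
            day = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        except ValueError:
            skipped += 1
            continue
        if m["action"] != "ns_update":
            continue
        key = (day, m["domain"].lower().rstrip("."))
        attempts[key] += 1                    # failed attempts count too
        denied[key] += m["result"] != "ok"
        sources[key].add(m["src"])
    flagged = [{"day": d, "domain": dom, "attempts": n, "denied": denied[(d, dom)],
                "sources": len(sources[(d, dom)])}
               for (d, dom), n in attempts.items() if n > threshold]
    return sorted(flagged, key=lambda r: (-r["attempts"], r["domain"])), skipped

if __name__ == "__main__":
    rows, bad = daily_ns_report(build_sample_log())
    for r in rows:
        print(r)
    print("unparsed lines:", bad)
```

The domain with exactly 7 attempts is not reported, matching the "more than 7" wording; the denied count and number of distinct sources are extra columns added here to help triage a flagged domain.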

Notification of change – notification will be sent for any change of service. For example, for a change of email address, the notification of change will be sent to both the new and old email addresses. For the transfer of domain name holding right, the notification will be sent to both the transferor and the transferee. For the deletion of a domain name, notification will be sent to the registrant 7 days before the deletion day, inviting the registrant to object. If no objection is received, the domain name will be deleted 7 days afterwards.

Policies to handle complaint and objection regarding dispute – policies shall be formulated to handle complaints regarding disputes in a fair and timely way. This includes a turnaround time to the complainant of 1 working day after receiving the complaint, and an internal checking and approval procedure by different staff in different departments to avoid wrong decisions being made. The availability of an objection policy (Attachment 2) is also important to let victims provide proof of their innocence. As with other complaints, we will use a continuous development approach to handle complaints, i.e. we will review which areas we can put more effort into to enhance abuse prevention and mitigation (Attachment 1).

Information Security Policies
The registry operator has set up an Information Security Management System (ISMS) according to the international standard ISO-27001 for the proposed new gTLD operations. The registry operator will have security audits conducted by independent parties every two years. The process of the information technology security policy used is based on the PDCA model, i.e. Plan, Do, Check and Act. The process approach emphasises the importance of (a) understanding an organisation’s information security requirements and the need to establish policy and objectives for information security, (b) implementing and operating controls to manage an organisation’s information security risks in the context of the organisation’s overall business risks, (c) monitoring and reviewing the performance and effectiveness of the ISMS, and (d) continual improvement based on objective measurement.

Resources Plan – as the .MTR TLD is for internal use only, with only 10 or fewer domain name registrations, 1 to 2 HKIRC staff (multifunctional) shall be arranged to handle the following, including the initial set-up and on-going maintenance, with the cost included in the finance of the registry operations:
i) warning pattern alert and handling
ii) document vetting
iii) random verification
iv) handle abuse report
v) audit the registrars’ compliance
vi) liaise with CERT and law enforcement agencies for the abuse case and its follow up.
vii) handle password changes
viii) notification of applications


WHOIS accuracy
WHOIS accuracy is very important. Enhancing WHOIS accuracy would reduce abusive registration. Law enforcement agencies could also more easily identify, locate and arrest offenders. In order to maintain WHOIS accuracy, we will:
a) Authenticate registrant information at the time of domain name application. The applicant shall provide a document proving its eligibility that satisfies the registrar before the domain is accepted by the registrar. The registrar is required to do this vetting, which would be stated in the Registry-Registrar Agreement.
b) Periodic random checking should be conducted by the registrar. If the registrant is a company, we will check the government or company record to see whether the applicant is still live and solvent. If it is not, we will inform the registrant of the deletion of the domain name. For any outdated information, e.g. a change of company name, the registrar shall confirm with the registrant and update the WHOIS information. If it is found that the registrant is no longer in existence, the domain name shall be recovered by the registrar. This is also a measure to enhance WHOIS accuracy.
c) Recognition of “trustworthy” registrar – the registry will conduct an audit check by picking samples every quarter. Registrars are awarded the recognition if they have done well on abuse prevention and mitigation. The award may include having a trusted logo on their website etc.
d) Periodic reminders to registrants – the registrar shall periodically send reminders to registrants to keep their WHOIS data up to date.
e) Audit the registrars’ compliance by the registry operator – the registry operator will send people to the registrar periodically to audit compliance with document vetting, random checking, and sending reminders to registrants to keep WHOIS data up to date.
