28 Abuse Prevention and Mitigation

gTLD: .手表 | Full Legal Name: Richemont DNS Inc. | E-mail suffix: valideus.com
28.1 Abuse Prevention and Mitigation
Strong abuse prevention of a new gTLD is an important benefit to the Internet community. Richemont DNS and its back-end registry services provider, Neustar, agree that a registry must not only aim for the highest standards of technical and operational competence, but also needs to act as a steward of the space on behalf of the Internet community and ICANN in promoting the public interest. Neustar brings extensive experience establishing and implementing registration policies. This experience will be leveraged to help .手表 combat abusive and malicious domain activity within the new gTLD space.
One of those public interest functions for a responsible domain name registry includes working towards the eradication of abusive domain name registrations, including, but not limited to, those resulting from:
- Illegal or fraudulent actions
- Spam
- Phishing
- Pharming
- Distribution of malware
- Fast flux hosting
- Botnets
- Distribution of child pornography
- Online sale or distribution of illegal pharmaceuticals.
More specifically, although traditionally botnets have used Internet Relay Chat (IRC) servers to control registry servers and the compromised PCs, or bots, for DDoS attacks and the theft of personal information, an increasingly popular technique, known as fast-flux DNS, allows botnets to use a multitude of servers to hide a key host or to create a highly-available control network. This ability to shift the attacker’s infrastructure over a multitude of servers in various countries creates an obstacle for law enforcement and security researchers to mitigate the effects of these botnets. But a point of weakness in this scheme is its dependence on DNS for its translation services. By taking an active role in researching and monitoring these sorts of botnets, Richemont DNS’s partner, Neustar, has developed the ability to efficiently work with various law enforcement and security communities to begin a new phase of mitigation of these types of threats.
Policies and Procedures to Minimize Abusive Registrations
A Registry must have the policies, resources, personnel, and expertise in place to combat such abusive DNS practices. As Richemont DNS’s registry provider, Neustar is at the forefront of the prevention of such abusive practices and has developed and implemented an active “domain takedown” policy. We also believe that a strong program is essential given that registrants have a reasonable expectation that they are in control of the data associated with their domains, especially its presence in the DNS zone. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, often the best preventative measure to thwart these attacks is to remove the names completely from the DNS before they can impart harm, not only to the domain name registrant, but also to millions of unsuspecting Internet users.
Removing the domain name from the zone has the effect of shutting down all activity associated with the domain name, including the use of all websites and e-mail. The use of this technique, even in a private brand registry, should not be entered into lightly. Richemont DNS has an extensive, defined, and documented process for taking the necessary action of removing a domain from the zone when its presence in the zone poses a threat to the security and stability of the infrastructure of the Internet or the registry.
Abuse Point of Contact
As required by the Registry Agreement, Richemont DNS will establish and publish on its website a single abuse point of contact responsible for addressing inquiries from law enforcement and the public related to malicious and abusive conduct. Richemont DNS will also provide such information to ICANN prior to the delegation of any domain names in the TLD. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a telephone number and mailing address for the primary contact. We will ensure that this information is kept accurate and up to date and will be provided to ICANN if and when changes are made. In addition, with respect to inquiries from ICANN-Accredited registrars, our registry services provider, Neustar, shall have an additional point of contact, as it does today, handling requests by registrars related to abusive domain name practices.

28.2 Policies Regarding Abuse Complaints
One of the key policies each new gTLD registry will need to have is an Acceptable Use Policy that clearly delineates the types of activities that constitute “abuse” and the repercussions associated with an abusive domain name registration. In addition, the policy will be incorporated into the applicable Registry-Registrar Agreement and reserve the right for the registry to take the appropriate actions based on the type of abuse. Even though .手表 will be a single entity registry, with all domains registered to Richemont DNS for use only in pursuit of commercial and strategic goals, strict policies will be established and enforced. These include locking down the domain name, preventing any changes to the contact and nameserver information associated with the domain name; placing the domain name “on hold”, rendering the domain name non-resolvable; transferring the domain name to another registrar; and/or, in cases in which the domain name is associated with an existing law enforcement investigation, substituting name servers to collect information about the DNS queries to assist the investigation.
Richemont DNS will adopt an Acceptable Use Policy that clearly defines the types of activities that will not be permitted in the TLD and reserves the right of Richemont DNS to lock, cancel, transfer or otherwise suspend or take down domain names violating the Acceptable Use Policy and allow the Registry where and when appropriate to share information with law enforcement. As there will be no re-sellers in .手表 and there will be no market in .手表 domains, opportunities for bad faith use are restricted. Below is the Registry’s initial Acceptable Use Policy that we will use in connection with the .手表 registry.
It is important to note that .手表 will be managed as a single entity registry, whose sole registrants will be internal stakeholders of Richemont DNS or Richemont DNS’s affiliates. Therefore, the potential for abusive registrations and other activities that have a negative impact on Internet users is minimal. In the unlikely event that such abuse should occur, Richemont DNS, with its registry operator, Neustar, will implement the following policies and processes to manage such activities.
.手表 Acceptable Use Policy
This Acceptable Use Policy gives the Registry the ability to quickly lock, cancel, transfer or take ownership of any .手表 domain name, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity or security of the Registry, or any of its registrar partners – and/or that may put the safety and security of any registrant or user at risk. The process also allows the Registry to take preventive measures to avoid any such criminal or security threats.
The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the on-going monitoring by the Registry or its partners. In all cases, the Registry or its designees will alert Registry’s registrar partners about any identified threats, and will work closely with them to bring offending sites into compliance.
The following are some (but not all) activities that may be subject to rapid domain compliance:
- Phishing: the attempt to acquire personally identifiable information by masquerading as a website other than .手表’s own.
- Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the Hosts file on a victim’s computer or DNS records in DNS servers.
- Dissemination of Malware: the intentional creation and distribution of "malicious" software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.
- Fast Flux Hosting: a technique used to shelter Phishing, Pharming and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP addresses associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.
- Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.
- Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.
- Child Pornography: the storage, publication, display and/or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.
The Registry reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, the Registry reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion; (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Registry as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement or (5) to correct mistakes made by the Registry or any Registrar in connection with a domain name registration. Registry also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

Taking Action Against Abusive and/or Malicious Activity
The Registry is committed to ensuring that those domain names associated with abuse or malicious conduct in violation of the Acceptable Use Policy are dealt with in a timely and decisive manner. This includes taking action against domain names that are being used to threaten the stability and security of the TLD, or that are part of a real-time investigation by law enforcement.
Once a complaint is received from a trusted source, third-party, or detected by the Registry, the Registry will use commercially reasonable efforts to verify the information in the complaint. If that information can be verified to the best of the ability of the Registry, the sponsoring registrar will be notified and be given 12 hours to investigate the activity and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the Registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), the Registry will place the domain on “ServerHold”. (This is unlikely to be necessary, as Richemont DNS will be using a single, gateway registrar with whom it has a contract reflecting these policies). Although this action removes the domain name from the TLD zone, the domain name record still appears in the TLD WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.
Coordination with Law Enforcement
With the assistance of Neustar as its back-end registry services provider, Richemont DNS can meet its obligations under Section 2.8 of the Registry Agreement where required to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD. The Registry will respond to legitimate law enforcement inquiries within one business day from receiving the request. Such response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by Richemont DNS for rapid resolution of the request.
In the event such request involves any of the activities which can be validated by the Registry and involves the type of activity set forth in the Acceptable Use Policy, the sponsoring registrar is then given 12 hours to investigate the activity further and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), the Registry will place the domain on “serverHold”.


Richemont DNS is aware that Neustar provides additional monitoring for malicious activity upon request. Following Reveal Day, 2 May 2012, Richemont DNS will be talking to Neustar with the intention of determining how the following services and policies can be introduced.
Monitoring for Malicious Activity
Richemont DNS’s partner, Neustar is at the forefront of the prevention of abusive DNS practices. Neustar has developed and implemented an active “domain takedown” policy in which the registry itself takes down abusive domain names.
Neustar targets verified abusive domain names and removes them within 12 hours regardless of whether or not there is cooperation from the domain name registrar. This is because Neustar has determined that the interest in removing such threats from the consumer outweighs any potential damage to the registrar/registrant relationship. This is very unlikely to be required in the Richemont DNS registry, as it has rules of eligibility that exclude third parties beyond Richemont DNS and it will only be using one registrar, with which it has a close contractual relationship with requirements to co-operate in stemming abusive behaviors.
Neustar’s active prevention policies stem from the notion that registrants in the TLD have a reasonable expectation that they are in control of the data associated with their domains, especially its presence in the DNS zone. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, including malware, bot command and control, pharming, and phishing, the best preventative measure to thwart these attacks is often to remove the names completely from the DNS before they can impart harm, not only to the domain name registrant, but also to millions of unsuspecting Internet users.
Rapid Takedown Process
Since implementing the program, Neustar has developed two basic variations of the process. The more common process variation is a light-weight process that is triggered by “typical” notices. The less-common variation is the full process that is triggered by unusual notices. These notices tend to involve the need for accelerated action by the registry in the event that a complaint is received by Neustar, which alleges that a domain name is being used to threaten the stability and security of the TLD, or is part of a real-time investigation by law enforcement or security researchers. These processes are described below:
Lightweight Process
In addition to having an active Information Security group that, on its own initiative, seeks out abusive practices in the TLD, Neustar is an active member in a number of security organizations that have the expertise and experience in receiving and investigating reports of abusive DNS practices, including but not limited to, the Anti-Phishing Working Group, Castle Cops, NSP-SEC, the Registration Infrastructure Safety Group and others. Each of these sources is a well-known security organization that has developed a reputation for the prevention of harmful agents affecting the Internet. Aside from these organizations, Neustar also actively participates in privately run security associations whose basis of trust and anonymity makes it much easier to obtain information regarding abusive DNS activity.
Once a complaint is received from a trusted source, third-party, or detected by Neustar’s internal security group, information about the abusive practice is forwarded to an internal mail distribution list that includes members of the operations, legal, support, engineering, and security teams for immediate response (“CERT Team”). Although the impacted URL is included in the notification e-mail, the CERT Team is trained not to investigate the URLs themselves, since the URLs in question often have scripts, bugs, etc. that can compromise the individual’s own computer and the network safety. Rather, the investigation is done by a few members of the CERT Team who are able to access the URLs in a laboratory environment so as to not compromise the Neustar network. The lab environment is designed specifically for these types of tests and is scrubbed on a regular basis to ensure that none of Neustar’s internal or external network elements are harmed in any fashion.
Once the complaint has been reviewed and the alleged abusive domain name activity is verified to the best of the ability of the CERT Team, the sponsoring registrar is given 12 hours to investigate the activity and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the registry to keep the name in the zone.
If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), Neustar places the domain on “ServerHold”. Although this action removes the domain name from the TLD zone, the domain name record still appears in the TLD WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.
Full Process
In the event that Neustar receives a complaint which claims that a domain name is being used to threaten the stability and security of the TLD or is a part of a real-time investigation by law enforcement or security researchers, Neustar follows a slightly different course of action.
Upon initiation of this process, members of the CERT Team are paged and a teleconference bridge is immediately opened up for the CERT Team to assess whether the activity warrants immediate action. If the CERT Team determines the incident is not an immediate threat to the security and the stability of critical Internet infrastructure, they provide documentation to the Neustar Network Operations Center to clearly capture the rationale for the decision and either refer the incident to the Lightweight process set forth above or, if no abusive practice is discovered, close the incident.
However, if the CERT Team determines there is a reasonable likelihood that the incident warrants immediate action as described above, a determination is made to immediately remove the domain from the zone. As such, Customer Support will contact Richemont DNS’s registrar immediately to communicate that there is a domain involved in a security and stability issue. The registrar is provided only the domain name in question and the broadly stated type of incident. Given the sensitivity of the associated security concerns, it may be important that the registrar not be given explicit or descriptive information in regards to data that has been collected (evidence) or the source of the complaint. The need for security is to fully protect the chain of custody for evidence and the source of the data that originated the complaint.
Coordination with Law Enforcement & Industry Groups
Neustar has extensive experience of dealing with abusive and malicious domain name incidents. It has a close working relationship with a number of law enforcement agencies, both in the United States and internationally. For example, in the United States, Neustar is in constant communication with the Federal Bureau of Investigation, US CERT, Homeland Security, the Food and Drug Administration, and the National Center for Missing and Exploited Children.
Neustar is also a participant in a number of industry groups aimed at sharing information amongst key industry players about the abusive registration and use of domain names. These groups include the Anti-Phishing Working Group and the Registration Infrastructure Safety Group (where Neustar served for several years on the Board of Directors). Through these organizations and others, Neustar shares information with other registries, registrars, ccTLDs, law enforcement, security professionals, etc. not only on abusive domain name registrations within its own TLDs, but also provides information uncovered with respect to domain names in other registries’ TLDs. Neustar has often found that abuses are rarely found only in the TLDs which it manages, but also within other TLDs, such as .com and .info. Neustar routinely provides this information to the other registries so that they can take the appropriate action.
With the assistance of Neustar as its back-end registry services provider, Richemont DNS can meet its obligations under Section 2.8 of the Registry Agreement where it is required to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD. Richemont DNS and/or Neustar will respond to legitimate law enforcement inquiries within one business day from receiving the request. Such response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by Richemont DNS and/or Neustar for rapid resolution of the request.
In the event such request involves any of the activities which can be validated by Richemont DNS and/or Neustar and involves the type of activity set forth in the Acceptable Use Policy, the sponsoring registrar is then given 12 hours to investigate the activity further and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), Neustar places the domain on “serverHold”.
28.3 Measures for Removal of Orphan Glue Records
As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the “dominant use of orphaned glue supports the correct and ordinary operation of the DNS.” See http://www.icann.org/en/committees/security/sac048.pdf.
While orphan glue often supports correct and ordinary operation of the DNS, we understand that such glue records can be used maliciously to point to name servers that host domains used in illegal phishing, bot-nets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its children glue records still remain in DNS. Therefore, when the Registry has written evidence of actual abuse of orphaned glue, the Registry will take action to remove those records from the zone to mitigate such malicious conduct.

Neustar runs a daily audit of entries in its DNS systems and compares those with its provisioning system. This serves as an umbrella protection to make sure that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone but not in the provisioning system will be flagged for investigation and removed if necessary. This daily DNS audit serves to not only prevent orphaned hosts but also other records that should not be in the zone.
In addition, if either Richemont DNS or Neustar becomes aware of actual abuse on orphaned glue after receiving written notification by a third party through its Abuse Contact or through its customer support, such glue records will be removed from the zone.
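The daily zone-versus-provisioning audit and the orphan-glue condition described above can be sketched as follows. This is an added example, not Neustar's or the registry's own code; the record model, the in-memory provisioning data and all `.example` names and addresses are constructed assumptions.

```python
"""Daily zone audit: diff the published zone against provisioning, then find orphan glue."""
from dataclasses import dataclass

# EPP hold statuses: the name stays in WHOIS but is withheld from the zone.
HOLD = {"serverHold", "clientHold"}


@dataclass(frozen=True, order=True)
class Record:
    owner: str
    rtype: str  # "NS", "A" or "AAAA"
    rdata: str


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def registered_parent(host, tld):
    """Return the registrable domain under `tld` that contains `host`, else None."""
    host_labels, tld_labels = norm(host).split("."), norm(tld).split(".")
    if len(host_labels) <= len(tld_labels) or host_labels[-len(tld_labels):] != tld_labels:
        return None  # out-of-bailiwick host: the registry publishes no glue for it
    return ".".join(host_labels[-(len(tld_labels) + 1):])


def expected_zone(domains, hosts):
    """Records that the provisioning data says should be published."""
    expected = set()
    for name, info in domains.items():
        if HOLD & set(info["status"]):
            continue  # held names must not resolve
        for ns in info["ns"]:
            expected.add(Record(norm(name), "NS", norm(ns)))
            for ip in hosts.get(norm(ns), []):
                expected.add(Record(norm(ns), "AAAA" if ":" in ip else "A", ip))
    return expected


def audit(zone, domains, hosts, tld):
    """Return (records in the zone but not provisioned, orphan glue -> delegations using it)."""
    unprovisioned = sorted(zone - expected_zone(domains, hosts))
    delegated = {r.owner for r in zone if r.rtype == "NS"}
    orphans = {}
    for r in zone:
        if r.rtype not in ("A", "AAAA"):
            continue
        parent = registered_parent(r.owner, tld)
        if parent is not None and parent not in delegated:
            # Glue whose parent domain is gone. Listing the delegations that still
            # depend on it matters: removal breaks them, so this is a review queue,
            # not an automatic delete list.
            orphans[r.owner] = sorted(
                n.owner for n in zone if n.rtype == "NS" and n.rdata == r.owner
            )
    return unprovisioned, orphans


def run_sample():
    """Constructed sample: old.example was deleted, held.example is on serverHold."""
    domains = {
        "brand.example": {"ns": ["ns1.brand.example", "ns2.brand.example"], "status": ["ok"]},
        "shop.example": {"ns": ["ns1.old.example"], "status": ["ok"]},
        "held.example": {"ns": ["ns1.brand.example"], "status": ["serverHold"]},
    }
    hosts = {
        "ns1.brand.example": ["192.0.2.1"],
        "ns2.brand.example": ["192.0.2.2", "2001:db8::2"],
        "ns1.old.example": ["198.51.100.7"],  # host object outlived its parent domain
    }
    zone = expected_zone(domains, hosts) | {
        Record("held.example", "NS", "ns1.brand.example"),  # held name still published
        Record("ns9.gone.example", "A", "203.0.113.9"),     # glue with no provisioning entry
    }
    return audit(zone, domains, hosts, "example")


if __name__ == "__main__":
    stray, orphan_glue = run_sample()
    for rec in stray:
        print("not in provisioning:", rec.owner, rec.rtype, rec.rdata)
    for host, users in orphan_glue.items():
        print("orphan glue:", host, "still used by", users or "no delegation")
```

In the sample, `ns1.old.example` is provisioned and still serves `shop.example`, so it appears only in the orphan report, while `ns9.gone.example` appears in both reports and is the stronger candidate for removal.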
28.4 Measures to Promote WHOIS Accuracy
The Richemont DNS registry will implement several measures to promote Whois accuracy.

Whois service for Richemont DNS will operate as follows: all basic contact details for each domain name are kept in a unique internal system by the registry, which facilitates the access to the domain information. In addition, Richemont DNS will perform internal monitoring checks and procedures which will only allow accurate Whois information and remove outdated data.


28.4.1. Authentication of Registrant Information
As a single entity registry, the only registrant in .手表 will be Richemont DNS. However, Richemont DNS will guarantee the adequate authentication of registrant data, ensuring the highest levels of accuracy and diligence when dealing with Whois data. In doing so, Richemont DNS’s solid internal system will undertake authentication measures including, but not limited to, the following: running checks against Whois internal records, regular verification of all contact details and other relevant registrant information. Richemont DNS’s registrar will also be charged with regularly checking Whois accuracy.
28.4.2. Regular Monitoring of Registration Data
Richemont DNS is strongly committed to implementing specific policies and procedures to guarantee adequate compliance with ICANN’s Whois requirements. Among other measures, Richemont DNS will regularly remind its internal personnel to meet the standards of ICANN’s Whois information Policy, including regular checks of Whois data against internal records, offering Whois accuracy services, evaluating claims of fraudulent Whois data and the cancellation of domain name registrations with outdated Whois details.

28.4.3. Policies and Procedures ensuring compliance
Only Richemont DNS and its Affiliates will be permitted to register and use Richemont DNS domain names. Accordingly, the duties of the Richemont DNS registrar will be very limited and closely defined. However, as part of the RRA (Registry Registrar Agreement), Richemont DNS will require the Richemont DNS registrar to take steps necessary to ensure Whois data is complete and accurate and to implement the Richemont DNS registration policies.

28.5 Resourcing Plans
Responsibility for abuse mitigation rests with a variety of functional groups. The Abuse Monitoring team is primarily responsible for providing analysis and conducting investigations of reports of abuse. The customer service team also plays an important role in assisting with the investigations, responding to customers, and notifying registrars of abusive domains. Finally, the Policy/Legal team is responsible for developing the relevant policies and procedures.
The necessary resources will be pulled from the pool of available resources described in detail in the response to Question 31. The following resources are available from those teams:
Customer Support – 12 employees
Policy/Legal – 2 employees
The resources are more than adequate to support the abuse mitigation procedures of the .手表 registry.
Furthermore, Richemont DNS dedicates significant financial and personnel resources to combating malicious and abusive behavior in the DNS. Richemont DNS will extend these resources to encompass the designation and maintenance of the unique abuse point of contact, regular monitoring of potential abusive and malicious activities with support from dedicated technical staff, analysis of reported abuse and malicious activity, and action to address such reported activity.

The designated abuse prevention staff will be subject to regular evaluations, receive adequate training and work under expert supervision. The abuse prevention resources will comprise both internal staff and external abuse prevention experts who would give extra advice and support when necessary. These external staff include experts in Richemont DNS’s registrar.


gTLD: .CEO | Full Legal Name: CEOTLD Pty Ltd | E-mail suffix: rodenbaugh.com
28.1 Abuse Prevention and Mitigation

Strong abuse prevention within a new gTLD is an important benefit to the internet community. The TLD is intended to be operated as a “Single Registrant” TLD within the meaning of the Registry Agreement, Specification 9. All domain name registrations in the TLD are intended to be registered to and maintained by us in our capacity as the registry operator, for our own exclusive use. This is likely to guarantee that abusive registrations do not occur. However, .CEO will comply with all measures required by the Registry Agreement, plus will provide additional mechanisms to thwart any abusive behavior, if any. These measures are further described in response to Q29.

.CEO and its registry operator and back-end registry services provider, Neustar, intend to implement resources and policies designed to minimize the negative effects of any abusive domain name registrations. Neustar brings extensive experience establishing and implementing registration anti-abuse policies. This experience will be leveraged to help .CEO combat abusive domain registrations and malicious domain activity within this new TLD, including, but not limited to:

- Illegal or fraudulent actions
- Spam
- Phishing
- Pharming
- Distribution of malware
- Fast flux hosting
- Botnets
- Distribution of child pornography
- Online sale or distribution of illegal pharmaceuticals.

More specifically, although traditionally botnets have used Internet Relay Chat (IRC) servers to control registry servers and the compromised PCs, or bots, for DDoS attacks and the theft of personal information, an increasingly popular technique, known as fast-flux DNS, allows botnets to use a multitude of servers to hide a key host or to create a highly-available control network. This ability to shift the attacker’s infrastructure over a multitude of servers in various countries creates an obstacle for law enforcement and security researchers to mitigate the effects of these botnets. But a point of weakness in this scheme is its dependence on DNS for its translation services. By taking an active role in researching and monitoring these sorts of botnets, Neustar has developed the ability to efficiently work with various law enforcement and security communities to begin a new phase of mitigation of these types of threats.

Policies and Procedures to Minimize Abusive Registrations

A Registry must have the policies, resources, personnel, and expertise in place to combat such abusive DNS practices. As .CEO’s registry provider, Neustar is at the forefront of the prevention of such abusive practices and is one of the few registry operators to have actually developed and implemented an active “domain takedown” policy. We also believe that a strong program is essential given that registrants have a reasonable expectation that they are in control of the data associated with their domains, especially its presence in the DNS zone. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, often the best preventative measure to thwart these attacks is to remove the names completely from the DNS before they can impart harm, not only to the domain name registrant, but also to millions of unsuspecting Internet users.

Removing the domain name from the zone has the effect of shutting down all activity associated with the domain name, including the use of all websites and e-mail. The use of this technique should not be entered into lightly. .CEO has an extensive, defined, and documented process for taking the necessary action of removing a domain from the zone when its presence in the zone poses a threat to the security and stability of the infrastructure of the Internet or the registry.

Abuse Point of Contact

As required by the Registry Agreement, .CEO will establish and publish on its website a single abuse point of contact responsible for addressing inquiries from law enforcement and the public related to malicious and abusive conduct. .CEO will also provide such information to ICANN prior to the delegation of any domain names in the TLD. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a telephone number, fax number, and mailing address for the primary contact. We will ensure that this information will be kept accurate and up to date and will be provided to ICANN if and when changes are made. In addition, with respect to inquiries from ICANN-Accredited registrars, our registry services provider, Neustar, shall have an additional point of contact, as it does today, handling requests by registrars related to abusive domain name practices.

28.2 Policies Regarding Abuse Complaints

.CEO will implement and enforce an Acceptable Use Policy that clearly delineates the types of activities that constitute “abuse” -- and the repercussions associated with any abusive domain name registration or malicious activity. In addition, the policy will be incorporated into the applicable Registry-Registrar Agreement and will reserve the right for the registry to take the appropriate actions based on the type of abuse. This may include locking down the domain name, thus preventing any changes to the contact and nameserver information associated with the domain name, placing the domain name “on hold” rendering the domain name non-resolvable, and/or in cases in which the domain name is associated with an existing law enforcement investigation and at the request of such law enforcement entity, substituting name servers to collect information about the DNS queries to assist the investigation.

.CEO will adopt an Acceptable Use Policy that clearly defines the types of activities that will not be permitted in the TLD and reserves the right of the registry operator to lock, cancel, transfer or otherwise suspend or take down domain names violating the Acceptable Use Policy. Furthermore, it will allow the Registry to share information with law enforcement. Each ICANN-Accredited Registrar must agree to pass through the Acceptable Use Policy to its Resellers (if applicable) and ultimately to all domain name registrants within the .CEO TLD. Below is the Registry’s draft Acceptable Use Policy intended for use in connection with the .CEO.

.CEO Acceptable Use Policy

This Acceptable Use Policy gives the Registry the ability to quickly lock, cancel, transfer or take ownership of any .CEO domain name, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity or security of the Registry, or any of its registrar partners – and/or that may put the safety and security of any registrant or user at risk. The Acceptable Use Policy also allows the Registry to take preventive measures to avoid any such criminal or security threats.

The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the on-going monitoring by the Registry or its contractors. In all cases, the Registry or its designees will alert Registry’s registrars about any identified threats, and will work closely with them to bring offending domains registered by them into compliance.

The following are some (but not all) activities that may be subject to rapid compliance actions:

- Phishing: the attempt to trick Internet users into divulging personal data such as usernames, passwords, or financial data.

- Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the Hosts file on a victim’s computer or DNS records in DNS servers.

- Dissemination of Malware: the intentional creation and distribution of “malicious” software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.

- Fast Flux Hosting: a technique used to shelter Phishing, Pharming and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP addresses associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.

- Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.

- Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.

- Child Pornography: the storage, publication, display and/or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.

The Registry reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, the Registry reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion; (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Registry as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement or (5) to correct mistakes made by the Registry or any Registrar in connection with a domain name registration. Registry also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

Monitoring for Malicious Activity

.CEO’s registry services provider, Neustar Inc., is at the forefront of the prevention of abusive DNS practices. Neustar is one of only a few registry operators to have actually developed and implemented an active “domain takedown” policy in which the registry itself takes down abusive domain names.

Neustar’s approach is quite different from a number of other gTLD Registries, and the results have been unmatched. Neustar targets verified abusive domain names and removes them within 12 hours regardless of whether or not there is cooperation from the domain name registrar. This is because Neustar has determined that the interest in removing such threats of consumer harm outweighs any potential damage to the registrar/registrant relationship.

Neustar’s active prevention policies stem from the notion that registrants in the TLD have a reasonable expectation that they are in control of the data associated with their domains, especially its presence in the DNS zone. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, including malware, bot command and control, pharming, and phishing, the best preventative measure to thwart these attacks is often to remove the names completely from the DNS in order to mitigate any harm, not only to the domain name registrant, but also to other unsuspecting Internet users.

Rapid Takedown Process

Since implementing its monitoring and takedown program, Neustar has developed two basic variations of the process. The more common process variation is a light-weight process that is triggered by “typical” notices. The less-common variation is the full process that is triggered by unusual notices. These notices tend to involve the need for accelerated action by the registry in the event that a complaint is received by Neustar which alleges that a domain name is being used to threaten the stability and security of the TLD, or is part of an investigation by law enforcement or security researchers. These processes are described below:

Lightweight Process

In addition to having an active Information Security group that, on its own initiative, seeks out abusive practices in the TLD, Neustar is an active member in a number of security organizations that have expertise and experience in receiving and investigating reports of abusive DNS practices, including but not limited to, the Anti-Phishing Working Group, Castle Cops, NSP-SEC, the Registration Infrastructure Safety Group and others. Each of these sources is a well-known security organization that has developed a reputation for the prevention of harmful agents affecting the Internet. Aside from these organizations, Neustar also actively participates in privately run security associations whose basis of trust and anonymity makes it much easier to obtain information regarding abusive DNS activity.

Once a complaint is received from a trusted source, law enforcement entity or other third-party, or malicious activity is detected by Neustar’s internal security group, information about the abusive practice is forwarded to an internal mail distribution list that includes members of the operations, legal, support, engineering, and security teams for immediate response (“CERT Team”). Although the impacted URL is included in the notification e-mail, the CERT Team is trained not to investigate the URLs themselves since oftentimes the URLs in question have scripts, bugs, etc. that can compromise the individual’s own computer and the network safety. Rather, the investigation is done by a few members of the CERT team that are able to access the URLs in a laboratory environment so as to not compromise the Neustar network. The lab environment is designed specifically for these types of tests and is scrubbed on a regular basis to ensure that none of Neustar’s internal or external network elements are harmed in any fashion.

Once the complaint has been reviewed and the alleged abusive domain name activity is verified to the best of the ability of the CERT Team, the sponsoring registrar is given 12 hours to investigate the activity and either 1) take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or 2) provide a compelling argument to the registry to keep the name in the zone.

If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), then Neustar may place the domain on “serverHold”. Although this action removes the domain name from the TLD zone, the domain name record still appears in the TLD WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.

Full Process

In the event that Neustar receives a complaint which claims that a domain name is being used to threaten the stability and security of the TLD or is a part of an investigation by law enforcement or security researchers, Neustar follows a slightly different course of action.

Upon initiation of this process, members of the CERT Team are paged and a teleconference bridge is immediately opened up for the CERT Team to assess whether the activity warrants immediate action. If the CERT Team determines the incident is not an immediate threat to the security and the stability of critical internet infrastructure, then they provide documentation to the Neustar Network Operations Center to clearly capture the rationale for the decision. They either refer the incident to the Lightweight Process set forth above; or if no abusive practice is discovered, then the incident is closed.

However, if the CERT Team determines there is a reasonable likelihood that the incident warrants immediate action as described above, then a determination may be made to immediately remove the domain from the zone. In such event, Neustar’s Customer Support team would contact the responsible registrar immediately to communicate that there is a domain involved in a security and stability issue. The registrar is provided only the domain name in question and the broadly stated type of incident. Given the sensitivity of the associated security concerns, it may be important that the registrar not be given explicit or descriptive information in regards to data that has been collected (evidence) or the source of the complaint. This helps to protect the chain of custody for evidence and the source of the data that originated the complaint.

Coordination with Law Enforcement & Industry Groups

One of the reasons for which Neustar was selected to serve as the back-end registry services provider by .CEO is Neustar’s extensive experience with its industry-leading abusive domain name and malicious monitoring program and its close working relationship with a number of law enforcement agencies, both in the United States and internationally. For example, in the United States, Neustar is in constant communication with the Federal Bureau of Investigation, US CERT, Homeland Security, the Food and Drug Administration, and the National Center for Missing and Exploited Children.

Neustar is also a participant in a number of industry groups aimed at sharing information amongst key industry players about the abusive registration and use of domain names. These groups include the Anti-Phishing Working Group and the Registration Infrastructure Safety Group (where Neustar served for several years on the Board of Directors). Through these organizations and others, Neustar shares information with other registries, registrars, ccTLDs, law enforcement, security professionals, etc. not only on abusive domain name registrations within its own TLDs, but also provides information uncovered with respect to domain names in other registries’ TLDs. Neustar has often found that abuses are rarely confined to the TLDs it manages and also appear within other TLDs, such as .com and .info. Neustar routinely provides this information to the other registries so that they can take the appropriate action.

With the assistance of Neustar as its back-end registry services provider, .CEO can meet its obligations under Section 2.8 of the Registry Agreement where required to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD. .CEO and/or Neustar will endeavor to respond to legitimate law enforcement inquiries within one business day from receiving the request. Such response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by .CEO and/or Neustar for rapid resolution of the request.

In the event such request involves any of the activities which can be commercially reasonably validated by .CEO and/or Neustar and involves the type of activity set forth in the Acceptable Use Policy, the sponsoring registrar is then given 12 hours to investigate the activity further and either 1) take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or 2) provide a compelling argument to the registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), Neustar may place the domain on “serverHold”.

28.3 Measures for Removal of Orphan Glue Records

As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the “dominant use of orphaned glue supports the correct and ordinary operation of the DNS.” See http://www.icann.org/en/committees/security/sac048.pdf.

While orphan glue records often support correct and ordinary operation of the DNS, we understand that such glue records can be used maliciously to point to name servers that host domains used in illegal phishing, bot-nets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its children glue records still remain in DNS. Therefore, when the Registry has written evidence of actual abuse of orphaned glue, the Registry will take action to remove those records from the zone to mitigate such malicious conduct.

Neustar runs a daily audit of entries in its DNS systems and compares those with its provisioning system. This serves as an umbrella protection to make sure that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone, but not in the provisioning system, will be flagged for investigation and removed if necessary. This daily DNS audit serves to not only prevent orphaned hosts but also other records that should not be in the zone.

In addition, if either .CEO or Neustar becomes aware of actual abuse of any orphaned glue record after receiving notification by a third party through its Abuse Contact or through its customer support, then such glue records will be removed from the zone.
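
The daily zone-versus-provisioning audit and the orphan glue check described in this section can be sketched as follows. This is an added example, not Neustar's or the registry's own tooling; the simplified zone-line format, the provisioning dictionary layout, the placeholder TLD `example` and all sample records are assumptions constructed for illustration.

```python
from collections import namedtuple

Record = namedtuple("Record", "owner rtype rdata")

# Constructed sample data: "example" is a placeholder TLD, addresses are documentation ranges.
ZONE_TEXT = """\
alpha.example.     3600 IN NS ns1.alpha.example.
alpha.example.     3600 IN NS ns1.gone.example.
ns1.alpha.example. 3600 IN A  192.0.2.10
ns1.gone.example.  3600 IN A  192.0.2.20   ; parent deleted, still used by alpha
ns2.gone.example.  3600 IN A  192.0.2.21   ; parent deleted, unused
stray.example.     3600 IN NS ns.stray.example.
ns.stray.example.  3600 IN A  198.51.100.5
"""
# Hypothetical provisioning export: registered domains with their name servers, and host objects.
PROVISIONED = {
    "domains": {"alpha.example.": ["ns1.alpha.example.", "ns1.gone.example."]},
    "hosts": {"ns1.alpha.example.": ["192.0.2.10"],
              "ns1.gone.example.": ["192.0.2.20"],
              "ns2.gone.example.": ["192.0.2.21"]},
}

def parse_zone(text):
    """Parse simplified 'owner TTL IN TYPE RDATA' lines (no $ORIGIN, no multi-line records)."""
    records = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) >= 5:
            owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4].lower()
            records.add(Record(owner, rtype, rdata))
    return records

def expected_records(prov):
    """Records the provisioning system says should be published."""
    out = set()
    for domain, nameservers in prov["domains"].items():
        out.update(Record(domain, "NS", ns) for ns in nameservers)
    for host, addrs in prov["hosts"].items():
        out.update(Record(host, "AAAA" if ":" in a else "A", a) for a in addrs)
    return out

def parent_domain(host):
    """Second-level name a host sits under, e.g. ns1.gone.example. -> gone.example."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."

def audit(zone_text, prov):
    """Flag zone records absent from provisioning, and glue whose parent is not delegated."""
    zone = parse_zone(zone_text)
    delegated = {r.owner for r in zone if r.rtype == "NS"}
    ns_targets = {r.rdata for r in zone if r.rtype == "NS"}
    unprovisioned = sorted(zone - expected_records(prov))
    orphans = sorted(
        (r.owner, r.rdata, r.owner in ns_targets)  # third field: still referenced by a delegation?
        for r in zone
        if r.rtype in ("A", "AAAA") and parent_domain(r.owner) not in delegated
    )
    return {"unprovisioned": unprovisioned, "orphan_glue": orphans}

if __name__ == "__main__":
    for kind, items in audit(ZONE_TEXT, PROVISIONED).items():
        for item in items:
            print(kind, *item)
```

The two checks catch different things: the orphaned hosts under `gone.example.` still exist as host objects in provisioning, so only the parent-delegation test finds them, and the "still referenced" flag separates glue that supports ordinary resolution from glue nothing depends on.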

28.4 Measures to Promote WHOIS Accuracy

As a single-registrant TLD, .CEO will have perfectly accurate and available WHOIS information at all times. Still, .CEO will offer a mechanism whereby third parties can submit complaints directly to the Registry Operator (as opposed to ICANN or the sponsoring Registrar) about inaccurate or incomplete WHOIS data and they will be addressed. Furthermore, the provision of Searchable WHOIS, as described in Response to Question 26, will allow security researchers, IP professionals and law enforcement to more quickly determine if a known bad actor has also registered names in .CEO, and thus notify us of false WHOIS information that has been supplied by .CEO registrants.

28.4.3 Policies and Procedures Ensuring Compliance

When .CEO or any .CEO registrar receives a notice of false WHOIS information or other activity which violates our Acceptable Use Policy, we will promptly acknowledge the notice, conduct a reasonable investigation, and report to the complainant the results of such investigation – whether appropriate action was taken, whether further information is required in order to evaluate the complaint, or whether the complaint was found invalid.

28.5 Resourcing Plans
Responsibility for abuse mitigation rests with a variety of functional groups. Neustar’s Abuse Monitoring team is primarily responsible for providing analysis and conducting investigations of reports of abuse. Neustar’s customer service team also plays an important role in assisting with the investigations, responding to the registry operator and registrars, and notifying registrars of abusive domains. Finally, Neustar’s Policy/Legal team, in conjunction with Registry Operator, is responsible for developing the relevant policies and procedures.

The necessary resources will be pulled from the pool of available resources described in detail in the response to Question 31. The following resources are available from those teams:
- Customer Support – 12 employees
- Policy/Legal – 2 employees

These Neustar resources, coupled with .CEO’s own resources, are more than adequate to support the abuse mitigation procedures of the .CEO registry.