
28 Abuse Prevention and Mitigation

gTLD: .手表 | Full Legal Name: Richemont DNS Inc. | E-mail suffix: valideus.com
28.1 Abuse Prevention and Mitigation
Strong abuse prevention of a new gTLD is an important benefit to the Internet community. Richemont DNS and its back-end registry services provider, Neustar, agree that a registry must not only aim for the highest standards of technical and operational competence, but also needs to act as a steward of the space on behalf of the Internet community and ICANN in promoting the public interest. Neustar brings extensive experience establishing and implementing registration policies. This experience will be leveraged to help .手表 combat abusive and malicious domain activity within the new gTLD space.
One of those public interest functions for a responsible domain name registry includes working towards the eradication of abusive domain name registrations, including, but not limited to, those resulting from:
- Illegal or fraudulent actions
- Spam
- Phishing
- Pharming
- Distribution of malware
- Fast flux hosting
- Botnets
- Distribution of child pornography
- Online sale or distribution of illegal pharmaceuticals.
More specifically, although botnets have traditionally used Internet Relay Chat (IRC) servers to control the compromised PCs, or bots, for DDoS attacks and the theft of personal information, an increasingly popular technique, known as fast-flux DNS, allows botnets to use a multitude of servers to hide a key host or to create a highly available control network. This ability to shift the attacker’s infrastructure over a multitude of servers in various countries creates an obstacle for law enforcement and security researchers trying to mitigate the effects of these botnets. But a point of weakness in this scheme is its dependence on DNS for its translation services. By taking an active role in researching and monitoring these sorts of botnets, Richemont DNS’s partner, Neustar, has developed the ability to efficiently work with various law enforcement and security communities to begin a new phase of mitigation of these types of threats.
Policies and Procedures to Minimize Abusive Registrations
A Registry must have the policies, resources, personnel, and expertise in place to combat such abusive DNS practices. As Richemont DNS’s registry provider, Neustar is at the forefront of the prevention of such abusive practices and has developed and implemented an active “domain takedown” policy. We also believe that a strong program is essential given that registrants have a reasonable expectation that they are in control of the data associated with their domains, especially its presence in the DNS zone. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet often the best preventative measure to thwart these attacks is to remove the names completely from the DNS before they can impart harm, not only to the domain name registrant, but also to millions of unsuspecting Internet users.
Removing the domain name from the zone has the effect of shutting down all activity associated with the domain name, including the use of all websites and e-mail. The use of this technique, even in a private brand registry, should not be entered into lightly. Richemont DNS has an extensive, defined, and documented process for taking the necessary action of removing a domain from the zone when its presence in the zone poses a threat to the security and stability of the infrastructure of the Internet or the registry.
Abuse Point of Contact
As required by the Registry Agreement, Richemont DNS will establish and publish on its website a single abuse point of contact responsible for addressing inquiries from law enforcement and the public related to malicious and abusive conduct. Richemont DNS will also provide such information to ICANN prior to the delegation of any domain names in the TLD. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a telephone number and mailing address for the primary contact. We will ensure that this information is kept accurate and up to date and will be provided to ICANN if and when changes are made. In addition, with respect to inquiries from ICANN-Accredited registrars, our registry services provider, Neustar, shall have an additional point of contact, as it does today, handling requests by registrars related to abusive domain name practices.

28.2 Policies Regarding Abuse Complaints
One of the key policies each new gTLD registry will need to have is an Acceptable Use Policy that clearly delineates the types of activities that constitute “abuse” and the repercussions associated with an abusive domain name registration. In addition, the policy will be incorporated into the applicable Registry-Registrar Agreement and reserve the right for the registry to take the appropriate actions based on the type of abuse. Even though .手表 will be a single entity registry, with all domains registered to Richemont DNS for use only in pursuit of commercial and strategic goals, strict policies will be established and enforced. These include locking down the domain name to prevent any changes to the contact and nameserver information associated with the domain name, placing the domain name “on hold” to render it non-resolvable, transferring the domain name to another registrar, and/or, in cases in which the domain name is associated with an existing law enforcement investigation, substituting name servers to collect information about the DNS queries to assist the investigation.
Richemont DNS will adopt an Acceptable Use Policy that clearly defines the types of activities that will not be permitted in the TLD and reserves the right of Richemont DNS to lock, cancel, transfer or otherwise suspend or take down domain names violating the Acceptable Use Policy and allow the Registry where and when appropriate to share information with law enforcement. As there will be no re-sellers in .手表 and there will be no market in .手表 domains, opportunities for bad faith use are restricted. Below is the Registry’s initial Acceptable Use Policy that we will use in connection with the .手表 registry.
It is important to note that .手表 will be managed as a single entity registry, whose sole registrants will be internal stakeholders of Richemont DNS or Richemont DNS’s affiliates. Therefore, the potential for abusive registrations and other activities that have a negative impact on Internet users is minimal. In the unlikely event that such abuse should occur, Richemont DNS with its registry operator, Neustar, will implement the following policies and processes to manage such activities.
.手表 Acceptable Use Policy
This Acceptable Use Policy gives the Registry the ability to quickly lock, cancel, transfer or take ownership of any .手表 domain name, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity or security of the Registry, or any of its registrar partners – and/or that may put the safety and security of any registrant or user at risk. The process also allows the Registry to take preventive measures to avoid any such criminal or security threats.
The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the on-going monitoring by the Registry or its partners. In all cases, the Registry or its designees will alert Registry’s registrar partners about any identified threats, and will work closely with them to bring offending sites into compliance.
The following are some (but not all) activities that may be subject to rapid domain compliance:
- Phishing: the attempt to acquire personally identifiable information by masquerading as a website other than .手表’s own.
- Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the Hosts file on a victim’s computer or DNS records in DNS servers.
- Dissemination of Malware: the intentional creation and distribution of "malicious" software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.
- Fast Flux Hosting: a technique used to shelter Phishing, Pharming and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP addresses associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.
- Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.
- Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.
- Child Pornography: the storage, publication, display and/or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.
The Registry reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, the Registry reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion; (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Registry as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement or (5) to correct mistakes made by the Registry or any Registrar in connection with a domain name registration. Registry also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

Taking Action Against Abusive and/or Malicious Activity
The Registry is committed to ensuring that those domain names associated with abuse or malicious conduct in violation of the Acceptable Use Policy are dealt with in a timely and decisive manner. This includes taking action against those domain names that are being used to threaten the stability and security of the TLD, or are part of a real-time investigation by law enforcement.
Once a complaint is received from a trusted source, third-party, or detected by the Registry, the Registry will use commercially reasonable efforts to verify the information in the complaint. If that information can be verified to the best of the ability of the Registry, the sponsoring registrar will be notified and be given 12 hours to investigate the activity and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the Registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), the Registry will place the domain on “ServerHold”. (This is unlikely to be necessary, as Richemont DNS will be using a single, gateway registrar with whom it has a contract reflecting these policies). Although this action removes the domain name from the TLD zone, the domain name record still appears in the TLD WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.
Coordination with Law Enforcement
With the assistance of Neustar as its back-end registry services provider, Richemont DNS can meet its obligations under Section 2.8 of the Registry Agreement where required to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD. The Registry will respond to legitimate law enforcement inquiries within one business day from receiving the request. Such response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by Richemont DNS for rapid resolution of the request.
In the event such request involves any of the activities which can be validated by the Registry and involves the type of activity set forth in the Acceptable Use Policy, the sponsoring registrar is then given 12 hours to investigate the activity further and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), the Registry will place the domain on “serverHold”.


Richemont DNS is aware that Neustar provides additional monitoring for malicious activity upon request. Following Reveal Day, 2 May 2012, Richemont DNS will be talking to Neustar with the intention of determining how the following services and policies can be introduced.
Monitoring for Malicious Activity
Richemont DNS’s partner, Neustar is at the forefront of the prevention of abusive DNS practices. Neustar has developed and implemented an active “domain takedown” policy in which the registry itself takes down abusive domain names.
Neustar targets verified abusive domain names and removes them within 12 hours regardless of whether or not there is cooperation from the domain name registrar. This is because Neustar has determined that the interest in removing such threats from the consumer outweighs any potential damage to the registrar/registrant relationship. This is very unlikely to be required in the Richemont DNS registry, as it has rules of eligibility that exclude third parties beyond Richemont DNS and it will only be using one registrar, with which it has a close contractual relationship with requirements to co-operate in stemming abusive behaviors.
Neustar’s active prevention policies stem from the notion that registrants in the TLD have a reasonable expectation that they are in control of the data associated with their domains, especially its presence in the DNS zone. Because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, including malware, bot command and control, pharming, and phishing, the best preventative measure to thwart these attacks is often to remove the names completely from the DNS before they can impart harm, not only to the domain name registrant, but also to millions of unsuspecting Internet users.
Rapid Takedown Process
Since implementing the program, Neustar has developed two basic variations of the process. The more common process variation is a light-weight process that is triggered by “typical” notices. The less-common variation is the full process that is triggered by unusual notices. These notices tend to involve the need for accelerated action by the registry in the event that a complaint is received by Neustar, which alleges that a domain name is being used to threaten the stability and security of the TLD, or is part of a real-time investigation by law enforcement or security researchers. These processes are described below:
Lightweight Process
In addition to having an active Information Security group that, on its own initiative, seeks out abusive practices in the TLD, Neustar is an active member in a number of security organizations that have the expertise and experience in receiving and investigating reports of abusive DNS practices, including but not limited to, the Anti-Phishing Working Group, Castle Cops, NSP-SEC, the Registration Infrastructure Safety Group and others. Each of these sources is a well-known security organization that has developed a reputation for the prevention of harmful agents affecting the Internet. Aside from these organizations, Neustar also actively participates in privately run security associations whose basis of trust and anonymity makes it much easier to obtain information regarding abusive DNS activity.
Once a complaint is received from a trusted source, third-party, or detected by Neustar’s internal security group, information about the abusive practice is forwarded to an internal mail distribution list that includes members of the operations, legal, support, engineering, and security teams for immediate response (“CERT Team”). Although the impacted URL is included in the notification e-mail, the CERT Team is trained not to investigate the URLs themselves, since the URLs in question often have scripts, bugs, etc. that can compromise the individual’s own computer and the network safety. Rather, the investigation is done by a few members of the CERT Team who are able to access the URLs in a laboratory environment so as to not compromise the Neustar network. The lab environment is designed specifically for these types of tests and is scrubbed on a regular basis to ensure that none of Neustar’s internal or external network elements are harmed in any fashion.
Once the complaint has been reviewed and the alleged abusive domain name activity is verified to the best of the ability of the CERT Team, the sponsoring registrar is given 12 hours to investigate the activity and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the registry to keep the name in the zone.
If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), Neustar places the domain on “ServerHold”. Although this action removes the domain name from the TLD zone, the domain name record still appears in the TLD WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.
Full Process
In the event that Neustar receives a complaint which claims that a domain name is being used to threaten the stability and security of the TLD or is a part of a real-time investigation by law enforcement or security researchers, Neustar follows a slightly different course of action.
Upon initiation of this process, members of the CERT Team are paged and a teleconference bridge is immediately opened up for the CERT Team to assess whether the activity warrants immediate action. If the CERT Team determines the incident is not an immediate threat to the security and the stability of critical Internet infrastructure, they provide documentation to the Neustar Network Operations Center to clearly capture the rationale for the decision and refer the incident to the Lightweight process set forth above. If no abusive practice is discovered, the incident is closed.
However, if the CERT Team determines there is a reasonable likelihood that the incident warrants immediate action as described above, a determination is made to immediately remove the domain from the zone. As such, Customer Support will contact Richemont DNS’s registrar immediately to communicate that there is a domain involved in a security and stability issue. The registrar is provided only the domain name in question and the broadly stated type of incident. Given the sensitivity of the associated security concerns, it may be important that the registrar not be given explicit or descriptive information in regards to data that has been collected (evidence) or the source of the complaint. The need for security is to fully protect the chain of custody for evidence and the source of the data that originated the complaint.
Coordination with Law Enforcement & Industry Groups
Neustar has extensive experience of dealing with abusive and malicious domain name incidents. It has a close working relationship with a number of law enforcement agencies, both in the United States and internationally. For example, in the United States, Neustar is in constant communication with the Federal Bureau of Investigation, US CERT, Homeland Security, the Food and Drug Administration, and the National Center for Missing and Exploited Children.
Neustar is also a participant in a number of industry groups aimed at sharing information amongst key industry players about the abusive registration and use of domain names. These groups include the Anti-Phishing Working Group and the Registration Infrastructure Safety Group (where Neustar served for several years on the Board of Directors). Through these organizations and others, Neustar shares information with other registries, registrars, ccTLDs, law enforcement, security professionals, etc. not only on abusive domain name registrations within its own TLDs, but also provides information uncovered with respect to domain names in other registries’ TLDs. Neustar has often found that abuses are rarely confined to the TLDs it manages and also occur within other TLDs, such as .com and .info. Neustar routinely provides this information to the other registries so that they can take the appropriate action.
With the assistance of Neustar as its back-end registry services provider, Richemont DNS can meet its obligations under Section 2.8 of the Registry Agreement where it is required to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its TLD. Richemont DNS and/or Neustar will respond to legitimate law enforcement inquiries within one business day from receiving the request. Such response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by Richemont DNS and/or Neustar for rapid resolution of the request.
In the event such request involves any of the activities which can be validated by Richemont DNS and/or Neustar and involves the type of activity set forth in the Acceptable Use Policy, the sponsoring registrar is then given 12 hours to investigate the activity further and either take down the domain name by placing the domain name on hold or by deleting the domain name in its entirety or providing a compelling argument to the registry to keep the name in the zone. If the registrar has not taken the requested action after the 12-hour period (i.e., is unresponsive to the request or refuses to take action), Neustar places the domain on “serverHold”.
28.3 Measures for Removal of Orphan Glue Records
As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the “dominant use of orphaned glue supports the correct and ordinary operation of the DNS.” See http://www.icann.org/en/committees/security/sac048.pdf.
While orphan glue often supports correct and ordinary operation of the DNS, we understand that such glue records can be used maliciously to point to name servers that host domains used in illegal phishing, bot-nets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its child glue records still remain in the DNS. Therefore, when the Registry has written evidence of actual abuse of orphaned glue, the Registry will take action to remove those records from the zone to mitigate such malicious conduct.

Neustar runs a daily audit of entries in its DNS systems and compares those with its provisioning system. This serves as an umbrella protection to make sure that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone but not in the provisioning system will be flagged for investigation and removed if necessary. This daily DNS audit serves to prevent not only orphaned hosts but also other records that should not be in the zone.
In addition, if either Richemont DNS or Neustar becomes aware of actual abuse on orphaned glue after receiving written notification by a third party through its Abuse Contact or through its customer support, such glue records will be removed from the zone.
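The zone-versus-provisioning audit and the orphan-glue condition described in this section can be sketched as follows. This is an added example, not Neustar's or the registry's tooling: the `example.` TLD, the zone snapshot, the provisioning dictionaries and all function names are assumptions constructed for illustration.

```python
from collections import defaultdict

TLD = "example."  # placeholder TLD (assumption, not taken from the page)

# Constructed zone snapshot, master-file style: owner TTL class type rdata
ZONE_TEXT = """\
shop.example.        3600 IN NS   ns1.shop.example.
shop.example.        3600 IN NS   ns2.hosting.example.
ns1.shop.example.    3600 IN A    192.0.2.10
brand.example.       3600 IN NS   ns1.old.example.
ns1.old.example.     3600 IN A    192.0.2.20
ns9.gone.example.    3600 IN A    192.0.2.30
promo.example.       3600 IN NS   ns1.shop.example.
hosting.example.     3600 IN NS   ns2.hosting.example.
ns2.hosting.example. 3600 IN AAAA 2001:db8::53
"""

# Constructed provisioning-system view: domain objects and host objects.
PROVISIONED_DOMAINS = {
    "shop.example.": {"ns1.shop.example.", "ns2.hosting.example."},
    "brand.example.": {"ns1.old.example."},
    "hosting.example.": {"ns2.hosting.example."},
}
PROVISIONED_HOSTS = {
    "ns1.shop.example.": {"192.0.2.10"},
    "ns1.old.example.": {"192.0.2.20"},
    "ns2.hosting.example.": {"2001:db8::53"},
}


def parse_zone(text):
    """Parse the simplified zone text into a set of (owner, type, rdata)."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.add((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return records


def registered_domain(name, tld=TLD):
    """Return the name one label below the TLD that `name` falls under."""
    labels = name.rstrip(".").split(".")
    tld_labels = tld.rstrip(".").split(".")
    if labels[-len(tld_labels):] != tld_labels or len(labels) <= len(tld_labels):
        return None
    return ".".join(labels[-(len(tld_labels) + 1):]) + "."


def expected_records(domains, hosts):
    """Records the provisioning system says should be published."""
    expected = set()
    for domain, nameservers in domains.items():
        expected.update((domain, "NS", ns) for ns in nameservers)
    for host, addresses in hosts.items():
        expected.update(
            (host, "AAAA" if ":" in addr else "A", addr) for addr in addresses
        )
    return expected


def audit(zone_text, domains, hosts):
    """Compare zone and provisioning data and list orphaned glue."""
    zone = parse_zone(zone_text)
    expected = expected_records(domains, hosts)
    delegated = {owner for owner, rtype, _ in zone if rtype == "NS"}
    referenced_by = defaultdict(set)
    for owner, rtype, rdata in zone:
        if rtype == "NS":
            referenced_by[rdata].add(owner)
    # Orphan glue: an address record whose parent domain is no longer
    # delegated. Delegations still pointing at it are listed, because glue
    # in ordinary use should be investigated, not removed automatically.
    orphans = {}
    for owner, rtype, _ in zone:
        if rtype in ("A", "AAAA") and registered_domain(owner) not in delegated:
            orphans[owner] = sorted(referenced_by.get(owner, ()))
    return {
        "zone_only": sorted(zone - expected),
        "missing_from_zone": sorted(expected - zone),
        "orphan_glue": orphans,
    }


if __name__ == "__main__":
    report = audit(ZONE_TEXT, PROVISIONED_DOMAINS, PROVISIONED_HOSTS)
    for rec in report["zone_only"]:
        print("in zone, not provisioned:", rec)
    for host, users in report["orphan_glue"].items():
        print("orphan glue:", host, "still used by", users or "nothing")
```

In this constructed data, `ns1.old.example.` is orphaned but still serves `brand.example.`, while `ns9.gone.example.` is orphaned, unreferenced and absent from provisioning, which makes it the entry to investigate first.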
28.4 Measures to Promote WHOIS Accuracy
The Richemont DNS registry will implement several measures to promote Whois accuracy.

Whois service for Richemont DNS will operate as follows: all basic contact details for each domain name are kept in a unique internal system by the registry, which facilitates the access to the domain information. In addition, Richemont DNS will perform internal monitoring checks and procedures which will only allow accurate Whois information and remove outdated data.


28.4.1. Authentication of Registrant Information
As a single entity registry, the only registrant in .手表 will be Richemont DNS. However, Richemont DNS will guarantee the adequate authentication of registrant data, ensuring the highest levels of accuracy and diligence when dealing with Whois data. In doing so, Richemont DNS’s solid internal system will undertake authentication measures including, but not limited to, the following: running checks against Whois internal records, and regular verification of all contact details and other relevant registrant information. Richemont DNS’s registrar will also be charged with regularly checking Whois accuracy.
28.4.2. Regular Monitoring of Registration Data
Richemont DNS is strongly committed to implementing specific policies and procedures to guarantee adequate compliance with ICANN’s Whois requirements. Among other measures, Richemont DNS will regularly remind its internal personnel to meet the standards of ICANN’s Whois information Policy, including regular checks of Whois data against internal records, offering Whois accuracy services, evaluating claims of fraudulent Whois data and the cancellation of domain name registrations with outdated Whois details.

28.4.3. Policies and Procedures ensuring compliance
Only Richemont DNS and its Affiliates will be permitted to register and use Richemont DNS domain names. Accordingly, the duties of the Richemont DNS registrar will be very limited and closely defined. However, as part of the RRA (Registry Registrar Agreement), Richemont DNS will require the Richemont DNS registrar to take steps necessary to ensure Whois data is complete and accurate and to implement the Richemont DNS registration policies.

28.5 Resourcing Plans
Responsibility for abuse mitigation rests with a variety of functional groups. The Abuse Monitoring team is primarily responsible for providing analysis and conducting investigations of reports of abuse. The customer service team also plays an important role in assisting with the investigations, responding to customers, and notifying registrars of abusive domains. Finally, the Policy/Legal team is responsible for developing the relevant policies and procedures.
The necessary resources will be pulled from the pool of available resources described in detail in the response to Question 31. The following resources are available from those teams:
Customer Support – 12 employees
Policy/Legal – 2 employees
The resources are more than adequate to support the abuse mitigation procedures of the .手表 registry.
Furthermore, Richemont DNS dedicates significant financial and personnel resources to combating malicious and abusive behavior in the DNS. Richemont DNS will extend these resources to encompass the designation and maintenance of the unique abuse point of contact, regular monitoring of potential abusive and malicious activities with support from dedicated technical staff, analysis of reported abuse and malicious activity, and action to address such reported activity.

The designated abuse prevention staff will be subject to regular evaluations, receive adequate training and work under expert supervision. The abuse prevention resources will comprise both internal staff and external abuse prevention experts who would give extra advice and support when necessary. These external staff include experts in Richemont DNS’s registrar.


gTLD: .WOW | Full Legal Name: Amazon EU S.à r.l. | E-mail suffix: valideus.com
28.1 Abuse Prevention and Mitigation
Amazon EU S.à r.l. and its registry service provider, Neustar, recognize that preventing and mitigating abuse and malicious conduct in the .WOW registry is an important and significant responsibility. Amazon EU S.à r.l. will leverage Neustar’s extensive experience in establishing and implementing registration policies to prevent and mitigate abusive and malicious domain activity within the proposed .WOW space.
.WOW will be a single entity registry, with all domains registered to Amazon for use in pursuit of Amazon’s business goals. There will be no re-sellers in .WOW and there will be no market in .WOW domains. Amazon will strictly control the use of .WOW domains. Opportunities for abusive and malicious domain activity in .WOW are therefore very restricted but we will nonetheless abide by our obligations to ICANN. A responsible domain name registry works towards the eradication of abusive domain name registrations and malicious activity, which may include conduct such as:
- Illegal or fraudulent actions
- Spam
- Phishing
- Pharming
- Distribution of malware
- Fast flux hosting
- Botnets
- Malicious hacking
- Distribution of child pornography
- Online sale or distribution of illegal pharmaceuticals.

By taking an active role in researching and monitoring abusive domain name registration and malicious conduct, Neustar has developed the ability to efficiently work with various law enforcement and security communities to mitigate fast flux DNS-using botnets.
Policies and Procedures to Minimize Abusive Registrations
A registry must have the policies, resources, personnel, and expertise in place to combat such abusive registration and malicious conduct. Neustar, Amazon EU S.à r.l.’s registry services provider, has played a leading role in preventing such abusive practices, and has developed and implemented a “domain takedown” policy. Amazon EU S.à r.l. also believes that combating abusive use of the DNS is important in protecting registrants.
Removing a domain name from the DNS before it can cause harm is often the best preventative measure for thwarting certain malicious conduct such as botnets and malware distribution. Because removing a domain name from the zone will stop all activity associated with the domain name, including websites and e-mail, the decision to remove a domain name from the DNS must follow a documented process, culminating in a determination that the domain name to be removed poses a threat to the security and stability of the Internet or the registry. Amazon EU S.à r.l., via Neustar, has an extensive, defined, and documented process for taking the necessary action of removing a domain from the zone when its presence in the zone poses a threat to the security and stability of the infrastructure of the Internet or the registry.
Abuse Point of Contact
As required by the Registry Agreement, Amazon EU S.à r.l. will establish and publish on its website a single abuse point of contact responsible for addressing inquiries from law enforcement and the public related to malicious and abusive conduct. Amazon EU S.à r.l. will also provide such information to ICANN before delegating any domain names in .WOW. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a telephone number and mailing address for the primary contact. Amazon EU S.à r.l. will ensure that this information is accurate and current, and that updates are provided to ICANN if and when changes are made. In addition, the registry services provider for .WOW, Neustar, shall continue to have an additional point of contact for requests from registrars related to abusive domain name practices.

28.2 Policies Regarding Abuse Complaints
Amazon EU S.à r.l. will adopt an Acceptable Use Policy that (i) clearly defines the types of activities that will not be permitted in .WOW; (ii) reserves Amazon EU S.à r.l.’s right to lock, cancel, transfer or otherwise suspend or take down domain names violating the Acceptable Use Policy; and (iii) identifies the circumstances under which Amazon EU S.à r.l. may share information with law enforcement. Amazon EU S.à r.l. will incorporate its .WOW Acceptable Use Policy into its Registry-Registrar Agreement.
Under the .WOW Acceptable Use Policy, which is set forth below, Amazon EU S.à r.l. may lock down the domain name to prevent any changes to the domain name contact and nameserver information, place the domain name “on hold” rendering the domain name non-resolvable, and/or transfer the domain name to another registrar. In cases in which the domain name is associated with an ongoing law enforcement investigation, Amazon EU S.à r.l. will coordinate with law enforcement to assist in the investigation as described in more detail below.

It is Amazon EU S.à r.l.’s intention that all .WOW domain names will be registered and used by it and its Affiliates and that only ICANN-accredited registrars that have signed a Registry-Registrar Agreement will be permitted to register .WOW domain names. Accordingly, the potential for abusive registrations and malicious conduct in the .WOW registry is expected to be limited. In the unlikely event that such abuse should occur, Amazon EU S.à r.l. will work with its registry services provider, Neustar, to implement the following policies and processes to prevent and mitigate such activities. Below is the initial Acceptable Use Policy for the .WOW registry.
.WOW Acceptable Use Policy
This Acceptable Use Policy gives the .WOW registry the ability to quickly lock, cancel, transfer or take ownership of any .WOW domain name, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity or security of the .WOW registry, or any of its registrar partners – and/or that may put the safety and security of any registrant or user at risk. The process also allows the .WOW registry to take preventive measures to avoid any such criminal or security threats.
The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the on-going monitoring by the .WOW registry or its partners. In all cases, the .WOW registry or its designees will alert .WOW registry’s registrar partners about any identified threats and will work closely with them to bring offending sites into compliance.
The following are some (but not all) activities that may be subject to rapid domain compliance:
 Phishing: the attempt to acquire personally identifiable information by masquerading as a website other than .WOW’s own.
 Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the Hosts file on a victim’s computer or DNS records in DNS servers.
 Dissemination of Malware: the intentional creation and distribution of “malicious” software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.
 Fast Flux Hosting: a technique used to shelter Phishing, Pharming and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP addresses associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.
 Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.
 Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.
 Child Pornography: the storage, publication, display and/or dissemination of pornographic materials depicting individuals under the age of majority in the relevant jurisdiction.
The .WOW registry reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, the .WOW registry reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of the .WOW registry as well as its affiliates, subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement, or (5) to correct mistakes made by the .WOW registry or any Registrar in connection with a domain name registration. The .WOW registry also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

Taking Action Against Abusive and/or Malicious Activity
The .WOW registry is committed to acting in a timely manner against those domain names associated with abuse or malicious conduct in violation of the Acceptable Use Policy. After a complaint is received from a trusted source or third-party, or detected by the .WOW registry, the registry will use commercially reasonable efforts to verify the information in the complaint. If that information can be verified to the best of the registry’s ability, the sponsoring registrar will be notified and have 12 hours to investigate the activity and either (a) take down the domain name through a hold or deletion, or (b) provide the registry with a compelling argument why to keep the domain name in the zone. If the registrar has not acted when the 12-hour period ends (i.e., is unresponsive to the request or refuses to take action), the .WOW registry will place the domain on “ServerHold”. (It is unlikely the registrar will not timely act because Amazon EU S.à r.l. intends to use a single, gateway registrar with which it has a contract reflecting these policies). ServerHold removes the domain name from the .WOW zone, but the domain name record still appears in the TLD WHOIS database so that the name and entities can be investigated by law enforcement should they desire to get involved.
Coordination with Law Enforcement
Amazon EU S.à r.l. will obtain assistance from Neustar to meet its obligations under Section 2.8 of the Registry Agreement to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of the .WOW registry. The .WOW registry will respond to legitimate law enforcement inquiries promptly upon receiving the request.

The response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by Amazon EU S.à r.l. for rapid resolution of the request. If the request involves any of the activities that can be validated by the registry and implicates activity covered by the .WOW Acceptable Use Policy, the sponsoring registrar will have 12 hours to investigate the activity and either (a) take down the domain name through a hold or deletion, or (b) provide the registry with a compelling argument why to keep the domain name in the zone. The .WOW Registry will place the domain on “ServerHold” if the registrar has not acted within the 12-hour period.
Monitoring for Malicious Activity
Neustar, .WOW’s registry services provider, has developed and implemented an active “domain takedown” policy in which the registry itself takes down abusive domain names.
Neustar targets domain names verified to be abusive and removes them within 12 hours regardless of whether the domain name registrar cooperated. Neustar has determined that the benefit in removing such threats outweighs any potential damage to the registrar/registrant relationship. Amazon EU S.à r.l.’s restrictions on registration eligibility make it unlikely that any .WOW domains will be taken down. The .WOW registry rules are anticipated to exclude third parties beyond Amazon EU S.à r.l. and its Affiliates. Moreover, only registrars that contractually agree to cooperate in stemming abusive behaviors will be permitted to register .WOW domain names.
Neustar’s active prevention policies stem from the notion that registrants in .WOW have a reasonable expectation that they control the data associated with their domains, especially its presence in the DNS zone. Removing a domain name from the DNS before it can cause harm is often the best preventative measure for thwarting certain malicious conduct such as botnets and malware distribution that harms not only the domain name registrant, but also potentially millions of unsuspecting Internet users.
Rapid Takedown Process
Since implementing the program, Neustar has developed two basic variations of the process. The more common process variation is a lightweight process that is triggered by “typical” notices. The less common variation is the full process that is triggered by unusual notices, which generally allege that a domain name is being used to threaten the stability and security of the TLD, or is part of a real-time investigation by law enforcement or security researchers. In these cases, accelerated action by the registry is necessary. These processes are described below, though it is important to note that .WOW will be managed as a single entity registry, whose registrants will be internal stakeholders of Amazon or Amazon’s subsidiaries. Therefore, the potential for abusive registrations and other activities that have a negative impact on Internet users is minimal. In the unlikely event that such abuse should occur, Amazon with its registry operator, Neustar, will implement the following policies and processes to manage such activities.
Lightweight Process
In addition to having an active Information Security group that, on its own initiatives, seeks out abusive practices in the .WOW registry, Neustar is an active member in a number of security organizations that have the expertise and experience in receiving and investigating reports of abusive DNS practices, including but not limited to, the Anti-Phishing Working Group, Castle Cops, NSP-SEC, the Registration Infrastructure Safety Group and others. Each of these sources is a well-known security organization that has a reputation for preventing abuse and malicious conduct on the Internet. Aside from these organizations, Neustar also actively participates in privately run security associations that operate based on trust and anonymity, making it much easier to obtain information regarding abusive DNS activity.
Once a complaint is received from a trusted source or third-party, or detected by Neustar’s internal security group, information about the abusive practice is forwarded to an internal mail distribution list that includes members of Neustar’s operations, legal, support, engineering, and security teams for immediate response (“CERT Team”). Although the impacted URL is included in the notification e-mail, the CERT Team is trained not to investigate the URLs themselves because the URLs in question often have scripts, bugs, etc. that can compromise the individual’s own computer and the network safety. Rather, the investigation is conducted by CERT team members who can access the URLs in a laboratory environment to avoid compromising the Neustar network. The lab environment is designed specifically for these types of tests and is scrubbed on a regular basis to ensure that none of Neustar’s internal or external network elements are harmed in any fashion.
Once the complaint has been reviewed and the alleged abusive domain name activity is verified to the best of the ability of the CERT Team, the sponsoring registrar has 12 hours to investigate the activity and either (a) take down the domain name through a hold or deletion, or (b) provide the registry with a compelling argument why to keep the domain name in the zone.
The .WOW Registry will place the domain on “ServerHold” if the registrar has not acted within the 12-hour period.
ServerHold removes the domain name from the .WOW zone, but the domain name record still appears in the TLD WHOIS database so that the name and entities can be investigated by law enforcement.
Full Process
In the unlikely event with a single entity registry, whose registrants will be internal stakeholders of Amazon or Amazon’s subsidiaries, that Neustar receives a complaint that claims that a domain name is being used to threaten the stability and security of the .WOW registry, or is a part of a real-time investigation by law enforcement or security, Neustar follows a slightly different course of action.
Upon initiation of this process, members of the CERT Team are paged and a teleconference bridge is immediately opened up for the CERT Team to assess whether the activity warrants immediate action. If the CERT Team determines the incident is not an immediate threat to the security and the stability of critical Internet infrastructure, the CERT Team provides documentation to the Neustar Network Operations Center to clearly capture the rationale for the decision and either refers the incident to the Lightweight process set forth above or closes the incident.
However, if the CERT Team determines that there is a reasonable likelihood that the incident warrants immediate action, a determination is made to immediately remove the domain from the zone. As such, Customer Support will contact Amazon EU S.à r.l.’s registrar immediately to communicate that there is a domain involved in a security and stability issue. The registrar is provided only the domain name in question and the broadly stated type of incident. As .WOW is a Single Entity Registry using a single registrar whose work will be strictly controlled through a Service Level Agreement that includes the implementation of measures to prevent abusive registrations, the risk of evidence of abuse being compromised is minimized.
Coordination with Law Enforcement & Industry Groups
Neustar has a close working relationship with a number of law enforcement agencies, both in the United States and internationally. For example, in the United States, Neustar is in constant communication with the Federal Bureau of Investigation, US CERT, Homeland Security, the Food and Drug Administration, and the National Center for Missing and Exploited Children.
Neustar also participates in a number of industry groups aimed at sharing information among key industry players about the abusive registration and use of domain names. These groups include the Anti-Phishing Working Group and the Registration Infrastructure Safety Group (where Neustar served for several years on the Board of Directors). Through these organizations and others, Neustar proactively shares information with other registries, registrars, ccTLDs, law enforcement, security professionals, etc., not only on abusive domain name registrations within its own TLDs, but also on domain names in other registries’ TLDs. Neustar has often found that abuses are rarely confined to the TLDs it manages and also occur within other TLDs, such as .com and .info. Neustar routinely provides this information to the other registries so that the relevant registry can take the appropriate action.
With the assistance of Neustar as its registry services provider, Amazon EU S.à r.l. can meet its obligations under Section 2.8 of the Registry Agreement to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of its .WOW registry. Amazon EU S.à r.l. and/or Neustar will respond to legitimate law enforcement inquiries promptly upon receiving the request. Such response shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by Amazon EU S.à r.l. and/or Neustar for rapid resolution of the request.
If the request involves any of the activities that can be validated by the registry and/or Neustar and implicates the type of activity set forth in the Acceptable Use Policy, the sponsoring registrar will have 12 hours to investigate the activity further and either (a) take down the domain name through a hold or deletion, or (b) provide the registry with a compelling argument why to keep the domain name in the zone. The .WOW registry will place the domain on “ServerHold” if the registrar has not acted within the 12-hour period.
28.3 Measures for Removal of Orphan Glue Records
As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the “dominant use of orphaned glue supports the correct and ordinary operation of the DNS.” See http://www.icann.org/en/committees/security/sac048.pdf.
While orphan glue often supports correct and ordinary operation of the DNS, such glue records can be used maliciously to point to name servers that host domains used in illegal phishing, bot-nets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its child glue records still remain in DNS. Therefore, when the .WOW registry has written evidence of actual abuse of orphaned glue, the .WOW registry will act to remove those records from the zone to mitigate such malicious conduct.

Neustar runs a daily audit of entries in its DNS systems and compares those with its provisioning system, which serves as an umbrella protection that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone but not in the provisioning system is flagged for investigation and removed if necessary. This daily DNS audit prevents not only orphaned hosts but also other records that should not be in the zone.
In addition, if either Amazon EU S.à r.l. or Neustar becomes aware of actual abuse on orphaned glue after receiving written notification from a third party through its Abuse Contact or through its customer support, such glue records will be removed from the zone.
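The two checks described in this section, a zone-versus-provisioning comparison and the detection of glue whose parent domain is no longer delegated, can be sketched as follows. This is an added example, not Neustar's or the applicant's own tooling; the placeholder TLD "example", the record tuples and all function names are assumptions made for illustration.

```python
"""Zone audit sketch: diff a zone snapshot against provisioning data, flag orphan glue."""

TLD = "example"  # placeholder TLD (assumption), not taken from the page

# Constructed zone snapshot as (owner, type, rdata); addresses are documentation ranges.
ZONE = [
    ("shop.example.", "NS", "ns1.shop.example."),
    ("ns1.shop.example.", "A", "192.0.2.10"),
    ("mail.example.", "NS", "NS1.gone.example."),   # still uses a host under a deleted name
    ("ns1.gone.example.", "A", "198.51.100.5"),     # glue whose parent gone.example. is deleted
    ("ns9.gone.example.", "A", "198.51.100.9"),     # same parent, referenced by nothing
    ("rogue.example.", "NS", "ns1.shop.example."),  # in the zone, never provisioned
]

# Constructed provisioning view: what the registry database says should be published.
PROVISIONED = [r for r in ZONE if r[0] != "rogue.example."]


def norm(name):
    """DNS names compare case-insensitively; use lower case with one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def registered_domain(name, tld=TLD):
    """Return the registrable name directly under `tld` that `name` sits in, else None."""
    labels = norm(name).rstrip(".").split(".")
    suffix = norm(tld).rstrip(".").split(".")
    if len(labels) <= len(suffix) or labels[-len(suffix):] != suffix:
        return None
    return ".".join(labels[-len(suffix) - 1:]) + "."


def canonical(records):
    """Normalise owner names, and rdata where it is itself a host name (NS)."""
    return {(norm(o), t.upper(), norm(d) if t.upper() == "NS" else d)
            for o, t, d in records}


def unprovisioned(zone, provisioned):
    """Records published in the zone that the provisioning system does not know."""
    return sorted(canonical(zone) - canonical(provisioned))


def orphan_glue(zone, tld=TLD):
    """Address records whose parent domain has no delegation left in the zone."""
    records = sorted(canonical(zone))
    delegated = {o for o, t, _ in records if t == "NS"}
    referenced = {d for _, t, d in records if t == "NS"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        parent = registered_domain(owner, tld)
        if parent is None or parent in delegated:
            continue  # out of zone, or ordinary glue under a live delegation
        findings.append({
            "host": owner,
            "address": rdata,
            "parent": parent,
            # True: removing the glue would break another delegation, so review first.
            "still_referenced": owner in referenced,
        })
    return findings


if __name__ == "__main__":
    for rec in unprovisioned(ZONE, PROVISIONED):
        print("not in provisioning:", rec)
    for f in orphan_glue(ZONE):
        print("orphan glue:", f)
```

The `still_referenced` flag separates glue that other delegations still depend on, the ordinary case SAC048 describes, from glue that nothing in the zone uses.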
28.4 Measures to Promote WHOIS Accuracy
The .WOW registry will implement several measures to promote Whois accuracy.
Whois service for Amazon EU S.à r.l. will operate as follows. The registry will keep all basic contact details for each domain name in a unique internal system, which facilitates access to the domain information. In addition, Amazon EU S.à r.l. will perform internal monitoring checks and procedures that will only allow accurate Whois information and remove outdated data.

28.4.1. Authentication of Registrant Information
Amazon EU S.à r.l. will guarantee the adequate authentication of registrant data, ensuring the highest levels of accuracy and diligence when dealing with Whois data. In doing so, Amazon EU S.à r.l.’s solid internal system will undertake, but not be limited to the following measures: running checks against Whois internal records and regular verification of all contact details and other relevant registrant information. The Amazon EU S.à r.l.’s registrar will also be charged with regularly checking Whois accuracy.
Amazon EU S.à r.l. will have a well-defined registration policy that will include a requirement that complete and accurate registrant details are provided by the requestor for a domain. These details will be validated by the Amazon EU S.à r.l. registrar who will have a contractual duty to comply with Amazon EU S.à r.l.’s registration policy. The full details of every domain requestor will be kept in Amazon EU S.à r.l.’s on-line registry management dashboard which can be accessed by Amazon EU S.à r.l.’s Domain Management Team at any time.


28.4.2. Regular Monitoring of Registration Data
Amazon EU S.à r.l. will comply with ICANN’s Whois requirements. Among other measures, Amazon EU S.à r.l. will regularly remind its internal personnel to comply with ICANN’s Whois information Policy through regularly checking Whois data against internal records, offering Whois accuracy services, evaluating claims of fraudulent Whois data, and cancelling domain name registrations with outdated Whois details.

28.4.3. Policies and Procedures ensuring compliance
Only Amazon EU S.à r.l. and its Affiliates will be permitted to register and use Amazon EU S.à r.l. domain names. Accordingly, the duties of the Amazon EU S.à r.l. registrar will be very limited and closely defined. Regardless, Amazon EU S.à r.l.’s Registry-Registrar Agreement will require Amazon EU S.à r.l.’s registrar to take steps necessary to ensure Whois data is complete and accurate and to implement the .WOW registration policies.

28.5 Resourcing Plans
Responsibility for abuse mitigation rests with a variety of functional groups at Neustar. The Neustar Abuse Monitoring team is primarily responsible for providing analysis and conducting investigations of reports of abuse. The Neustar Customer Service team also plays an important role in assisting with investigations, responding to customers, and notifying registrars of abusive domains. Finally, the Neustar Policy/Legal team is responsible for developing the relevant policies and procedures.
The necessary resources will be pulled from the pool of available resources described in detail in the response to Question 31. The following resources are available from those teams:
Customer Support – 12 employees
Policy/Legal – Two employees
The resources are more than adequate to support the abuse mitigation procedures of the .WOW registry.
Furthermore, Amazon EU S.à r.l. dedicates significant financial and personnel resources to combating malicious and abusive behavior in the DNS and across the internet. Amazon EU S.à r.l. will extend these resources to designating the unique abuse point of contact, regularly monitoring potential abusive and malicious activities with support from dedicated technical staff, analyzing reported abuse and malicious activity, and acting to address such reported activity.
The designated abuse prevention staff within Neustar and Amazon EU S.à r.l. will be subject to regular evaluations, receive adequate training and work under expert supervision. The abuse prevention resources will comprise both internal staff and external abuse prevention experts who would give extra advice and support when necessary. This external staff includes experts in Amazon EU S.à r.l.’s registrar where one legal manager and four operational experts will be available to support Amazon EU S.à r.l.

Please note that in the above answer the terms “We”, “Our” and “Amazon” may refer to either the applicant Amazon EU S.à r.l. or Amazon.com Inc., the ultimate parent, or sometimes Neustar, the registry services provider.