28 Abuse Prevention and Mitigation

Prototypical answer:

28.1 Abuse Prevention and Mitigation

Strong abuse prevention in a new gTLD is an important benefit to the Internet community. Fox Registry, LLC (“Applicant”) and its registry operator and back-end registry services provider, Neustar, Inc. (“Neustar”) understand that a registry must not only aim for the highest standards of technical and operational competence, but must also act as a steward of the namespace on behalf of the Internet community and ICANN in promoting the public interest. Neustar brings extensive experience establishing and implementing registration policies. Applicant will leverage this experience to combat abusive and malicious domain activity within the .FOX TLD, including, but not limited to, abuse resulting from:

• Illegal or fraudulent actions
• Spam
• Phishing
• Pharming
• Distribution of malware
• Fast flux hosting
• Botnets
• Illegal or fraudulent activity

One of Applicant’s primary abuse prevention and mitigation strategies is that Applicant intends to operate a single registrant⁄single user registry. Second level domain names within the .FOX TLD will be registered to, and maintained by Applicant for the use by Applicant and its Affiliates (as defined in the Draft New gTLD Registry Agreement contained in the Applicant Guidebook dated 2012-01-11 (“Draft Registry Agreement”)). Applicant does not intend to sell, distribute or transfer control or use of any second level registrations in the .FOX TLD to any third party that is not an Affiliate of Applicant. Accordingly, members of the general public will not be able to register or use second level domain names under the .FOX TLD. This operating model by its very nature will eliminate or at least significantly reduce potential abuse as envisaged by question 28.

Even though there is a minimal risk of abuse, Applicant, in conjunction with its partner, Neustar, will work to identify and mitigate certain abusive or malicious activity. For example, although traditionally botnets have used Internet Relay Chat (IRC) servers to control registry and the compromised PCs, or bots, for DDoS attacks and the theft of personal information, an increasingly popular technique, known as fast-flux DNS, allows botnets to use a multitude of servers to hide a key host or to create a highly-available control network. This ability to shift the attacker’s infrastructure over a multitude of servers in various countries creates an obstacle for law enforcement and security researchers to mitigate the effects of these botnets. A point of weakness in this scheme is its dependence on DNS for its translation services. By taking an active role in researching and monitoring these sorts of botnets, Neustar has developed the ability to efficiently work with various law enforcement and security communities to begin a new phase of mitigation of these types of threats.

A registry operator must have the policies, resources, personnel, and expertise in place to combat potential abusive DNS practices. Applicant believes that a strong abuse prevention and mitigation program is essential and will implement all necessary policies and procedures needed to meet its obligations as a registry operator.

28.2 Policies Regarding Abuse Complaints

In order to prevent and mitigate abuse in the .FOX TLD, Applicant will adopt an Acceptable Use Policy (1) that clearly defines the types of activities that will not be permitted in the TLD; (2) that reserves Applicant’s right to lock, cancel, or otherwise suspend or take down domain names that violate the Acceptable Use Policy; and (3) that reserves Applicant’s right to share information with law enforcement when necessary. Applicant will implement through its internal policies and in its registrar and registration agreements a requirement that all registered domain names in the TLD will be subject to the Acceptable Use Policy. As Applicant intends to operate a single registrant⁄single user registry, second-level domain names within the .FOX TLD will be registered to, and maintained by Applicant. Therefore Applicant will agree to its own Acceptable Use Policy for each second-level domain name registered in the .FOX TLD.

The Acceptable Use Policy will be published at NIC.FOX and will provide Applicant with broad power to lock, suspend or cancel domain names that violate it. Actions Applicant may take against a domain name in violation of the Acceptable Use Policy include:

• Locking the domain name to prevent any changes to the contact and name server information associated with the domain name,
• Placing the domain name “on hold” to render the domain name non-resolvable,
• Transferring the domain name to another registrar,
• Removing the domain name from the DNS entirely,
• Substituting name servers to collect information about the DNS queries to assist an existing law enforcement investigation related to the domain name.

Abuse Point of Contact

As required by the Draft Registry Agreement, Applicant will establish and publish on its website at NIC.FOX a single abuse point of contact (“Abuse Contact”) responsible for addressing inquiries that relate to malicious and abusive conduct and Applicant’s Acceptable Use Policy, including inquiries from law enforcement, the public, or any other party. Applicant will also provide its Abuse Contact information to ICANN prior to the delegation of any domain names in the .FOX TLD. This information shall consist of, at a minimum, a valid e-mail address dedicated solely to the handling of malicious conduct complaints, and a mailing address for the primary contact. Applicant will ensure that this information will be kept accurate and up to date and will provide ICANN with any updates to the information. In addition, with respect to inquiries from ICANN-Accredited registrars, Neustar shall have an additional point of contact, as it does today, handling requests by registrars related to abusive domain name practices.

Procedure for Taking Action Against Abusive and⁄or Malicious Activity

Applicant is committed to ensuring that complaints against domain names associated with abusive or malicious conduct in violation of the Acceptable Use Policy are addressed in a timely and decisive manner. Once a complaint is received by the Abuse Contact--whether from a third-party tip, from Applicant’s own monitoring, or from another source--Applicant will use commercially reasonable efforts to review the complaint and verify the information therein.

Within a commercially reasonable period of time after receipt and review of the complaint, Applicant will provide a response to the complainant that (1) requests additional information about the complaint; (2) denies that a violation of the Acceptable Use Policy has occurred and explains why; or (3) confirms that a violation of a the Acceptable Use Policy has occurred and explains the actions taken by Applicant to remedy it.

If Applicant finds a violation of its Acceptable Use Policy, the Abuse Contact will alert the registry services provider and⁄or the sponsoring registrar to immediately suspend the resolution of the domain name. Applicant will then notify the registrant of the suspension of the domain name, the nature of the complaint, and provide the registrant with the option to respond within a timely fashion or the domain name will be canceled. If the registrant responds within a timely period, its response will be reviewed by Applicant. If Applicant is satisfied by the registrant’s response that the use is not abusive, Applicant will submit a timely request to the registry services provider and⁄or the sponsoring registrar to unsuspend the domain name. If the registrant does not respond within a timely fashion, the Abuse Contact will notify the registry services provider and⁄or the sponsoring registrar to cancel the abusive domain name.

In addition, because domain names are sometimes used as a mechanism to enable various illegitimate activities on the Internet, often the best preventative measure to thwart these attacks is to remove the names completely from the DNS before they can impart harm, not only to the domain name registrant, but also to millions of unsuspecting Internet users. Removing the domain name from the zone has the effect of shutting down all activity associated with the domain name, including the use of all websites and e-mail. The use of this technique should not be entered into lightly. Applicant, in conjunction with Neustar, has an extensive, defined, and documented process for taking the necessary action of removing a domain from the zone when its presence in the zone poses a threat to the security and stability of the infrastructure of the Internet or the registry. In conjunction with Neustar, Applicant will employ such removal of the domain name from the zone as circumstances dictate.

Coordination with Law Enforcement

With the assistance of Neustar as its back-end registry services provider, Applicant will meet its obligations under Section 2.8 of the Draft Registry Agreement to take reasonable steps to investigate and respond to reports from law enforcement and governmental and quasi-governmental agencies of illegal conduct in connection with the use of the .FOX TLD. Applicant will respond to legitimate law enforcement inquiries within a commercially reasonable period of time, and such responses shall include, at a minimum, an acknowledgement of receipt of the request, questions or comments concerning the request, and an outline of the next steps to be taken by Applicant for rapid resolution of the request.

In the event such request involves any of the activities that can be validated by Applicant and involves the type of activity set forth in the Acceptable Use Policy, Applicant will promptly notify the registry services provider and⁄or the sponsoring registrar and direct that the domain name be placed on hold or deleted from the DNS entirely. If Applicant determines that it is not an abusive activity, Applicant will provide the relevant law enforcement, governmental and⁄or quasi-governmental agency a compelling argument to keep the name in the zone within a commercially reasonable period of time.

.FOX TLD Acceptable Use Policy

Applicant will adopt, publish, and enforce the below Acceptable Use Policy, or a similar policy, to prevent and mitigate abuse in the .FOX TLD and to meet all other requirements of ICANN:

This Acceptable Use Policy gives the .FOX registry (the ʺRegistryʺ) the ability to quickly lock, cancel, transfer or take ownership of any .FOX domain name, either temporarily or permanently, if the domain name is being used in a manner that appears to threaten the stability, integrity or security of the Registry, or any of its registrar partners – and⁄or that may put the safety and security of any registrant or user at risk. The process also allows the Registry to take preventive measures to avoid any such criminal or security threats.

The Acceptable Use Policy may be triggered through a variety of channels, including, among other things, private complaint, public alert, government or enforcement agency outreach, and the ongoing monitoring by the Registry or its partners. In all cases, the Registry or its designees will alert Registry’s registrar partners about any identified threats, and will work closely with them to bring offending sites into compliance.
The following are some (but not all) activities that may be subject to rapid domain compliance:

• Phishing:The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data.
• Pharming: the redirection of Internet users to websites other than those the user intends to visit, usually through unauthorized changes to the Hosts file on a victim’s computer or DNS records in DNS servers.
• Willful Dissemination of Malware: the intentional creation and distribution of ʺmaliciousʺ software designed to infiltrate a computer system without the owner’s consent, including, without limitation, computer viruses, worms, key loggers, and Trojans.
• Fast Flux Hosting: a technique used to shelter Phishing, Pharming and Malware sites and networks from detection and to frustrate methods employed to defend against such practices, whereby the IP address associated with fraudulent websites are changed rapidly so as to make the true location of the sites difficult to find.
• Botnetting: the development and use of a command, agent, motor, service, or software which is implemented: (1) to remotely control the computer or computer system of an Internet user without their knowledge or consent, (2) to generate direct denial of service (DDOS) attacks.
• Malicious Hacking: the attempt to gain unauthorized access (or exceed the level of authorized access) to a computer, information system, user account or profile, database, or security system.
• Illegal or Fraudulent Actions: use of the Registry’s or Registrarʹs services to violate the laws or regulations of any country, state, or other applicable jurisdiction, or in a manner that adversely affects the legal rights of any other person;

The Registry reserves the right, in its sole discretion, to take any administrative and operational actions necessary, including the use of computer forensics and information security technological services, among other things, in order to implement the Acceptable Use Policy. In addition, the Registry reserves the right to deny, cancel or transfer any registration or transaction, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, in its discretion; (1) to protect the integrity and stability of the Registry; (2) to comply with any applicable laws, government rules or requirements, requests of law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of Registry as well as its affiliates and their respective subsidiaries, officers, directors, and employees; (4) per the terms of the registration agreement or (5) to correct mistakes made by the Registry or any Registrar in connection with a domain name registration. Registry also reserves the right to place upon registry lock, hold or similar status a domain name during resolution of a dispute.

28.3 Measures for Removal of Orphan Glue Records

As the Security and Stability Advisory Committee of ICANN (SSAC) rightly acknowledges, although orphaned glue records may be used for abusive or malicious purposes, the “dominant use of orphaned glue supports the correct and ordinary operation of the DNS.” See http:⁄⁄www.icann.org⁄en⁄committees⁄security⁄sac048.pdf.

While orphan glue often support correct and ordinary operation of the DNS, Applicant understands that such glue records can be used maliciously to point to name servers that host domains used in illegal phishing, bot-nets, malware, and other abusive behaviors. Problems occur when the parent domain of the glue record is deleted but its children glue records still remain in DNS. Therefore, when Applicant has written evidence of actual abuse of orphaned glue, Applicant will take action to remove those records from the zone to mitigate such malicious conduct.

Neustar will run a daily audit of entries in its DNS systems and compares those with its provisioning system. This serves as an umbrella protection to make sure that items in the DNS zone are valid. Any DNS record that shows up in the DNS zone but not in the provisioning system will be flagged for investigation and removed if necessary. This daily DNS audit not only prevents orphaned hosts but also identifies other records that should not be in the zone.

In addition, if either Applicant or Neustar become aware of actual abuse on orphaned glue after receiving written notification by a third party through its Abuse Contact or through its customer support, such glue records will be removed from the zone.

28.4 Measures to Promote WHOIS Accuracy

As Applicant intends to operate a single registrant⁄single user registry, second level domain names within the .FOX TLD will be registered to, and maintained by Applicant. Therefore all domain names within the .FOX TLD will share the same WHOIS information, namely, that of Applicant. Therefore, there is a very low risk of inaccurate WHOIS data.

Nevertheless, Applicant acknowledges that ICANN has developed a number of mechanisms over the past decade intended to address the issue of inaccurate WHOIS information. In addition to those mechanisms and to ensure WHOIS accuracy, Applicant will offer a mechanism whereby third parties can submit complaints directly to Applicant (as opposed to ICANN or the sponsoring registrar) about inaccurate or incomplete WHOIS data. Such information shall be forwarded to the sponsoring registrar, who shall be required to address those complaints in a timely manner. Within a commercially reasonable period of time after forwarding the complaint to the sponsoring registrar, Applicant will examine the current WHOIS data for names that were alleged to be inaccurate to determine if the information was corrected, the domain name was deleted, or there was some other disposition. If the registrar has failed to take any action, Applicant reserves the right to suspend the applicable domain name(s) or take any other appropriate action necessary to effectuate accurate WHOIS information.

In addition, Applicant shall on its own initiative, no less than twice per year, perform a manual review of a random sampling of domain names within the .FOX TLD to test the accuracy of the WHOIS information, namely, that it reflects Applicant’s information as the single registrant⁄single user of the .FOX TLD. Although this manual review will not include verifying the actual information in the WHOIS record, Applicant will be examining the WHOIS data for evidence of inaccuracies. In the event that such evidence exists, it shall be forwarded to the sponsoring registrar, who shall be required to address those complaints. Within a commercially reasonable period of time after forwarding the complaint to the sponsoring registrar, Applicant will examine the current WHOIS data for names that were alleged to be inaccurate to determine if the information was corrected, the domain name was deleted, or there was some other disposition. If the registrar has failed to take any action, Applicant reserves the right to suspend the applicable domain name(s) or take any other appropriate action necessary to effectuate accurate WHOIS information.

28.4.1 Authentication of Registrant Information

As Applicant intends to operate a single registrant⁄single user registry, second-level domain names within the .FOX TLD will be registered to, and maintained by Applicant. Therefore all domain names within the .FOX TLD will share the same WHOIS information, namely, that of Applicant. In order to ensure WHOIS data accuracy, Applicant will verify and provide confirmation to the sponsoring registrar in writing that its own contact information is accurate for purposes of the registration and should be included in the WHOIS record.

28.5 Resourcing Plans

Responsibility for abuse mitigation rests with a variety of functional groups. Applicant’s parent and other Affiliates have extensive pre-existing in-house resources dedicated to identifying and mitigating online abuse of its sites, and will leverage these resources in the operation of the .FOX TLD. Applicant’s full-time employee will help coordinate between Neustar’s and Affiliates’ resources. In addition, Neustar’s customer service team plays an important role in assisting with the investigations, responded to customers, and notifying registrars of abusive domains.

The necessary resources will be pulled from the pool of available resources described in detail in the response to Question 31. The following resources are available from those teams:

• Neustar Customer Support – 12 employees
• Applicant Resource – 1 employee
• Applicant’s Affiliates’ Resources – 4 employees

These resources are more than adequate to support the abuse mitigation procedures of the .FOX TLD.

Similar gTLD applications: (0)