28 Abuse Prevention and Mitigation

Prototypical answer:

gTLD: .total
Full Legal Name: Total SA
E-mail suffix: total.com

Abusive registration and other activities that have a negative impact on Internet users

1. Overview
2. Definitions of what constitutes abuse in the TLD
3. Whois Abuse Prevention Policies
3.1 Whois Accuracy
3.1.1 Syntactic and semantic registration constraints
3.1.2 Verification tools
3.1.3 Whois Data Reminder Policy (WDRP)
3.2 Protection against potential abusive use of Whois service
3.2.1 Protection against Data Mining (Captcha, Rate-limiting)
3.2.2 Prevention of Unauthorized data modification
4. Prevention from other abusive conducts
4.1 DNSSEC (cache poisoning)
4.2 Domain name Sniping (grabbing)
4.3 Domain name tasting
5. Disposal of Orphan Glue Records
6. Complaints Point of Contact
7. Policies for handling complaints regarding abuse
7.1 Abuse case response
7.2 Rapid Takedown Policy for Cases of General Malicious Activity
7.3 Rapid Takedown Policy for Cases of Phishing
7.4 Trademark abuse
8. Resourcing Plans

1. Overview

Our objective in answering Question 28 is to provide a thorough explanation of our policies and procedures to minimize abusive registration and other activities that have a negative impact on Internet users.

Protection of Internet users is a core value of the project and is key to ensuring the user experience described in question 18 (b) iii. By implementing an anti-abuse policy, the registry will also contribute to and protect the integrity, security and stability of the DNS.

In its online presentation of Registration Abuse Policy (RAP - available at http://www.icann.org/en/resources/policy/background/rap), ICANN offers the following definition:

“In general, the term covers a broad variety of illegal or illegitimate behaviors considered contrary to the intent and design of normal domain registration processes. Registration abuse often involves malicious actors trying to register in ways that avoid lawful authorities or conceal a registrant's identity. Registration abuse can also enable other kinds of abuses, such as phishing and spam.”

The .TOTAL registry is committed to creating and implementing policies and procedures that prevent abusive registrations and other activities that have a negative impact on Internet users. In line with the industry best practices presented in the Registration Abuse Policies Issues Report (ICANN 2008), the .TOTAL registry will offer a wide range of effective safeguards to prevent abusive uses of domain names, in particular phishing, spamming, and other unlawful or fraudulent actions. The Registry Operator will regularly update these policies and procedures in order to maximize its readiness to deal with new threats at all levels and new forms of abuse.

For that purpose, the .TOTAL registry will implement policies in order to prevent, mitigate and resolve abusive behavior in the .TOTAL TLD.

Prevention starts at the time of registration.

The first measure that will be implemented by Total SA, considering the fact that the .TOTAL extension will be a single-registrant TLD, is to restrict the creation of contacts and the registration of domain names that are not verified by Total SA. In the opinion of Total SA, this will already prevent any abusive behavior in connection with domain names that have been registered in the .TOTAL TLD, since all governance and oversight over the operation of the .TOTAL gTLD will be centralized with Total SA.

Secondly, Total SA will implement processes in order to guarantee the accuracy of the information contained in the Whois (2). The following answer describes in detail the mechanisms in place to maximize Whois accuracy. Other mechanisms (3) will be implemented and described here, including management of orphan glue records (4).

In addition to strong preventive measures against various forms of abuse, .TOTAL will implement mitigation policies to address cases of abuse that may occur. This answer will describe these mitigation measures in detail: Complaints point of contact (5), complaint handling policy and takedown procedures (6).

Resources allocated to handle prevention and mitigation (7) will be described at the end of this answer.

2. Definitions of what constitutes abuse in the Total TLD (based on the “Domain Name Anti-Abuse Policy” of PIR http://www.pir.org/why/anti_abuse_policy)

*Spam*: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums. An example, for purposes of illustration, would be the use of email in denial-of-service attacks;

*Phishing*: The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;

*Pharming*: The redirecting of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning;

*Willful distribution of malware*: The dissemination of software designed to infiltrate or damage a computer system without the owner's informed consent. Examples include, without limitation, computer viruses, worms, keyloggers, and trojan horses.

*Fast flux hosting*: Use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves. Fast flux hosting may be used only with prior permission of PIR;

*Botnet command and control*: Services run on a domain name that are used to control a collection of compromised computers or "zombies," or to direct denial-of-service attacks (DDoS attacks);

*Distribution of child pornography*;

*Illegal Access to Other Computers or Networks*: Illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individual's system (often known as "hacking"). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity).

*Unlawful content* or any content that contravenes public order according to French law and in particular to the Law on the Freedom of the Press of 29 July 1881 (crimes against humanity apology/promotion or contestation, incitement to discrimination, hatred or violence).

3. Whois Abuse Prevention Policies

3.1 Whois Accuracy

RFC 3912 specifies the Whois protocol and explains it as follows:

Whois is a TCP-based transaction-oriented query/response protocol that is widely used to provide information services to Internet users. While originally used to provide "white pages" services and information about registered domain names, current deployments cover a much broader range of information services. The protocol delivers its content in a human-readable format.

Information about registered domain names is very sensitive. A Registry Operator shall ensure the accuracy of the registrant contact information, including administrative, technical and billing contact details. In case of malicious or abusive activity, the Whois contact is usually the first and most important source of information. Whois accuracy is therefore a major step in countering malicious conduct. This information may be required by law-enforcement authorities to identify individuals and organizations responsible for domain names.

The .TOTAL registry will make a firm commitment to obtaining true and accurate registration details from each registrant in order to maintain a consistent Whois accuracy throughout the registry.

3.1.1 Syntactic and semantic registration constraints:

The .TOTAL registry is firmly committed to running a “thick-registry” with high quality of data. The first step to accuracy is achieved through syntactic and semantic checks which are carried out at the time of registration of the domain name.

Standard EPP checks: a first set of tests is implemented in compliance with standards:
- RFC 5733, the Extensible Provisioning Protocol (EPP) Contact Mapping, requires contact data to contain a name, a city, a country code and an e-mail address in order to allow or perform a syntactically complete EPP request

Additional checks: the following syntactic checks are implemented:
- a test to ensure that the domain name has the proper number of labels (which is two for a traditional registry that allows only second level domains to be registered),
- a test to ensure that no hyphens occur in positions 3 and 4 of any of the domain's U-labels (to protect "xn--" and future ACE prefixes),
- a test to disallow hyphens at the beginning or end of the name,
- a test to find ASCII characters which are neither a letter, nor a digit or a hyphen,
- a test to find invalid IDN characters, i.e. characters not contained in any of the supported IDN character tables
- a test to validate IP address format using the following scheme:
  <ipv4-addr> [1-255](\.[0-255]){3,3}
  <ipv6-addr> [a-fA-F0-9:]+(:<ipv4-addr>)?
- a test to validate telephone and mail format using the following scheme (with specific tests for French numbers):
  <num tel> \+[1-9][0-9]{0,3}<sp>[1-9]([<sp>\.-]?[0-9])+
  <num tel fr> \+33<sp>[1-9]([<sp>\.-]?[0-9]){8}
  <e-mail> (([^\s\(\)\[\]\.\\><,;:"@]+(\.[^\s\(\)\[\]\.\\><,;:"@]+)*)|("[^"@\\\r\n]+"))@<label>(\.<label>)*
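
The syntactic checks listed above, sketched in Python as an added example (this is not the registry's or AFNIC's code). It assumes that `[1-255]` and `[0-255]` in the IP scheme are numeric ranges rather than regex character classes, that `<sp>` is a single space, and that leading zeros in IPv4 octets are refused; the IDN table check is left out because the tables are not given here, and all function and rule names are hypothetical.

```python
import ipaddress
import re

EXPECTED_LABELS = 2  # only second-level names are registered
LDH_RE = re.compile(r"[a-z0-9-]+")
# <num tel> / <num tel fr> from the page; <sp> is assumed to be a single space.
TEL_RE = re.compile(r"\+[1-9][0-9]{0,3} [1-9]([ .-]?[0-9])+")
TEL_FR_RE = re.compile(r"\+33 [1-9]([ .-]?[0-9]){8}")
IPV6_HEAD_RE = re.compile(r"[a-fA-F0-9:]+")  # <ipv6-addr> without the IPv4 tail


def check_domain_syntax(name):
    """Return the sorted names of the syntactic rules an ASCII name violates."""
    errors = set()
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != EXPECTED_LABELS:
        errors.add("label-count")
    for label in labels:
        if not label:
            errors.add("empty-label")
            continue
        if label[2:4] == "--":
            # Protects "xn--" and future ACE prefixes. A registry that accepts
            # IDNs would decode the label and check its IDN table instead; the
            # tables are not on the page, so that path is not modelled here.
            errors.add("hyphen-3-4")
        if label[0] == "-" or label[-1] == "-":
            errors.add("edge-hyphen")
        if not label.isascii():
            errors.add("idn-not-modelled")
        elif not LDH_RE.fullmatch(label):
            errors.add("non-ldh-char")
    return sorted(errors)


def check_ipv4(addr):
    """<ipv4-addr>: first octet 1-255, the other three 0-255, as numbers."""
    parts = addr.split(".")
    if len(parts) != 4:
        return False
    for index, part in enumerate(parts):
        # Assumption: leading zeros are refused, since some parsers read them as octal.
        if not (part.isascii() and part.isdigit()) or (len(part) > 1 and part[0] == "0"):
            return False
        lowest = 1 if index == 0 else 0
        if not lowest <= int(part) <= 255:
            return False
    return True


def check_ipv6(addr):
    """Return (passes the page's character scheme, parses as a real IPv6 address)."""
    head, sep, tail = addr.rpartition(":")
    if "." in tail:  # optional ":<ipv4-addr>" suffix
        scheme_ok = bool(sep) and bool(IPV6_HEAD_RE.fullmatch(head)) and check_ipv4(tail)
    else:
        scheme_ok = bool(IPV6_HEAD_RE.fullmatch(addr))
    try:
        ipaddress.IPv6Address(addr)
        return scheme_ok, True
    except ValueError:
        return scheme_ok, False


def check_phone(number):
    """Apply the French scheme to +33 numbers and the general scheme otherwise."""
    pattern = TEL_FR_RE if number.startswith("+33 ") else TEL_RE
    return bool(pattern.fullmatch(number))


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ["intranet.total", "ab--cd.total", "-shop-.total", "www.shop.total"]:
        print(name, check_domain_syntax(name))
    print(check_ipv4("192.0.2.10"), check_ipv6(":::"), check_phone("+33 1 23 45 67 89"))
```

The `(True, False)` result for `:::` shows that the IPv6 scheme is only a character filter: a string can pass it and still not be an address, so a full parse is needed before glue is published.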

Additional checks: the following semantic checks are implemented:
- a test to disallow reserved names if authorisation code is not present
- a test to disallow registry reserved names if authorisation code is not present
- a test to disallow ICANN reserved names
- a test to disallow otherwise reserved or unsuitable names, and
- a test to ensure that at least one address element is given

3.1.2 Verification tools

This verification procedure is designed to guarantee the reliability and the accuracy of the Whois database.

The .TOTAL registry will conduct Whois accuracy verification for compliance with criteria concerning the reliability of registrant identification: the registry will verify whether the information provided by the registrant when registering the domain name contains inaccurate or false information about the registrant's identity.

Those verifications will be carried out on a random basis or following a third-party request filed with the Complaints Point of Contact.

The registry may be led to ask registrars (or registrants) for additional information or documents, including the production of documentary evidence of compliance with the reliability of the data provided by the registrant if the registry is in possession of documentary evidence to the contrary (mail returned marked “Not Known at This Address”, bailiff’s report, unidentifiable address, etc.).

A domain name may be blocked under the following circumstances: when a check of the identification data provided by the registrant shows that it is inaccurate or that the registrant appears not to be eligible to register domain names in the .TOTAL TLD in accordance with the policies that have been set by Total SA.

If the investigation that is carried out by the Complaints Point of Contact shows that the registrant is not compliant with such registration policies, the Registry Operator (by way of the Complaints Point of Contact) shall be entitled to outright delete such domain name and, as the case may be, put such domain name on a blocked list. However, the deletion of a domain name can only occur after the registrant has been formally asked to rectify the situation and to modify its registration data to comply with eligibility criteria.

During the redemption period, the domain name can be reactivated with the same configuration. Once deleted, the domain name will become available again, unless permanently blocked by the Registry Operator.

3.1.3 Whois Data Reminder Policy (WDRP)

In 2003, ICANN adopted the "Whois Data Reminder Policy" (WDRP, http://www.icann.org/en/registrars/wdrp.htm) which obliges ICANN-accredited registrars to send yearly Whois data reminder notices to registrants. These notices contain the Whois data currently on file for the respective domain, as well as instructions for the registrant about ways to correct the data if required. While the .total Registry does not intend to replicate this reminder procedure on the registry level, the .total registry will require that ICANN-accredited registrars comply with the WDRP.

3.2 Protection against unfair use of Whois service

As stated above, the Whois Service gives access to sensitive data, including contact details of registrants. The .TOTAL registry is committed to ensuring the protection of these data against abusive behaviors. Firstly, the .TOTAL registry will implement technical measures to prevent data mining on the Whois, such as automated collection of registrants’ email addresses, which may in turn be used by third parties for the purposes of spamming. Secondly, the .TOTAL registry and its registry backend service provider, AFNIC, will deploy all necessary means to secure access to its database, specifically by implementing procedures in order to prevent Unauthorized Data Modifications. These procedures will reinforce the security of both EPP and Web-based access to Whois data.

3.2.1 Protection against Data Mining

The .TOTAL registry database user commits to using the published data according to the laws and regulations in effect. Besides, the user shall respect the provisions of the French Data Protection Acts. Violation of this act carries criminal penalties.

As the user is accessing personal data, he must refrain from any collection, misuse or any act that could lead to invasion of privacy or damaging the reputation of individuals.

The Registry can at any time filter access to its services where malicious use is suspected.
- Captcha: users shall pass a Captcha before access is granted to the web-based RDDS.
- Rate-limiting: the registry has chosen to limit the number of requests in order to prevent abuse in the use of personal data and to guarantee the quality of the service. Through a transparent parameter adjustment policy, the registry guarantees quality of service to occasional users and professionals. The rates and thresholds of this system are described in the registry use case of question Q26.
- White list: the white list mechanism offers registrars specific access to the port 43 Whois, on condition that the incoming traffic comes from two pre-defined IP addresses. This white list access offers higher rate-limiting thresholds for these users.

3.2.2 Prevention of Unauthorized data modification

Data modification is managed through strict authentication and access policies:
- SSL/TLS protocol is used on all interfaces with clients (both EPP and web based SRS).
- a password policy is applied both on the password itself (minimum length, mandatory digits and non-alphanumerical characters), and on the validity term of the password
- use of an SSL client certificate pre-installed by the registry for EPP access.
- IP authentication is limited to two addresses.

The .TOTAL registry backend service provider, AFNIC, will share its experience in the .fr with a view to ensuring effective, timely and sufficient Domain Data Access Control.

4. Prevention from other abusive conducts

4.1 DNSSEC (cache poisoning):

One of the main authentication issues encountered in the DNS is cache poisoning. This directly affects DNS data integrity without the attacker having to corrupt or modify data in the registry database.

The answer to this issue is the implementation and deployment of DNSSEC. The Registry Operator already successfully manages DNSSEC-enabled zones: on September 29th, 2010, the .TOTAL registry back-end service provider, AFNIC, finished adding the key material (DS records) of its 6 ccTLDs into the IANA root zone, ending with .FR after extensive tests with its other TLDs. Since then, related DNSSEC operations and monitoring have been spread inside the organization, alongside all other standard day-to-day operations, so that DNSSEC is a core service enabled by default.

4.2 Domain name Sniping (grabbing):

Domain name sniping refers to the practice of trying to re-register potentially interesting domain names immediately after they are deleted.

The .TOTAL Registry Operator supports the Redemption Grace Period as proposed by ICANN and implements it in full compliance with RFC 3915 ("Domain Registry Grace Period Mapping for the Extensible Provisioning Protocol (EPP)"). This greatly reduces the possibility of a domain name being “forgotten” by its registrant.

4.3 Domain name tasting:
Domain name tasting is a practice that uses the 5-day Add Grace Period (AGP), during which a newly created domain name may be deleted with a refund of the domain fee, to check whether the domain name is of interest or not. The AGP will also be implemented for the .TOTAL gTLD; however, considering that the .TOTAL gTLD is intended to be a single-registrant TLD, the chances that this process will effectively be used are rather limited, although the AGP is common practice and corresponds to the policies of almost all existing generic top-level domains.

In 2008, ICANN introduced the "AGP Limits Policy" (http://www.icann.org/en/tlds/agp-policy-17dec08-en.htm) which addresses the issues resulting from the Add Grace Period. The .total registry will fully implement this policy by restricting Add Grace Period refunds to registrars according to the limits specified by the policy.

The number of operations concerned is included in ICANN reports; the related report columns are:
- number of AGP deletes ("domains-deleted-grace")
- number of exemption requests ("agp-exemption-requests")
- number of exemptions granted ("agp-exemptions-granted")
- number of names affected by granted exemption requests ("agp-exempted-domains")

5. Disposal of Orphan Glue Records

According to the definition found in the "SSAC Comment on the Orphan Glue Records in the Draft Applicant Guidebook", a glue record becomes an "orphan" when the delegation point NS record (the "parent NS record") that references it is removed while the glue record itself is retained in the zone. Consequently, the glue record becomes "orphaned" since it no longer has a parent NS record. In such a situation, registrars and registrants usually lose administrative control over the record, and the record's attribution to a certain registrar may become unclear, which makes it a potential vector for abuse.

The glue record policy in effect for the .TOTAL TLD avoids this situation entirely by disallowing orphan glue records altogether. This corresponds to policy #3 mentioned in section 4.3 (page 6) of the SSAC document mentioned above. The technical implementation within the .TOTAL registry and its associated zone generation process ensure this by implementing the following measures :

- Any host object which is a glue record can be created only if the domain name exists and is sponsored by the registrar creating the host;
- A domain name that has subordinate hosts can only be deleted when these hosts have been deleted. If these hosts are used in delegations for other domain names registered in .TOTAL, these delegations have to be removed so that the host objects can be deleted before the domain name itself is deleted. If the sponsoring registrar of the domain name is unable to have these delegations removed (explicit refusal or inactivity from the registrar of the domain names using the subordinate host), a specific request can be submitted to the Registry Operator. The Registry Operator will then contact the registrar of the domain name(s) delegated to the host object(s) and ask them to remove these delegations. By default, registrars have 10 days to remove these delegations. If, upon expiry of this term, the delegations have not been removed, the Registry Operator will directly deactivate the DNS configuration of the domain name(s) concerned. At the end of the procedure, the Registry Operator will contact the sponsoring registrar and confirm that the host object(s) and the domain name can be deleted.
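
The two glue-record rules above and the escalation step, modelled in Python as an added example (this is not the registry's implementation). The `Registry` class, its method names and the sample names are hypothetical; it handles in-zone hosts only and treats a host object whose parent domain no longer exists as orphan glue.

```python
class PolicyError(Exception):
    """Raised when an operation would violate the glue-record policy."""


class Registry:
    def __init__(self):
        self.domains = {}  # domain name -> {"sponsor": registrar, "ns": set of hosts}
        self.hosts = {}    # host name -> {"sponsor": registrar, "addrs": list of IPs}

    @staticmethod
    def parent_of(host):
        """Registered (second-level) domain that a host name is subordinate to."""
        return ".".join(host.split(".")[-2:])

    def create_domain(self, name, sponsor):
        self.domains[name] = {"sponsor": sponsor, "ns": set()}

    def create_host(self, host, sponsor, addrs):
        # Rule 1: glue needs an existing parent domain sponsored by the same registrar.
        parent = self.domains.get(self.parent_of(host))
        if parent is None:
            raise PolicyError("parent domain does not exist")
        if parent["sponsor"] != sponsor:
            raise PolicyError("parent domain is sponsored by another registrar")
        self.hosts[host] = {"sponsor": sponsor, "addrs": list(addrs)}

    def delegate(self, domain, host):
        if host not in self.hosts:
            raise PolicyError("unknown host object")
        self.domains[domain]["ns"].add(host)

    def delegations_using(self, host):
        return sorted(d for d, rec in self.domains.items() if host in rec["ns"])

    def delete_host(self, host):
        users = self.delegations_using(host)
        if users:
            raise PolicyError("host still used in delegations: " + ", ".join(users))
        del self.hosts[host]

    def delete_domain(self, name):
        # Rule 2: a domain with subordinate hosts cannot be deleted.
        subs = sorted(h for h in self.hosts if self.parent_of(h) == name)
        if subs:
            raise PolicyError("subordinate hosts exist: " + ", ".join(subs))
        del self.domains[name]

    def operator_deactivate(self, host):
        """Escalation after the 10-day term: drop every delegation to the host."""
        affected = self.delegations_using(host)
        for domain in affected:
            self.domains[domain]["ns"].discard(host)
        return affected

    def orphan_glue(self):
        """Audit: host objects whose parent domain is gone (empty if the rules hold)."""
        return sorted(h for h in self.hosts if self.parent_of(h) not in self.domains)


def refused(operation, *args):
    """True if the registry rejects the operation with a PolicyError."""
    try:
        operation(*args)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: registrar-b delegates news.total to registrar-a's host.
    reg = Registry()
    reg.create_domain("shop.total", "registrar-a")
    reg.create_domain("news.total", "registrar-b")
    reg.create_host("ns1.shop.total", "registrar-a", ["192.0.2.1"])
    reg.delegate("news.total", "ns1.shop.total")
    print("delete domain refused:", refused(reg.delete_domain, "shop.total"))
    print("delete host refused:", refused(reg.delete_host, "ns1.shop.total"))
    print("operator deactivated:", reg.operator_deactivate("ns1.shop.total"))
    reg.delete_host("ns1.shop.total")
    reg.delete_domain("shop.total")
    print("orphan glue after cleanup:", reg.orphan_glue())
```

Running `orphan_glue()` against the data that feeds zone generation is a cheap audit for state that predates the rules or was changed outside the provisioning interface.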

6. Complaints Point of Contact

To avoid abusive registration practices, the .TOTAL registry will provide Internet users access to a Complaints Point of Contact on its website, where all kinds of abuse of the TLD or domain names registered therein can be reported.

This Complaints Point of Contact includes a contact web interface offering the possibility to internet users to report any abuse concerning a name registered in the .TOTAL registry.

Such contact web interface will be displayed on the registry’s website (phishing, spamming, trademark abuse etc.)

This Complaints Point of Contact will enable a quicker and better management of complaints and resolution of any issues arising. Complaints will be addressed by filling out a form that will be made available on the .TOTAL registry web site.

A dedicated team will be in charge of handling these complaints in due time. All requests should be acknowledged and processed within one business day. According to the nature of the reported abuse (phishing, spamming, trademark abuse, etc.), an appropriate response and, where possible, even a resolution of the issue will be given by the .TOTAL registry.

Moreover, Internet users will be given access to all necessary information regarding remedies to abusive online conduct on the registry Complaints Point of Contact webpage. The Complaints Point of Contact webpage will also contain links to all the relevant organizations addressing these issues.

7. Policies for handling complaints regarding abuse

7.1 Abuse case response

The Registry Operator will process each complaint within one business day, will take all the necessary steps to offer a satisfying answer to the complainants, and where possible, already provide for a (temporary) solution.

Should immediate action need to be taken by competent authorities, the .TOTAL registry is committed to alerting such authorities without delay. This may concern the following cases (but is not limited to them):

- Court orders
- Inquiries from law enforcement bodies (e.g., OCLCTIC, the Office central de lutte contre la criminalité liée aux technologies de l'information et de la communication, the French Police unit specialized in cybercrime)
- Anti-phishing groups (e.g., CERTs)

7.2 Rapid Takedown Policy for Cases of General Malicious Activity

In addition to the tasks to be assumed by the Complaints Point of Contact for the .TOTAL registry under the Registry Operator Agreement and the relevant Specifications thereof, Total SA will also allow any third party to contact its Complaints Point of Contact

7.3 Rapid Takedown Policy for Cases of Phishing

In addition to the various tools and processes that have been established in practice, including the use of information contained in mailing lists where malicious activity and in particular phishing have been reported, the Complaints Point of Contact will closely monitor the .TOTAL TLD for abusive behavior, and intervene where necessary.

Furthermore, the Registry Operator will continuously monitor security and anti-phishing feeds, and intervene in the unlikely event that a .TOTAL domain name is used in connection with such abusive behavior, and block or even promptly delete the domain name.

7.4 Trademark abuse

Detailed and complete information will be provided to trademark owners with respect to the safeguards that Total SA will be implementing for the .TOTAL.

Considering the fact that .TOTAL is intended to be a single registrant-TLD, no opportunities will be provided to third parties to register domain names in the .TOTAL TLD. Depending on the way how the Trademark Clearinghouse will function, Total SA may provide for the opportunity for brand owners included in the Trademark Clearinghouse to block the domain names for which they hold validated rights from registration.

In addition to the implementation of the Uniform Dispute Resolution Policy, as a Consensus Policy, and the Uniform Rapid Suspension policy set out in the Applicant Guidebook, Total SA will also allow third parties to file complaints on the basis of trademark rights directly with the Registry Operator’s Complaints Point of Contact, as indicated above.

8. Resourcing Plans

The Complaints Point of Contact will be a sub-department within Total SA that will review complaints made in connection with the above. This department already deals with complaints on existing TLDs and will therefore be available to manage issues, which, given the policies in place, should be very limited. Random verification will also occur.

The .total back-end registry services provider, AFNIC, provides the following resources:

- Initial Implementation : Thanks to the experience and prior investment by its Registry Back-end Service Provider (AFNIC), the .total Registry already supports the above mentioned technical abuse prevention and mitigation measures. No additional engineering is required for these, nor are additional development resources needed.

- Ongoing maintenance: In support of the Registry Operator’s staff allocated to this function, AFNIC will have specially trained support staff available to assist in the implementation of potential verifications and takedown procedure for the prevention and resolution of potential abuse. Given the scale of the .total as well as the restrictive nature of its registration policy, we estimate that this would require no more than 5 man days per year of AFNIC anti-abuse support staff.
