28 Abuse Prevention and Mitigation

gTLD: .home
Full Legal Name: Uniregistry, Corp.
E-mail suffix: uniregistry.com

TABLE OF CONTENTS

28.1 ABUSE PREVENTION AND MITIGATION
28.1.1 Overview
28.1.2 Abusive Conduct
28.1.3 Directory of Abuse Response Tools
28.1.4 Single Point of Contact
28.1.5 Abuse Identification, Queuing, and Response
28.1.6 Pro-active Abuse Detection And Mitigation
28.1.7 Whois Accuracy
28.1.8 Terrorism and International Criminal Organizations
28.1.9 Criminal Investigations / Law Enforcement Contacts
28.1.10 Cooperative Efforts
28.1.11 Orphan Glue Records and Consistency Checking
28.1.12 Registrar incentives / disincentives
28.1.13 Registrant Security
28.1.14 APPENDIX A: UNIREGISTRY .HOME ABUSE POLICY
28.2 RESOURCING
28.2.1 Human Resources
28.3 ABOUT THIS RESPONSE

- - - - -

28.1. ABUSE PREVENTION AND MITIGATION

28.1.1. Overview

UniRegistry understands that the privilege of operating Internet infrastructure brings with it the responsibility of ensuring that the infrastructure operates in a secure, stable and predictable manner. Additionally, the ultimate commercial success of the registry is determined in large part by its reputation among users of the internet. To the extent that any TLD is known as a haven for abusive activities, such a reputation may be imputed in the minds of users to all registrants in the TLD. To protect against such harms, UniRegistry has implemented a comprehensive policy to prevent, mitigate and correct abusive uses of the DNS, registrations, and Whois as they are detected.

At the same time, UniRegistry believes that domain name registrants should be secure in their ownership of domain names. Our abuse policies will be developed and implemented in an open and transparent manner designed to allow users a clear and accurate understanding of the state of their domain names at all times.

For transparency, orders from courts directed to the registry for purposes of altering the registration state or ownership of a domain name will be posted on a publicly accessible website operated by UniRegistry.

What constitutes ʺabuseʺ can be subjective and can also depend on the jurisdiction in which the ʺabuseʺ has an impact. Additionally, those intent on disruptive or criminal behavior on the internet are endlessly creative, so a static definition of ʺabuseʺ can become obsolete or inapplicable to new forms of undesired behavior. What can be done at a registry level is to (a) detect and investigate behaviors frequently associated with common known forms of abusive behavior, and (b) to respond promptly and intelligently to reported instances of abusive behaviors with appropriate action, bearing in mind that a domain name registrant may itself be an incidental victim of hacking, identity theft, and other abusive activities designed to conceal the identity of a third party bad actor.

The primary commercial relationship defined by a domain registration is between the registrant and the registrar. Many incidents of abuse arise from compromise of the registrantʹs account with its registrar or hosting provider (which is often the registrar). For example, many phishing sites are deployed in subdirectories of web hosting accounts of sites which are otherwise operating normally. Because these incidents arise at a level which is not best addressed by disabling a domain name in its entirety, .HOME accredited-registrars are a key component of our abuse policy and response. The registrars have a direct relationship with the customer, and are most favorably positioned to address and resolve instances of account hacking with their customers.

UniRegistry will provide front-line response to urgent abuses that threaten the security or stability of the DNS. UniRegistry will also track registrar response to abuse reports in order to take action in the event the registrant, registrar or hosting provider does not respond to or mitigate issues in a reasonable amount of time. What is ʺreasonableʺ in this context depends on the nature of the abuse at issue.

We believe in the value of accurate contact information for all .HOME domain name registrants. To ensure compliance both with ICANN policy and UniRegistry whois accuracy policies, UniRegistry has adopted a three-pronged approach to data accuracy, described below, which will (i) provide registrants an incentive to provide accurate information; (ii) create consequences for non-compliance for registrants and registrars, including loss of a domain name or loss of accreditation; and (iii) evaluate and, if necessary, correct registration data on a continuous, rolling basis.

28.1.2. Abusive Conduct

UniRegistry policies, flowing to registrars and registrants through their relevant agreements, will prohibit abusive uses of .HOME domain names. As defined by UniRegistry, ʺAbusive Useʺ shall include the following actions:

(a) Spam: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums;

(b) Phishing: The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;

(c) Pharming: The redirecting of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning;

(d) Willful distribution of malware: The dissemination of software designed to infiltrate or damage a computer system without the ownerʹs informed consent. Examples include, without limitation, computer viruses, worms, keyloggers, and Trojan horses;

(e) Fast flux hosting: Use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves;

(f) Botnet command and control: Services run on a domain name that are used to control a collection of compromised computers or ʺzombies,ʺ or to direct denial-of-service attacks (DDoS attacks);

(g) Child endangerment, including the distribution of child pornography; and

(h) Illegal Access to Other Computers or Networks: Illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individualʹs system (often known as ʺhackingʺ). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity).

What constitutes ʺabuseʺ is an evolving definition, as bad actors develop more sophisticated or novel forms of undesired behavior. Uniregistry shall maintain engagement with the relevant policy bodies in addition to ICANN, such as the Internet Governance Forum, the Internet Engineering Task Force, and other organizations which provide government and non-governmental policy reports identifying new forms of abusive behavior, and Uniregistry will continue to update its abuse response policies and procedures based on evolving best practices. By the same token, registrants need to have a degree of security that their domain names will not be disabled in response to spurious or incorrect abuse reports.

28.1.3. Directory of Abuse Response Tools

The first issue confronting entities engaged in abuse response, or victims of abusive behavior, is often "to whom do I report this?" As discussed below, Uniregistry will maintain a single point of contact for receiving abuse reports and routing them to the appropriate responder. In addition, Uniregistry will maintain, in connection with the single point of contact, a directory of third party entities, such as the Internet Crime Complaint Center (IC3) maintained by the US Federal Bureau of Investigation, the UK Serious Organised Crime Agency, and other law enforcement bodies which are engaged in international cooperative efforts to address internet crime. Additionally, the directory will include resources to consumer agencies and other organizations which provide tools, education, monitoring and assistance in combating abusive internet activities.

This information will be published on the registry website. We will receive reports from registrars, resellers, registrants, and third parties.

28.1.4. Single Point of Contact

To make contacting UniRegistry easy and intuitive, we are reserving "ABUSE.HOME" as a name for exclusive use for the registry for purposes of abuse reporting. The main website for the registry, and other intuitive names, such as "UNIREGISTRY.HOME" and "NIC.HOME" will include links to the abuse reporting system. The website at http://ABUSE.HOME/ will host UniRegistry's abuse policy (attached as Appendix A to this answer), provide a web form for reporting DNS abuses, and provide postal, fax, email and telephonic abuse reporting contacts. In addition, a website at NIC.HOME will be used as a directory for all registry services, including links to UniRegistry's abuse policy for .HOME and the registry's abuse reporting and tracking facilities. We will further maintain a designated e-mail contact address, such as abuse@abuse.HOME to be provided specifically to law enforcement agencies, Computer Emergency Response Teams (CERTs), the anticrime and anti-phishing community (interveners), businesses that provide online reputation protection services, network operators, and Internet users to report issues of abuse.

A front-end help desk will receive reports by telephone, email, FAX, and other unstructured means of communication, as an intake mechanism for abuse reports to be provided to the Registry Operations Center (ROC). The help desk will be staffed 24x7. The help desk staff will follow a structured procedure for taking abuse reports and entering data into the web form for reporting abuse. The help desk staff will not have discretionary authority to affect operation of a domain name.

Structured input, for example reports made via our abuse reporting website at ABUSE.HOME, will bypass the help desk and be sent directly to the ROC. The abuse reporting form will include input fields to identify the domain name at issue, a menu for identifying whether the type of abuse being reported falls into a designated category defined by the Uniregistry abuse policy, contact information for the person or entity making the report in the event further information is needed, and text entry for further relevant information. Upon completion of the abuse reporting form, the reporting system will confirm whether the domain name at issue corresponds to a non-reserved domain name registered to an end user, and an email message requiring confirmation will be sent to the reporter, to discourage reports which are themselves abusive.

The ROC is a dispatch point. All incoming reports are entered into a tracking system. Each report will be given a unique identifier for tracking and compliance purposes. The ROC will do an initial evaluation of each incoming report to ascertain whether that report indicates abuse of some kind, what type of abuse is alleged, whether the report is indicative of a technical failure or is a misdirected inquiry non-indicative of abuse. The tracking system will generate reports to registry management to assure that all reports are handled in a timely and responsive manner.

Incoming reports that suggest potential abuse of UniRegistryʹs services will be sent to (i) UniRegistryʹs compliance department; (ii) UniRegistryʹs back-end service provider ISC; and (iii) the registrar of record for any reported .HOME domain name included in the abuse report.

28.1.5. Abuse Identification, Queuing, and Response

As abuse reports are received, UniRegistry will use a combination of automated processes and human review to place them into three categories for response. UniRegistry also will accept and give compliance priority to abuse reports sent in machine-readable Abuse Reporting Format (ARF). The ABUSE.HOME website will contain information for internet service providers, email service providers, hosting companies and other Internet infrastructure providers about how to participate in UniRegistryʹs complaint feedback loop.

Category 1 reports will receive the highest priority. These are reports of abuse in which use of a .HOME domain name is either (a) causing immediate and substantial injury to Internet infrastructure, systems, or services that, if not terminated immediately, will cause unavailability or material degradation of such infrastructure, systems or services, or (b) obvious instances of criminal activity which, if not ceased immediately, is likely to cause substantial injury to Internet users. As soon as an abuse report is categorized as a Category 1 abuse, a ʺserverHoldʺ status will be set, effectively unpublishing the name from the Internet (though whois contact details will remain published and unchanged). Immediately after the deletion of the nameserver records from the zone file, notices of the domain name takedown will be sent to both the affected domain name registrant and the domain nameʹs registrar of record. The notice will provide a record of the report received, the reasons for the action taken, and a point of contact for the registrant or registrar to address the takedown and seek republication of the domain nameʹs DNS records.

Category 2 reports will be sent to registrars and registrants for investigation and response. Category 2 reports are those deemed serious and potentially threatening to Internet infrastructure, systems, or services, but where either (i) UniRegistry cannot verify the report or (ii) the potential abuse is not immediate and ongoing. For these reports, UniRegistry anticipates that the registrar will provide first line response, given its relationship to the registrant. UniRegistry will expect a response within seven (7) days. If no response is received, UniRegistry will make its own decision about how to handle the issue.

Category 3 reports will be sent to registrars and registrants for investigation and response. Category 3 abuse reports consist of all abuse reports that do not otherwise fall into Category 1 or 2.

28.1.6. Pro-active Abuse Detection And Mitigation

It is, of course, essential to react appropriately to abuse reports. Often, such reports are "too little, too late" as the intended harm has already taken place. As the zone operator for .HOME, Uniregistry is positioned to detect patterns of zone access and internet traffic indicating an activity profile consistent with known forms of abuse. We believe that detection of activity consistent with abusive behavior is preferable to an after-the-fact response once the damage has been done. UniRegistry will make use of ISC's Security Information Exchange (SIE) network to track, in real time, domain names associated with abusive behavior. Recently implemented, the SIE has proven itself an effective mitigation technique for protecting against misuse of network infrastructure and Internet-based resources. The SIE network consists of more than one hundred (100+) passive DNS sensors located in several Internet Service Providers (ISPs), collecting actual real time queries made to authoritative name servers from millions of Internet users.

SIE is an industry and law enforcement clearinghouse of various kinds of security-related information that can be accessed by vetted, credentialed participants in real time subject to common access rules and following strict privacy guidelines. Among the variety of information available through SIE, there are "channels" that provide a real-time view of DNS data associated with malicious use. Tapping this information allows UniRegistry a better chance to proactively detect uses of domain names under its responsibility that constitute abuse.

Domain names associated with suspicious activity profiles will be manually reviewed by the abuse response team as such activity is detected. Where it appears that some form of abuse (as defined in this response) is occurring, the detected abuse will be addressed at the registry level in those instances where disabling the domain name is indicated, or the abuse will be referred to the registrar so that the registrar can take corrective action with the registrant within a reasonable time. Detected suspicious activity profiles in which no clearly apparent abusive behavior is taking place will also be referred to the registrar for further investigation with the registrant.

28.1.7. Whois Accuracy

Accurate information in the whois database protects both domain name registrants and the users who rely on those registrantsʹ Internet-based services. UniRegistry has taken a multi-factored approach to the promotion of whois accuracy. We create incentives to registrants to provide accurate information in the first instance and to keep that information current. We have sanctions, ranging from temporary suspension up to de-accreditation, for registrars that fail to seriously heed their contractual responsibilities to obtain and maintain accurate whois data and to regularly inform registrants of their corresponding responsibility to provide and maintain accurate WHOIS data.

Uniregistry will require registrars to implement and confirm implementation of the WHOIS Data Reminder Policy (WDRP - http://www.icann.org/en/registrars/wdrp.htm), under which the registrar will present current WHOIS information to each registrant at least annually and remind the registrant that inaccurate or false WHOIS data can result in the domain name registration being canceled.

Uniregistry will require registrars to receive and act on reports generated by the WHOIS Data Problem Report System (WDPRS - http://www.icann.org/en/whois/wdprs-report-final-31mar04.htm). The WDPRS system, as currently implemented, involves communications between ICANN and the registrar. In the event Uniregistry is notified by ICANN of registrar non-responsiveness to a WDPRS within the 15 day required response time to WDPRS reports, Uniregistry will investigate registrar handling of WDPRS complaints. If the registrar does not respond to or investigate WDPRS, and either cannot ensure compliance or is repeatedly non-compliant, such registrar will be suspended until such time as it can ensure compliance.

In addition to these passive and reactive measures, Uniregistry will implement an active WHOIS accuracy program. Registrations will be periodically statistically sampled (in the event of low registration volume the sample will include all registrations) and tested. Testing will be performed by commercial ʺdata hygieneʺ services for such internal accuracy indications as whether postal data and telephone numbers are appropriate for the indicated registrant address (i.e. postal codes correspond to the indicated geographic area of the registrant, telephone numbers are of the corresponding format and dialing codes). Uniregistry shall process exceptional WHOIS data identified by the active WHOIS data accuracy program in the same process flow as WDPRS reports are handled.

28.1.8. Terrorism and International Criminal Organizations

Uniregistry will periodically review WHOIS data against identity and contact data provided by the United States Department of Treasury Specially Designated Nationals List (SDN) maintained by the Office of Foreign Assets Control (http://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx). Any domain name found to be registered to an SDN will be summarily suspended from operation.

28.1.9. Criminal Investigations / Law Enforcement Contacts

Uniregistry will receive service of any warrant, subpoena, seizure order or equivalent directive served in Uniregistry's charter jurisdiction, or upon Uniregistry's agents for service of process in the United States and the United Kingdom. Contact information for Uniregistry's agents for service of process will be published at ABUSE.HOME, who will issue immediate confirmation of receipt to the sender. Uniregistry shall maintain, and shall require accredited registrars to maintain, a law enforcement contact, including a 24/7 telephone contact by which law enforcement agencies may inquire and obtain confirmation that any other written communication directed to it has been received. Subject to confirmation of bona fide law enforcement status and provision of appropriate contact information, receipt of written and email communications from law enforcement authorities will be acknowledged within 24 hours.

Uniregistry cannot prescribe in advance how it will respond to every type of contact from every jurisdiction. What may be considered defensible freedom of expression in one jurisdiction may constitute a criminal activity in another. Uniregistryʹs response to warrants, subpoenae, court orders and the like will be guided by whether such documents originate with a court or authority of competent jurisdiction over the matter. ʺCompetent jurisdictionʺ, in general, is understood to indicate a governmental authority possessing (1) statutory authority to adjudicate the cause of action and to enforce remedies, and (2) personal jurisdiction over the registry, registrar, or registrant by virtue of presence in the indicated jurisdiction or where the actorʹs contacts with the jurisdiction are sufficiently continuous and systematic that accession to such jurisdiction does not violate inter-jurisdictional norms. For the purpose of legal compliance in situations where ʺcompetent jurisdictionʺ is questionable, but where the effects of the activity in question have a substantial impact in the indicated jurisdiction, Uniregistryʹs response will be guided by principles of inter-jurisdictional enforcement in the next-nearest ʺcompetent jurisdictionʺ (such as any competent jurisdiction attaching to the registry, registrar or registrant). For example, in relation to activities conducted in Country A having an impact in Country B with which there are no relevant treaties, diplomatic relations, or law enforcement cooperation, then the activity in question will be assessed in accordance with the relevant authority of Country A alone, and whether an entity in Country A would ordinarily be subject to law enforcement or other government actions undertaken in Country B in relation to an entity in Country B.

In no instance will Uniregistry undertake an investigation of reports alleging sexual or other illegal exploitation of minors, as accessing such material is itself a criminal activity. All reports alleging sexual or other illegal exploitation of minors will be referred to the CyberTipline operated by the US National Center for Missing and Exploited Children (NCMEC), and Uniregistry will receive and act upon instructions from the NCMEC in relation to the report.

UniRegistry will publish on its single point of contact page directions to law enforcement around the globe on how to become a recognized law enforcement reporter in order to streamline jurisdictional review of proposed enforcement actions, in circumstances where the same or similar claims, parties and issues are involved. Recognized law enforcement reporters will be provided with information about how to contact UniRegistry and receive a token that will pre-authenticate them for future contacts with the registry.

28.1.10. Cooperative Efforts

Effective response to abuse activity on the internet is often the product of non-institutionalized and occasionally ad-hoc cooperation among the technical and law enforcement communities. The detection and response to botnets, malware, etc. can require mutual trust, goodwill and discretion among those best positioned to cooperate in such instances. For example, the so called "Conficker" malware (http://en.wikipedia.org/wiki/Conficker) required an extraordinary effort to convene and coordinate a response which became known as the "Conficker Working Group" (http://www.confickerworkinggroup.org/wiki/). Key personnel of both Uniregistry and ISC have long been participants in the relevant working groups, task forces, and internet policy groups in which the requisite trust relationships required to respond to immediate threats have been formed. Such trust relationships are essential in the context of abuse response, as effective cooperative response may require information to be shared on a confidential basis.

28.1.11. Orphan Glue Records and Consistency Checking

Our Shared Registry System (SRS) will automatically delete host registration objects whose parent domains have been deleted. However, we can only act upon names controlled by UniRegistry's platform.

To address other forms of inconsistency, a number of processes will generate automatic notifications to the registrar when problems in the use of the existing information are detected.

For Lame Delegations (LD) detection -- that is, name server delegations to hosts that do not respond authoritatively for the delegating domain -- our SRS will perform periodic checks over the registered domains. Name servers will be queried and their responses analyzed for correctness and, in particular, to determine whether the host is responding authoritatively for the domain.

Another expected problem is the Inexistent Host (IH) -- name server hosts outside of the registered zone. Our SRS will attempt to resolve the name of each of the name servers periodically. When name resolution for the host fails, it is classified as an IH.

When LDs, IHs or other errors are identified, a message will be sent to the registrar so that actions can be taken.

After a sufficient time has elapsed with no resolution or indications from the registrar, the delegation will be marked as ʺincompleteʺ or ʺinaccurateʺ so that inconsistent or incorrect data is never published in the DNS. The amount of time to wait for action from the registrar is to be defined and reviewed periodically.
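The three consistency checks in this section (orphan glue, Inexistent Host, Lame Delegation) can be sketched as one audit pass over a registry snapshot. This is an added example, not Uniregistry's or ISC's code; the SOA probe, the `resolve` and `query` callables, and every zone, host and address below are constructed assumptions.

```python
import secrets
import struct

TLD = "home"  # the TLD this response covers

def build_soa_query(zone, qid):
    """Encode a non-recursive (RD=0) SOA query for the zone apex."""
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    # Header: id, flags, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0; then QTYPE=SOA(6), QCLASS=IN(1)
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 6, 1)

def is_lame(response, qid):
    """True if the reply does not show the server is authoritative for the zone."""
    if response is None or len(response) < 12:
        return True                        # timeout or truncated packet
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:   # wrong transaction id, or not a response
        return True
    if flags & 0x000F:                     # RCODE != NOERROR (REFUSED, SERVFAIL, ...)
        return True
    return not (flags & 0x0400) or ancount == 0   # AA bit clear, or referral only

def parent_domain(host):
    """Registered domain that a host under the TLD belongs to, else None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != TLD:
        return None
    return ".".join(labels[-2:])

def audit(domains, host_objects, resolve, query):
    """domains: {zone: [name server host, ...]}; host_objects: registry host objects.
    resolve(host) -> list of addresses; query(host, packet) -> reply bytes or None."""
    findings = []
    # Orphan glue: host object whose parent domain is no longer registered.
    for host in sorted(host_objects):
        parent = parent_domain(host)
        if parent is not None and parent not in domains:
            findings.append(("ORPHAN_GLUE", host, parent))
    for zone in sorted(domains):
        for ns in domains[zone]:
            # IH: name server outside the registered zone that no longer resolves.
            if parent_domain(ns) is None and not resolve(ns):
                findings.append(("IH", ns, zone))
                continue
            # LD: name server answers, but not authoritatively for this zone.
            qid = secrets.randbelow(1 << 16)
            if is_lame(query(ns, build_soa_query(zone, qid)), qid):
                findings.append(("LD", ns, zone))
    return findings

# --- Constructed sample data and stand-in network functions (assumptions) ---
SAMPLE_DOMAINS = {
    "example.home": ["ns1.example.home", "ns.gone.example.net"],
    "shop.home": ["ns1.example.home", "ns1.parked.example.org"],
}
SAMPLE_HOSTS = {"ns1.example.home", "ns1.deleted.home"}   # deleted.home was removed
SAMPLE_ADDRS = {"ns1.parked.example.org": ["192.0.2.53"]}

def sample_resolve(host):
    """Stand-in resolver: unknown hosts fail to resolve."""
    return SAMPLE_ADDRS.get(host, [])

def sample_query(host, packet):
    """Stand-in transport: only ns1.example.home answers authoritatively."""
    qid = struct.unpack("!H", packet[:2])[0]
    if host == "ns1.example.home":
        flags, ancount = 0x8400, 1         # QR + AA, one answer record
    else:
        flags, ancount = 0x8005, 0         # QR, RCODE=REFUSED
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + packet[12:]

def run_sample():
    return audit(SAMPLE_DOMAINS, SAMPLE_HOSTS, sample_resolve, sample_query)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Each finding is the kind of record that would drive the registrar notification described above; in a live check `resolve` and `query` would be replaced by real resolver and UDP/TCP calls with timeouts.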

28.1.12. Registrar incentives / disincentives

Uniregistry will conduct an annual review of abuse incidents by registrar, and will impose the following incentives and sanctions.

Abuse Prevention Incentive Tiers
1. Registrars having responsibility for at least 1000 names will be awarded a discount of registration fees for the succeeding year for an abuse incidence of under .1%.

2. Registrars exceeding an abuse incidence of 10% and/or failing to respond to WDPRS reports within 15 days on more than 5% of total WDPRS reports will be assessed a refundable surcharge for the succeeding year, provided that the succeeding year's abuse incidence rate is reduced to below 1%.

3. Registrars with exceptional incidents over a shorter span of time than one year will be subject to temporary suspension until adequate assurances are received that such registrars will improve performance by taking materially demonstrable efforts to address any underlying systemic issue or problematic registrants.

4. Registrars exceeding an abuse incidence of 10% in two successive years will be de-accredited.

Uniregistry will adjust the relevant time periods, thresholds and penalties associated with the incentives and disincentives in response to experience gained.

28.1.13. Registrant Security

Uniregistry will require registrars to provide multi-factor authentication from registrants to process update, transfer, and deletion requests, to publish and explain the registrar's security procedures for such multi-factor authentication on its website, and to notify all points of contact designated by the registrant for notification of update, transfer, and deletion requests. In the event a registrar is determined responsible for more than three incidents of domain misappropriation in a single calendar year, a surcharge will be assessed against all registrations for the succeeding year. In the succeeding year, if the incidence of domain misappropriation has not been reduced below three incidents, the registrar will be de-accredited.

28.1.14. APPENDIX A: UNIREGISTRY .HOME ABUSE POLICY

The following definitions and procedures are to be incorporated into the terms of the Registry-Registrar Agreement (RRA), and by mandatory reference into the Registrant Agreement (including where Uniregistry or an affiliated entity acts as registrar for a subject Domain Name).

Uniregistry Abusive Use Policy

1. Definitions

"Abusive Use" shall include the following actions:

(a) Spam: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums;

(b) Phishing: The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;

(c) Pharming: The redirecting of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning;

(d) Willful distribution of malware: The dissemination of software designed to infiltrate or damage a computer system without the owner's informed consent. Examples include, without limitation, computer viruses, worms, keyloggers, and Trojan horses;

(e) Fast flux hosting: Use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves;

(f) Botnet command and control: Services run on a domain name that are used to control a collection of compromised computers or "zombies," or to direct denial-of-service attacks (DDoS attacks);

(g) Child endangerment, including the distribution of child pornography; and

(h) Illegal Access to Other Computers or Networks: Illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individual's system (often known as "hacking"). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity).

(i) Other: Uniregistry may update these definitions from time to time as new forms of abusive activity emerge or are identified, and in general to (1) protect the integrity and stability of the registry; (2) comply with government rules or requirements or inquiries by law enforcement; or (3) avoid or mitigate any liability, civil or criminal, on the part of Uniregistry, as well as its affiliates, subsidiaries, officers, directors, and employees.

2. In General

Uniregistry shall reserve the right, without obligation, to receive and investigate reports of abusive use of domain names, as defined above, and to deny, cancel, suspend, or place any domain name(s) on registry lock, hold or similar status, upon reasonable evidence thereof.

3. Accredited Reporters

Uniregistry recognizes that certain governmental and/or industry organizations possess expertise in collecting information in relation to particular forms of abusive use. Such organizations include the Anti-Phishing Working Group, Spamhaus, LegitScript, and others. Accordingly, reports from such organizations shall receive priority attention and action by Uniregistry. Uniregistry shall assign a non-published contact method (including email and telephone) and provide this contact method to such organizations, by which reports may be submitted. Uniregistry shall maintain and publish contact information for such organizations on an abusive use reporting page by which members of the public may report suspected abusive use directly to Uniregistry, or opt to send their report to such established organizations for their review prior to reporting to Uniregistry. Uniregistry shall further maintain an application process by which such established organizations may obtain accredited reporter status. In particular relation to reports concerning child pornography, any report and recommendation received by Uniregistry from the National Center for Missing and Exploited Children (NCMEC) will be acted upon without review by Uniregistry. Likewise, Uniregistry will undertake no independent investigation of reports of child pornography from any source, but will forward such reports upon receipt to the NCMEC.

4. Procedure

(a) Accredited Report: Upon receipt of a report from an accredited reporter, Uniregistry will confirm receipt of the report to the reporter, review the report to determine that the subject Domain Name is registered via Uniregistry, and will notify the registrar of record for processing according to the applicable policy of the registrar. Uniregistry will proceed to take appropriate action in relation to the report without further notice, and confirm such action to the reporter.

(b) All other reports: Upon receipt of a report from a non-accredited reporter, Uniregistry will confirm receipt of the report and provide the reporter with contact information of accredited reporters who accept reports of abusive use from the general public. Additionally, Uniregistry will forward the report to the registrar of record for processing according to the applicable policy of the registrar. Uniregistry will review the report and may proceed to take appropriate action in relation to the report if such action appears warranted. In the course of such review and/or action, Uniregistry may request additional information concerning the report and the identity of the reporter, and will further determine whether such action is to be confirmed to the reporter.

28.2. RESOURCING

Costs and procurement of the resources described here are detailed in response to Question 47.

28.2.1. Human Resources

See EXHIBIT: 28-Chart-Resourcing.png

The resourcing plan specific to this response follows the principles, guidelines and information set forth in our response to Question 23.

The accompanying chart shows the human resources allocated to the functions depicted in this response.

Uniregistry maintains retainer relationships with two attorneys having extensive experience in internet matters, who will be responsible for reviewing and authorizing response to any abuse incident, report, or law enforcement or court action requiring legal review such as jurisdictional analysis. At any time, at least one of these attorneys shall be "on call" to immediately address such incidents as circumstances warrant.

28.3. ABOUT THIS RESPONSE

We believe that this answer meets the requirements and addresses all the points of this question:

* We have created a single point of contact for abuse reporting using any of several means (from telephone to text message to web) and in the languages supported by .HOME. This point of contact is active and available 24x7.
* We have created enhanced means to handle reports and requests from law enforcement.
* We have a Registry Operations Center that will dispatch all incoming reports of abuse to our abuse management team.
* We have a structured response plan that tailors our response to the nature and exigency of the report.
* We have mechanisms to evaluate orphaned glue records and to remove them as needed.
* Our registration system incorporates technical mechanisms to put a name into suspension when warranted by our abuse policy.
* We have written policies regarding abuse and Whois accuracy.

We believe that this answer exceeds the requirements of this question:

* We require registrars (and indirectly require registrants) to provide and maintain accurate Whois information.
* We require registrars to participate in ICANN's WHOIS Data Problem Report System (WDPRS) and ICANN's WHOIS Data Reminder Policy (WDRP).
* We will perform validation tests on statistically meaningful samples of Whois data to look for inaccurate data.
* We use strong security methods to assure that registrar-registry interactions are authenticated and protected.

gTLD | Full Legal Name | E-mail suffix
.style | Uniregistry, Corp. | uniregistry.com
TABLE OF CONTENTS

28.1 ABUSE PREVENTION AND MITIGATION
28.1.1 Overview
28.1.2 Abusive Conduct
28.1.3 Directory of Abuse Response Tools
28.1.4 Single Point of Contact
28.1.5 Abuse Identification, Queuing, and Response
28.1.6 Pro-active Abuse Detection And Mitigation
28.1.7 Whois Accuracy
28.1.8 Terrorism and International Criminal Organizations
28.1.9 Criminal Investigations / Law Enforcement Contacts
28.1.10 Cooperative Efforts
28.1.11 Orphan Glue Records and Consistency Checking
28.1.12 Registrar incentives / disincentives
28.1.13 Registrant Security
28.1.14 APPENDIX A: UNIREGISTRY .STYLE ABUSE POLICY
28.2 RESOURCING
28.2.1 Human Resources
28.3 ABOUT THIS RESPONSE

- - - - -

28.1. ABUSE PREVENTION AND MITIGATION

28.1.1. Overview

UniRegistry understands that the privilege of operating Internet infrastructure brings with it the responsibility of ensuring that the infrastructure operates in a secure, stable and predictable manner. Additionally, the ultimate commercial success of the registry is determined in large part by its reputation among users of the internet. To the extent that any TLD is known as a haven for abusive activities, such a reputation may be imputed in the minds of users to all registrants in the TLD. To protect against such harms, UniRegistry has implemented a comprehensive policy to prevent, mitigate and correct abusive uses of the DNS, registrations, and Whois as they are detected.

At the same time, UniRegistry believes that domain name registrants should be secure in their ownership of domain names. Our abuse policies will be developed and implemented in an open and transparent manner designed to allow users a clear and accurate understanding of the state of their domain names at all times.

For transparency, orders from courts directed to the registry for purposes of altering the registration state or ownership of a domain name will be posted on a publicly accessible website operated by UniRegistry.

What constitutes "abuse" can be subjective and can also depend on the jurisdiction in which the "abuse" has an impact. Additionally, those intent on disruptive or criminal behavior on the internet are endlessly creative, so a static definition of "abuse" can become obsolete or inapplicable to new forms of undesired behavior. What can be done at a registry level is to (a) detect and investigate behaviors frequently associated with common known forms of abusive behavior, and (b) respond promptly and intelligently to reported instances of abusive behaviors with appropriate action, bearing in mind that a domain name registrant may itself be an incidental victim of hacking, identity theft, and other abusive activities designed to conceal the identity of a third party bad actor.

The primary commercial relationship defined by a domain registration is between the registrant and the registrar. Many incidents of abuse arise from compromise of the registrant's account with its registrar or hosting provider (which is often the registrar). For example, many phishing sites are deployed in subdirectories of web hosting accounts of sites which are otherwise operating normally. Because these incidents arise at a level which is not best addressed by disabling a domain name in its entirety, .STYLE-accredited registrars are a key component of our abuse policy and response. The registrars have a direct relationship with the customer, and are most favorably positioned to address and resolve instances of account hacking with their customers.

UniRegistry will provide front-line response to urgent abuses that threaten the security or stability of the DNS. UniRegistry will also track registrar response to abuse reports in order to take action in the event the registrant, registrar or hosting provider does not respond to or mitigate issues in a reasonable amount of time. What is "reasonable" in this context depends on the nature of the abuse at issue.

We believe in the value of accurate contact information for all .STYLE domain name registrants. To ensure compliance both with ICANN policy and UniRegistry whois accuracy policies, UniRegistry has adopted a three-pronged approach to data accuracy, described below, which will (i) provide registrants an incentive to provide accurate information; (ii) create consequences for non-compliance for registrants and registrars, including loss of a domain name or loss of accreditation; and (iii) evaluate and, if necessary, correct registration data on a continuous, rolling basis.

28.1.2. Abusive Conduct

UniRegistry policies, flowing to registrars and registrants through their relevant agreements, will prohibit abusive uses of .STYLE domain names. As defined by UniRegistry, "Abusive Use" shall include the following actions:

(a) Spam: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums;

(b) Phishing: The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;

(c) Pharming: The redirecting of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning;

(d) Willful distribution of malware: The dissemination of software designed to infiltrate or damage a computer system without the owner's informed consent. Examples include, without limitation, computer viruses, worms, keyloggers, and Trojan horses;

(e) Fast flux hosting: Use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves;

(f) Botnet command and control: Services run on a domain name that are used to control a collection of compromised computers or "zombies," or to direct denial-of-service attacks (DDoS attacks);

(g) Child endangerment, including the distribution of child pornography; and

(h) Illegal Access to Other Computers or Networks: Illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individual's system (often known as "hacking"). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity).

What constitutes "abuse" is an evolving definition, as bad actors develop more sophisticated or novel forms of undesired behavior. Uniregistry shall maintain engagement with the relevant policy bodies in addition to ICANN, such as the Internet Governance Forum, the Internet Engineering Task Force, and other organizations which provide government and non-governmental policy reports identifying new forms of abusive behavior, and Uniregistry will continue to update its abuse response policies and procedures based on evolving best practices. By the same token, registrants need to have a degree of security that their domain names will not be disabled in response to spurious or incorrect abuse reports.

28.1.3. Directory of Abuse Response Tools

The first issue confronting entities engaged in abuse response, or victims of abusive behavior, is often "to whom do I report this?" As discussed below, Uniregistry will maintain a single point of contact for receiving abuse reports, and routing them to the appropriate responder. In addition, Uniregistry will maintain, in connection with the single point of contact, a directory of third party entities, such as the Internet Crime Complaint Center (IC3) maintained by the US Federal Bureau of Investigation, the UK Serious Organised Crime Agency, and other law enforcement bodies which are engaged in international cooperative efforts to address internet crime. Additionally, the directory will include resources to consumer agencies and other organizations which provide tools, education, monitoring and assistance in combating abusive internet activities.

This information will be published on the registry website. We will receive reports from registrars, resellers, registrants, and third parties.

28.1.4. Single Point of Contact

To make contacting UniRegistry easy and intuitive, we are reserving "ABUSE.STYLE" as a name for exclusive use for the registry for purposes of abuse reporting. The main website for the registry, and other intuitive names, such as "UNIREGISTRY.STYLE" and "NIC.STYLE" will include links to the abuse reporting system. The website at http://ABUSE.STYLE/ will host UniRegistry's abuse policy (attached as Appendix A to this answer), provide a web form for reporting DNS abuses, and provide postal, fax, email and telephonic abuse reporting contacts. In addition, a website at NIC.STYLE will be used as a directory for all registry services, including links to UniRegistry's abuse policy for .STYLE and the registry's abuse reporting and tracking facilities. We will further maintain a designated e-mail contact address, such as abuse@abuse.STYLE, to be provided specifically to law enforcement agencies, Computer Emergency Response Teams (CERTs), the anti-crime and anti-phishing community (interveners), businesses that provide online reputation protection services, network operators, and Internet users to report issues of abuse.

A front-end help desk will receive reports by telephone, email, FAX, and other unstructured means of communication, as an intake mechanism for abuse reports to be provided to the Registry Operations Center (ROC). The help desk will be staffed 24x7. The help desk staff will follow a structured procedure for taking abuse reports and entering data into the web form for reporting abuse. The help desk staff will not have discretionary authority to affect operation of a domain name.

Structured input, for example reports made via our abuse reporting website at ABUSE.STYLE, will bypass the help desk and be sent directly to the ROC. The abuse reporting form will include input fields to identify the domain name at issue, a menu for identifying whether the type of abuse being reported falls into a designated category defined by the Uniregistry abuse policy, contact information for the person or entity making the report in the event further information is needed, and text entry for further relevant information. Upon completion of the abuse reporting form, the reporting system will confirm whether the domain name at issue corresponds to a non-reserved domain name registered to an end user, and an email message requiring confirmation will be sent to the reporter, to discourage reports which are themselves abusive.

The ROC is a dispatch point. All incoming reports are entered into a tracking system. Each report will be given a unique identifier for tracking and compliance purposes. The ROC will do an initial evaluation of each incoming report to ascertain whether that report indicates abuse of some kind, what type of abuse is alleged, whether the report is indicative of a technical failure or is a misdirected inquiry non-indicative of abuse. The tracking system will generate reports to registry management to assure that all reports are handled in a timely and responsive manner.

Incoming reports that suggest potential abuse of UniRegistry's services will be sent to (i) UniRegistry's compliance department; (ii) UniRegistry's back-end service provider ISC; and (iii) the registrar of record for any reported .STYLE domain name included in the abuse report.

28.1.5. Abuse Identification, Queuing, and Response

As abuse reports are received, UniRegistry will use a combination of automated processes and human review to place them into three categories for response. UniRegistry also will accept and give compliance priority to abuse reports sent in machine-readable Abuse Reporting Format (ARF). The ABUSE.STYLE website will contain information for internet service providers, email service providers, hosting companies and other Internet infrastructure providers about how to participate in UniRegistry's complaint feedback loop.

Category 1 reports will receive the highest priority. These are reports of abuse in which use of a .STYLE domain name is either (a) causing immediate and substantial injury to Internet infrastructure, systems, or services that, if not terminated immediately, will cause unavailability or material degradation of such infrastructure, systems or services, or (b) an obvious instance of criminal activity which, if not ceased immediately, is likely to cause substantial injury to Internet users. As soon as an abuse report is categorized as a Category 1 abuse, a "serverHold" status will be set, effectively unpublishing the name from the Internet (though whois contact details will remain published and unchanged). Immediately after the deletion of the nameserver records from the zone file, notices of the domain name takedown will be sent to both the affected domain name registrant and the domain name's registrar of record. The notice will provide a record of the report received, the reasons for the action taken, and a point of contact for the registrant or registrar to address the takedown and seek republication of the domain name's DNS records.

Category 2 reports will be sent to registrars and registrants for investigation and response. Category 2 reports of abuse are deemed serious and potentially threatening to Internet infrastructure, systems, or services, but either (i) UniRegistry cannot verify them or (ii) the potential abuse is not immediate and ongoing. For these reports, UniRegistry anticipates that the registrar will provide first line response, given its relationship to the registrant. UniRegistry will expect a response within seven (7) days. If no response is received, UniRegistry will make its own decision about how to handle the issue.

Category 3 reports will be sent to registrars and registrants for investigation and response. Category 3 abuse reports consist of all abuse reports that do not otherwise fall into Category 1 or 2.
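
An added example (not Uniregistry's code) of intake for the ARF reports mentioned in this section: it parses an RFC 5965 feedback report, checks the required fields, and produces the structured record a tracking system could queue for categorization. The sample message, the `.example` TLD standing in for .STYLE, and all function names are constructed for illustration.

```python
import email

# Feedback types registered by RFC 5965 (auth-failure was added by RFC 6591).
KNOWN_TYPES = {"abuse", "fraud", "virus", "other", "not-spam", "auth-failure"}
REQUIRED = ("Feedback-Type", "User-Agent", "Version")


def parse_arf(raw, tld):
    """Return (record, errors) for one raw ARF e-mail; record is None if unusable."""
    msg = email.message_from_string(raw)
    report_type = str(msg.get_param("report-type", "")).lower()
    if msg.get_content_type() != "multipart/report" or report_type != "feedback-report":
        return None, ["not a multipart/report with report-type=feedback-report"]

    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) < 2:
        return None, ["report has fewer than two MIME parts"]

    # RFC 5965: the second part carries the machine-readable fields.
    fb = parts[1]
    if fb.get_content_type() != "message/feedback-report":
        return None, ["second part is not message/feedback-report"]
    inner = fb.get_payload()
    # The stdlib parser exposes message/* bodies as a nested message object.
    fields = inner[0] if isinstance(inner, list) else email.message_from_string(inner)

    errors = [f"missing required field {name}" for name in REQUIRED if not fields.get(name)]
    ftype = (fields.get("Feedback-Type") or "").strip().lower()
    if ftype and ftype not in KNOWN_TYPES:
        errors.append(f"unknown Feedback-Type {ftype!r}")

    domain = (fields.get("Reported-Domain") or "").strip().lower().rstrip(".")
    record = {
        "feedback_type": ftype,
        "reported_domain": domain,
        # Reports about names outside the registry's zone are misdirected.
        "in_zone": domain.endswith("." + tld.lower()),
        "source_ip": (fields.get("Source-IP") or "").strip(),
        # Third part: the original message or its headers, kept as evidence.
        "has_original": len(parts) > 2
        and parts[2].get_content_type() in ("message/rfc822", "text/rfc822-headers"),
    }
    return (None if errors else record), errors


def sample_arf(fields):
    """Build a constructed ARF message around the given feedback-report fields."""
    return (
        "From: fbl@isp.example\n"
        "To: abuse@registry.example\n"
        "Subject: Abuse report (constructed sample)\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=feedback-report; boundary="arf"\n'
        "\n--arf\nContent-Type: text/plain\n\nHuman-readable summary of the complaint.\n"
        "--arf\nContent-Type: message/feedback-report\n\n" + fields + "\n"
        "--arf\nContent-Type: message/rfc822\n\n"
        "From: billing@widgets.example\nSubject: Verify your account\n\nbody\n"
        "--arf--\n"
    )


GOOD_FIELDS = (
    "Feedback-Type: fraud\nUser-Agent: SampleFBL/1.0\nVersion: 1\n"
    "Reported-Domain: widgets.example\nSource-IP: 192.0.2.10\n"
)
NO_VERSION = "Feedback-Type: abuse\nUser-Agent: SampleFBL/1.0\nReported-Domain: widgets.example\n"

if __name__ == "__main__":
    for label, fields in (("complete", GOOD_FIELDS), ("no Version", NO_VERSION)):
        print(label, parse_arf(sample_arf(fields), "example"))
```

Reports that fail these checks are not discarded in this sketch; the error list is what an intake queue would use to route them to manual handling instead of the prioritized ARF path.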

28.1.6. Pro-active Abuse Detection And Mitigation

It is, of course, essential to react appropriately to abuse reports. Often, such reports are "too little, too late" as the intended harm has already taken place. As the zone operator for .STYLE, Uniregistry is positioned to detect patterns of zone access and internet traffic indicating an activity profile consistent with known forms of abuse. We believe that detection of activity consistent with abusive behavior is preferable to an after-the-fact response once the damage has been done. UniRegistry will make use of ISC's Security Information Exchange (SIE) network to track, in real time, domain names associated with abusive behavior. Recently implemented, the SIE has proven itself an effective mitigation technique for protecting against misuse of network infrastructure and Internet-based resources. The SIE network consists of more than one hundred (100+) passive DNS sensors located in several Internet Service Providers (ISPs), collecting actual real time queries made to authoritative name servers from millions of Internet users.

SIE is an industry and law enforcement clearinghouse of various kinds of security-related information that can be accessed by vetted, credentialed participants in real time subject to common access rules and following strict privacy guidelines. Among the variety of information available through SIE, there are "channels" that provide a real-time view of DNS data associated with malicious use. Tapping this information allows UniRegistry a better chance to proactively detect uses of domain names under its responsibility that constitute abuse.

Domain names associated with suspicious activity profiles will be manually reviewed by the abuse response team as such activity is detected. Where it appears that some form of abuse (as defined in this response) is occurring, the detected abuse will be addressed at the registry level in those instances where disabling the domain name is indicated, or the abuse will be referred to the registrar so that the registrar can take corrective action with the registrant within a reasonable time. Detected suspicious activity profiles in which no clearly apparent abusive behavior is taking place will also be referred to the registrar for further investigation with the registrant.

28.1.7. Whois Accuracy

Accurate information in the whois database protects both domain name registrants and the users who rely on those registrants' Internet-based services. UniRegistry has taken a multi-factored approach to the promotion of whois accuracy. We create incentives to registrants to provide accurate information in the first instance and to keep that information current. We have sanctions, ranging from temporary suspension up to de-accreditation, for registrars that fail to seriously heed their contractual responsibilities to obtain and maintain accurate whois data and to regularly inform registrants of their corresponding responsibility to provide and maintain accurate WHOIS data.

Uniregistry will require registrars to implement and confirm implementation of the WHOIS Data Reminder Policy (WDRP - http://www.icann.org/en/registrars/wdrp.htm), under which the registrar will present current WHOIS information to each registrant at least annually and remind the registrant that inaccurate or false WHOIS data can result in the domain name registration being canceled.

Uniregistry will require registrars to receive and act on reports generated by the WHOIS Data Problem Report System (WDPRS - http://www.icann.org/en/whois/wdprs-report-final-31mar04.htm). The WDPRS system, as currently implemented, involves communications between ICANN and the registrar. In the event Uniregistry is notified by ICANN of registrar non-responsiveness to a WDPRS report within the required 15-day response time, Uniregistry will investigate registrar handling of WDPRS complaints. If the registrar does not respond to or investigate WDPRS reports, and either cannot ensure compliance or is repeatedly non-compliant, such registrar will be suspended until such time as it can ensure compliance.

In addition to these passive and reactive measures, Uniregistry will implement an active WHOIS accuracy program. Registrations will be periodically statistically sampled (in the event of low registration volume the sample will include all registrations) and tested. Testing will be performed by commercial "data hygiene" services for such internal accuracy indications as whether postal data and telephone numbers are appropriate for the indicated registrant address (i.e., postal codes correspond to the indicated geographic area of the registrant, telephone numbers are of the corresponding format and dialing codes). Uniregistry shall process exceptional WHOIS data identified by the active WHOIS data accuracy program in the same process flow as WDPRS reports are handled.

28.1.8. Terrorism and International Criminal Organizations

Uniregistry will periodically review WHOIS data against identity and contact data provided by the United States Department of the Treasury Specially Designated Nationals List (SDN) maintained by the Office of Foreign Assets Control (http://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx). Any domain name found to be registered to an SDN will be summarily suspended from operation.

28.1.9. Criminal Investigations / Law Enforcement Contacts

Uniregistry will receive service of any warrant, subpoena, seizure order or equivalent directive served in Uniregistry's charter jurisdiction, or upon Uniregistry's agents for service of process in the United States and the United Kingdom. Contact information for Uniregistry's agents for service of process, who will issue immediate confirmation of receipt to the sender, will be published at ABUSE.STYLE. Uniregistry shall maintain, and shall require accredited registrars to maintain, a law enforcement contact, including a 24/7 telephone contact by which law enforcement agencies may inquire and obtain confirmation that any other written communication directed to it has been received. Subject to confirmation of bona fide law enforcement status and provision of appropriate contact information, receipt of written and email communications from law enforcement authorities will be acknowledged within 24 hours.

Uniregistry cannot prescribe in advance how it will respond to every type of contact from every jurisdiction. What may be considered defensible freedom of expression in one jurisdiction may constitute a criminal activity in another. Uniregistry's response to warrants, subpoenae, court orders and the like will be guided by whether such documents originate with a court or authority of competent jurisdiction over the matter. "Competent jurisdiction", in general, is understood to indicate a governmental authority possessing (1) statutory authority to adjudicate the cause of action and to enforce remedies, and (2) personal jurisdiction over the registry, registrar, or registrant by virtue of presence in the indicated jurisdiction or where the actor's contacts with the jurisdiction are sufficiently continuous and systematic that accession to such jurisdiction does not violate inter-jurisdictional norms. For the purpose of legal compliance in situations where "competent jurisdiction" is questionable, but where the effects of the activity in question have a substantial impact in the indicated jurisdiction, Uniregistry's response will be guided by principles of inter-jurisdictional enforcement in the next-nearest "competent jurisdiction" (such as any competent jurisdiction attaching to the registry, registrar or registrant). For example, in relation to activities conducted in Country A having an impact in Country B with which there are no relevant treaties, diplomatic relations, or law enforcement cooperation, then the activity in question will be assessed in accordance with the relevant authority of Country A alone, and whether an entity in Country A would ordinarily be subject to law enforcement or other government actions undertaken in Country B in relation to an entity in Country B.

In no instance will Uniregistry undertake an investigation of reports alleging sexual or other illegal exploitation of minors, as accessing such material is itself a criminal activity. All reports alleging sexual or other illegal exploitation of minors will be referred to the CyberTipline operated by the US National Center for Missing and Exploited Children (NCMEC), and Uniregistry will receive and act upon instructions received from the NCMEC in relation to the report.

UniRegistry will publish on its single point of contact page directions to law enforcement around the globe on how to become a recognized law enforcement reporter in order to streamline jurisdictional review of proposed enforcement actions, in circumstances where the same or similar claims, parties and issues are involved. Recognized law enforcement reporters will be provided with information about how to contact UniRegistry and receive a token that will pre-authenticate them for future contacts with the registry.

28.1.10. Cooperative Efforts

Effective response to abuse activity on the internet is often the product of non-institutionalized and occasionally ad-hoc cooperation among the technical and law enforcement communities. The detection and response to botnets, malware, etc. can require mutual trust, goodwill and discretion among those best positioned to cooperate in such instances. For example, the so-called "Conficker" malware (http://en.wikipedia.org/wiki/Conficker) required an extraordinary effort to convene and coordinate a response which became known as the "Conficker Working Group" (http://www.confickerworkinggroup.org/wiki/). Key personnel of both Uniregistry and ISC have long been participants in the relevant working groups, task forces, and internet policy groups in which the requisite trust relationships required to respond to immediate threats have been formed. Such trust relationships are essential in the context of abuse response, as effective cooperative response may require information to be shared on a confidential basis.

28.1.11. Orphan Glue Records and Consistency Checking

Our Shared Registry System (SRS) will automatically delete host registration objects whose parent domains have been deleted. However, we can only act upon names controlled by UniRegistry's platform.

To address other forms of inconsistency, a number of processes will generate automatic notifications to the registrar when problems in the use of the existing information are detected.

For Lame Delegations (LD) detection -- that is, name server delegations to hosts that do not respond authoritatively for the delegating domain -- our SRS will perform periodic checks over the registered domains. Name servers will be queried and their responses will be analyzed for correctness and, in particular, to determine whether the host is responding authoritatively for the domain.

Another expected problem is the Inexistent Host (IH) -- name server hosts outside of the registered zone. Our SRS will attempt to resolve the name of each of the name servers periodically. When name resolution for the host fails, it is classified as an IH.

When LDs, IHs or other errors are identified, a message will be sent to the registrar so that actions can be taken.

After a sufficient time has elapsed with no resolution or indications from the registrar, the delegation will be marked as "incomplete" or "inaccurate" so that inconsistent or incorrect data is never published in the DNS. The amount of time to wait for action from the registrar is to be defined and reviewed periodically.
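
The lame-delegation and inexistent-host checks described above, as an added example that is not the registry's SRS code: it parses the header and question of a name server's reply to an SOA query and classifies each delegation as OK, LD or IH. The sample replies are constructed bytes rather than captured traffic, `widgets.example` stands in for a delegated name, and treating a silent server or a malformed reply as lame is an assumption of this sketch.

```python
import struct

QR, AA, RCODE_MASK = 0x8000, 0x0400, 0x000F  # header flag bits, RFC 1035 section 4.1.1
TYPE_SOA, CLASS_IN = 6, 1


def encode_name(name):
    """Encode a domain name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_qname(msg, off):
    """Decode the question name; a compression pointer or overrun is an error."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels).lower(), off
        if n & 0xC0 or off + n > len(msg):
            raise ValueError("compressed or truncated label")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_response(msg):
    """Parse the fixed 12-byte header and the single question of a DNS reply."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_qname(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rcode": flags & RCODE_MASK, "ancount": an, "qname": qname}


def check_delegation(domain, query_id, host_resolves, response):
    """Classify one (domain, name server) pair as 'OK', 'LD' or 'IH'."""
    if not host_resolves:
        return "IH"          # the name server's own name does not resolve
    if response is None:
        return "LD"          # assumption: a silent server is treated as lame
    try:
        r = parse_response(response)
    except ValueError:
        return "LD"          # assumption: a malformed reply is treated as lame
    same_query = r["qr"] and r["id"] == query_id and r["qname"] == domain.lower().rstrip(".")
    # Authoritative means: AA bit set, NOERROR, and the SOA actually returned.
    authoritative = r["aa"] and r["rcode"] == 0 and r["ancount"] > 0
    return "OK" if same_query and authoritative else "LD"


def build_response(ident, domain, aa, rcode, answers):
    """Construct a sample SOA reply (test data, not captured traffic)."""
    flags = QR | (AA if aa else 0) | rcode
    msg = struct.pack("!6H", ident, flags, 1, answers, 0, 0)
    msg += encode_name(domain) + struct.pack("!2H", TYPE_SOA, CLASS_IN)
    if answers:
        rdata = (encode_name("ns1." + domain) + encode_name("hostmaster." + domain)
                 + struct.pack("!5I", 2024010101, 7200, 3600, 1209600, 3600))
        msg += b"\xc0\x0c" + struct.pack("!2HIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return msg


DOMAIN = "widgets.example"
SAMPLES = [  # (name server, does its name resolve?, reply to the SOA query)
    ("ns1.widgets.example", True, build_response(7, DOMAIN, True, 0, 1)),
    ("ns2.widgets.example", True, build_response(7, DOMAIN, False, 0, 1)),  # cached, AA clear
    ("ns3.widgets.example", True, build_response(7, DOMAIN, False, 5, 0)),  # REFUSED
    ("ns4.widgets.example", True, None),                                    # timeout
    ("ns.retired.example", False, None),                                    # no address
]


def audit(domain, samples, query_id=7):
    """Return {name server: status} for every delegation sample."""
    return {ns: check_delegation(domain, query_id, ok, resp) for ns, ok, resp in samples}


if __name__ == "__main__":
    for ns, status in audit(DOMAIN, SAMPLES).items():
        print(f"{ns:24} {status}")
```

Matching the reply's ID and question name against the query keeps a stray or spoofed packet from marking a lame server as healthy.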

28.1.12. Registrar incentives / disincentives

Uniregistry will conduct an annual review of abuse incidents by registrar, and will impose the following incentives and sanctions.

Abuse Prevention Incentive Tiers
1. Registrars having responsibility for at least 1000 names will be awarded a discount of registration fees for the succeeding year for an abuse incidence of under 0.1%.

2. Registrars exceeding an abuse incidence of 10% and/or failing to respond to WDPRS reports within 15 days on more than 5% of total WDPRS reports will be assessed a refundable surcharge for the succeeding year, provided that the succeeding year's abuse incidence rate is reduced to below 1%.

3. Registrars with exceptional incidents over a shorter span of time than one year will be subject to temporary suspension until adequate assurances are received that such registrars will improve performance by taking materially demonstrable efforts to address any underlying systemic issue or problematic registrants.

4. Registrars exceeding an abuse incidence of 10% in two successive years will be de-accredited.

Uniregistry will adjust the relevant time periods, thresholds, and penalties associated with the incentives and disincentives in response to experience gained.

28.1.13. Registrant Security

Uniregistry will require registrars to provide multi-factor authentication from registrants to process update, transfer, and deletion requests, to publish and explain the registrar's security procedures for such multi-factor authentication on its website, and to notify all points of contact designated by the registrant for notification of update, transfer, and deletion requests. In the event a registrar is determined responsible for more than three incidents of domain misappropriation in a single calendar year, a surcharge will be assessed against all registrations for the succeeding year. In the succeeding year, if the incidence of domain misappropriation has not been reduced below three incidents, the registrar will be de-accredited.

28.1.14. APPENDIX A: UNIREGISTRY .STYLE ABUSE POLICY

The following definitions and procedures are to be incorporated into the terms of the Registry-Registrar Agreement (RRA), and by mandatory reference into the Registrant Agreement (including where Uniregistry or an affiliated entity acts as registrar for a subject Domain Name).

Uniregistry Abusive Use Policy

1. Definitions

"Abusive Use" shall include the following actions:

(a) Spam: The use of electronic messaging systems to send unsolicited bulk messages. The term applies to e-mail spam and similar abuses such as instant messaging spam, mobile messaging spam, and the spamming of Web sites and Internet forums;

(b) Phishing: The use of counterfeit Web pages that are designed to trick recipients into divulging sensitive data such as usernames, passwords, or financial data;

(c) Pharming: The redirecting of unknowing users to fraudulent sites or services, typically through DNS hijacking or poisoning;

(d) Willful distribution of malware: The dissemination of software designed to infiltrate or damage a computer system without the owner's informed consent. Examples include, without limitation, computer viruses, worms, keyloggers, and Trojan horses;

(e) Fast flux hosting: Use of fast-flux techniques to disguise the location of Web sites or other Internet services, or to avoid detection and mitigation efforts, or to host illegal activities. Fast-flux techniques use DNS to frequently change the location on the Internet to which the domain name of an Internet host or name server resolves;

(f) Botnet command and control: Services run on a domain name that are used to control a collection of compromised computers or "zombies," or to direct denial-of-service attacks (DDoS attacks);

(g) Child endangerment, including the distribution of child pornography; and

(h) Illegal Access to Other Computers or Networks: Illegally accessing computers, accounts, or networks belonging to another party, or attempting to penetrate security measures of another individual's system (often known as "hacking"). Also, any activity that might be used as a precursor to an attempted system penetration (e.g., port scan, stealth scan, or other information gathering activity).

(i) Other: Uniregistry may update these definitions from time to time as new forms of abusive activity emerge or are identified, and in general to (1) protect the integrity and stability of the registry; (2) comply with government rules or requirements or inquiries by law enforcement; or (3) avoid or mitigate any liability, civil or criminal, on the part of Uniregistry, as well as its affiliates, subsidiaries, officers, directors, and employees.

2. In General

Uniregistry shall reserve the right, without obligation, to receive and investigate reports of abusive use of domain names, as defined above, and to deny, cancel, suspend, or place any domain name(s) on registry lock, hold or similar status, upon reasonable evidence thereof.

3. Accredited Reporters

Uniregistry recognizes that certain governmental and/or industry organizations possess expertise in collecting information in relation to particular forms of abusive use. Such organizations include the Anti-Phishing Working Group, Spamhaus, LegitScript, and others. Accordingly, reports from such organizations shall receive priority attention and action by Uniregistry. Uniregistry shall assign a non-published contact method (including email and telephone) and provide this contact method to such organizations, by which reports may be submitted. Uniregistry shall maintain and publish contact information for such organizations on an abusive use reporting page by which members of the public may report suspected abusive use directly to Uniregistry, or opt to send their report to such established organizations for their review prior to reporting to Uniregistry. Uniregistry shall further maintain an application process by which such established organizations may obtain accredited reporter status. In particular relation to reports concerning child pornography, any report and recommendation received by Uniregistry from the National Center for Missing and Exploited Children (NCMEC) will be acted upon without review by Uniregistry. Likewise, Uniregistry will undertake no independent investigation of reports of child pornography from any source, but will forward such reports upon receipt to the NCMEC.

4. Procedure

(a) Accredited Report: Upon receipt of a report from an accredited reporter, Uniregistry will confirm receipt of the report to the reporter, review the report to determine that the subject Domain Name is registered via Uniregistry, and will notify the registrar of record for processing according to the applicable policy of the registrar. Uniregistry will proceed to take appropriate action in relation to the report without further notice, and confirm such action to the reporter.

(b) All other reports: Upon receipt of a report from a non-accredited reporter, Uniregistry will confirm receipt of the report and provide the reporter with contact information of accredited reporters who accept reports of abusive use from the general public. Additionally, Uniregistry will forward the report to the registrar of record for processing according to the applicable policy of the registrar. Uniregistry will review the report and may proceed to take appropriate action in relation to the report if such action appears warranted. In the course of such review and/or action, Uniregistry may request additional information concerning the report and the identity of the reporter, and will further determine whether such action is to be confirmed to the reporter.

28.2. RESOURCING

Costs and procurement of the resources described here are detailed in response to Question 47.

28.2.1. Human Resources

See EXHIBIT: 28-Chart-Resourcing.png

The resourcing plan specific to this response follows the principles, guidelines and information set forth in our response to Question 23.

The accompanying chart shows the human resources allocated to the functions depicted in this response.

Uniregistry maintains retainer relationships with two attorneys having extensive experience in internet matters, who will be responsible for reviewing and authorizing response to any abuse incident, report, or law enforcement or court action requiring legal review such as jurisdictional analysis. At any time, at least one of these attorneys shall be "on call" to immediately address such incidents as circumstances warrant.

28.3. ABOUT THIS RESPONSE

We believe that this answer meets the requirements and addresses all the points of this question:

* We have created a single point of contact for abuse reporting using any of several means (from telephone to text message to web) and in the languages supported by .STYLE. This point of contact is active and available 24x7.
* We have created enhanced means to handle reports and requests from law enforcement.
* We have a Registry Operations Center that will dispatch all incoming reports of abuse to our abuse management team.
* We have a structured response plan that tailors our response to the nature and exigency of the report.
* We have mechanisms to evaluate orphaned glue records and to remove them as needed.
* Our registration system incorporates technical mechanisms to put a name into suspension when warranted by our abuse policy.
* We have written policies regarding abuse and Whois accuracy.

We believe that this answer exceeds the requirements of this question:

* We require registrars (and indirectly require registrants) to provide and maintain accurate Whois information.
* We require registrars to participate in ICANN's WHOIS Data Problem Report System (WDPRS) and ICANN's WHOIS Data Reminder Policy (WDRP).
* We will perform validation tests on statistically meaningful samples of Whois data to look for inaccurate data.
* We use strong security methods to assure that registrar-registry interactions are authenticated and protected.