28 Abuse Prevention and Mitigation

Prototypical answer:

gTLD: .obi
Full Legal Name: OBI Group Holding GmbH
E-mail suffix: obi.de

1. Comprehensive abuse policies, which include clear definitions of what constitutes abuse in the TLD, and procedures that will effectively minimize potential for abuse in the TLD
OBI is deploying several measures to prevent or mitigate abuse.
The overarching principle, which serves not only to protect the OBI brand and its reputation but also to protect users from being harmed when searching for information about OBI, its products or services, is to establish and maintain control of the namespace to the best possible extent.
OBI recognizes that there are various threats for users seeking information about OBI or its products and services that might originate outside the namespace of the proposed gTLD, i.e. in other TLDs or even without involving any domain name, but only IP-addresses.
In the light of a holistic approach, OBI will
(i) educate its contractors, customers and target groups that reliable and trustworthy information is only found in the “OBI” namespace; and
(ii) inform and educate its franchise partners that they should promote the new namespace as a source of reliable and trustworthy information and make this approach part of the marketing campaigns of the whole OBI group and its franchise partners.
There are known abuse scenarios and there will be more yet unknown tactics to deceive Internet users by means of using known brands. While there is little that OBI can do to prevent such abuse from taking place in areas that cannot be controlled by OBI, the risk of illegal activity causing harm to users can be diminished by means of user education. Each user that positively knows where to find original information will less likely be misguided by illegal offers. Additionally, OBI assumes that such educational activities will ultimately take away the commercial appeal or at least limit the attractiveness, if any, of scam abusing the OBI brand.
Since only OBI is an eligible registrant of .obi domain names, the risk of abuse is low. Nonetheless, OBI will comprehensively address this issue.

1.1 Abuse Prevention and Mitigation Implementation Plan
The following policies will be implemented upon the launch of the new .obi gTLD. All policies will also be published prominently on the Registry website alongside the abuse point of contact and with instructions on how to best report any suspected violations of the policies to the registry.
* The .obi gTLD will only be available to Obi Group Holding GmbH as registrant. This enables OBI to control the registration process and the WHOIS accuracy in a way most registries are not able to, thus providing an extra layer of security to prevent registration abuse.

The “.OBI Eligibility Policy” will state that only Obi Group Holding GmbH is eligible to register a .OBI domain name. The registrar or the registrars that OBI will be working with, will be required to ensure that only registration requests from persons duly authorized by OBI are processed.
It should be pointed out that the Registrant of all domain names within the .OBI namespace will be only OBI. This “single registrant” approach will ensure WHOIS accuracy and it will ensure that all complaints regarding specific domain names are handled promptly. While certain domain names may be used by group companies or contractors, OBI will be able to unambiguously identify the respective parties internally.

The “.OBI Eligibility Policy” will be made binding for all registrants by contractually obligating registrars through the RRA to pass on the “.OBI Eligibility Policy” as part of their registration agreements.

* By registering a specific domain name the registrant will further need to agree and comply with the “.OBI Domain Name Policy” (DNP). The DNP will be made binding for all registrants by contractually obligating registrars through the Registry-Registrar Agreement to pass on the DNP as part of their registration agreements.

The registered domain names shall only be used for bona fide business or commercial purposes in connection with all activities for which the OBI brand may be used legitimately, such as providing information on markets, contracted manufacturers, its products, services and the company itself.

The overall goal of the DNP is to limit significant harm to internet users, to enable OBI or registrars to investigate and to take action in case of malicious use of domain names and to deter registrants from engaging in illegal or fraudulent use of domain names. OBI defines abuse as an action that causes actual and substantial harm, or is a material predicate of such harm, and is illegal, illegitimate, or otherwise contrary to company policy.
OBI will distinguish here in the context of the “.OBI Domain Name Policy” between:
“registration abuse” and “usage abuse”.
“Registration abuse” is:
* Use of faulty/falsified/incomplete/stolen person-related or company-related data on registration (danger to WHOIS accuracy, see below);
* Cybersquatting/typosquatting;
* Registration of illegal domain names (see question 29);
“Usage abuse” is:
* Violation of applicable laws or regulation; in particular the provisions of the German Criminal Code, the German Youth Protection Act and the German Interstate Treaty on the Protection of Minors in the Media (JMStV). Only such contents are permissible which may be made available to underaged persons without any restrictions;
* Use of a domain to publish content which incites to hatred against parts of the population or against a national, racial, religious or ethnic group, content which glorifies violence, content which violates the human dignity, content which denies or plays down acts committed under the National Socialist regime;
* Distribution of child abusive material;
* Use of a domain name for the dissemination of spam, i.e. unsolicited bulk electronic communication (e-mail, instant messaging, on websites, in forums or mobile messaging) or advertising a domain name by means of spam.
* Use of a domain name for Distributed Denial-of-service attacks (“DDoS attacks”);
* Use of domain names in phishing activities, tricking Internet users into divulging personal data such as names, addresses, usernames, passwords, or financial data;
* Use of domain names in pharming, such as DNS hijacking and DNS cache poisoning;
* Use of domain names for the intentional distribution of malicious code such as spyware, botware, keylogger bots, viruses, worms or trojans;
* Use of domain names to command and control botnets, i.e. a network of compromised computers or “zombies”;
* Use of domain names in activities intended to gain illegal access to other computers or networks (“hacking”), as well as any activity to prepare for such a system penetration; or
* Use of a domain name for fast flux hosting, disguising the location of internet addresses or Internet services.

OBI reserves the right to deny, cancel or transfer any registration, or place any domain name(s) on registry lock, hold or similar status, that it deems necessary, at its discretion (1) to protect the integrity and stability of the registry; (2) to comply with any applicable laws, government rules or requirements, requests by law enforcement, or any dispute resolution process; (3) to avoid any liability, civil or criminal, on the part of OBI, as well as its affiliates, subsidiaries, officers, directors, and employees; (4) in accordance with the terms of the registration agreement or (5) to correct mistakes made by OBI or any registrar in connection with a domain name registration. 

Additionally, as detailed in the answer to Question 29 (Rights Protection Mechanisms), OBI takes extensive measures to protect third party rights with regard to .OBI domain names. This includes
* conducting a Sunrise phase to allow trademark holders to secure names related to their trademarks prior to general availability (due to the very strict and limiting nature of the “.OBI Eligibility Policy” this should not become relevant within the .OBI namespace);
* accessing the Trademark Clearinghouse to validate trademarks presented by registrants;
* offering the Trademark Claims Service;
* taking precautions against phishing and pharming and
* committing to full compliance with established Dispute Resolution and Suspension Procedures, including the Uniform Rapid Suspension (URS), the Trademark Post-Delegation Dispute Resolution Procedure (Trademark PDDRP), and the Uniform Domain Name Dispute Resolution Policy (UDRP).
Please refer to the answer to question 29 for more detailed information on these measures.

1.2 Policy for Handling Complaints Regarding Abuse
OBI will provide Internet users with a prominent online point of contact to report “Registration Abuse” or “Usage Abuse” as defined above by using a standardized web form. The whole procedure will be governed by the “.obi Abuse Reporting and Takedown Policy” (ARTP).
The “ARTP” will provide users affected or believing they are affected by illegal .obi use with a transparent and structured route which the complaint procedure follows.

The key points of the ARTP are:

- The complaints procedure is open to any user;
- Users must give at least one email address where they can be notified of the status of the complaint procedure;
- Depending on which abuse variant they select, users are obliged to supply certain additional information; there is also the option to upload e.g. screenshots or other files for the purposes of evidence;
- If the predefined abuse forms do not fit, users can enter their own information which must meet certain minimum standards for length (to prevent abuse of the form);
- Users must state in every case for which .obi domain names a complaint is being submitted;
- Users must finally declare in every case that all the information submitted is true; the form is secured by a CAPTCHA query.
The abuse point-of-contact will be responsive and effective, tasked with answering email quickly, empowered to take effective action, and guided by well-defined written criteria.
This role-based function will be performed by the legal department of the OBI group.
After sending the web form the user will be provided in all cases with an automatically generated email containing a tracking or case number.
Each report will be carefully reviewed and evaluated regarding its credibility, to determine whether the reported issue is an abuse concern, and to assess the required action(s) – if any. OBI’s abuse team will closely work together with the registrar(s) as well as the Registry Service Provider – VeriSign – to rapidly address potential threats or abuse complaints, investigate all reasonable complaints, and take any appropriate action(s).
As standard practice, OBI’s abuse team will forward all credible and actionable reports, including the accompanying evidence and a recommendation on what action should be taken, to OBI’s legal department, which is responsible for compliance. The recommendation also states the type of infringement and the legal basis of the sanction, such as the applicable terms of use, ICANN policies, applicable laws or the DNP.
The standard procedure will be:
* OBI will identify the business unit or party that has been granted a right to use the domain name or which is responsible for the server (Respondent) for which a complaint has been received and notify its abuse team;
* The Respondent will receive the complaint by email and is obliged to process and reply to all correspondence forwarded by OBI’s abuse team without delay, and at least within 48 hours, unless a third party has set a shorter period or there is other specific need for speed;
* with the response, the Respondent must state whether he wishes to cure the alleged breach or to defend against the third party allegation;
* a matter is settled when the Respondent evidences to have cured the breach within the deadline given;
* should a Respondent fail to respond to the request of OBI’s abuse team in time, OBI is entitled to delete or suspend the respective domain name or make certain content or services offered thereunder unavailable.
Reports and requests from competent authorities, law enforcement and/or courts receive top priority. These parties will receive priority contact options to ensure quick and proper reactions. Such requests will be handled and resolved by OBI’s abuse team without delay, at the latest within 24 hrs.
In all cases OBI reserves the right to act directly and immediately in cases of obvious and significant malicious conduct. Should OBI (or the registrar) decide to suspend a specific domain name the suspension request will be fulfilled as described below.

1.3 Suspension Process for abusive domain names
In the case of domain name abuse, OBI will determine whether to take down the subject domain name. Verisign, OBI’s selected backend registry services provider, will follow the auditable processes described below to comply with the suspension request.

Figure 28-2: Suspension processes conducted by backend registry services provider

OBI submits the suspension request to Verisign for processing, documented by:
* Threat domain name
* Registry incident number
* Incident narrative, threat analytics, screen shots to depict abuse, and/or other evidence
* Threat classification
* Threat urgency description
* Recommended timeframe for suspension/takedown
* Technical details (e.g., WHOIS records, IP addresses, hash values, anti-virus detection results/nomenclature, name servers, domain name statuses that are relevant to the suspension)
* Incident response, including surge capacity

When Verisign receives a suspension request from OBI, it performs the following verification procedures:
* Validate that all the required data appears in the notification.
* Validate that the request for suspension is for a registered domain name.
* Return a case number for tracking purposes.

If required data is missing from the suspension request, or the domain name is not registered, the request will be rejected and returned to OBI with the following information:
* Threat domain name
* Registry incident number
* Verisign case number
* Error

1.4 Domain Name Abuse Prevention Measures
Verisign, OBI’s selected backend registry services provider, provides the following domain name abuse prevention services, which OBI incorporates into its full-service registry operations. These services are available at the time of domain name registration.
1.4.1 Registry Lock.
The Registry Lock Service allows registrars to offer server-level protection for their registrants’ domain names. A registry lock can be applied during the initial standup of the domain name or at any time that the registry is operational.
Specific Extensible Provisioning Protocol (EPP) status codes are set on the domain name to prevent malicious or inadvertent modifications, deletions, and transfers. Typically, these ‘server’ level status codes can only be updated by the registry. The Registrar only has ‘client’ level codes and cannot alter ‘server’ level status codes. The registrant must provide a pass phrase to the registry before any updates are made to the domain name. However, with Registry Lock, provided via Verisign, OBI’s subcontractor, registrars can also take advantage of server status codes.
The following EPP server status codes are applicable for domain names:
(i) serverUpdateProhibited,
(ii) serverDeleteProhibited, and
(iii) serverTransferProhibited. These statuses may be applied individually or in combination.
The EPP also enables setting host (i.e. name server) status codes to prevent deleting or renaming a host or modifying its IP addresses. Setting host status codes at the registry reduces the risk of inadvertent disruption of DNS resolution for domain names.
The Registry Lock Service is used in conjunction with a registrar’s proprietary security measures to bring a greater level of security to registrants’ domain names and help mitigate potential for unintended deletions, transfers, and/or updates.
Two components comprise the Registry Lock Service:
* OBI and/or its registrars provide Verisign, OBI’s selected provider of backend registry services, with a list of the domain names to be placed on the server status codes. During the term of the service agreement, the registrar can add domain names to be placed on the server status codes and/or remove domain names currently placed on the server status codes. Verisign then manually authenticates that the registrar submitting the list of domain names is the registrar-of-record for such domain names.
* If OBI and/or its registrars require changes (including updates, deletes, and transfers) to a domain name placed on a server status code, Verisign follows a secure, authenticated process to perform the change. This process includes a request from an OBI-authorized representative for Verisign to remove the specific registry status code, validation of the authorized individual by Verisign, removal of the specified server status code, registrar completion of the desired change, and a request from an OBI-authorized individual to reinstate the server status code on the domain name. This process is designed to complement automated transaction processing through the Shared Registration System (SRS) by using independent authentication by trusted registry experts.
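A monitoring check for the three server status codes listed above, added here as an example (it is not Verisign's or OBI's code). It parses WHOIS-style "Domain Status" lines and reports, per operation, whether the lock sits at the registry, only at the registrar through the client-level EPP codes, or nowhere. The function name and the WHOIS sample are constructed for illustration.

```python
import re

# Server-level EPP status codes named in this section, keyed to the
# operation each one blocks.
SERVER_LOCKS = {
    "serverUpdateProhibited": "update",
    "serverDeleteProhibited": "delete",
    "serverTransferProhibited": "transfer",
}

# Matches "Domain Status: <code> <optional URL>" and plain "Status: <code>".
STATUS_LINE = re.compile(
    r"^\s*(?:Domain )?Status:\s*([A-Za-z]+)", re.IGNORECASE | re.MULTILINE
)


def audit_registry_lock(whois_text):
    """Classify update/delete/transfer protection for one domain."""
    seen = {code.lower() for code in STATUS_LINE.findall(whois_text)}
    server, client = set(), set()
    for code, operation in SERVER_LOCKS.items():
        if code.lower() in seen:
            server.add(operation)
        # The registrar-settable twin (clientUpdateProhibited, ...).
        if code.replace("server", "client", 1).lower() in seen:
            client.add(operation)
    everything = set(SERVER_LOCKS.values())
    return {
        # Only the registry can lift these.
        "registry_locked": sorted(server),
        # A compromised registrar account could remove these itself.
        "registrar_only": sorted(client - server),
        "unprotected": sorted(everything - server - client),
    }


# Constructed WHOIS excerpt for a hypothetical name.
SAMPLE_WHOIS = """\
Domain Name: SHOP.OBI
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
"""

if __name__ == "__main__":
    for key, operations in audit_registry_lock(SAMPLE_WHOIS).items():
        print(f"{key}: {', '.join(operations) or '-'}")
```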
1.4.2 Malware scanning service
Registrants are often unknowing victims of malware exploits. Verisign has developed proprietary code to help identify malware in the zones it manages, which in turn helps registrars by identifying malicious code hidden in their domain names.
Verisign’s malware scanning service helps prevent websites from infecting other websites by scanning web pages for embedded malicious content that will infect visitors’ websites. Verisign’s malware scanning technology uses a combination of in-depth malware behavioral analysis, anti-virus results, detailed malware patterns, and network analysis to discover known exploits for the particular scanned zone. If malware is detected, the service sends the registrar a report that contains the number of malicious domains found and details about malicious content within its TLD zones. Reports with remediation instructions are provided to help registrars and registrants eliminate the identified malware from the registrant’s website.

1.5 Proposed Measures for Removal of Orphan Glue Records
Although orphan glue records often support correct and ordinary operation of the Domain Name System (DNS), registry operators will be required to remove orphan glue records (as defined at http://www.icann.org/en/committees/security/sac048.pdf) when provided with evidence in written form that such records are present in connection with malicious conduct. OBI’s selected backend registry services provider’s (Verisign’s) registration system is specifically designed to not allow orphan glue records. Registrars are required to delete/move all dependent DNS records before they are allowed to delete the parent domain.
To prevent orphan glue records, Verisign performs the following checks before removing a domain or name server:
Checks during domain delete:
* Parent domain delete is not allowed if any other domain in the zone refers to the child name server.
* If the parent domain is the only domain using the child name server, then both the domain and the glue record are removed from the zone.

Check during explicit name server delete:
* Verisign confirms that the current name server is not referenced by any domain name (in-zone) before deleting the name server.
Zone-file impact:
* If the parent domain references the child name server AND if other domains in the zone also reference it AND if the parent domain name is assigned a serverHold status, then the parent domain goes out of the zone but the name server glue record does not.
* If no domains reference a name server, then the zone file removes the glue record.
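The delete checks and zone-file rules above, modelled as a small in-memory registry. This is an added example, not Verisign's registration system; the class and method names, the domain names and the 192.0.2.53 address are constructed, and the model assumes second-level registrations only and publishes glue only while a domain that is itself in the zone references the host.

```python
from dataclasses import dataclass, field


@dataclass
class Domain:
    nameservers: set = field(default_factory=set)
    server_hold: bool = False


class Registry:
    def __init__(self):
        self.domains = {}  # domain name -> Domain
        self.hosts = {}    # name server host name -> set of glue IPs

    @staticmethod
    def parent_of(host):
        # Assumption: second-level names only, so ns1.shop.obi -> shop.obi.
        return ".".join(host.split(".")[-2:])

    def referrers(self, host, exclude=None):
        """Domains that delegate to `host`, optionally ignoring one."""
        return sorted(name for name, dom in self.domains.items()
                      if host in dom.nameservers and name != exclude)

    def delete_domain(self, name):
        """Domain delete check: refuse if another domain uses a child host."""
        children = [h for h in self.hosts if self.parent_of(h) == name]
        for host in children:
            others = self.referrers(host, exclude=name)
            if others:
                return False, f"{host} is still used by {', '.join(others)}"
        # The parent was the only user: domain and glue go together.
        for host in children:
            del self.hosts[host]
        del self.domains[name]
        return True, "deleted"

    def delete_host(self, host):
        """Explicit name server delete: refuse while any domain references it."""
        users = self.referrers(host)
        if users:
            return False, f"{host} is referenced by {', '.join(users)}"
        del self.hosts[host]
        return True, "deleted"

    def zone_records(self):
        """Zone-file view: held domains drop out, referenced glue stays."""
        in_zone = {n: d for n, d in self.domains.items() if not d.server_hold}
        records = [(name, "NS", ns)
                   for name, dom in in_zone.items() for ns in dom.nameservers]
        for host, addresses in self.hosts.items():
            if any(host in dom.nameservers for dom in in_zone.values()):
                records += [(host, "A", ip) for ip in addresses]
        return sorted(records)


def build_sample():
    """Constructed data: two domains sharing one in-zone name server."""
    reg = Registry()
    reg.hosts["ns1.shop.obi"] = {"192.0.2.53"}
    reg.domains["shop.obi"] = Domain({"ns1.shop.obi"})
    reg.domains["garden.obi"] = Domain({"ns1.shop.obi"})
    return reg


if __name__ == "__main__":
    reg = build_sample()
    print(reg.delete_domain("shop.obi"))       # refused: garden.obi depends on it
    reg.domains["shop.obi"].server_hold = True
    for record in reg.zone_records():          # shop.obi gone, glue kept
        print(*record)
```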

2. WHOIS Accuracy
The accuracy and access of WHOIS information is a topic of global discussion and importance. It is without question that the accuracy of data associated with any domain names registered in the .OBI space is of paramount concern. As mentioned before OBI will be following a single registrant approach to ensure WHOIS accuracy. All domain names registered within the .OBI namespace will be using identical registrant data. The .OBI Eligibility Policy will clearly state that only Obi Group Holding GmbH will be an eligible registrant. This policy will be made part of the Registry Registrar Agreement and thus be binding for registrars. Thus, WHOIS will always be 100% accurate.

3. Ensuring Proper Access to Domain Functions
OBI is aware of the risks resulting from all communication regarding the different domain functions on the registry-registrar-level. To ensure proper access to domain functions, OBI incorporates Verisign’s Registry-Registrar Two-Factor Authentication Service into its full-service registry operations. The service is designed to improve domain name security and assist registrars in protecting the accounts they manage by providing another level of assurance that only authorized personnel can communicate with the registry. As part of the service, dynamic one-time passwords (OTPs) supplement the user names and passwords currently used to process update, transfer, and/or deletion requests. These one-time passwords enable transaction processing to be based on requests that are validated both by “what users know” (i.e., their user name and password) and “what users have” (i.e., a two-factor authentication credential with a one-time-password).
Registrars can use the one-time-password when communicating directly with Verisign’s Customer Service department as well as when using the registrar portal to make manual updates, transfers, and/or deletion transactions. The Two-Factor Authentication Service is an optional service offered to registrars that execute the Registry-Registrar Two-Factor Authentication Service Agreement. As shown in Figure 28-1, the registrars’ authorized contacts use the OTP to enable strong authentication when they contact the registry. There is no charge for the Registry-Registrar Two-Factor Authentication Service. It is enabled only for registrars that wish to take advantage of the added security provided by the service.

Figure 28-1: Verisign Registry-Registrar Two-Factor Authentication Service

4. Technical plan scope/scale that is consistent with the overall business approach and planned size of the registry

Scope/Scale Consistency
OBI has a legal department which is responsible for compliance of the OBI group. The team consists of nine fully trained lawyers, of which 5 specialize in trademark law, competition law and cyber law. They are familiar with the legal implications of online services and abuse scenarios on the Internet since they already legally advise the IT department on how to deal with abuse cases. Since the .obi gTLD will only have one registrant, which is the registry operator itself, chances of registration abuse occurring are slim. When it comes to usage abuse, there are no new challenges since OBI has been operating websites and online services for many years and is familiar with the parameters to do so in a compliant manner. Also, in the unlikely case of infringements of applicable laws by group companies or franchisees, there is no indication that a substantial increase of cases, if any, will take place with the introduction of the new gTLD since OBI markets that would be eligible to present themselves in the new gTLD namespace already have websites. Nonetheless, the compliance/abuse department is ready to respond to whatever challenges and workload there might be. The number of staff that can handle complaints is already much higher than necessary, but in case there should be numerous reports, OBI also has specialized law firms to which such work could be outsourced.
Scope/Scale Consistency Specific to Backend Registry Activities
Verisign, OBI’s selected backend registry services provider, is an experienced backend registry provider that has developed and uses proprietary system scaling models to guide the growth of its TLD supporting infrastructure. These models direct Verisign’s infrastructure scaling to include, but not be limited to, server capacity, data storage volume, and network throughput that are aligned with projected demand and usage patterns. Verisign periodically updates these models to account for the adoption of more capable and cost-effective technologies.
Verisign’s scaling models are proven predictors of needed capacity and related cost. As such, they provide the means to link the projected infrastructure needs of the 〈new string〉 gTLD with necessary implementation and sustainment cost. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its scaling models, Verisign derived the necessary infrastructure required to implement and sustain this gTLD. Verisign’s pricing for the backend registry services it provides to OBI fully accounts for cost related to this infrastructure, which is provided as “Other Operating Cost” (Template 1, Line I.L) within the Question 46 financial projections response.

5. Technical plan that is adequately resourced in the planned costs detailed in the financial section

5.1 Resource Planning
Since a low volume of abuse reports that need to be managed is expected, 0.5 FTE has been allocated to this task, amongst others, in the financial plan, although the workforce of a team of nine fully trained lawyers can be used, if need be. In addition to that, resources of Obi Smart Technologies GmbH can be used when it comes to technical questions in the course of abuse management. There is an outsourcing agreement with this company, which is an OBI group company, which is included in the financial planning.

5.2 Resource Planning Specific to Backend Registry Activities
Verisign, OBI’s selected backend registry services provider, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLD’s initial implementation and ongoing maintenance. Verisign’s pricing for the backend registry services it provides to OBI fully accounts for cost related to this infrastructure, which is provided as “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response.
Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisign’s quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisign’s ability to align personnel resource growth to the scale increases of Verisign’s TLD service offerings.
Verisign projects it will use the following personnel roles, which are described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support abuse prevention and mitigation:
Application Engineers: 19
Business Continuity Personnel: 3
Customer Affairs Organization: 9
Customer Support Personnel: 36
Information Security Engineers: 11
Network Administrators: 11
Network Architects: 4
Network Operations Center (NOC) Engineers: 33
Project Managers: 25
Quality Assurance Engineers: 11
Systems Architects: 9

To implement and manage the .OBI gTLD as described in this application, Verisign, OBI’s selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area.
When usage projections indicate a need for additional staff, Verisign’s internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed gTLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internet’s largest TLDs (i.e. .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.
