28 Abuse Prevention and Mitigation

Prototypical answer:

gTLDFull Legal NameE-mail suffixDetail
.mmaMMA IARDafnic.frView

Table of Content

1 - Introduction
2 - Definition of malicious or abusive behavior
3 - Abuse point of contact (POC)
4 - Policies for handling complaints regarding abuse
5 - Orphan glue records
6 - WHOIS accuracy
6.1 - Syntactic and semantic registration constraints
6.2 - Verification tools
6.3 - Whois Data Reminder Policy (WDRP)
6.4 - Protection against unfair use of Whois service
6.5 - Protection against Data Mining
6.6 - Prevention of Unauthorized data modification (Domain functions and control of the domain ⁄ control of use)
6.7 - Prevention from other abusive conducts
7 - Abuse prevention and mitigation policies and procedures
7.1 - No automatic domain registrations: The Delegation Commission’s filter
7.2 - Random Checks in respect of the use of the domain names
7.3 - Sensitization to Pharming and Phishing
7.4 - Registry Commitments
8 - Resourcing

1 - Introduction

The nature of the application (i.e. a Brand Community application with a strict upstream control by a Commission (the ʺDelegation Commissionʺ) designated by the Registry of delivered domain names and a Single Registrant with a full control on domain names) will constitute in itself a safeguard against potential abuses.

In order to minimize abusive registrations and other activities that have a negative impact on Internet users such as phishing or cybersquatting, a control will be carried out by the Delegation Commission on domain names and their intended content. The Single Registrant solemnly undertakes, as much as it is able to, to avoid such issues, which would not serve the Community’s best interest.

2 - Definition of malicious or abusive behavior

The prevention and mitigation policy will cover all types of abuse relevant to the applied for .MMA. The term ʺabuseʺ is considered widely and includes but is not limited to:
* Infringements to third parties rights (among which trademark abuse),
* Web content undermining morality and public order,
* Phishing, cybersquatting or other patterns deemed to have a negative impact on users, and
* Spam practices from an internet email address ending with .MMA.

3 - Abuse point of contact (POC)

The Registry undertakes to designate and make publicly known on its website a technically competent point of contact (the ʺPOCʺ) to deal with abusive⁄ malicious conduct issues. POC will be responsible for addressing matters requiring expedited attention and providing a timely response to abuse complaints concerning all names registered in the TLD. The POC will also be in charge of taking reasonable steps to investigate and respond to any reports from law enforcement, governmental and quasi-governmental agencies on illegal conducts in connection with the use of the TLD.

POCʹs information will be published and prominently displayed on the Registryʹs webpage.
It will provide the Community with all required details on how to contact the POC, including telephone and email address. To further increase POCʹs visibility, the same information will also be prominently displayed on the Registrar (s) website.

The POC is an individual who can -within 24 hours delay- take action to remedy the situation in the case of a well founded report of illegal, criminal or malicious activity, including allegations of fraud and domain name abuse, involving a domain name registration under .MMA.

4 - Policies for handling complaints regarding abuse

The policies presented herein are intended for the handling of complaints made against the Single Registrant and .MMA registrar(s).

= Policies =

The scope of the Registryʹs jurisdiction is strictly limited to matters relating to the .MMA domain namesʹ complaints, including but not limited to:

* the content of websites corresponding to .MMA domains (such content is subject to MMAʹs conditions on websites content as provided for in the response to question 20 (e)), including objectionable or offensive website content, and
* illegal or malicious use of a .MMA domain name, such as spam or phishing.

The Registry reserves the right not to acknowledge or investigate a complaint that is clearly frivolous, vexatious or abusive, or in MMAʹs opinion has been brought in bad faith.

= Complaints Management process =

* Complaints may be submitted to the Registry via the designated POC.
* Complaints are investigated based on the facts provided.
* Two situations may be distinguished:
* Complaints are taken into account within twenty four (24) hours. They will be handled by the POC directly if the case is obvious.
* If the case is more complex and if a decision cannot be made by the POC alone, the POC will acknowledge receipt within twenty four (24) hours and indicate the timeframe by which a response can be provided. The complaint is then forwarded to a two members Abuse Commission designated by the Registry (This Commission is different from the Delegation Commission which decides on the delegation of a domain name).
* The Abuse Commission endeavors to resolve the complaint as quickly as possible. In the event the complaint lodged with the POC is complex, the Abuse Commission will regularly keep the complainant informed of the progress of the complaint.
* The Abuse Commission, may seek further information from any party to assist with its investigation, and may place a registry server lock on the domain name(s) in question, in order to preserve the status quo whilst the investigation is pending.
* Depending on the POC ⁄ Abuse Commission’s decision, different kind of measures may be taken: suspension or deletion of the domain name for instance. Since there will be only one single applicant, as a general rule, it will not be possible to transfer ownership of the domain to any third party.

Under certain circumstances and to the extent permitted under applicable law, the domain user or the web manager’s details as well as the project’s file may be disclosed (for instance, further to a Court’s order).

5 - Orphan glue records

According to the definition found in the ʺSSAC Comment on the Orphan Glue Records in the Draft Applicant Guidebook”, a glue record becomes an ʺorphanʺ when the delegation point NS record (the ʺparent NS recordʺ) that references is removed while retaining the glue record itself in the zone. Consequently, the glue record becomes ʺorphanedʺ since it no longer has a parent NS record. In such a situation, registrars and registrants usually lose administrative control over the record, and the recordʹs attribution to a certain registrar may become unclear, which makes it a potential vector for abuse.

The glue record policy in effect for the .MMA TLD avoids this situation entirely by disallowing orphan glue records altogether. This corresponds to policy #3 mentioned in section 4.3 (page 6) of the SSAC document mentioned above. The technical implementation within the Registry and its associated zone generation process ensures this by the following measures:

* Any host object which is a glue record can be created only if the domain name exist and is sponsored by the registrar creating the host.
* Any deletion of a domain name which has subordinate hosts can be done only when these hosts are deleted. If these hosts are used in delegations for other .extension domain names, these delegations have to be removed to delete the host objects and then the domain name.

If the sponsored registrar of the domain name cannot remove these delegations (explicit refusal or inactivity from subordinate hosts registrar’s), it is possible to use a specific procedure by asking directly the Registry. Then, the Registry contact the domain name(s)’ registrar who used in delegation the host object(s) and asks him to remove the delegations. Registrars have 10 days to remove these delegations. If there is no removal of delegation within this deadline, the Registry deactivates directly the DNS configuration of the domain name(s) concerned. At the end of the procedure, the Registry informs the sponsored registrar that he can delete the host object(s) and the domain name.

This procedure is directly inspired from an existing AFNIC procedure. It will prohibit the creation of orphan glue records as from the opening of the .MMA

Insofar as the delegation and use of the .MMA domain names is strictly controlled and that domain names will be registered by very few registrars, MMA considers the risk of having orphan glue records in the .MMA zone as low.

WHOIS services – as mentioned in the “Draft Report for the Study of the Accuracy of WHOIS Registrant Contact Information” (whois-accuracy-study-17jan2010-en.pdf) are intended to provide free public access to information about the registrants of domain names.

In the case of the Community MMA TLD, Domain names will be delegated to one single registrant (the Single Registrant).

MMA, in its roles of Registry and Single Registrant, undertakes to keep these data updated. Regular verifications will be performed (at least on an annual basis), especially concerning organization name, contact person, postal address, telephone and email address.

In regard to our Single Registrant structure, this provision will only be relevant to this single entity. Required accuracy will be mainly in relation to the correct name and a valid postal mailing address for the current registered name holder. We thus assume that no further measures to promote Whois accuracy are necessary. Nevertheless, the Registry is committed to ensure WHOIS verification upfront but also to provide searchable WHOIS functionality.

6 - WHOIS accuracy

RFC3912 specifies the Whois protocol and explain it as follows:

Whois is a TCP-based transaction-oriented query⁄response protocol that is widely used to provide information services to Internet users. While originally used to provide ʺwhite pagesʺ services and information about registered domain names, current deployments cover a much broader range of information services. The protocol delivers its content in a human-readable format.

Information about registered domain names is very sensitive. A Registry Operator shall insure the accuracy of the registrant contact information, including administrative, technical and billing contact details. In case of malicious or abusive activity, the Whois contact is usually the first and most important source of information. Whois accuracy is therefore a major step to counter malicious conducts. These information may be required by law-enforcement authorities to identify individuals and organizations responsible for domain names.

The .MMA registry will make a firm commitment to obtaining true and accurate registration details from each registrant in order to maintain a consistent Whois accuracy throughout the registry.

6.1 - Syntactic and semantic registration constraints:

The .MMA registry is firmly committed to run a “thick-registry” with high quality of data. The first step to accuracy is achieved through syntactic and semantic checks which are being carried out at the time of registration of the domain name.

Standard EPP checks: a first set of tests is implemented in compliance with standards:
* RFC 5733, the Extensible Provisioning Protocol (EPP) Contact Mapping, requires contact data to contain a name, a city, a country code and an e-mail address in order to allow or perform a syntactically complete EPP request

Additional checks: the following syntactic checks are implemented:
* a test to ensure that the domain name has the proper number of labels (which is two for a traditional registry that allows only second level domains to be registered),
* a test to ensure that no hyphens occur in position 3 and 4 of any of the domainʹs U-labels (to protect ʺxn--ʺ and future ACE prefixes),
* a test to disallow hyphens at the beginning or end of the name,
* a test to find ASCII characters which are neither a letter, nor a digit or a hyphen,
* a test to find invalid IDN characters, i.e. characters not contained in any of the support IDN character tables
* a test to validate IP address format using the following scheme :
〈ipv4-addr〉 [1-255](\.[0-255]){3,3}
〈ipv6-addr〉 [a-fA-F0-9:]+(:〈ipv4-addr〉)?
* a test to validate telephone and mail format using the following scheme (with specific tests for fr numbers):
〈num tel〉 \+[1-9][0-9]{0,3}〈sp〉[1-9]([〈sp〉\.-]?[0-9])+
〈num tel fr〉 \+33〈sp〉[1-9]([〈sp〉\.-]?[0-9]){8}
〈e-mail〉 (([^\s\(\)\[\]\.\\〉〈,;:ʺ@]+(\.[^\s\(\)\[\]\.\\〉〈,;:ʺ@]+)*)|(ʺ[^ʺ@\\\r\n]+ʺ))@〈label〉(\.〈label〉)*

Additional checks: the following semantic checks are implemented:
* a test to disallow reserved names if authorisation code is not present
* a test to disallow registry reserved names if authorisation code is not present
* a test to disallow ICANN reserved names
* a test to disallow otherwise reserved or unsuitable names
* a test to ensure that at least one address element is given

6.2 - Verification tools

This verification procedure is designed to guarantee the reliability and the accuracy of the Whois database.
The .MMA registry will conduct Whois accuracy verification for compliance with criteria concerning the reliability of registrants identification: the registry will verify whether the information provided by the registrant when registering the domain name contains inaccurate or false information about the registrantʹs identity.
Those verifications will be carried out on a random basis or following a third-party request with the Single Abuse Point of Contact.

The registry may be led to ask registrars for additional information or documents, including the production of documentary evidence of compliance with the reliability of the data provided by the registrant if the registry is in possession of documentary evidence to the contrary (mail returned marked “Not Known at This Address”, bailiff’s report, unidentifiable address, etc.).

A domain name may be blocked under the following circumstances: when a check of the identification data provided by the registrant shows that it is inaccurate or that the registrant appears not to be eligible to register domain names in the .MMA TLD in accordance with the policies that have been set by the Registry.

If the investigation that is carried out by the Registry shows that the registrant is not compliant with such registration policies, the Registry Operator shall be entitled to outright delete such domain name and, as the case may be, put such domain name on a blocked list. However, the deletion of a domain name can only occur after the registrant has been formally asked to rectify the situation and to modify its registration data to comply with eligibility criteria.

During the redemption period, the domain name can be reactivated with the same configuration. Once deleted, the domain name will become available again and can be registered by a new applicant.

6.3 - Whois Data Reminder Policy (WDRP)

In 2003, ICANN adopted the ʺWhois Data Reminder Policyʺ (WDRP, http:⁄⁄www.icann.org⁄en⁄registrars⁄wdrp.htm) which obliges ICANN-accredited registrars to send yearly Whois data reminder notices to registrants. These notices contain the Whois data currently on file for the respective domain, as well as instructions for the registrant about ways to correct the data if required. While the .MMA Registry does not intend to replicate this reminder procedure on the registry level, however MMA will comply with WDRP as expected from an ICANN accredited registrar.

6.4 - Protection against unfair use of Whois service

As stated above, Whois Service gives access to sensitive data, including contact details of registrants. The .MMA registry is committed to insure the protection of these data against abusive behaviours. Firstly, the .MMA registry will implement technical measures to prevent data mining on the Whois, such as automated collection of registrants’ email addresses, which may on their turn be used by third parties for the purposes of spamming. Secondly, the .MMA registry and its registry backend service provider, AFNIC, will deploy all necessary means to secure access to its database, specifically by implementing procedures in order to prevent Unauthorized Data Modifications. These procedures will reinforce the security of both EPP and Web-based access to Whois data.

6.5 - Protection against Data Mining

The .MMA registry database user commits to using the published data according to the laws and regulations in effect. Besides, the user shall respect the provisions of the French Data Protection Act. Violation of this act carries criminal penalties.

As the user is accessing personal data, he must refrain from any collection, misuse or any act that could lead to invasion of privacy or damaging the reputation of individuals.
The Registry can at any time filter the access to its services in case of malevolent use suspicions.

* Captcha: users shall pass a Captcha before access is granted to the web based RDDS.

* Rate-limiting: The registry has chosen limitation measures for the number of requests in order to prevent abuse in the use of personal data and to guarantee the quality of the service.
By a transparent parameter adjustment policy, the registry guarantees quality of service to the punctual users and professionals. The rates and thresholds of this system are described in the registry use case of question Q26.

* White list: The white list mechanism offers specific access for registrars to the port 43 whois considering that the incoming traffic must come from two pre-defined IP address. This white list access offers higher thresholds of rate limiting for the users.

6.6 - Prevention of Unauthorized data modification (Domain functions and control of the domain ⁄ control of use)

Domains are fully controlled by MMA in its roles of Registry and Single Registrant.
The single Registrant will be solely entitled to proceed with any administrative modification of the domain name (such as renewal, update of the Registrant data, etc.).

Technical modifications related to name servers will be asked either directly or through the registrar.
Such precaution, together with the random checks on the use of domain names will enable to limit the potential abuse through .MMA domain names.

Data modification is managed through strict authentication and access policies.
* SSL⁄TLS protocol is used on all interfaces with clients (both EPP and web based SRS).
* a password policy is applied both on the password itself (minimum length, mandatory digits and non-alphanumerical characters), and on the validity term of the password
* use of an SSL client certificate pre-installed by the registry for EPP access.
* IP authentication limited to two addresses.
The .MMA registry backend service provider, AFNIC, will share its experience in the .fr with a view to ensuring effective, timely and sufficient Domain Data Access Control.

6.7 - Prevention from other abusive conducts

= DNSSEC (cache poisoning) =

One of the main authentication issue encountered on the DNS is the cache poisoning issue. This directly affects DNS service integrity without the attacker having to corrupt or modify data in the registry database.
The answer to this issue is implementation and deployment of DNSSEC. The registry operator already successfully manages DNSSEC-enabled zones: on September, 29th 2010, the .MMA registry back-end service provider, AFNIC, finished adding its 6 ccTLDs key materials (DS records) into the IANA root zone, ending with .FR after extensive tests with its other TLDs. Since then, related DNSSEC operations and monitoring are spread inside the organization, alongside all other standard day to day operations, so that DNSSEC is a core service enabled by default.

= Domain name Sniping (grabbing) =

Domain name sniping refers to the practice of trying to re-register potentially interesting domain names immediately after they are deleted.
The .MMA Registry supports the Redemption Grace Period as proposed by ICANN and implements it in full compliance with RFC 3915 (ʺDomain Registry Grace Period Mapping for the Extensible Provisioning Protocol (EPP)ʺ). This greatly reduces the possibility of a domain name being “forgotten” by its registrant.

= Domain name tasting =

Domain name testing is a practice using the 5-days Add Grace Period (AGP) during which a newly created domain name may be deleted with a refund of the domain fee to check if the domain name is of interest or not. AGP is implemented and therefore domain name testing has to be dealt with. However, considering the fact that the .MMA is intended to be a single registrant-TLD, the chances that this process will be effectively used is rather limited, although the AGP is common practice and corresponds to the policies of almost all existing generic top-level domains.

In 2008, ICANN introduced the ʺAGP Limits Policyʺ (http:⁄⁄ www.icann.org⁄en⁄tlds⁄agp-policy-17dec08-en.htm) which addresses these issues resulting from the Add Grace Period. The .MMA registry, will fully implement this policy by restricting Add Grace Period refunds to registrars according to the limits specified by the policy.

The number of operations concerned are included in ICANN reports and related report columns are :
* number of AGP deletes (ʺdomains-deleted-graceʺ)
* number of exemption requests (ʺagp-exemption-requestsʺ)
* number of exemptions granted (ʺagp-exemptions-grantedʺ)
* number of names affected by granted exemption request (ʺagp- exempted-domainsʺ)

7 - Abuse prevention and mitigation policies and procedures

The essence of any abuse prevention and mitigation policy is to strengthen the background checks on all applicants “to protect the public interest in the allocation of critical internet resources”.
For our Single Registrant structure, enabling effective risk mitigation will be as follows:

7.1 - No automatic domain registrations: The Delegation Commission’s filter

Before the registration of a domain name, a Delegation Commission will be in charge of the validation of the project, including the required domain name and its intended use. Apart from the adequacy with the Community interests and values, elements such as third parties rights, geographical names, public order and common interest will be taken into account. Any content which may raise risks, be potentially confusing or deceptive, or have a negative impact on the consumer, will be automatically excluded.

7.2 - Random Checks in respect of the use of the domain names

After the registration of a domain name and the activation of the related website, random checks will be performed by the Delegation Commission which granted the right of use of the domain name.

If the use of the domain name does not match the project validated by the Delegation Commission, the Delegation Commission may initiate a Registry procedure aimed at protecting MMAʹs Community, domain users and third parties:

* The domain user must remedy the issue raised by the Delegation Commission within 72 hours.
* After these 72 hours, if the Commission finds that the issue is remedied, i.e. the domain is used as for its intended use, the file is then closed.
* If the issue is not remedied, the Delegation Commission may decide on suspension of the use of the domain⁄ site or deletion of the domain.
* The domain user may appeal this decision in writing within a reasonable lapse of time with the Highest Representative of the Registry.

7.3 - Sensitization to Pharming and Phishing

In relation to pharming and phishing practices, the Registry will implement regular and frequent warnings and explanations on the Registry website and will use any means to sensitize Community members and users to such patterns, e.g. emailing the Community members, warning on the .MMA websites, possibility to reach the Abuse Point of Contact for these practices.

7.4 - Registry Commitments

The Registry is committed:
* to implement the requirements for thick Whois (management by the Registry)
* to publish anti-abuse Point of Contact as well as suspension procedures

Given its Brand Community nature and its structure, the .MMA constitutes in itself a measure of protection against possible abuses.

8 - Resourcing

One Point of Contact from the legal department is in charge of receiving the complaints and to make a decision:
* either the case is obvious and the POC takes immediate action, or
* the situation is more complex and the POC submits the Complaint to the Abuse Commission.

The Abuse Commission consists of 2 members from the legal department in charge of dealing with complaints which are too complex to be handled by the POC. Members of the Abuse Commission are different from those composing the Delegation Commission.

The POC and the Abuse Commission members will be chosen among Community members, and according to the following criteria:
* Legal skills: the POC and Abuse Commission must have the experience and capability to assess abuse claims,
* Technical skills: the POC and Abuse Commission must have a good understanding of the basic functioning of domain names and basic knowledge of the Internet architecture.

POC and Abuse Commission will be designated on the GO-Live date of the Registry. Substitutes to the POC and to members of the Abuse Commission will also be designated to palliate any absence.

The registry services provider AFNIC, provides the following resources :

Initial Implementation: Thanks to the experience and prior investment by its Registry Back-end Service Provider (AFNIC), the .MMA Registry already supports the above mentioned technical abuse prevention and mitigation measures. No additional engineering is required for these, nor are additional development resources needed.

Ongoing maintenance: In support of the Registry Operator’s staff allocated to this function, AFNIC will havespecially trained support staff available to assist in the implementation of potential verifications and takedown procedure for the prevention and resolution of potential abuse. Given the scale of the .MMA as well as the restrictive nature of its registration policy, we estimate that this would require no more than 10 man days per year of AFNIC’s anti-abuse support staff.

Similar gTLD applications: (0)

gTLDFull Legal NameE-mail suffixzDetail