Contractual Compliance Twelve-Month Trends on DNS Abuse Reporting

On 5 April 2024, the new DNS Abuse mitigation obligations included in the Registrar Accreditation Agreement (RAA) and the Base Registry Agreement (RA) became effective.

To illustrate historical trends over time, the reports below will be published as a 12-month rolling series, updated every month, and will focus on complaints received and addressed under these new DNS Abuse requirements.

To align with the effective date and relevant DNS Abuse data that was captured, April 2024 will remain the starting date for these reports until 12 months have passed (March 2025).

Description of New DNS Abuse Reports

DNS Abuse Complaints Received Against Registrars and Registry Operators

These reports show the volume of external complaints received against registrars and registry operators, respectively, that allege DNS Abuse. To be as detailed as possible, the reports are broken out by DNS Abuse type - they list all external complaints received alleging malware, botnets, phishing, pharming, and spam used to deliver DNS Abuse. As one single complaint can (and often does) report multiple types of DNS Abuse associated with the reported domain name(s) (e.g., one domain name is used to conduct a phishing attack and to send spam emails which deliver the phishing), the sum of the DNS Abuse types in these reports will be greater than the total of individual DNS Abuse complaints received within the month.

These reports show all external complaints received in which the complainants selected one or more DNS Abuse type(s) in the Contractual Compliance webform. These do not equal the number of complaints received with validated and actionable allegations of DNS Abuse. For example, these reports include complaints that were subsequently closed for lacking evidence that the complainant had first submitted its complaint to the registrar or registry operator or because they referred to country-code top-level domains, which are outside of ICANN Contractual Compliance's enforcement authority. These also include complaints that were submitted alleging DNS Abuse but were processed under other applicable RA or RAA obligations due to lack of evidence that any type of DNS Abuse was ever substantiated to the contracted party or to ICANN. ICANN Contractual Compliance conducts a comprehensive review of each complaint and closes complaints (with a comprehensive explanation sent to the complainant) or re-categorizes them as necessary. Additional reports have been included to detail actions taken on actionable DNS Abuse complaints.

Number of Compliance Notifications Sent to Registrars and Registry Operators Under DNS Abuse Requirements by DNS Abuse Type

These reports show the volume of compliance notifications sent to registrars and registry operators resulting from actionable complaints with allegations of DNS Abuse. These actionable DNS Abuse complaints triggered compliance investigations conducted through these notifications, subsequent communications with the relevant contracted parties and the review of multiple records and data related to each case. Each notification generally includes the complaint received and evidence as well as an itemized list of the information and records required from the contracted party to demonstrate compliance and by when.

One single complaint can and often report multiple types of DNS Abuse associated with the reported domain name(s); therefore, the sum of the DNS Abuse types in these reports will not equal the total of individual DNS Abuse notifications sent within the month. One single complaint can also report one or multiple domain names used for DNS Abuse.

ICANN Contractual Compliance reports also indicate how many notifications were sent to registrars under Section 3.18.3 of the RAA. These are cases that result from reports submitted to a registrar by a law enforcement agency or other public authorities within the jurisdiction in which the registrar is established or maintains a physical office.

Invalid or Unactionable Complaints Received Against Registrars and Registry Operators by DNS Abuse Type

These reports show the number of unactionable complaints received alleging DNS Abuse broken down by DNS Abuse type. These external complaints were closed without contacting the registrar or registry operator. The reports specify the reason why the complaint was deemed unactionable.

These external complaints often entail multiple communications between ICANN Contractual Compliance and the complainants to request and assess additional information and records to determine whether any action can be taken under the RAA or RA. When closing these unactionable complaints, ICANN Contractual Compliance sends to the complainant an explanation why the complaint is not actionable and other avenues the complainant may consider pursuing.

Monthly Detail of Reasons for Resolving Cases with Registrars and Registry Operators by DNS Abuse Type

These reports show the number of cases addressed and resolved with contracted parties resulting from actionable DNS Abuse complaints and the reason why the case was deemed resolved. The reasons why a case is deemed resolved include whether the contracted party took mitigation action to disrupt or to stop the DNS Abuse and which action. For example, the registrar suspended the domain name or requested the reseller or registrant to take action that then resulted in the threat being disabled; or the registrar did not have actionable evidence of the DNS Abuse.

DNS Abuse cases resolved with registrars and registry operators involving maliciously registered vs. compromised domains

These reports show the number of individual cases addressed and resolved with registrars or registry operators under DNS Abuse requirements for which the reported domain names where deemed to be maliciously registered versus those that included compromised domain names. This distinction is made by the ICANN Contractual Compliance processor when resolving the case and is based on all the information regarding the domain name(s) obtained by ICANN Contractual Compliance when validating the complaint and when addressing it with the contracted party.