<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Helvetica Neue";
panose-1:2 0 5 3 0 0 0 2 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:469250854;
mso-list-template-ids:-389638324;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:899169418;
mso-list-template-ids:-1983753996;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:1096439106;
mso-list-template-ids:821094704;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="EN-IE" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Samaneh<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Do you have slides from the DAAR session?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US">Michele<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">--<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">Mr Michele Neylon<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">Blacknight Solutions<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">Hosting, Colocation & Domains<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">https://www.blacknight.com/<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">https://blacknight.blog/<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">Intl. +353 (0) 59 9183072<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">Direct Dial: +353 (0)59 9183090<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">Personal blog: https://michele.blog/<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">Some thoughts: https://ceo.hosting/
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">-------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:black">Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845</span><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-GB" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">DNS-Abuse-Measurements <dns-abuse-measurements-bounces@icann.org> on behalf of Samaneh Tajalizadehkhoob via DNS-Abuse-Measurements
<dns-abuse-measurements@icann.org><br>
<b>Reply to: </b>Samaneh Tajalizadehkhoob <samaneh.tajali@icann.org><br>
<b>Date: </b>Tuesday 12 November 2019 at 12:00<br>
<b>To: </b>"dns-abuse-measurements@icann.org" <dns-abuse-measurements@icann.org><br>
<b>Cc: </b>David Conrad <david.conrad@icann.org><br>
<b>Subject: </b>[DNS-Abuse-Measurements] Highlights of ICANN 66 DAAR session<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black">Again we welcome members of the DNS Abuse measurement mailing list.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black">We have created this mailing list as a part of DAAR improvement process and followed by requests from the community for more transparency on the DAAR progress. The goal of the list
is to facilitate DNS Abuse/security measurement discussions including but not limited to those related to DAAR.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black">To start the discussion as the DAAR project owner and the mailing list facilitator, hereby I draft a couple of highlights of our DAAR session at ICANN66 in Montreal for those that were
not able to attend the session:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black">The feedback we have received up to now regarding the DAAR improvement process<o:p></o:p></span></p>
</div>
<ul style="margin-top:0cm" type="disc">
<li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo1;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Requests for more transparency on DAAR progress
<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo1;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Re-aggregating the DAAR data <o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo1;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Adding threat domain time-to-live data
<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo1;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Adding ccTLDs to DAAR <o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo1;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Adding registrar metrics to DAAR <o:p>
</o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo1;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Publishing DAAR detailed data <o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo1;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Distinguishing between maliciously registered domains and compromised one
<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo1;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Better articulation of DAAR’s goal in monthly reports and documentation
<o:p></o:p></span></li></ul>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black">The changes we have made<o:p></o:p></span></p>
</div>
<ul style="margin-top:0cm" type="disc">
<li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Sharing DAAR data with registries via MOSAPI: Now each gTLD registry can view their own reputation data per security threat type via MOSAPI. For more information please contact
<a href="mailto:globalSupport@icann.org"><span style="color:#124F92">globalSupport@icann.org</span></a>.
<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Re-Aggregating DAAR statistics including those in the monthly report from a snapshot metric (measures for a specific day of the month) to a monthly median metric.
<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">We used <b>Restriction Type</b> as another metric to cut the data, on top of the TLD Type (based on our definition legacy versus new) that we already had. Plotting the data demonstrated that almost all threat types
are populated with security threat domains within <b>generic</b> gTLDs. This is while certain security threat types such as Botnet C&C have 25% of their abuse (10000 domains) located in
<b>generic restricted </b>gTLDs and Spam has around 5% of their total security threat domains (equal to 25000 domains) located in
<b>Brand</b> gTLDs. <o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Carried out an inferential analysis of potential relationships with abuse drivers. For instance, showed that “Size of a zone file” can be an
<b>explanatory factor</b> for the concentrations of security threat domains but it can also be an indicator of
<b>attack surface size </b>for attackers. <o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Using a GLM statistical model we modeled all the security threat drivers that we could collect data on and demonstrated that size of a TLD, type of a TLD and restriction type of a TLD plays a statistically significant
role in explaining security threat concentrations. <o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">To bring more transparency on the DAAR project and its progress we made the
<a href="mailto:dns-abuse-measurements@icann.org">dns-abuse-measurements@icann.org</a> mailing list
<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Upon many requests from ccTLDs, as of the ICANN66 meeting ccTLDs are able to provide their zone files for inclusion in DAAR. This means that they will be able to pull their own aggregated DAAR data via MOSAPI. The
process is simple, ccTLDs need to send an email to <a href="mailto:globalSupport@icann.org">
<span style="color:#124F92">globalSupport@icann.org</span></a> with the subject: ccTLDs access to the DAAR data. We encourage those parties interested to come forward and participate.<o:p></o:p></span></li></ul>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black"><br>
<br>
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue";color:black">Moving forward we intend to work on<o:p></o:p></span></p>
</div>
<ul style="margin-top:0cm" type="disc">
<ul style="margin-top:0cm" type="disc">
<li class="MsoNormal" style="color:black;mso-list:l1 level2 lfo3;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">DAAR v2 <o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l1 level2 lfo3;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Incorporating more Reputation Black/Block lists (RBLs)
<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l1 level2 lfo3;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Developing RBL evaluation cycle <o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l1 level2 lfo3;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Developing Registrar metrics <o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l1 level2 lfo3;font-stretch: normal">
<span style="font-family:"Helvetica Neue"">Reviewing other factors that drive security threat within registrars and registries
<o:p></o:p></span></li></ul>
</ul>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Cheers,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Samaneh Tajalizadehkhoob, PhD<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Lead SSR specialist<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">ICANN Office of CTO <o:p></o:p></p>
</div>
</div>
</body>
</html>