<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Mark,</p>
<p>I think the times of legitimate high volume requests have passed.
There are now less invasive methods of confirming domain ownership
- such as modifications to the DNS records - that do not require
knowing the personal data whom the domain belongs to. High volume
requests are almost always an indicator for abuse.</p>
<p>You have a point about request formats and we should allow some
leeway for formats that have been accurate recently.</p>
<p>If the data has actually changed, then that would not be a
request for the same data anymore. But I I think we need to have
some form of cap for requests for the dame domain by the same
requestor. Two to three requests over the course of as many
months probably would not count as abusive.</p>
<p>Circumventing legitimate rate limits is abusive use of the system
as those limits are there for a reason. If multiple vendors are
used that access the data, each of those vendors would have to be
accredited seperately and therefore not fall under the
circumvention rule. If those vendors are however affiliated
entities, this would be different. Which brings me to another
affiliation requirement: Provide list of all affiliated entities
that are already accredited, or have applied for accreditetion,
similar to the obligation of registrars to provide lists of all
affiliated registrars to ICANN.<br>
</p>
<p>I think the terms harvesting and mining speak for themselves but
I assume we can find a commonly acceptable definition. <br>
</p>
<p>Best,</p>
<p>Volker<br>
</p>
<div class="moz-cite-prefix">Am 09.10.2019 um 04:25 schrieb Mark
Svancarek (CELA) via Gnso-epdp-team:<br>
</div>
<blockquote type="cite"
cite="mid:MWHPR21MB0512C588244F2EFDF082097BD1950@MWHPR21MB0512.namprd21.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:"Helvetica Neue";}
@font-face
{font-family:"Helvetica Neue Light";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.p1, li.p1, div.p1
{mso-style-name:p1;
margin:0in;
margin-bottom:.0001pt;
font-size:9.0pt;
font-family:"Helvetica Neue";}
p.p2, li.p2, div.p2
{mso-style-name:p2;
margin:0in;
margin-bottom:.0001pt;
font-size:9.0pt;
font-family:"Helvetica Neue";}
p.li1, li.li1, div.li1
{mso-style-name:li1;
margin:0in;
margin-bottom:.0001pt;
font-size:9.0pt;
font-family:"Helvetica Neue";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Helvetica Neue";
color:windowtext;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:948396141;
mso-list-type:hybrid;
mso-list-template-ids:469802438 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:JA">Thanks,
James. Here are my concerns:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:JA"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1"><span
style="font-size:11.0pt;mso-fareast-language:JA">Some
abuse may be high-volume, but high volume is not
inherently abusive. If there are industry-standard
methods for distinguishing denial-of-service attacks from
other high-volume activity, we should adopt them here.<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1"><span
style="font-size:11.0pt;mso-fareast-language:JA">Request
formats may change over time. Use of outdated formats
during a transition period is not abusive.<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1"><span
style="font-size:11.0pt;mso-fareast-language:JA">Subsequent
requests for data where the format has been improved (e.g.
missing fields have been populated; more appropriate basis
has been submitted; more information that has been
discovered during an ongoing investigation is added; etc.)
is acceptable.<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1"><span
style="font-size:11.0pt;mso-fareast-language:JA">Repeated
requests for a domain name record over are justifiable
when it is reasonable to assume that domain name
registration data is likely to have changed during an
investigation. <o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1"><span
style="font-size:11.0pt;mso-fareast-language:JA">In the
Port 43 public WhoIs system some requestors used multiple
and/or spoofed IP addresses to avoid rate limits imposed
by registrars. Until issues of SLAs and funding are
resolved, we cannot assume that rate limiting, or quota
systems, will apply to SSAD. Whatever systems are
ultimately put in place, the following observations about
IP addresses and distributed requests should be
considered: <o:p></o:p></span></li>
<ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level2 lfo1"><span
style="font-size:11.0pt;mso-fareast-language:JA">It is
not unusual to have a case worked on by multiple
vendors/attorneys/platforms (e.g. one organization for
initial take down requests, another to handle
escalations, outside counsel for follow-up and/or suit).<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level2 lfo1"><span
style="font-size:11.0pt;mso-fareast-language:JA">It is
not unusual to have a case worked on from multiple
geographies.<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level2 lfo1"><span
style="font-size:11.0pt;mso-fareast-language:JA">It is
not unusual for a requestor to use a VPN.<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level2 lfo1"><span
style="font-size:11.0pt;mso-fareast-language:JA">Credentialed
access should be based on credentials and be neutral to
IP addresses - so mitigations based on IP addresses are
only applicable for the noncredentialled users of SSAD,
if at all.<o:p></o:p></span></li>
</ul>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1"><span
style="font-size:11.0pt;mso-fareast-language:JA">I am very
concerned about the undefined terms “harvesting” and
“mining”, which seem to me to be more about intent than
any specific activity. Until we specifically describe the
behavior to be blocked, we should remove the last bullet.<o:p></o:p></span></li>
</ul>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:JA"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:JA">/marksv<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:JA"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Gnso-epdp-team
<a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team-bounces@icann.org"><gnso-epdp-team-bounces@icann.org></a>
<b>On Behalf Of </b>James M. Bladel<br>
<b>Sent:</b> Tuesday, October 8, 2019 7:15 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:gnso-epdp-team@icann.org">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> [Gnso-epdp-team] "Abusive" use of SSAD<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:"Helvetica
Neue"">Colleagues – <o:p>
</o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica
Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica
Neue"">Following up with my homework from last
Thursday, here is the non-exhaustive list of “abusive” SSAD
behaviors.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica
Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica
Neue"">I’ve been in discussions with Mark SV, and note
that he has some concerns. Expect his comments/edits in a
separate message that will be a fast-follow to this post.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica
Neue""><br>
Thanks—<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica
Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Helvetica
Neue"">J.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Helvetica Neue
Light"">-------------<o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Helvetica Neue
Light";color:#00B050">James Bladel<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Helvetica Neue
Light"">GoDaddy</span><span
style="font-family:"Helvetica Neue Light""><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-family:"Helvetica",sans-serif;color:black">“Abusive”
use of SSAD may include (but is not limited to) the
following behaviors/practices:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-family:"Helvetica",sans-serif;color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:1.25in;text-indent:-.25in"><span
style="font-family:"Helvetica",sans-serif;color:black">1. High
volume submissions of malformed or incomplete requests.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:1.25in;text-indent:-.25in"><span
style="font-family:"Helvetica",sans-serif;color:black">2. Frequent
duplicate requests that were previously fulfilled or denied.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:1.25in;text-indent:-.25in"><span
style="font-family:"Helvetica",sans-serif;color:black">3. Use
of distributed or spoofed source addresses or platforms to
circumvent quotas or rate limits.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:1.25in;text-indent:-.25in"><span
style="font-family:"Helvetica",sans-serif;color:black">4. Use
of false or counterfeit credentials to access the system.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:1.25in;text-indent:-.25in"><span
style="font-family:"Helvetica",sans-serif;color:black">5. Storing/delaying
and sending high volume requests with the intention of
causing SSAD or other parties to fail SLA performance.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:1.25in;text-indent:-.25in"><span
style="font-family:"Helvetica",sans-serif;color:black">6. Attempts
or efforts to mine or harvest the data protected by SSAD.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:1.25in;text-indent:-.25in"><span
style="font-family:"Helvetica",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="margin-left:1.25in;text-indent:-.25in"><span
style="font-family:"Helvetica",sans-serif;color:black">As
with other access policy violations, abusive behavior can
result in suspension or termination of access to the SSAD.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-left:1.25in;text-indent:-.25in"><span
style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Gnso-epdp-team mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnso-epdp-team@icann.org">Gnso-epdp-team@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/policy">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/tos">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</pre>
</blockquote>
<div class="moz-signature">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<strong style="border-bottom: 3px solid #5C46B5">KEY-SYSTEMS GMBH</strong><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br>
<br>
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835<br>
CEO: Alexander Siffrin<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a company registered
in England and Wales with company number 8576358.</div>
</body>
</html>