[DNS-Abuse-Measurements] abuse suspension of infrastructure domain names

Theo Geurts gtheo at xs4all.nl
Fri May 1 11:19:28 UTC 2020


I think there are a few issues at play here.

We have a few clients with critical infrastructure domains. We are aware 
of such domain names and our abuse team has a clear set of instructions, 
plus they are locked at the registry level for obvious reasons.

That will not prevent a registry from suspending a domain name 
(regardless of whether you are a registrar or not). What we can observe 
from the digital COVID outbreak is that blocklists were popping up left 
and right with tons of false positives. If such blocklists are 
automatically parsed by gTLD registries it will cause issues.

To counter blocklist issues, the https://www.cyberthreatcoalition.org/ 
blocklist only contains IOCs that are flagged by 10+ different parties. 
Anything below that threshold will not make the blocklist.

Best,

Theo Geurts

Realtime Register B.V.

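The two controls Theo describes above, a consensus threshold before an IOC enters a blocklist and a locked set of infrastructure domains that automation must not suspend, plus the hostname-versus-registrable-domain distinction behind Andrey's sharedserver.$suspendeddomain.com case, as an added example that is not code from either poster, from the Cyber Threat Coalition or from Realtime Register. The feed names, the .example domains, the 12-feed sample data and the `registrable_domain` helper (a one-label-suffix simplification of the Public Suffix List) are all constructed assumptions.

```python
"""Consensus-threshold blocklist aggregation with an infrastructure allowlist.

Added example for the mailing-list discussion; not code from the posters or
any named organisation. All feeds and domains below are constructed.
"""
from collections import defaultdict

# Constructed: 12 hypothetical threat feeds, each listing the domains it flags.
FEED_NAMES = [f"feed{i:02d}" for i in range(1, 13)]
SAMPLE_FEEDS = {}
for i, name in enumerate(FEED_NAMES):
    entries = []
    if i < 11:
        entries.append("badsite.example")                  # flagged by 11 feeds
    if i < 10:
        entries.append("sharedserver.example-hosting.example")  # a hacked host, 10 feeds
        entries.append("EXAMPLE-HOSTING.example.")         # its parent domain, messy casing
    if i < 2:
        entries.append("lonely.example")                   # only 2 feeds: likely a false positive
    SAMPLE_FEEDS[name] = entries

# Constructed: domains the abuse team has recorded as infrastructure and locked.
INFRA_DOMAINS = {"example-hosting.example", "cloudenv.example"}


def normalise(ioc):
    """Lower-case and strip a trailing dot so the same domain counts once."""
    return ioc.strip().lower().rstrip(".")


def registrable_domain(hostname, suffix_labels=1):
    """Return the registrable domain (last suffix_labels+1 labels).

    Assumption for the demo: a one-label public suffix such as .example.
    A real deployment would consult the Public Suffix List (e.g. co.uk).
    """
    labels = normalise(hostname).split(".")
    return ".".join(labels[-(suffix_labels + 1):])


def consensus_blocklist(feeds, threshold=10):
    """Keep only IOCs that at least `threshold` independent feeds agree on."""
    sources = defaultdict(set)
    for feed_name, entries in feeds.items():
        for entry in entries:
            sources[normalise(entry)].add(feed_name)
    return {ioc: sorted(names) for ioc, names in sources.items()
            if len(names) >= threshold}


def triage(ioc, infra_domains):
    """Decide what automated abuse handling may do with a consensus IOC.

    Returns (decision, target). Infrastructure domains are never auto-suspended:
    a hostname beneath one is actioned at the host level only, and the apex
    itself goes to a human.
    """
    host = normalise(ioc)
    base = registrable_domain(host)
    if base in infra_domains:
        if host == base:
            return ("hold_for_manual_review", base)
        return ("act_on_hostname_only", host)
    return ("eligible_for_domain_action", base)


def actionable(feeds, infra_domains, threshold=10):
    """Combine both controls: threshold first, then the infrastructure check."""
    return {ioc: triage(ioc, infra_domains)
            for ioc in consensus_blocklist(feeds, threshold)}


if __name__ == "__main__":
    for ioc, (decision, target) in sorted(actionable(SAMPLE_FEEDS, INFRA_DOMAINS).items()):
        print(f"{ioc:45} {decision:28} -> {target}")
```

With the constructed feeds, `lonely.example` never reaches the blocklist, `badsite.example` is eligible for action at the domain level, the hacked `sharedserver.*` host is actioned only as a hostname, and the apex `example-hosting.example` is held for a person even though ten feeds listed it. Raising `threshold` trades detection latency for fewer false positives, which is the trade-off the 10+ rule makes.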
On 27-4-2020 18:57, Andrey Nesterenko via DNS-Abuse-Measurements wrote:
> Dear community,
>
> I am a representative of a hosting service company. Today one of our 
> domain names has been suspended by the domain registrar because of spam 
> abuse. The domain name is in fact an infrastructure domain name which we 
> have used since 2005 for some DNS servers and in server names. Here is 
> what happened - spam was sent from a hacked script on one of the cPanel 
> shared hosting servers. And this server has this naming convention - 
> sharedserver.$suspendeddomain.com
>
> Of course, this domain name has nothing to do with that spam, but this 
> suspension resulted in a major outage (fortunately not that long) for 
> many services and customers in our global infrastructure.
>
> I don't think it is a good idea to post here the domain name in 
> question and the corresponding registrar because my concern here is not 
> how their abuse team handled that, but about getting some feedback from 
> the community and ICANN.
>
> Would it be a good idea to protect such kinds of domain names used in the 
> infrastructure of certain businesses from being suspended immediately 
> for such low priority cases? There are a lot of companies like us who 
> have just a few domain names important for DNS and resolving routing 
> infrastructure tasks and they have to be protected somehow.
>
> This is the second time it has happened to us so far. The first time 
> it was with the .host registry a few years ago when they suspended another 
> domain name used in our PaaS cloud infra: each environment had a 
> domain name set up in such a way - env-123456.mircloud.host - exactly 
> the same way as other cloud providers. Of course, it is possible that 
> one of the customers can host phishing tools or viruses on such 
> subdomains, but it should never mean blocking the whole domain name 
> entirely. That time it was blocked directly by Radix btw.
>
> Any ideas and feedback here to help us deal with such situations other 
> than becoming a registrar ourselves?
>
> Andrey Nesterenko
> MIRhosting
>
> _______________________________________________
> DNS-Abuse-Measurements mailing list
> DNS-Abuse-Measurements at icann.org
> https://mm.icann.org/mailman/listinfo/dns-abuse-measurements