The Messaging Malware Mobile Anti-Abuse Working Group (M³AAWG) called on the Internet Corporation for Assigned Names and Numbers (ICANN) to create new contract requirements for registrars and registry operators to quickly mitigate domain name system (DNS) abuse, such as phishing and malware, that are standardized, clear, implementable, and enforceable. M³AAWG made these recommendations in comments submitted in June 2023, in response to ICANN’s proposal to amend the Base Generic Top-Level Domain (gTLD) Registry Agreement (RA) and standard Registrar Accreditation Agreement (RAA) that apply to all registrars.

Recommendations for Standardization of Abuse Reporting

M³AAWG believes the most important aspect of establishing a format for reporting is to ensure standardization across the contracts. We cannot leave it to registrars and registry operators to implement varied approaches to accepting abuse reports.

M³AAWG recommended the following standards for abuse contacts and reports:

• Email should always be present and accessible as an abuse reporting mechanism.
• The abuse reporting contact address must be unfiltered as abuse reporting addresses may be subject to routine email anti-malware and anti-spam filtering, making it difficult to share samples of malicious or unwanted messages.
• Receipt confirmation should be allowed via an authenticated application programming interface (API) in a standardized format, in addition to other reporting channels. M³AAWG noted that email senders can be spoofed, and a report confirmation could be used as a reflected attack on a third party.
• Standardized web form content and layout and allow practical rate limits on submissions so users can submit attachments up to a reasonable file size limit. This will ensure web forms can manage the high volumes that are often associated with malware attacks and ensure abuse reporters can submit screenshots and other evidence to support the request.

Recommendations Regarding Response Timelines and Actions to be Taken

M³AAWG noted that the proposal lacked clarity regarding what constitutes “reasonable,” “prompt” and “appropriate” mitigation action and urged ICANN to clearly define these obligations in the contracts.

• M³AAWG recommends the registrar take “reasonable and prompt steps (within 3 business days, with the speed proportional to the abuse risk) to investigate, mitigate (where DNS Abuse is detected), and respond appropriately to any acts of abuse.”

Recommendations Regarding the proposed definition of ‘DNS Abuse’

While the quoted typology of abuse includes many common ills that deserve action and remediation (malware, botnets, phishing, pharming, and spam as a delivery mechanism for the other forms of DNS Abuse), the proposed definition is far from complete or sufficiently flexible in a changing abuse environment.

• M³AAWG proposed an addition to the definition of  ‘DNS Abuse’ to include “distributed denial of service (DDoS), Child Sexual Abuse Materials (CSAM), terrorism-promoting content, terrorism funding solicitations, the online sale of controlled substances without a valid prescription, general spam (not referenced in the prior sentence), and the online sale of counterfeit goods.”

As cybercrime and abuse are constantly evolving, the list and definition of what constitutes DNS Abuse is constantly in flux. M³AAWG proposed the implementation of a bi-yearly review, by a diverse group of experts, to avoid outdated definitions or incomplete lists of individually relevant, illicit activities.

M³AAWG’s Goal: Further DNS Anti-Abuse Efforts
Today, many registries and registrars are voluntarily addressing abuse and agree on the basics of anti-abuse, as evidenced by the DNS Abuse Framework. M³AAWG hopes that this effort will further what is already established and that tangible changes will result from ICANN’s efforts to establish standardized, clear, and enforceable actions across all registrars and registry operators.

Additional recommendations can be found in the full report, Comments of the Messaging Malware Mobile Anti-Abuse Working Group (M³AAWG) on ICANN Amendments to the Base gTLD RA and RAA to Modify DNS Abuse Contract Obligations available on the M³AAWG website.

M³AAWG has previously offered comments on various Public Policy initiatives. Visit Public Policy on the M³AAWG website for more.