abuse suspension of infrastructure domain names
Dear community,

I am a representative of a hosting service company. Today one of our domain names was suspended by our domain registrar because of spam abuse. The domain name is in fact an infrastructure domain name which we have used since 2005 for some DNS servers and in server names. Here is what happened: spam was sent from a hacked script on one of the cPanel shared hosting servers. And this server has this naming convention - sharedserver.$suspendeddomain.com

Of course, this domain name has nothing to do with that spam, but this suspension resulted in a major outage (fortunately not that long) for many services and customers in our global infrastructure.

I don't think it is a good idea to post here the domain name in question and the corresponding registrar, because my concern here is not how their abuse team handled that, but getting some feedback from the community and ICANN.

Would it be a good idea to protect such domain names, used in the infrastructure of certain businesses, from being suspended immediately for such low-priority cases? There are a lot of companies like us who have just a few domain names important for DNS resolving and routing infrastructure tasks, and they have to be protected somehow.

This is the second time it has happened to us so far. The first time it was with the .host registry a few years ago, when they suspended another domain name used in our PaaS cloud infra: each environment had a domain name set up in such a way - env-123456.mircloud.host - exactly the same way as other cloud providers do. Of course, it is possible that one of the customers can host phishing tools or viruses on such subdomains, but it should never mean blocking the whole domain name entirely. That time it was blocked directly by Radix, btw.

Any ideas and feedback here to help us deal with such situations, other than becoming a registrar ourselves?

Andrey Nesterenko
MIRhosting
Andrey,

I sympathize. As a registrar, we are running into situations where registries are discovering a domain on a blocklist and demanding that we take the domain down or they will. In some cases, the registry is amenable to conversations along the lines of "this is an infrastructure domain name" or "we have discussed it with the customer, which was hacked, and the issue has been remediated", but some registries are demanding that we (or the registrant) take it up with the blocklist and will not accept any excuses until the domain is off the list.

I understand that this is at a different level (registry vs. registrar), but I also understand that there are many reasons that a domain might get used for DNS abuse that ought not to result in suspension of the domain. I do not understand how to convey this concept in a manner that trigger-happy parties understand.

/R

--
Reg Levy
Head of Compliance
Tucows
D: +1 (323) 880-0831
O: +1 (416) 535-0123 x1452
UTC -7
On 27 Apr 2020, at 09:57, Andrey Nesterenko via DNS-Abuse-Measurements <dns-abuse-measurements@icann.org> wrote:
_______________________________________________
DNS-Abuse-Measurements mailing list
DNS-Abuse-Measurements@icann.org
https://mm.icann.org/mailman/listinfo/dns-abuse-measurements

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list in accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
I think there are a few issues at play here.

We have a few clients with critical infrastructure domains. We are aware of such domain names and our abuse team has a clear set of instructions; plus, they are locked at the registry level for obvious reasons. That will not prevent a registry from suspending a domain name (regardless of whether you are a registrar or not).

What we can observe from the digital COVID outbreak is that blocklists were popping up left and right with tons of false positives. If such blocklists are automatically parsed by gTLD registries, it will cause issues.

To counter blocklist issues, the https://www.cyberthreatcoalition.org/ blocklist only contains IOCs that are flagged by 10+ different parties. Anything below that threshold will not make the blocklist.

Best,

Theo Geurts
Realtime Register B.V.
Hello,

I think time (and so, money) is the most critical resource on all sides.

From a RO perspective: before taking down a domain name one *should* do some research to make sure that 1) the abuse report is evident, 2) the reason for taking down the domain name is sufficient, and 3) the registrar has been contacted for clarification, to make sure that such things don't happen. Of course, this would be the ideal.
"Any ideas and feedback here to help us deal with such situations other than becoming a registrar ourselves?"

First, I suggest talking to the registrar and trying to establish better communication and processing regarding abusive domains in your portfolio.
Best,
Matthias
Others have hinted at this, so I'll just say it directly.

The best advice for you is to move your domain portfolio to a "better" registrar. In this case, "better" is defined as one with which you have an excellent working relationship and, specifically, one that is in it to protect your domain name just as you are. You should expect to have to pay an above-average fee for this service. However, I suspect that fee is far below the cost of becoming your own registrar.

Many registrars have good practices, just as many registries do. However, the system allows for judgement calls, properly so, and it's entirely possible you can get caught up in the noise sometimes. You never know what's really in progress from a security point of view.

"White glove" service for your critical domains is what the market provides, and there are a number of registrars who provide varying levels of such services. Choose one that offers what you need. Note that registrars with such services typically have excellent relationships with many of the registries, so you actually get two benefits. Ask about this if it's a concern for you.

Jim
Hello,

Thank you all for the comments and suggestions.

From my side, I agree that we should see if we can find "a better registrar" in terms of relationship, at least for our own critical domains. However, I still think that it might be a good idea to have a way to protect certain domain names in a more solid way, instead of relying on good relationships and abuse best practices. It's not my level of discussion and decisions, of course; it's the registrar/registry or probably ICANN. My level is network and hardware infrastructure, and it's scaring me that any single silly mistake or harmless abuse activity by someone can lead to a major outage for many resources and projects. I would expect to see it as a "must have" thing at registry level.

I realize it raises a lot of questions: how they should be qualified for, and who has to do that and how. Still, it is something that can help to have a better Internet, I believe.

Andrey Nesterenko
MIRhosting

------ Original Message ------
From: "James Galvin" <jgalvin@afilias.info>
To: "Andrey Nesterenko" <andrey@mirhosting.com>
Cc: dns-abuse-measurements@icann.org
Sent: 05.05.2020 18:56:00
Subject: Re: [DNS-Abuse-Measurements] abuse suspension of infrastructure domain names
I'd echo what Jim said.

What you're asking for is not unreasonable, but it's the kind of thing where you'd need to choose a registrar that:

* Knows about the domains which are "key"
* You have a good relationship with

That means that you might have to pay a bit more for your domains, but if they are crucial technical infrastructure then that's a cost that you shouldn't have an issue with.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com
https://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

From: DNS-Abuse-Measurements <dns-abuse-measurements-bounces@icann.org> on behalf of Andrey Nesterenko via DNS-Abuse-Measurements <dns-abuse-measurements@icann.org>
Reply to: Andrey Nesterenko <andrey@mirhosting.com>
Date: Wednesday 6 May 2020 at 09:20
To: James Galvin <jgalvin@afilias.info>
Cc: "dns-abuse-measurements@icann.org" <dns-abuse-measurements@icann.org>
Subject: Re: [DNS-Abuse-Measurements] abuse suspension of infrastructure domain names
participants (6)
- Andrey Nesterenko
- James Galvin
- Matthias Pfeifer | dotBERLIN GmbH & Co. KG
- Michele Neylon - Blacknight
- Reg Levy
- Theo Geurts