+1, an actionable report pursuant to 3.18.2 should be enough to trigger ADC. After this first step, a registrar should have the latitude to determine the depth and breadth of ADC informed by the signals/indicators available to them and apply mitigation actions where appropriate.

 

From: Gabriel Andrews via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Reply-To: Gabriel Andrews <gfandrews@fbi.gov>
Date: Wednesday, April 15, 2026 at 5:27 AM
To: "Brian F. Cimbolic" <brian@pir.org>, farzaneh badii <farzaneh.badii@gmail.com>
Cc: "trachtenbergm@gtlaw.com" <trachtenbergm@gtlaw.com>, "volker.greimann@centralnic.com" <volker.greimann@centralnic.com>, "el@lisse.NA" <el@lisse.NA>, "gnso-dnsabuse-pdp@icann.org" <gnso-dnsabuse-pdp@icann.org>, "dns-techs@na-nic.com.na" <dns-techs@na-nic.com.na>
Subject: [EXTERNAL] [Gnso-dnsabuse-pdp] Re: [EXTERNAL EMAIL] - Re: Another numbers request.

 

Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

I'm going to speak for a moment on my own behalf to share experience as an investigator, and not on behalf of the GAC. 

 

Farzi, I believe you correctly identify a commonly employed LE principle that the more privacy-invasive an investigative technique is, the more facts/circumstances that may be required to justify its use.  Policy is often in place such that a LE investigation can only be opened when there are articulable facts indicating a crime has been committed (for which the agency has authority to investigate).  Further, if the investigator wishes to use a particularly privacy-invasive technique, (such as a wiretap to surveil communications in realtime) extensive predication of facts must be presented as to why that level of privacy-invasion is required and couldn't be otherwise satisfied with less privacy invasive techniques.   

 

I believe you incorrectly, however, apply that important principle when you suggest that evidence of a maliciously registered domain - sufficient to trigger 3.18.2 - would not justify taking a look at the other domains registered by that threat actor.  This is a minimally invasive investigative step which would be one of the very first steps to take in an investigation once evidence is received of malicious registrations having been made by that customer.   It makes use only of information already in possession of the registrar (or reseller), it doesn't piece the veil of protected communications, it's merely a step taken - after you have proof that a domain is maliciously registered - to see what other domains that threat actor is also using maliciously.  To not take this step would be, in my view, irresponsible.  

 

Following evidence of malicious registration, an ADC will allow informed mitigative action, which may especially be important to mitigate or prevent victim harm.  Example:  If a threat actor has registered 100 phishing domains in furtherance of a Business Email Compromise scheme, if a registrar takes piecemeal action only against the one or two domains first reported, the threat actor may yet continue their scheme to defraud the additional 98 victims.  Worse, they may accelerate their scheme if already using some of those other 98 domains in communication with victim(s), knowing that the "heat is on".   Whereas, if the Rr performed the ADC before taking mitigative action, they may see all 100 domains, and choose to take comprehensive mitigative action against all the phishing domains simultaneously, greatly mitigating potential harm.  Recognition of this principle is, I believe, the driving purpose behind this PDP.  

 

All this said -  I would greatly benefit from any scenario you might provide in which conducting this simple check might in any way cause harm to an innocent party.  I believe Brian asked for such a scenario/example previously, and I have eagerly awaited the same, recognizing that there may be a situation I simply haven't considered.   

 

 

 

 

 

---

From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: Wednesday, April 15, 2026 3:44 AM
To: Brian F. Cimbolic <brian@pir.org>
Cc: trachtenbergm@gtlaw.com <trachtenbergm@gtlaw.com>; volker.greimann@centralnic.com <volker.greimann@centralnic.com>; el@lisse.NA <el@lisse.na>; gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>; dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>
Subject: [EXTERNAL EMAIL] - [Gnso-dnsabuse-pdp] Re: Another numbers request.

 

I repeat my point, which reflects a global legal practice: the initiation and scope of an investigation must be necessary and proportionate to the available indicators of abuse. We are not confusing investigation and enforcement. Investigative methods themselves, not just penalties, are subject to these requirements. More intrusive or expansive methods must be justified by an initial evidentiary threshold and cannot be used as a default to determine that threshold.

I therefore disagree that ADC is required to assess the nature or extent of an alleged violation. Initial action should be based on indicators derived from the domain itself, such as corroborated abuse reports but also other domain-level signals. We should not be using ADC to determine whether there is sufficient basis to conduct ADC. The appropriate approach is to rely on domain-level indicators first, and only where those establish a sufficient basis, consider more expansive investigative steps, such as examining additional domains associated with an account.

That threshold can be derived from observable indicators of abuse. In phishing cases, for example, the domain string itself can be a strong signal. A domain like “bankofamerica1” may indicate a high likelihood of targeted financial phishing and could justify further scrutiny. By contrast, domains like “youtubee[.]com” or “craigslit[.]com” may suggest typosquatting and potential malware, but those indicators alone do not justify expanding the scope of investigation to associated domains.

The point is that not all indicators justify the same investigative response. The scope of the investigation must be calibrated to the strength and nature of the indicators, and ADC should be reserved for cases where those indicators establish a sufficient basis to expand beyond the domain itself.

 

Farzaneh 

 

 

On Wed, Apr 15, 2026 at 1:38 AM Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote:

I agree with Marc - the determination to suspend an individual domain name found during an ADC should rely on the mechanisms already contained in the RAA - if the ADC provides actionable evidence of malicious DNS Abuse, the registrar would be obligated to suspend the relevant domain(s). 

 

If there are 20 other domains in the same registrar account that appear legitimate/benign, I don’t think anyone has ever suggested that those names be suspended too (as there would be no actionable evidence of DNS Abuse under 3.18.2 of the RAA). And if they are, it feels there is consensus that we can nip that line of policy in the bud. 

 

	Brian Cimbolic | Chief Legal and Policy Officer brian@pir.org | www.thenew.org | Power your inspiration. Connect your world.

 

Confidentiality Note:  Proprietary and confidential to Public Interest Registry.  If received in error, please inform sender and then delete.

 

From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Date: Tuesday, April 14, 2026 at 8:35 PM
To: volker.greimann@centralnic.com <volker.greimann@centralnic.com>, el@lisse.NA <el@lisse.NA>, gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>
Cc: dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>
Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request.

Volker,

 

I agree with most of these points and that these are important considerations for the registrar when deciding what mitigation action to take, but my point was that the takedown part is not part of the ADC.  The takedown part already exists in the DNS Abuse amendments in the RAA.  This discussion, while important, is outside the ADC.  That’s why it is a rabbit hole for purposes of trying to create the ADC.  Once again, it is the conflation of investigation with enforcement/mitigation.

 

Best regards,

 

Marc H. Trachtenberg
Shareholder

Chair, Internet, Domain Name, e-Commerce and Social Media Practice
Greenberg Traurig, LLP

Aspen                                           Chicago

411 E. Main Street                         360 North Green Street

Suite 207 | Aspen, CO 81611        Suite 1300 | Chicago, IL 60607

T +1.970.300.5313                         T +1.312.456.1020

M +1.773.677.3305                        M +1.773.677.3305
trac@gtlaw.com | www.gtlaw.com  |  View GT Biography

 

From: Volker Greimann <volker.greimann@centralnic.com>
Sent: Tuesday, April 14, 2026 3:38 PM
To: el@lisse.NA; gnso-dnsabuse-pdp@icann.org; Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com>
Cc: dns-techs@na-nic.com.na
Subject: Re: [Gnso-dnsabuse-pdp] Re: Another numbers request.

 

Hi Marc,

 

it is not really a rabbit hole since it is just the kind of issue that registrars face when dealing with associated domain names. Every takedown also carries with it a certain liability risk that has to be balanced as part of the review process before taking a decision to act. That is why we need actionable evidence of abuse, and that does not change for associated domain checks either. 

 

We have had cases where "Dumb Criminal A" defecated where he dined and had registered his personal (legal-use) domain names in the same account that also held the problematic ones. Do we take those down as well? 

 

We have had cases where we took down a significant number of domain names of a third-party privacy or trustee service that was not recognizable as such because of a high prevalence of abusive registrations using that registration data set, thereby affecting a significant number of non-abusive registrations. Justified? Maybe! Liability risk? For sure.

 

We do see cases where criminals register domains through various resellers and even registrars, but never use more than one at a time. We can only ever detect one domain engaged in abusive activities. We see the associated domains as such and even without actionable evidence for every single one we will take action based on various indicators of likelihood of abusive use. But the risk remains of also taking down domains that were never intended for such use. 

 

We have seen domains registered for advertising or monetization purposes where the abuse originates from a bad advertiser of the parking provider that circumvented their internal review processes. Most of those domains are used by other advertisers for legitimate purposes. In fact, their registration pattern is similar to the case of the reservoir domains above. They would all fall into the classification of associated domains, but in this case, a takedown would be problematic. 

 

Just because a domain is associated somehow with an abusive registration does not mean it was registered for the same purpose, or even by or on behalf of the same end customer. As a registrar, it is our job to navigate those dangerous waters, balance legal obligations to our legitimate customers and our legal and policy obligations to take action on malicious registrations. It is easy when the ocean is clear and you can see the floor, but there are hidden reefs that we need to watch out for. And it does take an experienced captain and crew to navigate those shoals. But to do that successfully, we need room to navigate and trust in our experience. 

 

 

Sincerely,

Volker Greimann
General Counsel & Head of Policy and Compliance - Online Division

volker.greimann@centralnic.com
Office: +49-172-6367025
Web: www.teaminternet.com

Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358.

 

---

From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: 14 April 2026 8:26 PM
To: el@lisse.na <el@lisse.na>; gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>
Cc: dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>
Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request.

 

Eberhard,

 

I think we are going down a rabbit hole here. This is outside the scope of the ADC as the ADC is not mandating that entire accounts get shut down or that the registrar take any action other than investigate for associated domains. Any resulting obligations to take action based on what the registrar finds already exist in the RAA.

 

Best regards,

 

Marc H. Trachtenberg
Shareholder

Chair, Internet, Domain Name, e-Commerce and Social Media Practice
Greenberg Traurig, LLP

Aspen                                           Chicago

411 E. Main Street                         360 North Green Street

Suite 207 | Aspen, CO 81611        Suite 1300 | Chicago, IL 60607

T +1.970.300.5313                         T +1.312.456.1020

M +1.773.677.3305                        M +1.773.677.3305
trac@gtlaw.com | www.gtlaw.com  |  View GT Biography

 

From: Eberhard W Lisse via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: Tuesday, April 14, 2026 12:13 PM
To: gnso-dnsabuse-pdp@icann.org
Cc: Dns-techs <dns-techs@na-nic.com.na>
Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request.

 

*EXTERNAL TO GT*

Becky, 

 

you are the lawyer, I am not. 

 

I just mean a concept. 

 

Can you take down a Registered Name, just because (at least) another Name registered by same Registrant has been mitigated?

 

If a single Registrant has 5 Names, 1 reported, investigated, proven as phishing, and mitigated accordingly, ADC done, and 3 of the others are mitigable, I still don't like that the 5th one would or could be mitigated as well. 

 

However as Marc wrote, you act against the Registrant (for violating the Terms and Conditions). 

 

How would that work? Can you really unilaterally decide to take Names down, or do you have to give notice of termination of the Registrant agreement (0 to n days notice)? So they transfer the Name elsewhere, and perhaps even register the mitigated Names again.

 

Now you take a Reseller which has a Million Names. ADC finds 50, 500 or even 5000 in need of mitigation. 

 

Do you take the 50, 500 or 5000 names down or do you cancel the agreement with the Reseller (for violation the Terms and Conditions). What happens then to the Names left? 

 

Or if the Reseller is just irritated enough that they transfer significant Revenue elsewhere? There are enough accredited Registrars around, after all.

 

The obviously even more difficult question is how to prevent them from becoming wise to the Policy and transferring the rest of a portfolio to another Registrar, when a single one is taken down, ie before the ADC can be done?

 

 

We have not thought through the consequences of our considerations, and/or the cost. 

 

 

 

el

--
Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired)
el@lisse.NA / * | Telephone: +264 81 124 6733 (cell)
PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP
10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply

On Apr 14, 2026 at 18:50 +0200, Becky Burr <bburr@pir.org>, wrote:

I am confused by the use of the term “guilt by association” here.  That usually means you consider one person guilty of some bad act because that person is associated with someone else who is a known bad guy.  And yes, in that context, there are significant human rights concerns.

 

Here, we are just saying that if a registrant/account holder is known to be using one domain for DNS abuse then we are going to check to make sure the same registrant/account holder isn’t using other domains for DNS abuse.  And, if the answer is no, then nothing happens to the associated domains.  So, unless you are arguing that domains themselves have human rights, I don’t see what the guilt by association issue is.  

 

Am I missing something? 

 

Becky Burr

 

---

If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com, and do not use or disseminate the information.

_______________________________________________
Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org
To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org

_______________________________________________
Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org
To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org