Hi Michaela, A few observations: Observation #1. You wrote: This assessment is also in line with the Preliminary Rationale for the Strawperson language for charter question 1<https://secure-web.cisco.com/1lgYdNA3LmWA1u6qgOVHCHbGpI-4Dq4t7RfvSnMTAGdq1Qn...> "The WG further considered, as noted in the Charter, that an ADC is most appropriately required where the registrar has sufficient indicators to reasonably determine that the domain name is being used for DNS Abuse.” Thinking about assessing proportionality on the basis of multiple 'signals' or 'indicators' may be a better route to go down given the complexities of assessing 'severity' at the 'trigger' stage The statement you quote from Q1 strawperson is taken out of context. The complete line is: “The WG further considered, as noted in the Charter, that an ADC is most appropriately required where the registrar has sufficient indicators to reasonably determine that the domain name is being used for DNS Abuse, rather than where a legitimate domain has been compromised by a third party.” This is meant to distinguish that ADC should not be targeted at compromised domain names. The ‘sufficient indicators’ is to establish this distinction, and once that distinction is made, then ADC may be applicable. Observation #2. You wrote: Broadly speaking, the NCSG does not think that all instances of actionable evidence of abuse should lead to an ADC. This is for two reasons: (1) limitations on registrar capacity (running an ADC on a single instance of DNS abuse would be operationally complex and costly); and (2) this could lead to ADCs becoming a ‘de-facto’ process for any and all reported instances of DNS abuse. This is correct. ADC should not apply to verified DNS Abuse on compromised domain names (registrar handles these cases under 3.18.2). We then should agree that ADC must apply in cases of malicious registration as reasonably determined by the registrar. Best -Dennis From: Michaela Nakayama Shapiro via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Reply-To: Michaela Nakayama Shapiro <michaela.shapiro@article19.org> Date: Wednesday, April 29, 2026 at 7:48 AM To: Nick Wenban-Smith <Nick.Wenban-Smith@nominet.uk>, Ching Chiao <ching.chiao@whoisxmlapi.com>, farzaneh badii <farzaneh.badii@gmail.com> Cc: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [EXTERNAL] [Gnso-dnsabuse-pdp] Re: [MALICIOUS URLS, FILTERED]ADC Should Be Triggered by Multiple Signals, Not One Abusive Domain Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. INTERNAL Hi all, Thanks everyone for the feedback and thoughts on the example shared by @farzaneh badii<mailto:farzaneh.badii@gmail.com>! This came as a response to concerns flagged in the working group meeting that a concrete example of the potential risks associated (pun intended 🙂) with conducting an ADC was needed to better understand why a human rights impact assessment is relevant at the ’trigger’ stage. However, we understand not everyone may agree with this assessment and more discussion may be needed. In the meantime, the NCSG thought it would be helpful to further clarify our position. The NCSG is NOT saying an ADC on the basis of a single reported instance of DNS abuse is always disproportionate. As in the example Farzaneh shared, a domain registered mimicking popular communication channels (such as Telegram) could signal a systematic effort to cause security issues for a specific population at a specific moment. This is a valuable contextual indicator for triggering ADC — the timing and the target indicate something that the domain name alone cannot. This is exactly why the context of the reported abuse must be analyzed. That being said, what the NCSG wants to emphasise is that proportionality principles still apply, regardless of there being one actionable instance of DNS abuse. A quick 'proportionality check' could simply look like ensuring there is one additional indicator of a potential pattern of abusive behavior. Without clarity as to the scope and breadth of the ADC (which will vary per registrar, as noted in the PDP charter), the NCSG emphasises that proportionality must be considered (and is relevant) at every stage of the ADC process - from trigger, to investigation, to mitigation. This assessment is also in line with the Preliminary Rationale for the Strawperson language for charter question 1<https://secure-web.cisco.com/1lgYdNA3LmWA1u6qgOVHCHbGpI-4Dq4t7RfvSnMTAGdq1Qn...> "The WG further considered, as noted in the Charter, that an ADC is most appropriately required where the registrar has sufficient indicators to reasonably determine that the domain name is being used for DNS Abuse.” Thinking about assessing proportionality on the basis of multiple 'signals' or 'indicators' may be a better route to go down given the complexities of assessing 'severity' at the 'trigger' stage (thank you, Marc and @Ching Chiao<mailto:ching.chiao@whoisxmlapi.com> for your thoughtful responses on this). Broadly speaking, the NCSG does not think that all instances of actionable evidence of abuse should lead to an ADC. This is for two reasons: (1) limitations on registrar capacity (running an ADC on a single instance of DNS abuse would be operationally complex and costly); and (2) this could lead to ADCs becoming a ‘de-facto’ process for any and all reported instances of DNS abuse. We hope that this also addresses the concerns you raised, @Nick Wenban-Smith<mailto:Nick.Wenban-Smith@nominet.uk>, about the registrar being unable to know whether this is a one-off or part of a broader campaign, for which an ADC would be invaluable for determining what action to take, or whether inaction is the right choice. Happy to discuss more, particularly as folks come back from Manchester (I hope those of you there are enjoying the unusually sunny weather)! Best, Michaela Michaela Nakayama Shapiro (she/her/hers) Programme Officer - Censorship [Logo.png]<https://secure-web.cisco.com/1Dwptg4x3-OILE4Bdam8qzr-Igv4lgkFYksBCSWLwzJRbwy...> Defending freedom of expression and information www.article19.org<https://secure-web.cisco.com/1Dwptg4x3-OILE4Bdam8qzr-Igv4lgkFYksBCSWLwzJRbwy...> Subscribe to our Newsletter<https://secure-web.cisco.com/1ooP-EOICCrOH4YEKCsEOskTUY4Qs-sYVcnP7cyI2ZWoiRG...> [cid:image002.png@01DCDC7D.EE01F280]<https://secure-web.cisco.com/1XpR9URfz5LM11OPd6OEja_8TyqHEK1KGHir6wEUX1AEr4F...> Note: we work half day Fridays (AM) Follow us [Bluesky1x.png]<https://secure-web.cisco.com/10DzVfqedZ_1WIDXsESxam9yyLkjKuiGbIL3LGUfqqUdp5d...> [cid:image004.png@01DCDC7D.EE01F280]<https://www.facebook.com/article19org/> [cid:image005.png@01DCDC7D.EE01F280]<https://www.youtube.com/channel/UCDB6E_x0xRSfF62b872n9YQ> [cid:image006.png@01DCDC7D.EE01F280]<https://secure-web.cisco.com/1fExeF-E3gjilDU3lkVaveyZGAf-4LaLCnogKsrHOrR3qKK...> [cid:image007.png@01DCDC7D.EE01F280]<https://secure-web.cisco.com/165PxV1GT3qGay9EmN5TH4529GX4dy26RSRIZPcckVA20Ub...> [cid:image008.png@01DCDC7D.EE01F280]<https://twitter.com/intent/follow?screen_name=article19org> [cid:image009.png@01DCDC7D.EE01F280]<https://secure-web.cisco.com/1Vheimlp5xQdBRy00Y9Tqhve1sRN7G_XXQacG-uWk-qhCyp...> From: Nick Wenban-Smith via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Date: Wednesday, 22 April 2026 at 16:02 To: Ching Chiao <ching.chiao@whoisxmlapi.com>, farzaneh badii <farzaneh.badii@gmail.com> Cc: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] Re: [MALICIOUS URLS, FILTERED]ADC Should Be Triggered by Multiple Signals, Not One Abusive Domain Hi Detective FB Thanks for the investigation and report; I think some contextual examples of when ADC can assist with abuse mitigation are really helpful when considering our policy deliberations. Sharing wider threat intel as between registrars and the wider security and LE community when a widespread attack is spotted could be an important part of a community response bearing in mind that threat actors will spread their attacks across multiple registrars and TLDs, both gTLDs and ccTLDs for that matter (NB not part of this PDP1 Charter but I digress). Just coming back to the multiple signals point, I think there is a risk of conflating the trigger for ADC, the investigations conducted by the registrar, and then the mitigation action taken by the registrar (if any), which I see as all discrete aspects of the policy work in accordance with the Charter instructions to us. What I don't follow with the multiple signals argument as part of the trigger test, is how with respect to a single proven maliciously registered abusive domain, the registrar could possibly know prior to doing some basic investigation at least, whether or not it is part of a wider campaign? In fact I'd go further than that and say that the whole point about the registrar investigation is to determine whether the trigger domain was a one off abusive registration (in which case nothing to see any further) or whether in fact due to multiple signals (or whatever we want to call them) it is clear that (as per your examples below) it could be part of a wider pattern of malicious registrations which therefore need investigation. And if it then found by the registrar that other domains are also abusively registered then they should be actioned by the registrar without separate abuse notifications needing to be filed by anyone. If they aren't abusive then the registrar obviously shouldn't take any mitigation action. But that will only become clear having done the investigation, with no wriggle room for wilful blindness on the part of the registrar. Given registrar friends on the PDP have already told us that they already conduct ADC it would be nice to understand whether I have understood this practice correctly and my analysis here is fair. If a wheel has already been invented then let's not get into different shapes and sizes and a set of competing standards, but document existing good policies which already work. Cheers all Nick ________________________________ From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Wednesday, April 22, 2026 12:53 To: Ching Chiao <ching.chiao@whoisxmlapi.com> Cc: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [MALICIOUS URLS, FILTERED][Gnso-dnsabuse-pdp] ADC Should Be Triggered by Multiple Signals, Not One Abusive Domain Caution: This is an external email and may be malicious. Please take extra care when replying, clicking links or opening attachments. Hi all, I just wanted to show you what we mean by considering other indicators rather than one domain to start ADC. You need multiple signals to trigger ADC, not just one abusive domain. Here's what those signals look like — and how even free agent Detective Badi undertook her analysis with zero equipment or use of intelligence firms (yes yes I know, when it scales it's harder.) Before diving in, here are the kinds of freely available, contextual indicators I can think of: 1. Is the domain on a blocklist? 2. Has it been reported before? 3. Does it relate to a documented, active campaign? 4. Does it share infrastructure (e.g. nameservers) that host a large number of malicious actors? 5. Was it registered during a period of heightened relevance to a specific attack target? 6. Is the registry going through a period of increased abuse? (check domain metrica) 7. Is the registrar going through a period of increased abuse? (check domain metrica) These paint a much richer picture than "one domain in a portfolio is bad, therefore ADC should start and every domain should be checked." This is not a formal NCSG position , but we've been saying for a while that ADC should be triggered based on a combination of such indicators/signals rather than profiling entire registrant portfolios from a single abusive domain. Ching's ADC examples inspired me to actually do this exercise and show what that looks like in practice. One caveat before I go further: I am not comfortable with these indicators. But they might be better than profiling domain name registrants and their entire portfolios based on a single abusive domain. --- THE TELEGRAM-HONG KONG CASE In Ching's examples I came across telegram-hongkong[.]com. This one is very interesting for me I worked on the use of Telegram in Hong Kong during the 2019 uprising. Here's the scenario: imagine this domain was registered around the uprising time in Hong Kong. Telegram was the most popular app during the uprising, and people were desperately trying to download and use it. A domain registered in that window, mimicking Telegram, could signal a systematic effort to cause security issues for a specific population at a specific moment. That's a genuinely good contextual indicator for triggering ADC — the timing and the target tell you something that the domain name alone cannot. But this is not without its complications. During that same period, people also ran apps that helped protesters track police locations, and dear Apple took those down. Now imagine that somewhere in an "abusive" portfolio, a couple of domains exist that were actually helping protesters. Authorities are actively requesting takedowns of such domains. What should the registrar do? Does their knowledge of those domains create legal or political exposure for them? The contextual signal cuts both ways. Which is exactly why context needs to be analyzed. For the record, Malwarebytes documented a campaign where attackers used malicious Google ads exclusively targeting people in Hong Kong, luring victims into downloading a malicious version of Telegram. So yes — this domain relates to a well-known, documented campaign. That's another signal worth noting. --- THE CRAIGSLIT / CALUDE CASE I do DNS abuse reporting as a hobby, partly to understand what doesn't work and what could be better. In one of my hunts I came across Craigslit[.]com. I reported it multiple times through different reporting mechanisms, it got suspended, and then, sigh, it's active again. What's interesting is that it used to share a nameserver that I have come across too often in abusive domain (like calude(.)ai But the name server can be rapidly changed so this metric should not be used on its own. Another signal: whether a domain has been reported before. I was excited to see that Domain Metrica claimed to have this kind of data — until it didn't actually tell me whether the domain had ever been reported, despite the fact that I know I reported it myself. This is admittedly a weak signal, but public reporting history is still better than snooping on registrant accounts. All in all, You need contextual, situational signals alongside the abusive domain to justify starting ADC — things like blocklist presence, prior reports, shared infrastructure, registration timing, and ties to documented malicious campaigns. These signals are freely available in the world. No special access required. No account surveillance needed. you can use abuse.ch<http://secure-web.cisco.com/1BZB0-EyjFrgCcD-rYQevZwzy2424uO_vDgh2061MI04vLWW...> and a myriad of free tools that can help you with your decision. Best regards, Detective FB Ching's ADC examples inspired me to do this exercise. This is not an NCSG position but we have been saying that the start of ADC should be based on different indicators instead of just if one domain is abusive, then we should trigger ADC. Before I begin, I want to be very clear that I am not comfortable with these indicators. But they are better than profiling domain name registrants and their portfolios based on one abusive domain. In Ching's examples I came across telegram-hongkong[.]com. This is a very interesting case. It was exciting for me especially because I worked on the use of Telegram in Hong Kong during the 2019 uprising. So the scenario is as follows: imagine if this domain was registered around that time. Telegram was the most popular app around that time and people would want to download it or use it. So perhaps if the domain was registered during that time, it could signal that it's a systematic effort to cause some security issues. So that's actually a good indicator to consider when wanting to trigger ADC. This is not without its shortcomings. During that period they also ran apps that would inform the protestors about the police location. Those apps were taken down by dear Apple. Now imagine if in this abusive portfolio, there are a couple of registered domains that help protestors. There is a clear request from the authorities to take down such apps/domains. What should the registrar do? doesn't their knowledge of existence of such domains create problems? Other factors that should be considered are: is the nameserver ... does the domain relate to a well known campaign (it does, Malwarebytes documented a campaign where attackers used malicious Google ads exclusively targeting people in Hong Kong, luring victims into downloading a malicious version of Telegram.) Anyway I continue. I do DNS abuse reporting as a hobby to understand what doesn't work, what could be better etc. In one of my hunts, I came across Craigslit[.]com. I reported this domain many times using different reporting mechanisms and it was suspended and now I see it's active again. But interestingly it shares the same name-server with my other hunt and that's calude.ai, They both use NS1.HASTYDNS.COM<http://secure-web.cisco.com/1l15LLs-tuNPu4mQFmRuuLKEET2gefIwRKgZNKXh-vo0A-t9...> (the name server). Another signal can be if the domain has been reported before. I got excited to see domain metrica said it has such data but it didn't tell me if it was ever reported despite the fact that I know I have reported the domain name! (this is a weak signal, but again public data might be better than snooping on accounts etc). So what is the moral of the story. You need to have different signals (contextual situational) as well as the abusive domain to start ADC. Those signals are available for free out in the world and even Detective Badi without any equipment managed to do it. Farzaneh On Wed, Apr 15, 2026 at 7:01 AM Ching Chiao via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> wrote: Dear all, Please review the attached 2023 research slides regarding typosquatting groups, which may be relevant to this PDP. In short, the research compares two different datasets -- typo groups vs. confirmed IoC domains . Feel free to ask any questions or comments via the list or privately. Best, Ching Ching Chiao 乔敬 Head of APAC & Corporate Development [Image removed by sender.] Check our latest Internet Abuse Signal research: https://main.whoisxmlapi.com/blog/to-cache-a-predator-ilovepoop-toolkit-react2shell-cve-2025-55182<https://secure-web.cisco.com/1eTgThDAb10Uv7QOwH8grodWjkEkZ0kdzx4HtV2_ej-kLWG-LtTQcrD3YFD2F369TL163Nw4gfXcqX8y95r02oX_HX0bvdtTTrEQolC9M1hQzFMkz1inFWzOpnXrWPeer29iK0x1tQgscFiXivREP3Z_LxlJQRu-PFKOw5aI_OEkFC2Rr_IBSy9hdPvEvHT-zVB5q3KW2kUHRoiyAOtniTLsSWtS0JZ01DLS5yNlqehYRRdMOuiZz9bW-nAQUwhblmkadUY8Yb-YMuko6C_rbr1s2ZXNivtto-lN2kPWVUzGaeO-5HDgTYkDH2ZXBCUNa/https%3A%2F%2Fmain.whoisxmlapi.com%2Fblog%2Fto-cache-a-predator-ilovepoop-toolkit-react2shell-cve-2025-55182> WhoisXMLAPI.com<http://secure-web.cisco.com/1rKYUKEeCa6HXYaOgHrUs7mvPuMJkx48OvVkSmGjaOJ_Rtth...> 中文:https://zh.main.whoisxmlapi.com/<https://secure-web.cisco.com/1Jg5W7wgvG8hNYDVfPt4h5Hg7EiLVKsKCC-UINN1PR5rX9FgEoN53BPSmY_dk3LimmUCkImPjTs43lssxenZIFYO9tYcjr4gmt3RgV4Bc7LdWZTJuTEcC1FVrUFSWgOKgNLwA5ivtQ05cth_apRDzD0bR6PNlsTNNUGTxI-GJr3_vSfldhBRaNLq-e0eMASutwMQJLx1hB02qa2LAYLxqV4BE70T1JqMlJb9zP1MBpxuze23SXuVOz2kxyShqQ41O6JK4QHq2vo7iHMoAZSO64liKzRUk8XUvhvet6dKDyjcqsswZWmZHiqU19-sgmBuz/https%3A%2F%2Fzh.main.whoisxmlapi.com%2F> 日本语 :https://ja.main.whoisxmlapi.com/<https://secure-web.cisco.com/1bhfrIEZMiPghCvJvStGu1OSPrKJKmxVDKlYr2HESvyT86XJCkSnk_y43YcrBtOm6-uFMJEdX5our8FN3vjA6_UGgQ_5tVL2t7FCwJhPhEhr8RfNWAiOpK6Sy-Ecz2U7QD0q7jlJa64hzAIvitOgLG17H2-qstkCcBJCdh2YFnFsrFzAEpFY7jm7M38Jv2EDApb9k242kpWiOyQIMg5b98cv0YDBXkkNy0iSOlEfUjP_X-WKyO5i2jlGOK8t5BIkPFr9cMZaUPCMj4dalJ8_cuNDZcP1VkShw8mYA1kbE-oL4vOXpW4EVqa76XRUqshUs/https%3A%2F%2Fja.main.whoisxmlapi.com%2F> LinkedIn : https://www.linkedin.com/in/chiao/<https://secure-web.cisco.com/1t206i74U7nKgDxBltQMUVTT-lVN75OzDS5E0gP9oGXnm91-fmX41VXJ2o1T-JV8u7iYxtvrWuJEhKmmV4pf1Xre2eiOK4lZ2XmGNF66aZ-lC5JHEHhE_3rIPqimotb3E_KfIkp72UpJpkNLm33PK7n8COm5JyD567veu7b6vUhxEDLT1wyD3ZowuXBwEpE-dDLLeV7-SHiMj_wVmul_Lz6Hwzn4Drp73NCXeJvMvhI3XwDLTsfw0313CCHLn55osPodU92H1yWbNRVSVYE33PKILptSwZmHliCuvcmbGNdk/https%3A%2F%2Fwww.linkedin.com%2Fin%2Fchiao%2F> Book a meeting now: https://calendar.app.google/9neWrkwvhPHRqGZ86<https://secure-web.cisco.com/1OG5PtqhWfaTdOV3637C_tKP2GmxnPyjqaEWEqTNefJCd-YPxj92znGH44bZESrEO6LzjO30JZYyHfbrkB3Uo5D1nfBnW5x08ZrrxY0MbaAPv-taad2cNz5SldMob0iPkS9K-v8b2hk9bc2hshkeNDhkeyhf5_621Z09kp2L3INHOTsP1kbNpaQJbcYsjWtwHcstmx47zF9eubWAGhPtU7JVjXzfR7d03eVzdDv8l9ey1DRA8i-vse9UnV_pSwf03T7Vt17fPxHfq2fZi73RGLwr-RqBwmiw5BCRsJgFXm2-_kb3i4lJ7oMsMb-1R-PzL/https%3A%2F%2Fcalendar.app.google%2F9neWrkwvhPHRqGZ86> _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org>
