Further to my email below, per the charter of the PDP, the purpose of the PDP is: “to create an obligation for registrars to investigate other domains associated with a customer account or registrant where at least one domain of that registrant is found to be engaged in DNS Abuse, as defined in the RAA. To develop a Consensus Policy that imposes an obligation on ICANN accredited registrars to proactively investigate associated domain names, and/or related orders when a domain under their management is found to have been registered for malicious purposes.” This seems to be pretty clear that the trigger for the ADC is where at least one domain of that registrant is found to be engaged in DNS Abuse. It is also clear that the Consensus Policy we are developing will create an obligation to investigate associated domain names, and/or related orders when a domain under their management is found to have been registered for malicious purposes. Furthermore, the obligation is to conduct the investigation proactively. Notwithstanding your points below, my proposed language seems to be consistent with the purpose of the PDP. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/> | View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Wednesday, March 18, 2026 9:41 PM To: volker.greimann@centralnic.com; rlevy@tucows.com Cc: gnso-dnsabuse-pdp@icann.org; brian@pir.org Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal Thanks Volker. I understand all of this. But for clarity are you saying that there should only be an obligation to conduct an ADC when the registrar already believes that there may be associated domains? Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/> | View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Volker Greimann <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>> Sent: Wednesday, March 18, 2026 8:25 PM To: Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>>; rlevy@tucows.com<mailto:rlevy@tucows.com> Cc: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>; brian@pir.org<mailto:brian@pir.org> Subject: Re: [Gnso-dnsabuse-pdp] Re: Straw Proposal Hi Marc, I am glad you asked because they touch upon actual abuse mitigation experience. Such belief can and does arise from multiple sources. For example, the complainant could have reported 2+ domains in their report. Similarly, we could have received multiple different reports from 2+ reporters that show the abuse mitigation agent that there is a pattern to these reported registrations even if the reporter may not be aware of them. In some cases, we also conduct such checks based on single reports with only one domain of the naming pattern of that domain could reasonably indicate that more such domains exist. For example, the domain phishinglove-singapore.[tld] may indicate that other similarly named domains like lovephish-sydney.[tld] or similar could be found in the same account. Similarly, the domain carding02.[tld] often leads to similar domains using the same string with a different number attached. Sometimes it is a question of "know your customer". Some resellers may have a different track record than others when it comes to the customer that abuse their services. In short, there are many different indicators (that will likely need to be adjusted over time) for a registrar to develop a reasonable belief that an ADC may be an effort worth the while it takes to complete it. But the point is that an ADC will take extra time and effort and if we are forced to conduct one for every single domain where an action was warranted, it will slow our response times, leave bad domains online longer than necessary and give threat actors and easier time. I feel that our job should be to make it harder for threat actors, not easier. Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> Office: +49-172-6367025 Web: www.teaminternet.com<https://urldefense.com/v3/__http:/www.teaminternet.com__;!!DUT_TFPxUQ!DCiz1A...> Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358. ________________________________ From: trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com> <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>> Sent: 19 March 2026 2:09 AM To: rlevy@tucows.com<mailto:rlevy@tucows.com> <rlevy@tucows.com<mailto:rlevy@tucows.com>>; Volker Greimann <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>> Cc: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>>; brian@pir.org<mailto:brian@pir.org> <brian@pir.org<mailto:brian@pir.org>> Subject: RE: [Gnso-dnsabuse-pdp] Re: Straw Proposal You don't often get email from trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>. Learn why this is important<https://urldefense.com/v3/__https:/aka.ms/LearnAboutSenderIdentification__;!...> But how would a registrar reasonably believe that there may be other Registered Names associated to the Registered Name without the obligation to conduct an investigation? It would seem that for this to be meaningful there must be both a trigger (i.e., at least one domain name where there is actionable evidence of DNS abuse) and then the obligation (i.e., to conduct a review or investigation to see if there are other associated domains). Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/> | View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: Wednesday, March 18, 2026 8:02 PM To: Volker Greimann <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>> Cc: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>>; Brian F. Cimbolic <brian@pir.org<mailto:brian@pir.org>> Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal *EXTERNAL TO GT* Volker, Marc— Thanks for your quick review! I agree something along the lines of “where a reasonable indication exists” is necessary. I think Marc’s edits restated what Brian said just using more words (and I prefer succintity for clarity) except for adding in an immediacy (“When a Registrar has actionable evidence”) that is both unwarranted and unreasonable. Perhaps: When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement and reasonably believes there may be other Registered Names associated to the Registered Name, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review. /R -- Reg Levy | Associate General Counsel – Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter UTC -7 On Mar 18, 2026, at 17:55, Volker Greimann <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>> wrote: Hi Brian, removing any requirement of there being any reasonable indication of there actually being further domains to look for is unreasonable and will ultimately achieve the opposite of our goal: Instead of taking a targeted approach to likely occurrences of DNS abuse, this new language would require Registrars to go on wild goose chases for potentially existing affiliated domain names. So instead of actioning multiple abuse tickets received by a registrar, the abuse desk has to spend time doing a victory lap each time we take action on one ticket, greatly reducing the capacity to timely act upon incoming reports. There must be an element in the ADC requirement that only triggers the requirement to do an ADC when it can be reasonably assumed that such ADs exist, instead of triggering the ADC every time an action is taken. This would be a gift to threat actors as it would force us to spend time engaging in Kabuki theatre rather than actioning actual reports of abuse. Also, I am missing any hint of a suggestion of what Registries might be able to contribute. If we look at this solely from an individual registrars' perspective, we will not achieve anything. We are already seeing many abuse campaigns span that across multiple registrars and that can be detected on a registry level. Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> Office: +49-172-6367025 Web: www.teaminternet.com<https://urldefense.com/v3/__http:/www.teaminternet.com/__;!!DUT_TFPxUQ!EhyjA...> Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358. ________________________________ From: Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: 18 March 2026 10:14 PM To: Reg Levy <rlevy@tucows.com<mailto:rlevy@tucows.com>>; anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal Hi all - First, thank you all for some great sessions to kick this work off in Mumbai. I thought we already made a lot of progress in our first working session. In advance of Monday’s call, I wanted to float a slightly modified version of the Strawman that Reg (very helpfully!) provided below. I provide a clean version, as well as a screenshot of Redlines so we can all see exactly what I’m proposing we change. Summary of proposed tweaks: * The actual obligation to mitigate DNS Abuse in the RAA is found in 3.18.2, rather than the broader 3.18, which includes other unrelated provisions. Tightening that subsection reference should make it clearer where an Associated Domain Check comes into play. * I tried to harmonize the language from Reg’s version with the terms and definitions set forth in the RAA already. So rather than “domains,” it’s “Registered Name” (again, simply to match the RAA defined terms). 3.18.2 also references “mitigation action(s)” so I incorporated that verbiage rather than the more generic “action." * 3.18.2 already requires that Registrars take mitigation action(s) when they have actionable evidence of DNS Abuse. If the Associated Domain Check is fruitful and the Registrar finds such actionable evidence of abuse, it is similarly obligated to take mitigation action(s). So, I suggest striking the “and take action against those domains where appropriate” as redundant. REDLINE: <Screenshot 2026-03-18 at 4.09.42 PM.png> CLEAN: When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review. Looking forward to the call on Monday. Please let me know if you have any questions. Thanks, Brian <image001.png><https://urldefense.com/v3/__https:/www.thenew.org/__;!!DUT_TFPxUQ!EhyjAaaGsF...> Brian Cimbolic | Chief Legal and Policy Officer brian@pir.org<mailto:brian@pir.org> | www.thenew.org<https://urldefense.com/v3/__http:/www.thenew.org__;!!DUT_TFPxUQ!EhyjAaaGsFc-...> | Power your inspiration. Connect your world. <image002.png><image004.png> Confidentiality Note: Proprietary and confidential to Public Interest Registry. If received in error, please inform sender and then delete. From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Date: Monday, March 9, 2026 at 6:19 AM To: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Subject: [Gnso-dnsabuse-pdp] Straw Proposal All— As noted in the chat in the session today, this is the straw proposal a number of us have been working on for the last few days and we’d love additional input: When a registrar takes action under Section 3.18 of the Registrar Accreditation Agreement, the registrar shall promptly review other domains that are reasonably associated with that domain when there are clear indicators that other domains registered by the same customer may be involved in the same abusive activity, using information reasonably available to the registrar at the time of review, and take action against those domains where appropriate. Servus, Reg -- Reg Levy | Associate General Counsel – Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter UTC +5:30 ________________________________ If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com<mailto:postmaster@gtlaw.com>, and do not use or disseminate the information.
