Using a host IP / A record may give you different results. Not all ADC-linked domain names will have proper DNS record setup, and many are in a whack-a-mole situation. A lot of time the registrar knows what the OSINT community doesn't know simply by checking the internal data which is only available to specific registrar. 

Let's focus on the registrar account / registrant level solution. Thanks! 

Best,

Ching 


On Fri, Apr 24, 2026 at 8:39 AM Naoum MENGOUDIS via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote:
To me, all checks qualify as associated domain checks. The only difference is that some of them pivot on open source publicly accessible data (like NS or MX records or public abuse reports) and others pivot on personal data, like the registrant name or email address.

As I understand, Farzy has a problem not with the associated domains check itself, but with the datapoints that are used as pivot points. If you pivot on host IP for example, it's ok. If you pivot on registrant email then it is considered more intrusive.

Maybe we can explore this specific issue further. 

Regards,
Naoum

ΜΕΓΓΟΥΔΗΣ Ναούμ
Αστυνόμος Α'
Διεύθυνση Δίωξης Κυβερνοεγκλήματος
Τμήμα  Διαδικτυακής  Προστασίας  Ανηλίκων 

MENGOUDIS Naoum
Police Major
Cyber  Crime  Directorate
Online Child Protection Department
T: (+30) 2106476475
E: n.mengoudis@cybercrimeunit.gov.gr
-------------------
Email  Disclaimer
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for
the individual named. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately
by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.If you  are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
Think green before printing

From: Eberhard W Lisse via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: Friday, April 24, 2026 15:13
To: Bruna Martins dos Santos via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Cc: Dns-techs <dns-techs@na-nic.com.na>
Subject: [Gnso-dnsabuse-pdp] Re: ]ADC Should Be Triggered by Multiple Signals, Not One Abusive Domain
 
Is Signal Checking not already ADC?
 
el

-- 
Sent from my iPhone
On 24. Apr 2026 at 14:02 +0200, farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>, wrote:
Hi Nick, just to be clear we are not saying don’t start any kind of investigation. We are saying before you go to ADC check based on one abuse report, check these other signals. In order to do ADC you need to have access to registrar backend or database. 
These other signals I mentioned don't need access to backend it's public information. are not (I managed to gather the signals without being a registrar, I am only a detective

So in effect, to find out about those signals you don’t have to do ADC as your first action as I demonstrated. Those signals along with abusive domain could establish the trigger for ADC.



Farzaneh 

[…]
_______________________________________________
Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org
To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org