_______________________________________________Farzi,
You appear to have selected quotes from something written by Karl Auerbach, but did not state where we can find Karl’s comments. Can you give us the source and where we can find these comments and also clarify if you agree with these comments?
Best regards,
Marc H. Trachtenberg
ShareholderChair, Internet, Domain Name, e-Commerce and Social Media Practice
Greenberg Traurig, LLPAspen Chicago
411 E. Main Street 360 North Green Street
Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607
T +1.970.300.5313 T +1.312.456.1020
M +1.773.677.3305 M +1.773.677.3305
trac@gtlaw.com | www.gtlaw.com | View GT Biography
From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: Friday, June 5, 2026 3:20 PM
To: Nitin Walia <nitin@data.in>
Cc: david hughes via gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: New Interisle Study
*EXTERNAL TO GT*
We should be doing policy to address the risk and that’s legitimate and appropriate, just like we do for human rights impact assessment. We consider the risk to human rights. But the urgency of this issue and the effectiveness of whatever policy we produce should not be inflated based on data whose methodology we cannot fully audit, and sometimes not produced by neutral parties and without validation of definitions etc. We need to be proportionate and rigorous, so that we don’t come up with a policy that causes overreach, could impact people’s access to domains and increase political and legal risk.
Auerbach is making some interesting comments about the report which I have pasted here:
From where I sit claims of "malicious" and "abuse" are often mere whining about acts that are neither actually malicious nor actually abusive.
What I am suggesting is that when writing about domain names (or in this case, about the mere registration of a name) as being malicious or abusive that those terms not only ought to be clearly defined, but that those definitions be front and center on any report about such domains.
The Interisle report says this (on page 35):
How does Interisle determine if a domain has been “maliciously registered?”
We consider domains blocklisted within 90 days of registration to be malicious.
I note that Interisle seems to distinguish between malicious *registration* and malicious *use*. There us a vast gap there - the same as the difference between a) buying a glass cutter and b) using that glass cutter in a crime (such as cutting through a window pane in order to commit a burglary.)
In other words in the minds of Interisle, a domain that somebody puts onto some block lists within three months is adjudged, usually without further inquiry, as "malicious".
Or to put it another way around, what is "malicious" depends on the opinions of some unknown block listing agencies.
That is not not a definition. Rather it is an invitation to vigilante and inconsistent behaviour.
A true definition would dig into real actions that have been actually performed through the use of an accused domain name.
Perhaps the Interisle definition could be useful as a sieve to identify registrations that deserve deeper inquiry.
But saying that a domain name is malicious simply on the basis of block list entries is a process based on third party rumor (in law we would call that "hearsay", a thing that is usually excluded by our rules of evidence) rather than on a presentation of relevant, directly obtained, supporting facts.
Farzaneh
On Wed, Jun 3, 2026 at 1:52 AM Nitin Walia via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote:
ICANN Published Two Years of Enforcing DNS Abuse Mitigation Requirements: Progress & Next Steps
Warm Regards
Nitin Walia
Director
Data Ingenious Global
nitin@data.in | नितिन@डाटा.भारत
www.data.in
--------------------------------------------------------------
The content of this email is confidential and intended only for the recipient specified.
If you received this message in error, please delete it and inform the sender.
From: David Hughes via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> MailId : [154969301]
To: trachtenbergm@gtlaw.com,gnso-dnsabuse-pdp@icann.org
Subject: [Gnso-dnsabuse-pdp] Re: New Interisle Study
Date: 03 Jun 2026 06:24:57 AMthank you Marc,
You beat me to the punch.
Very useful study, none of it surprising.
but Shockingly high levels of abuse levels at some registrars.
(if I read it correctly, one has 80% plus abuse?, please correct me if i am reading it wrong).
From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Date: Tuesday, June 2, 2026 at 9:58 AM
To: gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] New Interisle StudyFYI fellow members of the DNS Abuse PDP Part 1,
The new Interisle study is out and underscores the importance of this PDP getting it right and resulting in something that is meaningful, including in particular, having measurable and enforceable obligations (see https://interisle.net/insights/cybercriminaldomaindemand).
The report indicates that 10% to 20% of domains are registered for bad purposes, but it might be even higher. The report further indicated that 10% of gTLD domains registered in 2025 have been added to blocklists, and almost all of these were registered for malicious purposes rather than being compromised. As an aside, WhoisXML API analyzes 8-10 million new registrations every month and generally estimates that about a quarter of them are registered for malicious purposes).
Notably for this PDP, the report also addresses Associated Domains - see in particular pg 17:
A recent study about associated domains was performed by the research team in ICANN’s Office of the CTO (OCTO). This study found that “at least 16% of newly registered gTLD domains, [created] in the first quarter of 2025, exhibited batch registration patterns.” Starting with an initial set of “seed” RBL- listed domains, the researchers found an additional 80% more domains that were associated with the blocklisted ones. This “indicates that for every three newly registered malicious domains reported through RBL feeds, batch expansion (using conservative filtering) identifies an additional two neighboring domains.” The researchers stated that “the true rate is likely to be higher” since they excluded ”many valid batches” such as those containing more than 1,000 domains. The results “indicate that batch registrations are prevalent, significantly predict overall abuse rates, and are useful for pivoting and expanding from known malicious ‘seed’ domain sets, particularly in certain TLDs and registrar environments.”
Best regards,
Marc H. Trachtenberg
ShareholderChair, Internet, Domain Name, e-Commerce and Social Media Practice
Greenberg Traurig, LLPAspen Chicago
411 E. Main Street 360 North Green Street
Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607
T +1.970.300.5313 T +1.312.456.1020
M +1.773.677.3305 M +1.773.677.3305
trac@gtlaw.com | www.gtlaw.com | View GT Biography
If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com, and do not use or disseminate the information.
_______________________________________________
Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org
To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.orgDo not Remove:
[HID]20260603062457190[-HID]
[XGENFOOTER]
[-XGENFOOTER]
_______________________________________________
Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org
To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org
Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org
To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org
