Another numbers request.
Dear all,
Following the numbers being thrown around in the recent emails, it would be of interest to know the average number of domains an end customer holds. And maybe also the maximum number of domains an end customer holds, to have an idea of the extreme case scenario. This would give us a better estimate of the work needed to be done when doing ADC. [End customer means actual registrants, excluding Resellers and Privacy & Proxy Services]
Having 100.000 abusive reports in total says nothing about the overhead of a possible ADC. Maybe ADC would actually help because the reports would be handled in groups instead of one by one (because, as you know, when you are "in the zone" you get more work done compared to starting and stopping and constantly switching contexts).
For example, if the average ownership is 100 domains per end customer, you would have to check an additional 99 domains of that customer when one of his domains is reported. Better do it as a group, instead of waiting to do it 100 times in total at some point. PLUS, you can use heuristics, like, if you verify that 20 of the 100 domains of the customer are abusive, and using other available information and indicators (e.g. everything being registered via API and on the same day), you can just deactivate all 100 of the domains and nobody will complain about it (without even having to check further, saving lots and lots of resources). On the contrary, acting on each of the reports that will come in the future is way more resource intensive.
And can we have some examples of real scenarios when an ADC would be detrimental to the resource use of the Registrar? So we can validate or not this argument, or any other related argument, or plan appropriate safeguards, instead of dismissing a good practice (i.e. the ADC triggered every time).
Regards, Naoum
MENGOUDIS Naoum, Police Major, Cyber Crime Directorate, Online Child Protection Department
Hi Naoum,
You mentioned earlier that ADC would have no adverse effect on rights (I include access in it too). I did not respond at the time because I think that conclusion is premature and needs to be assessed in context.
First, when we talk about human rights in this setting, we are not only concerned with established violations but with risk, that is, the likelihood that certain practices could lead to disproportionate or unjustified impacts on registrants and end users.
In your example, you effectively illustrate how that risk can increase with ADC check: “PLUS, you can use heuristics, like, if you verify that 20 of the 100 domains of the customer are abusive, and using other available information and indicators (e.g. everything being registered via API and on the same day), you can just deactivate all 100 of the domains and nobody will complain about it (without even having to check further, saving lots and lots of resources)”
This approach introduces a clear risk of overbroad action, where domains that have not been individually assessed are nevertheless subject to the same outcome. Even if some domains are abusive, extending action to the entire portfolio without further verification raises questions of proportionality, accuracy, and potential impact on legitimate uses.
Best regards
Farzaneh
In reply to: Naoum MENGOUDIS via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>, Sun, Apr 12, 2026 at 7:33 AM
_______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org
Hi Farzaneh (and everyone else) - I wanted to note that Section 3.18.2 of the RAA has language that might account for these considerations in the language highlighted below:
"When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage."
Perhaps that language would be helpful in any ultimate Policy to take those concerns into consideration.
Thanks,
Brian
Brian Cimbolic | Chief Legal and Policy Officer
brian@pir.org | www.thenew.org
In reply to: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>, Sunday, April 12, 2026 at 10:31 AM
Thank you Brian, this is helpful and we have mentioned in our preliminary feedback that this language should be taken into consideration. We also used the language to come up with the tiered model (severity of harm) to justify the triggering of ADC.
Farzaneh
In reply to: Brian F. Cimbolic <brian@pir.org>, Sun, Apr 12, 2026 at 10:55 AM
The language “Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage” could make sense to apply to what actions the registrar should take after conducting the ADC, but it does not make sense for the reasons previously discussed for the trigger which must be actionable evidence of DNS Abuse, and use of severity as a trigger will make the end result of the PDP be meaningless and will result in even more overhead for registrars as they will have to do this analysis on the front end and document to demonstrate compliance.
Best regards,
Marc H. Trachtenberg
Shareholder, Chair, Internet, Domain Name, e-Commerce and Social Media Practice, Greenberg Traurig, LLP
In reply to: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>, Sunday, April 12, 2026 8:58 AM
INTERNAL Dear all, With apologies for the delayed response (catching up on the mailing list from the weekend), I want to thank @Brian F. Cimbolic<mailto:brian@pir.org> for re-upping this section. Echoing @farzaneh badii<mailto:farzaneh.badii@gmail.com>, this language lays the groundwork for the tiered model of severity of harm that the NCSG is keen to see reflected in the outcome of this PDP. Particularly given that registrars will conduct ADCs differently, having this language is one clear means of accounting for the type and severity of harm to be addressed without preventing ADCs from taking place (as we are also keen to protect victims of spam, phishing, etc. from harm). Building on the strawman proposal helpfully put forward by staff last week, I would like to suggest the following change: When a registrar has actionable evidence that a Registered Name is being used for DNS Abuse and has taken appropriate mitigation action(s) under section 3.18.2 of the Registrar Accreditation Agreement (RAA), the registrar must perform an Associated Domain Check depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage. Respectfully, I disagree with Mark that "use of a severity as a trigger will make the end result of the PDP meaningless and will result in even more overhead for registrars." Registrars should already be accounting for severity of harm when taking 'appropriate action' on DNS abuse so this will simply be reiterating this obligation up-front. The aim is not to prevent ADCs from happening but rather ensuring that these are conducted with care (rather than on every and any instance of reported DNS abuse). Particularly as we have yet to define minimum procedural requirements for ADCs or to clarify obligations regarding evidence gathering, the NCSG wants to ensure that this balancing exercise is integrated both at the 'trigger' phase and during the ADC. 
Looking forward to discussing this more — whether via the mailing list or on today's call (or both). Best, Michaela Michaela Nakayama Shapiro (she/her/hers) Programme Officer - Censorship [cid:logo_1c766458-35ee-431a-9a22-e00b47cd2091.png]<https://www.article19.org> Defending freedom of expression and information www.article19.org<https://www.article19.org> Subscribe to our Newsletter<https://www.article19.org/ie-sign-up/> [cid:newsletter_02744340-c607-4374-8a37-11b8b216096d.png] <https://www.article19.org/ie-sign-up> Note: we work half day Fridays (AM) Follow us [cid:bluesky1x_864ef831-9476-4116-88b8-2a3410741630.png]<https://bsky.app/profile/article19.bsky.social> [cid:facebook_2853baa0-f060-42e6-b448-6a8788c1b5dd.png] <https://www.facebook.com/article19org/> [cid:youtube_ffe95af1-d962-4acd-ab59-4eb4ea07466e.png] <https://www.youtube.com/channel/UCDB6E_x0xRSfF62b872n9YQ> [cid:linkedin_199dc89c-14aa-41cd-b2a7-37b8ae8d667d.png] <https://www.linkedin.com/company/article19> [cid:instagram_05fbcc72-6df2-442b-8c34-146d0e9d8c41.png] <https://www.instagram.com/article19org/> [cid:x_d21e0607-da5a-44a7-80c7-e2d86bc18a92.png] <https://twitter.com/intent/follow?screen_name=article19org> [cid:targetedemailsigbanner_bf8f8c0a-7569-45be-a571-1b67f25cfc45.png]<https://tinyurl.com/35zaz2r6> ________________________________ From: Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: 12 April 2026 15:55 To: Farzaneh Badii <farzaneh.badii@gmail.com>; Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr> Cc: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. 
Hi Farzaneh (and everyone else) - I wanted to note that Section 3.18.2 of the RAA has language that might account for these considerations in the language highlighted below:
"When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage."
Perhaps that language would be helpful in any ultimate Policy to take those concerns into consideration.
Thanks,
Brian
Brian Cimbolic | Chief Legal and Policy Officer
brian@pir.org | www.thenew.org
________________________________
From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Date: Sunday, April 12, 2026 at 10:31 AM
To: Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr>
Cc: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request.
Hi Naoum,
You mentioned earlier that ADC would have no adverse effect on rights (I include access in it too). I did not respond at the time because I think that conclusion is premature and needs to be assessed in context.
First, when we talk about human rights in this setting, we are not only concerned with established violations but with risk, that is, the likelihood that certain practices could lead to disproportionate or unjustified impacts on registrants and end users.
In your example, you effectively illustrate how that risk can increase with ADC check: "PLUS, you can use heuristics, like, if you verify that 20 of the 100 domains of the customer are abusive, and using other available information and indicators (e.g. everything being registered via API and on the same day), you can just deactivate all 100 of the domains and nobody will complain about it (without even having to check further, saving lots and lots of resources)"
This approach introduces a clear risk of overbroad action, where domains that have not been individually assessed are nevertheless subject to the same outcome. Even if some domains are abusive, extending action to the entire portfolio without further verification raises questions of proportionality, accuracy, and potential impact on legitimate uses.
Best regards
Farzaneh
Dear Michaela,
Thank you for your thoughtful note. I would like to offer some additional perspectives.
You mentioned that the goal is to ensure ADCs are conducted with "care" rather than on every instance of reported abuse. However, "care" can have various interpretations. For some registrars, conducting an ADC with care could involve preemptive risk-profiling for every newly registered domain to prevent cyberattacks, potentially relying on internal labeling or third-party sources. For instance, at the time of registration, attributes such as group number or group size could be added to the domain or registrant data to facilitate investigation in the future.
In a scenario where a registrar identifies a domain like "xxbank-secure-logincom.[TLD]", and still suggests 10–20 other TLDs to that same customer, I strongly recommend recording this ADC group at the time of registration. This would be highly beneficial for any future investigations.
I still believe using "severity as a trigger" can be problematic. As previously shared, a large ADC group might contain only one phishing domain, yet that single domain could target a public water supply org. Given how rapidly the cyberattack landscape evolves, a tiered model is unlikely to capture these risks effectively and could complicate the workflow.
Thanks!
Best,
Ching
Hi,
I think severity of harm is a red herring as this is impossible for us as registrar to determine. In many cases the harm of a phishing campaign is dependent on how heavily it is advertised on FB after all.
You also seem to be suggesting the monitoring of strings on registration. For most of us, a domain name is a more or less random string of numbers and letters. Any meaning is attached to it by the user. While there are tools like name spinners that provide name suggestions, these are very often third-party tools that we as registrars implement as a black box.
Sincerely,
Volker Greimann
General Counsel & Head of Policy and Compliance - Online Division
www.teaminternet.com
In this example of the customer that has 20 out of 100 domains which are deemed to be abusive, then I disagree that suspending all of the domain names in the account would constitute a disproportionate or unjustified impacts on the registrant or end user. In the example, this customer is clearly a serial abuser of domain names and this would justify shutting down the entire customer account. Furthermore, if you look at the terms of use of almost all registrars, even one incident of a domain being used for DNS Abuse (or any other violations of the terms) is sufficient to permit the registrar to suspend or terminate all services provided to the customer, which includes all of their domains. So, to the extent that there is any risk of overreach create by the ADC itself – which I disagree exists at all - it is no greater than what already exists. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/> | View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Sunday, April 12, 2026 8:31 AM To: Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr> Cc: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. *EXTERNAL TO GT* Hi Naoum, You mentioned earlier that ADC would have no adverse effect on rights (I include access in it too). I did not respond at the time because I think that conclusion is premature and needs to be assessed in context. 
First, when we talk about human rights in this setting, we are not only concerned with established violations but with risk, that is, the likelihood that certain practices could lead to disproportionate or unjustified impacts on registrants and end users. In your example, you effectively illustrate how that risk can increase with ADC check:

“PLUS, you can use heuristics, like, if you verify that 20 of the 100 domains of the customer are abusive, and using other available information and indicators (e.g. everything being registered via API and on the same day), you can just deactivate all 100 of the domains and nobody will complain about it (without even having to check further, saving lots and lots of resources)”

This approach introduces a clear risk of overbroad action, where domains that have not been individually assessed are nevertheless subject to the same outcome. Even if some domains are abusive, extending action to the entire portfolio without further verification raises questions of proportionality, accuracy, and potential impact on legitimate uses.

Best regards
Farzaneh

----------------------------------------------------------------------
If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com, and do not use or disseminate the information.
It would probably be plain illegal, at least cause significant legal exposure.

el

On 2026-04-12 21:11, trachtenbergm--- via Gnso-dnsabuse-pdp wrote:
In this example of the customer that has 20 out of 100 domains which are deemed to be abusive, then I disagree that suspending all of the domain names in the account would constitute a disproportionate or unjustified impact on the registrant or end user.
[...]
Marc H. Trachtenberg
[...]
--
Eberhard W. Lisse, Obstetrician & Gynaecologist (retired)
el@lisse.NA | Telephone: +264 81 124 6733 (cell)
PO Box 8421 Bachbrecht, 10007, Namibia
If this email is signed with GPG/PGP, Sect 20 of Act No. 4 of 2019 may apply
Eberhard,

How would it be illegal for a registrar to suspend or terminate services when the registrar's terms have been violated if such remedy is described in the terms? This happens every day.

Best regards,
Marc H. Trachtenberg
I am coming at this from the ccTLD perspective, remember? Where we are used to having approximately 250 different jurisdictions (Civil and Common Law).

We are talking about guilt by association here, not (so much) proven DNS abuse. And, when this Policy filters down into the Registrar Agreement, does this material change work retrospectively?

The client paid (consideration) and the Registrar just removes additional 100 names. I am not sure how that would fly in Court.

el
I understand that but the client paid subject to the terms. If the terms of service of the registrar state that customers who violate the terms, including specifically the acceptable use policy, are subject to suspension or termination of the registrar’s services, which include the domain names in their account, I do not see what the legal issue is. Are you aware of a specific jurisdiction where this would be problematic under the applicable law? I also don’t think a court will be too sympathetic where the registrant used 20 out of the 100 domain names in its account for phishing or malware.

Best regards,
Marc H. Trachtenberg
That's helpful in a way. So we do not act against Associated Names, but against the Registrant? Is that covered by the charter? Are there judgements which could be persuasive or even binding, in the US at least, for similar situations?

I forgot to mention that Registrars will probably use AI to do the ADC and (thus play a significant role in) termination. How that will fare in Court is anybody's guess.

Which reminds me, how would we address that they can change their modus operandi and register smaller numbers per individual client, and circumvent email and sms checks by generating more email accounts (ie fictitious individuals) and phone banks and have AI answer the return (existence) checks? How do we catch if they spread the Registrations over different Registrars? I can easily foresee registering names in a chain, using the previous one for the email address of the next and similar strategies. In different TLDs with different Registrars making this much more complex.

el
Eberhard,

I don’t think anyone is suggesting that the ADC policy require a registrar to take this action against the entire account. I am certainly not suggesting that the registrar be required to do this. I was just pointing out that if the registrar chose to do this that it would not be disproportionate and the registrar has the option to do so, even now.

Best regards,
Marc H. Trachtenberg
And let's keep in mind that the Registrar can suspend the domains and reach out to the Registrant offering a chance for redress, respectful of all processes, legal or otherwise. But again, we are talking about abuse mitigation here, which is not in the scope of this PDP. I was just offering an example of how ADC can help expedite the mitigation without adding too much overhead to the process.

MENGOUDIS Naoum
Police Major
Cyber Crime Directorate
Online Child Protection Department
Naoum:

The mean number of domains in a reseller account for my company is going to be probably in the high hundred thousands. We have customers with millions of domains and customers with single-digits. The mode is probably closer to tens of thousands. It is not usually the case that my team can simply look at all domains in an account.

Servus,
Reg
--
Reg Levy | Associate General Counsel – Domains
+1 (323) 880-0831
Tucows #MakingTheInternetBetter
UTC -7
On Apr 12, 2026, at 04:32, Naoum MENGOUDIS via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote:
[...]
Reg - Your input on differing business models is important. Given that your customers are resellers, would you view it as reasonable - when your team judges it cannot "simply look at all domains in an account" - that the obligation to perform the ADC be passed from you as Rr to your Reseller customer, so that they might perform the ADC using information available to them as the customer-facing entity?
Gabriel
________________________________ From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Monday, April 13, 2026 1:35 PM To: Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr> Cc: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [EXTERNAL EMAIL] - [Gnso-dnsabuse-pdp] Re: Another numbers request.
[...]
Some customers will want to do it themselves and others will want us to do it for them. So—not necessarily. /R -- Reg Levy | Associate General Counsel – Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter UTC -7
On Apr 13, 2026, at 04:59, Gabriel Andrews via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote:
[...]
Ok - so it would seem worthwhile to consider that a reseller performing the ADC on their own customers might be reasonable in some circumstances (assuming the reseller does the ADC in a manner that satisfies you, so you as Rr can in turn satisfy ICANN). In the other case, those circumstances in which the reseller wants your team (as Rr) to do the ADC for them - would it be reasonable to assume that they provide you with information which would enable you to more narrowly the ADC on only a subset of the total domains in the reseller account? (whether by giving you access to the customer account info, or other?)
________________________________ From: Reg Levy <rlevy@tucows.com> Sent: Monday, April 13, 2026 2:01 PM To: Andrews, Gabriel F. (OTD) (FBI) <gfandrews@fbi.gov> Cc: Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr>; Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: Re: [Gnso-dnsabuse-pdp] [EXTERNAL EMAIL] - Re: Another numbers request.
[...]
Hi Gabe, thank you for your comment. That is exactly what we already do when we "outsource" some of our duty to investigate and mitigate to our resellers. Where we act as wholesale registrar, we are basically in the same position as a registry operator. We have no insight into the actual operations of our resellers, how they engage with their customers, what data they collect and what tools they may have available. But we do trust them to have better and more information than we do. That is why whenever we forward an abuse complaint, we will request that the reseller also look at the customer account through which the registration occurred if they determine that the complaint is valid, just like a registry would when they forward abuse complaint to their registrars. We will never have the level of insight and data that comes with having the direct customer relationship with the registrants. We will never know if a bulk of registration requests originated from a certain global region or even IP range. But our reseller may.
Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com Office: +49-172-6367025 Web: www.teaminternet.com Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358.
________________________________ From: Gabriel Andrews via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: 13 April 2026 2:29 PM To: Reg Levy <rlevy@tucows.com> Cc: Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr>; Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] Re: [EXTERNAL EMAIL] - Re: Another numbers request.
[...]
I have no issue with a registrar who operates a wholesale or reseller model relying on its reseller to conduct an investigation/ ADC but note that doing so does not relieve the registrar of its obligations in the ADC. This is the same as in the RAA which is registrar model agnostic, and while the RAA acknowledges that some registrars use resellers, it makes clear that all obligations are on the registrar itself and if a registrar relies on its reseller to meet an obligation and the reseller does not meet that obligation then the registrar does not get a pass.
Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP
From: Volker Greimann via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Tuesday, April 14, 2026 3:46 PM To: Reg Levy <rlevy@tucows.com>; Gabriel Andrews <gfandrews@fbi.gov> Cc: Naoum MENGOUDIS <n.mengoudis@cybercrimeunit.gov.gr>; Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] Re: [EXTERNAL EMAIL] - Re: Another numbers request.
[...]
If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. Think green before printing _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org> _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org> ---------------------------------------------------------------------- If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com, and do not use or disseminate the information.
Thank you all for the robust conversations happening on the list!
Best, Paul
Paul McGrady Partner Elster & McGrady 434 Houston St, Suite 261 Nashville, TN 37203 3847 N. Lincoln Avenue Second Floor Chicago, IL 60613 Office Direct: +1 (312) 515-4422 paul@elstermcgrady.com www.elstermcgrady.com
Thanks Reg.
The numbers that would be helpful are the ones excluding Resellers. Just plain human/person end customers (not legal entities).
But in any case, we agree that checking exhaustively may not be an option. Good thing we are discussing reliable indicators already.
MENGOUDIS Naoum Police Major Cyber Crime Directorate Online Child Protection Department
That is not data I have access to. (Note that I was answering the question of “average number of domains a[] customer holds”: “end customer” isn’t really a useful way of talking about our customer base. We just have customers—they may have customers, who may have customers, who may have customers, who… you get the picture. Eventually someone visits a website hosted on a domain name and they are the customer, too.) A retail registrar may want to weigh in about how many domains their customers may have. -- Reg Levy | Associate General Counsel – Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter UTC -7
Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org
participants (11)
- Brian F. Cimbolic
- Ching Chiao
- Eberhard W Lisse
- farzaneh badii
- Gabriel Andrews
- Michaela Nakayama Shapiro
- Naoum MENGOUDIS
- Paul McGrady
- Reg Levy
- trachtenbergm@gtlaw.com
- Volker Greimann