SME, weighing in (fork)
I’d like to respond to Ching’s request for data:
It would be very helpful if the SMEs (such as NetBeason or NetCraft) & the Registrars could kindly share the following information (i.e. as required by by RAA <https://itp.cdn.icann.org/en/files/accredited-registrars/registrar-accredita...> 3.18.4) which will help ascertain to the level of effort that will actually be needed to conduct ADC: Number of complaints received in 2025 Number of complaints that were valid Number of complaints that were actioned
I would submit that the number of complaints received by reporters is less relevant than those received by registrars, since we are the ones acting (and upon whom the onus of the new policy or best practices will fall). I’d also like to note that we are required to maintain records but not create them; what follows should not be understood to be readily available to any registrar and is only available to me because of an unrelated internal project. In 2025, IANA 69, one of the four registrars my team manages, received just under 100k abuse complaints marked as “phishing” through our online forms. Note that this does not include any other type of DNS Abuse or other abuse and does not include phishing reported through different means. Fewer than 10,000 were legitimate phishing complaints. We have to sift through 90% chaff to even get to the phishing reports—and that doesn’t look at the validity of the reports in the first place. ────────────────────────────┼───────── │ Category │ Tickets │ ├────────────────────────────┼─────────┤ │ TOTAL │ 98,212 │ ├────────────────────────────┼─────────┤ │ Noise │ 39,267 │ ├────────────────────────────┼─────────┤ │ Legitimate (all others) │ 58,945 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ MISROUTED REQUESTS │ 12,298 │ ├────────────────────────────┼─────────┤ │ Support request │ 6.142 │ ├────────────────────────────┼─────────┤ │ Sales inquiry │ 3,133 │ ├────────────────────────────┼─────────┤ │ Technical support │ 1,569 │ ├────────────────────────────┼─────────┤ │ Complaint, all other │ 1,454 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ DOMAIN DISPUTES │ 13,609 │ ├────────────────────────────┼─────────┤ │ Domain ownership │ 6,120 │ ├────────────────────────────┼─────────┤ │ Registry compliance │ 4,243 │ ├────────────────────────────┼─────────┤ │ UDRP │ 1,828 │ ├────────────────────────────┼─────────┤ │ Whois issues │ 841 │ ├────────────────────────────┼─────────┤ │ Whois inaccuracy │ 577 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ CONTENT CONCERNS │ 15,062 │ ├────────────────────────────┼─────────┤ │ Hosting (non-DMCA) │ 7,833 │ ├────────────────────────────┼─────────┤ │ DMCA │ 3,888 │ ├────────────────────────────┼─────────┤ │ Law enforcement │ 3,341 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ Phishing │ 8,291 │ ────────────────────────────┴───────── I hope this is helpful context for the conversation. Servus, Reg -- Reg Levy | Associate General Counsel – Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter UTC -7
Regarding those numbers, can we see how many of the phising reports that you acted upon turned out to be associated? i.e. the domains belonging to the same customer. This way we could have an idea as to how much work the ADC would spare you (because you would not had received these additional reports if you actioned on all domains proactively). thanks. Naoum ΜΕΓΓΟΥΔΗΣ Ναούμ Αστυνόμος Α' Διεύθυνση Δίωξης Κυβερνοεγκλήματος Τμήμα Διαδικτυακής Προστασίας Ανηλίκων Λ. Αλεξάνδρας 173, 115 22, Αθήνα<https://www.google.com/maps/place/%CE%94%CE%B9%CE%B5%CF%8D%CE%B8%CF%85%CE%BD...> MENGOUDIS Naoum Police Major Cyber Crime Directorate Online Child Protection Department Alexandras Avenue 173, 115 22, Athens<https://www.google.com/maps/place/%CE%94%CE%B9%CE%B5%CF%8D%CE%B8%CF%85%CE%BD...> T: (+30) 2106476475 E: n.mengoudis@cybercrimeunit.gov.gr<mailto:n.mengoudis@cybercrimeunit.gr> ------------------- Email Disclaimer This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. Think green before printing ________________________________ From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Friday, April 3, 2026 22:10 To: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] SME, weighing in (fork) I’d like to respond to Ching’s request for data: It would be very helpful if the SMEs (such as NetBeason or NetCraft) & the Registrars could kindly share the following information (i.e. as required by by RAA<https://itp.cdn.icann.org/en/files/accredited-registrars/registrar-accredita...> 3.18.4) which will help ascertain to the level of effort that will actually be needed to conduct ADC: * Number of complaints received in 2025 * Number of complaints that were valid * Number of complaints that were actioned I would submit that the number of complaints received by reporters is less relevant than those received by registrars, since we are the ones acting (and upon whom the onus of the new policy or best practices will fall). I’d also like to note that we are required to maintain records but not create them; what follows should not be understood to be readily available to any registrar and is only available to me because of an unrelated internal project. In 2025, IANA 69, one of the four registrars my team manages, received just under 100k abuse complaints marked as “phishing” through our online forms. Note that this does not include any other type of DNS Abuse or other abuse and does not include phishing reported through different means. Fewer than 10,000 were legitimate phishing complaints. We have to sift through 90% chaff to even get to the phishing reports—and that doesn’t look at the validity of the reports in the first place. ────────────────────────────┼───────── │ Category │ Tickets │ ├────────────────────────────┼─────────┤ │ TOTAL │ 98,212 │ ├────────────────────────────┼─────────┤ │ Noise │ 39,267 │ ├────────────────────────────┼─────────┤ │ Legitimate (all others) │ 58,945 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ MISROUTED REQUESTS │ 12,298 │ ├────────────────────────────┼─────────┤ │ Support request │ 6.142 │ ├────────────────────────────┼─────────┤ │ Sales inquiry │ 3,133 │ ├────────────────────────────┼─────────┤ │ Technical support │ 1,569 │ ├────────────────────────────┼─────────┤ │ Complaint, all other │ 1,454 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ DOMAIN DISPUTES │ 13,609 │ ├────────────────────────────┼─────────┤ │ Domain ownership │ 6,120 │ ├────────────────────────────┼─────────┤ │ Registry compliance │ 4,243 │ ├────────────────────────────┼─────────┤ │ UDRP │ 1,828 │ ├────────────────────────────┼─────────┤ │ Whois issues │ 841 │ ├────────────────────────────┼─────────┤ │ Whois inaccuracy │ 577 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ CONTENT CONCERNS │ 15,062 │ ├────────────────────────────┼─────────┤ │ Hosting (non-DMCA) │ 7,833 │ ├────────────────────────────┼─────────┤ │ DMCA │ 3,888 │ ├────────────────────────────┼─────────┤ │ Law enforcement │ 3,341 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ Phishing │ 8,291 │ ────────────────────────────┴───────── I hope this is helpful context for the conversation. Servus, Reg -- Reg Levy | Associate General Counsel – Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter UTC -7
Naoum, this is a GREAT idea. Perhaps we can refine it a little? If any Registrar is currently doing or has the technical capacity of doing it, can they run the ADC on the Registered Names found to be abusive ie having attracted Mitigation? I.e. weed out the false positive reports. Such an exercise could provide insight into the actual size of the problem. Reg, are you currently in a position to assess or estimate abusive associated domain nanes for the numbers you showed, ie after removing false positive? greetings, el -- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) el@lisse.NA / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply On Apr 4, 2026 at 10:14 +0200, Naoum MENGOUDIS via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>, wrote:
Regarding those numbers, can we see how many of the phising reports that you acted upon turned out to be associated? i.e. the domains belonging to the same customer.
This way we could have an idea as to how much work the ADC would spare you (because you would not had received these additional reports if you actioned on all domains proactively).
thanks.
Naoum […]
Reg, great idea. Happy to contribute our data. Over the 2025 period, Netcraft submitted 261,995 confirmed domains involved in Phishing activity to registrars and registries across the domain industry. This figure does not include the reports that were not valid. Of this figure, the vast majority has been actioned with only 0.34% outstanding. I'd be happy to provide further examples or data as needed, including specific domain examples and or how Netcraft operate, similar to previous SME presentations. Kind Regards, [The Netcraft Logo]<https://www.netcraft.com/> Luke Wood Global Infrastructure Partnerships Lead LinkedIn: https://www.linkedin.com/in/luke-wood-netcraft/ Book time with Luke Wood: Service Provider Call - 30 Minutes <https://outlook.office.com/bookwithme/user/b701e911aa6a4c09ab9eb508968dd261@...> +44 (0) 1225 447500 | www.netcraft.com<https://www.netcraft.com/> From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: 03 April 2026 20:10 To: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] SME, weighing in (fork) I'd like to respond to Ching's request for data: It would be very helpful if the SMEs (such as NetBeason or NetCraft) & the Registrars could kindly share the following information (i.e. as required by by RAA<https://itp.cdn.icann.org/en/files/accredited-registrars/registrar-accredita...> 3.18.4) which will help ascertain to the level of effort that will actually be needed to conduct ADC: o Number of complaints received in 2025 o Number of complaints that were valid o Number of complaints that were actioned I would submit that the number of complaints received by reporters is less relevant than those received by registrars, since we are the ones acting (and upon whom the onus of the new policy or best practices will fall). I'd also like to note that we are required to maintain records but not create them; what follows should not be understood to be readily available to any registrar and is only available to me because of an unrelated internal project. In 2025, IANA 69, one of the four registrars my team manages, received just under 100k abuse complaints marked as "phishing" through our online forms. Note that this does not include any other type of DNS Abuse or other abuse and does not include phishing reported through different means. Fewer than 10,000 were legitimate phishing complaints. We have to sift through 90% chaff to even get to the phishing reports-and that doesn't look at the validity of the reports in the first place. ────────────────────────────┼───────── │ Category │ Tickets │ ├────────────────────────────┼─────────┤ │ TOTAL │ 98,212 │ ├────────────────────────────┼─────────┤ │ Noise │ 39,267 │ ├────────────────────────────┼─────────┤ │ Legitimate (all others) │ 58,945 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ MISROUTED REQUESTS │ 12,298 │ ├────────────────────────────┼─────────┤ │ Support request │ 6.142 │ ├────────────────────────────┼─────────┤ │ Sales inquiry │ 3,133 │ ├────────────────────────────┼─────────┤ │ Technical support │ 1,569 │ ├────────────────────────────┼─────────┤ │ Complaint, all other │ 1,454 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ DOMAIN DISPUTES │ 13,609 │ ├────────────────────────────┼─────────┤ │ Domain ownership │ 6,120 │ ├────────────────────────────┼─────────┤ │ Registry compliance │ 4,243 │ ├────────────────────────────┼─────────┤ │ UDRP │ 1,828 │ ├────────────────────────────┼─────────┤ │ Whois issues │ 841 │ ├────────────────────────────┼─────────┤ │ Whois inaccuracy │ 577 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ CONTENT CONCERNS │ 15,062 │ ├────────────────────────────┼─────────┤ │ Hosting (non-DMCA) │ 7,833 │ ├────────────────────────────┼─────────┤ │ DMCA │ 3,888 │ ├────────────────────────────┼─────────┤ │ Law enforcement │ 3,341 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ Phishing │ 8,291 │ ────────────────────────────┴───────── I hope this is helpful context for the conversation. Servus, Reg -- Reg Levy | Associate General Counsel - Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter UTC -7
Luke it would be VERY interesting to see how your (Netcraft's) confirmed reporting to Reg's Registrar fares, in terms of their own determination wrt false and true positives. If the following is out of scope, feel free to email the ccNSO TechWg open list (reading in copy) directly: Can you share insight into your confirmation and reporting methodology? For example is there a parseable format, or do you send more or less free form (if automated) text emails? And to whom? Do you do any ADC yourselves after confirmation? Would you be willing to do 20 minutes at a TechDay? For example in Seville? F2F or remote. el -- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) el@lisse.NA / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply On Apr 6, 2026 at 12:49 +0200, Luke Wood via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>, wrote:
Reg, great idea.
Happy to contribute our data.
Over the 2025 period, Netcraft submitted 261,995 confirmed domains involved in Phishing activity to registrars and registries across the domain industry. This figure does not include the reports that were not valid. Of this figure, the vast majority has been actioned with only 0.34% outstanding. I’d be happy to provide further examples or data as needed, including specific domain examples and or how Netcraft operate, similar to previous SME presentations.
Kind Regards, Luke Wood
[…]
All— I think we’re getting a bit into the weeds, here. I have provided the full amount of the information that I have—Naoum’s and Eberhard’s questions are reasonable questions but don’t have a whole lot of bearing on our actual remit, here. Similarly, I don’t think it’s reasonable to ask Netcraft to call out specific registrars. I shared to provide a sense of the volume we’re working with—and the relationship between that volume to actual reports. Servus, Reg -- Reg Levy | Associate General Counsel – Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter UTC -7
On Apr 6, 2026, at 06:35, Eberhard W Lisse via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote:
Luke
it would be VERY interesting to see how your (Netcraft's) confirmed reporting to Reg's Registrar fares, in terms of their own determination wrt false and true positives.
If the following is out of scope, feel free to email the ccNSO TechWg open list (reading in copy) directly:
Can you share insight into your confirmation and reporting methodology?
For example is there a parseable format, or do you send more or less free form (if automated) text emails? And to whom?
Do you do any ADC yourselves after confirmation?
Would you be willing to do 20 minutes at a TechDay? For example in Seville? F2F or remote.
el
-- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) el@lisse.NA <mailto:el@lisse.NA> / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply On Apr 6, 2026 at 12:49 +0200, Luke Wood via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org <mailto:gnso-dnsabuse-pdp@icann.org>>, wrote:
Reg, great idea.
Happy to contribute our data.
Over the 2025 period, Netcraft submitted 261,995 confirmed domains involved in Phishing activity to registrars and registries across the domain industry. This figure does not include the reports that were not valid. Of this figure, the vast majority has been actioned with only 0.34% outstanding. I’d be happy to provide further examples or data as needed, including specific domain examples and or how Netcraft operate, similar to previous SME presentations.
Kind Regards,
<image001.png> <https://www.netcraft.com/> Luke Wood
[…]
Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org <mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org <mailto:gnso-dnsabuse-pdp-leave@icann.org>
Reg, I was thinking about how to anonymize this, before posting, as the point is not to out a Registrar (nor even these self appointed reporters) but to gain more sense how big the problem actually is. How much do you estimate are your Registrar's cost per reported Registered Name, and how much would an ADC add to that? Data Driven Decision Making and all. el -- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) el@lisse.NA / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply On Apr 6, 2026 at 19:38 +0200, Reg Levy via CCNSO-TechDay <ccnso-techday@icann.org>, wrote:
All—
I think we’re getting a bit into the weeds, here. I have provided the full amount of the information that I have—Naoum’s and Eberhard’s questions are reasonable questions but don’t have a whole lot of bearing on our actual remit, here. Similarly, I don’t think it’s reasonable to ask Netcraft to call out specific registrars. I shared to provide a sense of the volume we’re working with—and the relationship between that volume to actual reports.
Servus, Reg
[…]
Hi Luke, Does the number of domain names represent maliciously registered domain names only or all domain names involved in phishing including compromised domain names? Best, Thomas ________________________________ Von: Luke Wood via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Gesendet: Montag, April 6, 2026 12:49 An: Reg Levy <rlevy@tucows.com>; Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Betreff: [Gnso-dnsabuse-pdp] Re: SME, weighing in (fork) Reg, great idea. Happy to contribute our data. Over the 2025 period, Netcraft submitted 261,995 confirmed domains involved in Phishing activity to registrars and registries across the domain industry. This figure does not include the reports that were not valid. Of this figure, the vast majority has been actioned with only 0.34% outstanding. I’d be happy to provide further examples or data as needed, including specific domain examples and or how Netcraft operate, similar to previous SME presentations. Kind Regards, [The Netcraft Logo]<https://www.netcraft.com/> Luke Wood Global Infrastructure Partnerships Lead LinkedIn: https://www.linkedin.com/in/luke-wood-netcraft/ Book time with Luke Wood: Service Provider Call - 30 Minutes<https://outlook.office.com/bookwithme/user/b701e911aa6a4c09ab9eb508968dd261@...> +44 (0) 1225 447500 | www.netcraft.com<https://www.netcraft.com/> From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: 03 April 2026 20:10 To: Feodora Hamza via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] SME, weighing in (fork) I’d like to respond to Ching’s request for data: It would be very helpful if the SMEs (such as NetBeason or NetCraft) & the Registrars could kindly share the following information (i.e. as required by by RAA<https://itp.cdn.icann.org/en/files/accredited-registrars/registrar-accredita...> 3.18.4) which will help ascertain to the level of effort that will actually be needed to conduct ADC: o Number of complaints received in 2025 o Number of complaints that were valid o Number of complaints that were actioned I would submit that the number of complaints received by reporters is less relevant than those received by registrars, since we are the ones acting (and upon whom the onus of the new policy or best practices will fall). I’d also like to note that we are required to maintain records but not create them; what follows should not be understood to be readily available to any registrar and is only available to me because of an unrelated internal project. In 2025, IANA 69, one of the four registrars my team manages, received just under 100k abuse complaints marked as “phishing” through our online forms. Note that this does not include any other type of DNS Abuse or other abuse and does not include phishing reported through different means. Fewer than 10,000 were legitimate phishing complaints. We have to sift through 90% chaff to even get to the phishing reports—and that doesn’t look at the validity of the reports in the first place. ────────────────────────────┼───────── │ Category │ Tickets │ ├────────────────────────────┼─────────┤ │ TOTAL │ 98,212 │ ├────────────────────────────┼─────────┤ │ Noise │ 39,267 │ ├────────────────────────────┼─────────┤ │ Legitimate (all others) │ 58,945 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ MISROUTED REQUESTS │ 12,298 │ ├────────────────────────────┼─────────┤ │ Support request │ 6.142 │ ├────────────────────────────┼─────────┤ │ Sales inquiry │ 3,133 │ ├────────────────────────────┼─────────┤ │ Technical support │ 1,569 │ ├────────────────────────────┼─────────┤ │ Complaint, all other │ 1,454 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ DOMAIN DISPUTES │ 13,609 │ ├────────────────────────────┼─────────┤ │ Domain ownership │ 6,120 │ ├────────────────────────────┼─────────┤ │ Registry compliance │ 4,243 │ ├────────────────────────────┼─────────┤ │ UDRP │ 1,828 │ ├────────────────────────────┼─────────┤ │ Whois issues │ 841 │ ├────────────────────────────┼─────────┤ │ Whois inaccuracy │ 577 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ CONTENT CONCERNS │ 15,062 │ ├────────────────────────────┼─────────┤ │ Hosting (non-DMCA) │ 7,833 │ ├────────────────────────────┼─────────┤ │ DMCA │ 3,888 │ ├────────────────────────────┼─────────┤ │ Law enforcement │ 3,341 │ ├────────────────────────────┼─────────┤ ├────────────────────────────┼─────────┤ │ Phishing │ 8,291 │ ────────────────────────────┴───────── I hope this is helpful context for the conversation. Servus, Reg -- Reg Levy | Associate General Counsel – Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter UTC -7
participants (5)
-
Eberhard W Lisse -
Luke Wood -
Naoum MENGOUDIS -
Reg Levy -
Thomas Rickert | rickert.law