All—

As noted in the chat in the session today, this is the straw proposal a number of us have been working on for the last few days and we’d love additional input:

When a registrar takes action under Section 3.18 of the Registrar Accreditation Agreement, the registrar shall promptly review other domains that are reasonably associated with that domain when there are clear indicators that other domains registered by the same customer may be involved in the same abusive activity, using information reasonably available to the registrar at the time of review, and take action against those domains where appropriate.

Servus,
Reg

--
Reg Levy | Associate General Counsel – Domains
+1 (323) 880-0831
Tucows #MakingTheInternetBetter
UTC +5:30
Thanks Reg

Anil Kumar Jain

On Mon, 9 Mar 2026 at 15:49, Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote: [...]
Thanks Reg. I appreciate the starting point. Staff will put this into a Google Doc with commenting turned on, so that we don’t trigger an email avalanche.

Best,
Paul

Paul McGrady
Partner
Elster & McGrady
434 Houston St, Suite 261
Nashville, TN 37203

3847 N. Lincoln Avenue
Second Floor
Chicago, IL 60613

Office Direct: +1 (312) 515-4422
paul@elstermcgrady.com
www.elstermcgrady.com

From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: Monday, March 9, 2026 3:49 PM
To: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Straw Proposal

[...]
Paul,

just for record keeping purposes, is that Open Source?

I have some technical issues and would like this

When a registrar takes action under Section 3.18 of the Registrar Accreditation Agreement, the registrar shall promptly review other domains that are reasonably associated with that domain when there are clear indicators that other domains registered by the same customer may be involved in the same abusive activity, using information reasonably available to the registrar at the time of review, and take action against those domains where appropriate.

to read (as a base of departure, without making substantive changes or even commenting on content)

When a registrar takes action under Section 3.18 of the Registrar Accreditation Agreement, the registrar shall promptly review other Registered Names that are reasonably associated with that Registered Name Holder when there are clear indicators that other Registered Names registered by the same Registered Name Holder may be involved in the same abusive activity, using information reasonably available to the registrar at the time of review, and take action against those Registered Name Holder where appropriate.

I believe Terminology is important.

I have shortened the below in order to assist with brevity.

On 2026-03-09 16:37, Paul McGrady via Gnso-dnsabuse-pdp wrote:
Thanks Reg. I appreciate the starting point. Staff will put this into a Google Doc with commenting turned on, so that we don’t trigger an email avalanche.
Best,
Paul [...]
--
Eberhard W. Lisse, Obstetrician & Gynaecologist (retired)
el@lisse.NA | Telephone: +264 81 124 6733 (cell)
PO Box 8421 Bachbrecht, 10007, Namibia
If this email is signed with GPG/PGP, Sect 20 of Act No. 4 of 2019 may apply
Thanks. The text that Reg provided, as revised by Staff and me to capture some additional concepts we discussed, will end up in a Google doc at which time the WG will be able to suggest changes. Please keep an eye out for that and make your suggestions in that document.

Regards,
Paul

Paul McGrady
Partner
Elster & McGrady

-----Original Message-----
From: Eberhard W Lisse via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: Monday, March 9, 2026 5:40 PM
To: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Cc: directors@omadhina.ie
Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal

[...]
Actually, that is not a good and/or transparent work method and requires tools which are not Open Source and collect user data.

It is easy enough to set filters so all correspondence lands in a special folder.

I think it is better for a scribe (can be staff, or a consultant, like Bernard Turcotte who did that for the two ccPDPs and other WGs), to own the document and circulate redlined and clean PDFs; the revisions thereof are then discussed on the calls. Anything not minor should be read twice.

That makes sure anyone who misses a call can continue to participate meaningfully.

el

--
Dr. Eberhard W. Lisse

On Mar 20, 2026 at 03:00 -0400, anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>, wrote:
Dear Paul,

I fully agree with you. It is advisable that we may use Google Doc instead of a series of emails. Finally we may discuss issues in regular calls.

Anil
On 9 Mar 2026, at 16:37, Paul McGrady via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote: [...]
Hi all -

First, thank you all for some great sessions to kick this work off in Mumbai. I thought we already made a lot of progress in our first working session.

In advance of Monday’s call, I wanted to float a slightly modified version of the Strawman that Reg (very helpfully!) provided below. I provide a clean version, as well as a screenshot of Redlines so we can all see exactly what I’m proposing we change.

Summary of proposed tweaks:

* The actual obligation to mitigate DNS Abuse in the RAA is found in 3.18.2, rather than the broader 3.18, which includes other unrelated provisions. Tightening that subsection reference should make it clearer where an Associated Domain Check comes into play.
* I tried to harmonize the language from Reg’s version with the terms and definitions set forth in the RAA already. So rather than “domains,” it’s “Registered Name” (again, simply to match the RAA defined terms). 3.18.2 also references “mitigation action(s)” so I incorporated that verbiage rather than the more generic “action.”
* 3.18.2 already requires that Registrars take mitigation action(s) when they have actionable evidence of DNS Abuse. If the Associated Domain Check is fruitful and the Registrar finds such actionable evidence of abuse, it is similarly obligated to take mitigation action(s). So, I suggest striking the “and take action against those domains where appropriate” as redundant.

REDLINE:

[Screenshot 2026-03-18 at 4.09.42 PM.png]

CLEAN:

When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review.

Looking forward to the call on Monday. Please let me know if you have any questions.

Thanks,
Brian

Brian Cimbolic | Chief Legal and Policy Officer
brian@pir.org | www.thenew.org

From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Date: Monday, March 9, 2026 at 6:19 AM
To: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Straw Proposal

[...]
The technical changes (domain -> Registered Name and the like) are in line with what I suggested previously and make sense.

Since we are developing Policy and not writing the actual RAA, I would suggest we leave the (or include a) requirement to take action, which makes it clearer.

That said, would it not be better to work off the Charter Questions first?

On a technical point, please do not email images, because they are difficult to include in replies.

el

On 2026-03-18 15:14, Brian F. Cimbolic via Gnso-dnsabuse-pdp wrote: [...]
In advance of Monday’s call, I wanted to float a slightly modified version of the Strawman that Reg (very helpfully!) provided below. I provide a clean version, as well as a screenshot of Redlines so we can all see exactly what I’m proposing we change.
*Summary of proposed tweaks*:
* The actual obligation to mitigate DNS Abuse in the RAA is found in 3.18.*_2_*, rather than the broader 3.18, which includes other unrelated provisions. Tightening that subsection reference should make it clearer where an Associated Domain Check comes into play.
* I tried to harmonize the language from Reg’s version with the terms and definitions set forth in the RAA already. So rather than “domains,” it’s “Registered Name” (again, simply to match the RAA defined terms). 3.18.2 also references “mitigation action(s)” so I incorporated that verbiage rather than the more generic “action.”
* 3.18.2 already requires that Registrars take mitigation action(s) when they have actionable evidence of DNS Abuse. If the Associated Domain Check is fruitful and the Registrar finds such actionable evidence of abuse, it is similarly obligated to take mitigation action(s). So, I suggest striking the “and take action against those domains where appropriate” as redundant.

[...]

*CLEAN*:

When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review.

[...]
--
Eberhard W. Lisse
Thanks EL. We made our way through Charter Q1 in Mumbai so we are ideating over Strawperson 1 whilst moving on to discussing Charter Q2.

Best,
Paul

Paul McGrady
Partner
Elster & McGrady

-----Original Message-----
From: Eberhard W Lisse via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: Wednesday, March 18, 2026 5:35 PM
To: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal

[...]
Brian,

Thanks for your work on this and reasoned approach. I agree that section 3.18.2 is the relevant section but think that the obligation to conduct the associated domain name check should actually be triggered when the Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, not when mitigation starts as what is appropriate mitigation may depend on what is found in the associated domain check. My proposed adjustments to your language below

REDLINE

When a rRegistrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement, has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, the registrar shall promptly review take reasonable steps to identify other reasonably associated Registered Name(s) sponsored by Registrar (“Associated Registered Names”). If the Registrar identifies Associated Registered Names, it will promptly take reasonable steps to determine investigate whether any of the Associated Registered Names are being used for such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the rRegistrar at the time of review. If the Registrar’s investigation results in actionable evidence that any of the Associated Registered Names are being used for DNS Abuse, then Registrar shall promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, such Associated Registered Names from being used for DNS Abuse pursuant to Section 3.18.2.

CLEAN

When a Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, the registrar shall promptly take reasonable steps to identify other associated Registered Name(s) sponsored by Registrar (“Associated Registered Names”). If the Registrar identifies Associated Registered Names, it will promptly take reasonable steps to investigate whether any of the Associated Registered Names are being used for DNS Abuse using information reasonably available to the Registrar at the time of review. If the Registrar’s investigation results in actionable evidence that any of the Associated Registered Names are being used for DNS Abuse, then Registrar shall promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, such Associated Registered Names from being used for DNS Abuse pursuant to Section 3.18.2.

Best regards,

Marc H. Trachtenberg
Shareholder
Chair, Internet, Domain Name, e-Commerce and Social Media Practice
Greenberg Traurig, LLP

Aspen
411 E. Main Street
Suite 207 | Aspen, CO 81611
T +1.970.300.5313
M +1.773.677.3305

Chicago
360 North Green Street
Suite 1300 | Chicago, IL 60607
T +1.312.456.1020
M +1.773.677.3305

trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com | View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h>

From: Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: Wednesday, March 18, 2026 4:14 PM
To: Reg Levy <rlevy@tucows.com>; anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal

[...]
Thanks Marc. Same comments as I made to Brian. Stay tuned for Strawperson No.1 in a Google doc which I hope we will have for you soon where you can add these comments. Email is going to be impractical for our group our size. [cid:image001.png@01DCB75A.EDAC8B80] Paul McGrady Partner Elster & McGrady 434 Houston St, Suite 261 Nashville, TN 37203 3847 N. Lincoln Avenue Second Floor Chicago, IL 60613 Office Direct: +1 (312) 515-4422 paul@elstermcgrady.com<mailto:paul@elstermcgrady.com> www.elstermcgrady.com<http://www.elstermcgrady.com/> From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Wednesday, March 18, 2026 6:34 PM To: brian@pir.org; rlevy@tucows.com; gnso-dnsabuse-pdp@icann.org Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal Brian, Thanks for your work on this and reasoned approach. I agree that section 3.18.2 is the relevant section but think that the obligation to conduct the associated domain name check should actually be triggered when the Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, not when mitigation starts as what is appropriate mitigation may depend on what is found in the associated domain check. My proposed adjustments to your language below REDLINE When a rRegistrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement, has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, the registrar shall promptly review take reasonable steps to identify other reasonably associated Registered Name(s) sponsored by Registrar (“Associated Registered Names”). If the Registrar identifies Associated Registered Names, it will promptly take reasonable steps to determine investigate whether any of the Associated Registered Names are being used for such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the rRegistrar at the time of review. 
If the Registrar’s investigation results in actionable evidence that any of the Associated Registered Names are being used for DNS Abuse, then Registrar shall promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, such Associated Registered Names from being used for DNS Abuse pursuant to Section 3.18.2.
CLEAN
When a Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, the registrar shall promptly take reasonable steps to identify other associated Registered Name(s) sponsored by Registrar (“Associated Registered Names”). If the Registrar identifies Associated Registered Names, it will promptly take reasonable steps to investigate whether any of the Associated Registered Names are being used for DNS Abuse using information reasonably available to the Registrar at the time of review. If the Registrar’s investigation results in actionable evidence that any of the Associated Registered Names are being used for DNS Abuse, then Registrar shall promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, such Associated Registered Names from being used for DNS Abuse pursuant to Section 3.18.2.
Best regards,
Marc H. Trachtenberg
Shareholder
Chair, Internet, Domain Name, e-Commerce and Social Media Practice
Greenberg Traurig, LLP
Aspen: 411 E. Main Street, Suite 207 | Aspen, CO 81611 | T +1.970.300.5313 | M +1.773.677.3305
Chicago: 360 North Green Street, Suite 1300 | Chicago, IL 60607 | T +1.312.456.1020 | M +1.773.677.3305
trachtenbergm@gtlaw.com | www.gtlaw.com | View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h>

From: Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: Wednesday, March 18, 2026 4:14 PM
To: Reg Levy <rlevy@tucows.com>; anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal
Hi all - First, thank you all for some great sessions to kick this work off in Mumbai. I thought we already made a lot of progress in our first working session.
In advance of Monday’s call, I wanted to float a slightly modified version of the Strawman that Reg (very helpfully!) provided below. I provide a clean version, as well as a screenshot of Redlines so we can all see exactly what I’m proposing we change.
Summary of proposed tweaks:
* The actual obligation to mitigate DNS Abuse in the RAA is found in 3.18.2, rather than the broader 3.18, which includes other unrelated provisions. Tightening that subsection reference should make it clearer where an Associated Domain Check comes into play.
* I tried to harmonize the language from Reg’s version with the terms and definitions set forth in the RAA already. So rather than “domains,” it’s “Registered Name” (again, simply to match the RAA defined terms). 3.18.2 also references “mitigation action(s)” so I incorporated that verbiage rather than the more generic “action.”
* 3.18.2 already requires that Registrars take mitigation action(s) when they have actionable evidence of DNS Abuse. If the Associated Domain Check is fruitful and the Registrar finds such actionable evidence of abuse, it is similarly obligated to take mitigation action(s). So, I suggest striking the “and take action against those domains where appropriate” as redundant.
REDLINE: [Screenshot 2026-03-18 at 4.09.42 PM.png]
CLEAN: When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review.
Looking forward to the call on Monday. Please let me know if you have any questions.
Thanks,
Brian
Brian Cimbolic | Chief Legal and Policy Officer
brian@pir.org | www.thenew.org | Power your inspiration. Connect your world.
Confidentiality Note: Proprietary and confidential to Public Interest Registry. If received in error, please inform sender and then delete.
Hi Brian,
removing any requirement of there being any reasonable indication of there actually being further domains to look for is unreasonable and will ultimately achieve the opposite of our goal:
Instead of taking a targeted approach to likely occurrences of DNS abuse, this new language would require Registrars to go on wild goose chases for potentially existing affiliated domain names. So instead of actioning multiple abuse tickets received by a registrar, the abuse desk has to spend time doing a victory lap each time we take action on one ticket, greatly reducing the capacity to timely act upon incoming reports.
There must be an element in the ADC requirement that only triggers the requirement to do an ADC when it can be reasonably assumed that such ADs exist, instead of triggering the ADC every time an action is taken. This would be a gift to threat actors as it would force us to spend time engaging in Kabuki theatre rather than actioning actual reports of abuse.
Also, I am missing any hint of a suggestion of what Registries might be able to contribute. If we look at this solely from an individual registrar's perspective, we will not achieve anything. We are already seeing many abuse campaigns that span across multiple registrars and that can be detected on a registry level.
Sincerely,
Volker Greimann
General Counsel & Head of Policy and Compliance - Online Division
volker.greimann@centralnic.com
Office: +49-172-6367025
Web: www.teaminternet.com
Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358.
Volker, Marc—
Thanks for your quick review! I agree something along the lines of “where a reasonable indication exists” is necessary. I think Marc’s edits restated what Brian said just using more words (and I prefer succinctity for clarity) except for adding in an immediacy (“When a Registrar has actionable evidence”) that is both unwarranted and unreasonable.
Perhaps:
When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement and reasonably believes there may be other Registered Names associated to the Registered Name, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review.
/R
-- Reg Levy | Associate General Counsel – Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter
UTC -7
But how would a registrar reasonably believe that there may be other Registered Names associated to the Registered Name without the obligation to conduct an investigation? It would seem that for this to be meaningful there must be both a trigger (i.e., at least one domain name where there is actionable evidence of DNS abuse) and then the obligation (i.e., to conduct a review or investigation to see if there are other associated domains).
Best regards,
Marc H. Trachtenberg
Shareholder
Chair, Internet, Domain Name, e-Commerce and Social Media Practice
Greenberg Traurig, LLP
Hi Marc,
I am glad you asked because they touch upon actual abuse mitigation experience. Such belief can and does arise from multiple sources. For example, the complainant could have reported 2+ domains in their report. Similarly, we could have received multiple different reports from 2+ reporters that show the abuse mitigation agent that there is a pattern to these reported registrations even if the reporter may not be aware of them.
In some cases, we also conduct such checks based on single reports with only one domain if the naming pattern of that domain could reasonably indicate that more such domains exist. For example, the domain phishinglove-singapore.[tld] may indicate that other similarly named domains like lovephish-sydney.[tld] or similar could be found in the same account. Similarly, the domain carding02.[tld] often leads to similar domains using the same string with a different number attached.
Sometimes it is a question of "know your customer". Some resellers may have a different track record than others when it comes to the customers that abuse their services.
In short, there are many different indicators (that will likely need to be adjusted over time) for a registrar to develop a reasonable belief that an ADC may be an effort worth the while it takes to complete it. But the point is that an ADC will take extra time and effort and if we are forced to conduct one for every single domain where an action was warranted, it will slow our response times, leave bad domains online longer than necessary and give threat actors an easier time. I feel that our job should be to make it harder for threat actors, not easier.
Sincerely,
Volker Greimann
General Counsel & Head of Policy and Compliance - Online Division
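The indicators Volker lists in the message above (a report naming 2+ domains, reports from 2+ reporters, a naming pattern, a reseller's track record) can be written as a pre-check that decides whether an Associated Domain Check is worth running. This is an added example, not part of the thread or any registrar's tooling; the function names, the 5-character substring threshold, the reseller threshold of 3 and the `.example` domains are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

MIN_SHARED = 5          # assumed: shortest shared substring that counts as a naming pattern
RESELLER_THRESHOLD = 3  # assumed: prior mitigation actions that mark a reseller as higher risk


@dataclass(frozen=True)
class Report:
    reporter: str
    domains: tuple  # domain names listed in one abuse report


def first_label(domain):
    """Lower-cased leftmost label: 'Carding02.example' -> 'carding02'."""
    return domain.lower().split(".")[0]


def naming_match(actioned, other):
    """Return why `other` looks related to `actioned` by name, or None."""
    if actioned.lower() == other.lower():
        return None
    a, b = first_label(actioned), first_label(other)
    if a == b:
        return "same-label:" + a
    # Same string with a different trailing number (the carding02 case).
    stem_a, stem_b = re.sub(r"\d+$", "", a), re.sub(r"\d+$", "", b)
    if len(stem_a) >= 3 and stem_a == stem_b:
        return "numbered-series:" + stem_a
    # Reordered or recombined keywords (the phishinglove / lovephish case).
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b))
    if m.size >= MIN_SHARED:
        return "shared-substring:" + a[m.a:m.a + m.size]
    return None


def adc_indicators(actioned, reports, account_domains, reseller_prior_actions=0):
    """Collect the indicators that support a reasonable belief that
    associated names exist. An empty dict means no indicator fired."""
    account = {d.lower() for d in account_domains}
    found = {}

    def hits(report):
        return {d.lower() for d in report.domains} & account

    # 1. A single report that already names 2+ domains in this account.
    multi = sorted({r.reporter for r in reports if len(hits(r)) >= 2})
    if multi:
        found["multi_domain_report"] = multi
    # 2. Separate reports from 2+ reporters touching the same account.
    reporters = sorted({r.reporter for r in reports if hits(r)})
    if len(reporters) >= 2:
        found["multiple_reporters"] = reporters
    # 3. Other names in the account that follow the actioned name's pattern.
    similar = {}
    for d in sorted(account):
        why = naming_match(actioned, d)
        if why:
            similar[d] = why
    if similar:
        found["naming_pattern"] = similar
    # 4. "Know your customer": the reseller's history of actioned names.
    if reseller_prior_actions >= RESELLER_THRESHOLD:
        found["reseller_track_record"] = reseller_prior_actions
    return found


def adc_warranted(actioned, reports, account_domains, reseller_prior_actions=0):
    return bool(adc_indicators(actioned, reports, account_domains,
                               reseller_prior_actions))


if __name__ == "__main__":
    # Constructed sample data, not taken from any real account.
    account = ["carding02.example", "carding07.example", "gardening-tips.example"]
    reports = [Report("reporter-a", ("carding02.example",))]
    print(adc_indicators("carding02.example", reports, account))
```

A result with no indicators lets the abuse desk close the ticket after the single mitigation action; any non-empty result names the candidate domains and the reason each was selected for review.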
Thanks Volker. I understand all of this. But for clarity are you saying that there should only be an obligation to conduct an ADC when the registrar already believes that there may be associated domains?

Best regards,
Marc H. Trachtenberg
Shareholder
Chair, Internet, Domain Name, e-Commerce and Social Media Practice
Greenberg Traurig, LLP
Aspen: 411 E. Main Street, Suite 207 | Aspen, CO 81611 | T +1.970.300.5313 | M +1.773.677.3305
Chicago: 360 North Green Street, Suite 1300 | Chicago, IL 60607 | T +1.312.456.1020 | M +1.773.677.3305
trachtenbergm@gtlaw.com | www.gtlaw.com

From: Volker Greimann <volker.greimann@centralnic.com>
Sent: Wednesday, March 18, 2026 8:25 PM
To: Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com>; rlevy@tucows.com
Cc: gnso-dnsabuse-pdp@icann.org; brian@pir.org
Subject: Re: [Gnso-dnsabuse-pdp] Re: Straw Proposal

Hi Marc,

I am glad you asked because they touch upon actual abuse mitigation experience. Such belief can and does arise from multiple sources. For example, the complainant could have reported 2+ domains in their report. Similarly, we could have received multiple different reports from 2+ reporters that show the abuse mitigation agent that there is a pattern to these reported registrations even if the reporter may not be aware of them.

In some cases, we also conduct such checks based on single reports with only one domain if the naming pattern of that domain could reasonably indicate that more such domains exist. For example, the domain phishinglove-singapore.[tld] may indicate that other similarly named domains like lovephish-sydney.[tld] or similar could be found in the same account. Similarly, the domain carding02.[tld] often leads to similar domains using the same string with a different number attached.

Sometimes it is a question of "know your customer". Some resellers may have a different track record than others when it comes to the customers that abuse their services.

In short, there are many different indicators (that will likely need to be adjusted over time) for a registrar to develop a reasonable belief that an ADC may be an effort worth the while it takes to complete it. But the point is that an ADC will take extra time and effort and if we are forced to conduct one for every single domain where an action was warranted, it will slow our response times, leave bad domains online longer than necessary and give threat actors an easier time. I feel that our job should be to make it harder for threat actors, not easier.

Sincerely,
Volker Greimann
General Counsel & Head of Policy and Compliance - Online Division
volker.greimann@centralnic.com | Office: +49-172-6367025 | Web: www.teaminternet.com
Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358.

From: trachtenbergm@gtlaw.com
Sent: 19 March 2026 2:09 AM
To: rlevy@tucows.com; Volker Greimann <volker.greimann@centralnic.com>
Cc: gnso-dnsabuse-pdp@icann.org; brian@pir.org
Subject: RE: [Gnso-dnsabuse-pdp] Re: Straw Proposal

But how would a registrar reasonably believe that there may be other Registered Names associated to the Registered Name without the obligation to conduct an investigation? It would seem that for this to be meaningful there must be both a trigger (i.e., at least one domain name where there is actionable evidence of DNS abuse) and then the obligation (i.e., to conduct a review or investigation to see if there are other associated domains).

Best regards,
Marc H. Trachtenberg

From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: Wednesday, March 18, 2026 8:02 PM
To: Volker Greimann <volker.greimann@centralnic.com>
Cc: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>; Brian F. Cimbolic <brian@pir.org>
Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal

Volker, Marc—

Thanks for your quick review! I agree something along the lines of “where a reasonable indication exists” is necessary. I think Marc’s edits restated what Brian said just using more words (and I prefer succintity for clarity) except for adding in an immediacy (“When a Registrar has actionable evidence”) that is both unwarranted and unreasonable.

Perhaps:

When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement and reasonably believes there may be other Registered Names associated to the Registered Name, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review.

/R
-- Reg Levy | Associate General Counsel – Domains | Tucows

On Mar 18, 2026, at 17:55, Volker Greimann <volker.greimann@centralnic.com> wrote:

Hi Brian,

removing any requirement of there being any reasonable indication of there actually being further domains to look for is unreasonable and will ultimately achieve the opposite of our goal: Instead of taking a targeted approach to likely occurrences of DNS abuse, this new language would require Registrars to go on wild goose chases for potentially existing affiliated domain names. So instead of actioning multiple abuse tickets received by a registrar, the abuse desk has to spend time doing a victory lap each time we take action on one ticket, greatly reducing the capacity to timely act upon incoming reports.

There must be an element in the ADC requirement that only triggers the requirement to do an ADC when it can be reasonably assumed that such ADs exist, instead of triggering the ADC every time an action is taken. This would be a gift to threat actors as it would force us to spend time engaging in Kabuki theatre rather than actioning actual reports of abuse.

Also, I am missing any hint of a suggestion of what Registries might be able to contribute. If we look at this solely from an individual registrar's perspective, we will not achieve anything. We are already seeing many abuse campaigns that span across multiple registrars and that can be detected on a registry level.

Sincerely,
Volker Greimann

From: Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Sent: 18 March 2026 10:14 PM
To: Reg Levy <rlevy@tucows.com>; anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>
Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal

Hi all -

First, thank you all for some great sessions to kick this work off in Mumbai. I thought we already made a lot of progress in our first working session. In advance of Monday’s call, I wanted to float a slightly modified version of the Strawman that Reg (very helpfully!) provided below. I provide a clean version, as well as a screenshot of Redlines so we can all see exactly what I’m proposing we change.

Summary of proposed tweaks:
* The actual obligation to mitigate DNS Abuse in the RAA is found in 3.18.2, rather than the broader 3.18, which includes other unrelated provisions. Tightening that subsection reference should make it clearer where an Associated Domain Check comes into play.
* I tried to harmonize the language from Reg’s version with the terms and definitions set forth in the RAA already. So rather than “domains,” it’s “Registered Name” (again, simply to match the RAA defined terms). 3.18.2 also references “mitigation action(s)” so I incorporated that verbiage rather than the more generic “action.”
* 3.18.2 already requires that Registrars take mitigation action(s) when they have actionable evidence of DNS Abuse. If the Associated Domain Check is fruitful and the Registrar finds such actionable evidence of abuse, it is similarly obligated to take mitigation action(s). So, I suggest striking the “and take action against those domains where appropriate” as redundant.

REDLINE: <Screenshot 2026-03-18 at 4.09.42 PM.png>

CLEAN: When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review.

Looking forward to the call on Monday. Please let me know if you have any questions.

Thanks,
Brian
Further to my email below, per the charter of the PDP, the purpose of the PDP is:

“to create an obligation for registrars to investigate other domains associated with a customer account or registrant where at least one domain of that registrant is found to be engaged in DNS Abuse, as defined in the RAA. To develop a Consensus Policy that imposes an obligation on ICANN accredited registrars to proactively investigate associated domain names, and/or related orders when a domain under their management is found to have been registered for malicious purposes.”

This seems to be pretty clear that the trigger for the ADC is where at least one domain of that registrant is found to be engaged in DNS Abuse. It is also clear that the Consensus Policy we are developing will create an obligation to investigate associated domain names, and/or related orders when a domain under their management is found to have been registered for malicious purposes. Furthermore, the obligation is to conduct the investigation proactively. Notwithstanding your points below, my proposed language seems to be consistent with the purpose of the PDP.

Best regards,
Marc H. Trachtenberg
Thanks Reg. Let’s please capture this thought when the Google Doc containing Strawperson No. 1 goes live. Stay tuned.

All, thank you so much for your interstitial work! This is what will drive us to completion ahead of schedule.

Best,
Paul

Paul McGrady | Partner, Elster & McGrady
Good Day to All, Here is my straw person, drawing from your detailed and experienced inputs: "When a registrar investigates into a report pursuant to Section 3.18.2 of the Registrar Accreditation Agreement, and gathers actionable evidence that a Registered Name is being used for DNS Abuse, the Registrar shall promptly review other reasonably associated Registered Name(s) where the Registrar encounters credible indicators suggesting that the abusive activity may not be isolated but may involve other domain names under common utility or related control. " Please let me know your thoughts on this language. Such 'indicators' may include common control or utility of multiple domains, shared infrastructure combined with consistent abuse patterns, or corroborating information from multiple reports (as Volker cited) or trusted sources (such as Registries). Volker Greimann via Gnso-dnsabuse-pdp 19/03/2026 02:25 For example, the complainant could have reported 2+ domains in their report. Similarly, we could have received multiple different reports from 2+ reporters that show the abuse mitigation agent that there is a pattern to these reported registrations even if the reporter may not be aware of them. The mere fact that investigation (or action) has been taken on a single domain name should not, on its own, trigger a requirement to investigate associated domain names. The findings of such investigation may, however, should provide a basis to assess whether the abuse activity is entirely isolated beyond reasonable doubt or indicative of a broader, coordinated pattern of DNS Abuse, which could justify further targeted inquiry, ultimately triggering conditions to expand scope.. Or not. A triggered associated domain check should not delay or otherwise impede timely investigation or mitigation actions in response to established abuse reports. Warm Regards, Christabel Mebaghandu, mIEEE MNCS fNSIG. 
Chief Technology Officer Civil Center for Peace Justice and Development Floor 2, Senator Samuel Plaza Opp. Customary Court of Appeal, Rumuogba, Port Harcourt Rivers State, Nigeria. +234-816-127-8131 christabel.mebaghandu@ccpjd.org ________________________________ From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Thursday, 19 March 2026 02:01 To: Volker Greimann <volker.greimann@centralnic.com> Cc: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>; Brian F. Cimbolic <brian@pir.org> Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal Volker, Marc— Thanks for your quick review! I agree something along the lines of “where a reasonable indication exists” is necessary. I think Marc’s edits restated what Brian said just using more words (and I prefer succintity for clarity) except for adding in an immediacy (“When a Registrar has actionable evidence”) that is both unwarranted and unreasonable. Perhaps: When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement and reasonably believes there may be other Registered Names associated to the Registered Name, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review. 
Thanks Brian. I am meeting with Staff today and I hope we can get this Strawperson language into a Google Doc for folks to comment on. Keeping track of this via email string is going to be impossible with a group this size. Please stay tuned and do add your suggestions to Q1 Strawperson as soon as we get that Google Doc live. Best, Paul Paul McGrady Partner Elster & McGrady 434 Houston St, Suite 261 Nashville, TN 37203 3847 N. Lincoln Avenue Second Floor Chicago, IL 60613 Office Direct: +1 (312) 515-4422 paul@elstermcgrady.com www.elstermcgrady.com
Aw Paul you are spoiling our fun, drafting by remote committee is excellent viewing. Seriously though, I think in Mumbai we only really touched on the first of the nine questions set out in the Charter, namely what's the trigger for an ADC. I think that was settled pretty quickly in fact, it's when a registrar knows (or ought to know) that it has a malicious registration on its hands per RRA 3.18.2. However while I think it's really helpful to test out some ideas for how the contractual wording might look like in the black and white text (and in particular to align with existing terminology in the RRA at an early stage), I am not sure we as a group have really grappled with the more tricky questions which are to come including the definition of "associated domain" and also what "investigation" means in practice in this context for the registrars concerned (questions 2 & 3 in the charter). Until those have been discussed and some basic principles agreed then I think there's limited progress that can be made in putting that into meaningful wording which would be actionable in a compliance sense. Best wishes Nick
Thanks Nick. I don’t disagree and we will be looking at all the questions. While we can get the Strawpersons fairly stable, we may have revisit/edit on a rolling basis depending on how the other questions are answered. Agree that we don’t have to draft RAA sections, but I do think it is a useful exercise that will help us boil down the essentials into high level Consensus Policy and leave us with some terrific content for any Implementation Guidance we wish to provide. The key right now is ideation coming after discussions rather than thinking we need to have each question serve as a gate to the next one. Gates stink. Best, Paul Paul McGrady Partner Elster & McGrady 434 Houston St, Suite 261 Nashville, TN 37203 3847 N. Lincoln Avenue Second Floor Chicago, IL 60613 Office Direct: +1 (312) 515-4422 paul@elstermcgrady.com www.elstermcgrady.com
Hi Nick, Paul, and all, I agree with Nick that we are still in the early stages of this process. I suggest we wait for stakeholder's early input to determine if the current discussion for Q1 is sufficient or if additional steps are necessary. Specifically, we may need to consider creating a new appendix to Section 3.18.2. This could serve as a checklist to provide clear guidelines for registrars while ensuring the policy is operationally enforceable by ICANN Compliance. Thank you very much! Best regards, Ching On Thu, Mar 19, 2026 at 6:21 AM Nick Wenban-Smith via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> wrote:
Aw Paul you are spoiling our fun, drafting by remote committee is excellent viewing.
Seriously though, I think in Mumbai we only really touched on the first of the nine questions set out in the Charter, namely what's the trigger for an ADC. I think that was settled pretty quickly in fact, it's when a registrar knows (or ought to know) that it has a malicious registration on its hands per RRA 3.18.2.
However while I think it's really helpful to test out some ideas for how the contractual wording might look like in the black and white text (and in particular to align with existing terminology in the RRA at an early stage), I am not sure we as a group have really grappled with the more tricky questions which are to come including the definition of "associated domain" and also what "investigation" means in practice in this context for the registrars concerned (questions 2 & 3 in the charter). Until those have been discussed and some basic principles agreed then I think there's limited progress that can be made in putting that into meaningful wording which would be actionable in a compliance sense.
Best wishes Nick ------------------------------ *From:* Paul McGrady via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> *Sent:* 19 March 2026 09:40 *To:* Brian F. Cimbolic <brian@pir.org>; Reg Levy <rlevy@tucows.com>; anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> *Subject:* [Gnso-dnsabuse-pdp] Re: Straw Proposal
Caution: This is an external email and may be malicious. Please take extra care when replying, clicking links or opening attachments.
Thanks Brian. I am meeting with Staff today and I hope we can get this Strawperson language into a Google Doc for folks to comment on. Keeping track of this via email string is going to be impossible with a group this size. Please stay tuned and do add your suggestions to Q1 Strawperson as soon as we get that Google Doc live.
Best,
Paul
*Paul McGrady*
Partner
Elster & McGrady
434 Houston St,
Suite 261
Nashville, TN 37203
3847 N. Lincoln Avenue
Second Floor
Chicago, IL 60613
Office Direct: +1 (312) 515-4422
*paul@elstermcgrady.com <paul@elstermcgrady.com>*
*From:* Brian F. Cimbolic via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> *Sent:* Wednesday, March 18, 2026 4:14 PM *To:* Reg Levy <rlevy@tucows.com>; anil Jain via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> *Subject:* [Gnso-dnsabuse-pdp] Re: Straw Proposal
Hi all - First, thank you all for some great sessions to kick this work off in Mumbai. I thought we already made a lot of progress in our first working session.
In advance of Monday’s call, I wanted to float a slightly modified version of the Strawman that Reg (very helpfully!) provided below. I provide a clean version, as well as a screenshot of Redlines so we can all see exactly what I’m proposing we change.
*Summary of proposed tweaks*:
- The actual obligation to mitigate DNS Abuse in the RAA is found in 3.18.*2*, rather than the broader 3.18, which includes other unrelated provisions. Tightening that subsection reference should make it clearer where an Associated Domain Check comes into play.
- I tried to harmonize the language from Reg’s version with the terms and definitions set forth in the RAA already. So rather than “domains,” it’s “Registered Name” (again, simply to match the RAA defined terms). 3.18.2 also references “mitigation action(s)” so I incorporated that verbiage rather than the more generic “action.”
- 3.18.2 already requires that Registrars take mitigation action(s) when they have actionable evidence of DNS Abuse. If the Associated Domain Check is fruitful and the Registrar finds such actionable evidence of abuse, it is similarly obligated to take mitigation action(s). So, I suggest striking the “and take action against those domains where appropriate” as redundant.
*REDLINE*:
[image: Screenshot 2026-03-18 at 4.09.42 PM.png]
*CLEAN*:
When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review.
Looking forward to the call on Monday. Please let me know if you have any questions.
Thanks,
Brian
*From:* Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> *Date:* Monday, March 9, 2026 at 6:19 AM *To:* anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> *Subject:* [Gnso-dnsabuse-pdp] Straw Proposal
All—
As noted in the chat in the session today, this is the straw proposal a number of us have been working on for the last few days and we’d love additional input:
When a registrar takes action under Section 3.18 of the Registrar Accreditation Agreement, the registrar shall promptly review other domains that are reasonably associated with that domain when there are clear indicators that other domains registered by the same customer may be involved in the same abusive activity, using information reasonably available to the registrar at the time of review, and take action against those domains where appropriate.
*Servus*,
Reg
Thanks Ching. Creating annexes is usually the role of an IRT, not a PDP. We can certainly add something like that to Implementation Guidance if we decided we want to encourage ICANN Staff to build such a thing. But, I think that is jumping ahead. Let’s talk through all the questions, do earlier ideation after each question, firm up what we can, keep swimming until we talk through all the Charter Questions and then congeal around some high level policy and some really useful Implementation Guidance. All while setting the landspeed record.
Best,
Paul
From: Ching Chiao <ching.chiao@whoisxmlapi.com> Sent: Thursday, March 19, 2026 5:36 AM To: Nick Wenban-Smith <Nick.Wenban-Smith@nominet.uk> Cc: Brian F. Cimbolic <brian@pir.org>; Reg Levy <rlevy@tucows.com>; anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>; Paul McGrady <paul@elstermcgrady.com> Subject: Re: [Gnso-dnsabuse-pdp] Re: Straw Proposal
Hi Nick, Paul, and all,
I agree with Nick that we are still in the early stages of this process. I suggest we wait for stakeholder's early input to determine if the current discussion for Q1 is sufficient or if additional steps are necessary. Specifically, we may need to consider creating a new appendix to Section 3.18.2. This could serve as a checklist to provide clear guidelines for registrars while ensuring the policy is operationally enforceable by ICANN Compliance.
Thank you very much!
Best regards,
Ching
On Thu, Mar 19, 2026 at 6:21 AM Nick Wenban-Smith via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote:
Aw Paul you are spoiling our fun, drafting by remote committee is excellent viewing.
Seriously though, I think in Mumbai we only really touched on the first of the nine questions set out in the Charter, namely what's the trigger for an ADC. I think that was settled pretty quickly in fact, it's when a registrar knows (or ought to know) that it has a malicious registration on its hands per RRA 3.18.2.
However while I think it's really helpful to test out some ideas for how the contractual wording might look like in the black and white text (and in particular to align with existing terminology in the RRA at an early stage), I am not sure we as a group have really grappled with the more tricky questions which are to come including the definition of "associated domain" and also what "investigation" means in practice in this context for the registrars concerned (questions 2 & 3 in the charter). Until those have been discussed and some basic principles agreed then I think there's limited progress that can be made in putting that into meaningful wording which would be actionable in a compliance sense.
Best wishes
Nick
Dear Paul,
I agree. To be clear, I am not suggesting that we take on the role of creating annexes. Rather, I am suggesting that we keep our approach open and avoid focusing too much effort on tweaking Section 3.18.2 without first understanding the early input from stakeholders.
Thanks again!
Best regards,
Ching
On Thu, Mar 19, 2026 at 6:42 AM Paul McGrady <paul@elstermcgrady.com> wrote:
Thanks Ching. Creating annexes is usually the role of an IRT, not a PDP. We can certainly add something like that to Implementation Guidance if we decided we want to encourage ICANN Staff to build such a thing. But, I think that is jumping ahead. Let’s talk through all the questions, do earlier ideation after each question, firm up what we can, keep swimming until we talk through all the Charter Questions and then congeal around some high level policy and some really useful Implementation Guidance. All while setting the landspeed record.
Best,
Paul
Paul
If I may, I think people can converse here and also put their ideas in the Google doc. I just want to clarify something about the charter. The charter tries not to be prescriptive, so while it creates a baseline for starting an ADC, it's up to this PDP to come up with indicators. The charter doesn't set the policy. We do.
Farzaneh
On Thu, Mar 19, 2026 at 6:52 AM Ching Chiao via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> wrote:
Dear Paul,
I agree. To be clear, I am not suggesting that we take on the role of creating annexes. Rather, I am suggesting that we keep our approach open and avoid focusing too much effort on tweaking Section 3.18.2 without first understanding the early input from stakeholders.
Thanks again!
Best regards,
Ching
But doesn’t the charter constrain what we do in the PDP? Otherwise what is the purpose of the charter?
Best regards,
Marc H. Trachtenberg
Shareholder
Chair, Internet, Domain Name, e-Commerce and Social Media Practice
Greenberg Traurig, LLP
From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Thursday, March 19, 2026 8:27 AM To: Ching Chiao <ching.chiao@whoisxmlapi.com> Cc: Paul McGrady <paul@elstermcgrady.com>; Nick Wenban-Smith <Nick.Wenban-Smith@nominet.uk>; Brian F. Cimbolic <brian@pir.org>; Reg Levy <rlevy@tucows.com>; anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal
Paul
If I may, I think people can converse here and also put their ideas in the Google doc. I just want to clarify something about the charter. The charter tries not to be prescriptive, so while it creates a baseline for starting an ADC, it's up to this PDP to come up with indicators. The charter doesn't set the policy. We do.
Farzaneh
From: Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Wednesday, March 18, 2026 4:14 PM To: Reg Levy <rlevy@tucows.com>; anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Subject: [Gnso-dnsabuse-pdp] Re: Straw Proposal
Hi all - First, thank you all for some great sessions to kick this work off in Mumbai. I thought we already made a lot of progress in our first working session.
In advance of Monday’s call, I wanted to float a slightly modified version of the Strawman that Reg (very helpfully!) provided below. I provide a clean version, as well as a screenshot of Redlines so we can all see exactly what I’m proposing we change.
Summary of proposed tweaks:
* The actual obligation to mitigate DNS Abuse in the RAA is found in 3.18.2, rather than the broader 3.18, which includes other unrelated provisions. Tightening that subsection reference should make it clearer where an Associated Domain Check comes into play.
* I tried to harmonize the language from Reg’s version with the terms and definitions set forth in the RAA already.
So rather than “domains,” it’s “Registered Name” (again, simply to match the RAA defined terms). 3.18.2 also references “mitigation action(s)” so I incorporated that verbiage rather than the more generic “action." * 3.18.2 already requires that Registrars take mitigation action(s) when they have actionable evidence of DNS Abuse. If the Associated Domain Check is fruitful and the Registrar finds such actionable evidence of abuse, it is similarly obligated to take mitigation action(s). So, I suggest striking the “and take action against those domains where appropriate” as redundant. REDLINE: [Screenshot 2026-03-18 at 4.09.42 PM.png] CLEAN: When a registrar takes mitigation action(s) on a Registered Name under Section 3.18.2 of the Registrar Accreditation Agreement, the registrar shall promptly review other reasonably associated Registered Name(s) to determine whether such Registered Name(s) may be involved in DNS Abuse using information reasonably available to the registrar at the time of review. Looking forward to the call on Monday. Please let me know if you have any questions. Thanks, Brian [Logo]<https://urldefense.com/v3/__https:/secure-web.cisco.com/1PoC7u7Atiw2TJYkMRMI...> Brian Cimbolic | Chief Legal and Policy Officer brian@pir.org<mailto:brian@pir.org> | www.thenew.org<https://urldefense.com/v3/__http:/www.thenew.org/__;!!DUT_TFPxUQ!Cp_B3qYJaJC...> | Power your inspiration. Connect your world. [cid2922828134*image003.png@01D94119.58E327D0][A green sign with a white star and black text Description automatically generated] Confidentiality Note: Proprietary and confidential to Public Interest Registry. If received in error, please inform sender and then delete. 
From: Reg Levy via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Date: Monday, March 9, 2026 at 6:19 AM To: anil Jain via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Subject: [Gnso-dnsabuse-pdp] Straw Proposal All— As noted in the chat in the session today, this is the straw proposal a number of us have been working on for the last few days and we’d love additional input: When a registrar takes action under Section 3.18 of the Registrar Accreditation Agreement, the registrar shall promptly review other domains that are reasonably associated with that domain when there are clear indicators that other domains registered by the same customer may be involved in the same abusive activity, using information reasonably available to the registrar at the time of review, and take action against those domains where appropriate. Servus, Reg -- Reg Levy | Associate General Counsel – Domains +1 (323) 880-0831 Tucows #MakingTheInternetBetter UTC +5:30 This email originated from outside the firm. Please use caution. _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org> This email originated from outside the firm. Please use caution. _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org> ---------------------------------------------------------------------- If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com, and do not use or disseminate the information.
Thanks Farzi.

1. Agree.
2. Agree.

Best,
Paul
All,

this is the first Reference I have ever seen to "Implementation Guidance". Shortened in terms for brevity.

Given that I vice-chaired two ccPDP's where implementation turned out to be complex, I wonder where I can read up on this.

greetings, el

--
Sent from my iPhone

On Mar 19, 2026 at 06:43 -0400, Paul McGrady via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org>, wrote:
[…]We can certainly add something like that to Implementation Guidance if we decided we want to encourage ICANN Staff to build such a thing.[…]
Thanks Eberhard,

You raise a good point. There are peculiarities of how the GNSO works. It would be helpful for us to have a webinar for anybody from outside of the GNSO, or even those from within the GNSO for whom this is their first PDP, to learn how things are done at the GNSO. I believe it will smooth much of our process once we all get on the same page about our process.

Staff, please set that up.

Best,
Paul

Sent from my iPhone
Hello WG Members,

In response to Paul’s request on the peculiarities of GNSO and the Policy Development Process. There are two courses on the ICANN Learn page: https://learn.icann.org/#/ which would be relevant: 502 Getting to know the GNSO and 503 ICANN Policy Development Processes (PDPs). These are useful for all of us to review and refresh, whether it is someone’s first or someone’s twentieth PDP.

Thank you,

John R. Emery, Ph.D.
Policy Development Support Senior Specialist
Generic Names Supporting Organization (GNSO)
Internet Corporation for Assigned Names and Numbers (ICANN)
www.icann.org
I agree with approach suggested by Paul

Anil Kumar Jain
Hi all –

Given the vibrant discussion, the GAC wished to share its thoughts on the email list for visibility and will plan to also enter them into the anticipated Google Doc per the chair’s instructions.

Specifically: The GAC is of the view that ADC should be triggered when the registrar has actionable evidence that a domain has been, is being used, or is likely to be used for DNS abuse. To be effective, a framework requiring registrars to proactively pivot to investigate domains linked to malicious actors, particularly in cases of high-volume domain registrations used for DNS Abuse campaigns, must empower registrars to intervene in the case that an ADC leads a registrar to a set of registrations that are clearly pending to be used for DNS Abuse.

For illustrative purposes, with a real world example: If a registrar were to receive a complaint for the phishing domain <victim>-signinokta.com, and is made aware of an ongoing phishing campaign in which numerous victims are impersonated by similarly formatted domains each impersonating sign in portals of customers of the Okta single sign in vendor, then there should be a reasonable expectation that the registrar would review their portfolio to identify any/all domains which appear to be part of the SSO vendor phishing campaign, pivoting on reasonably available information, and taking action against all such domains (whether phishing emails had already been sent to the impersonated victims or were likely to be sent in the imminent future).

We look forward to tomorrow’s discussion.

Gabriel
participants (13)
- anil Jain
- Brian F. Cimbolic
- Ching Chiao
- Christabel Mebaghandu
- Eberhard W Lisse
- farzaneh badii
- Gabriel Andrews
- John Emery
- Nick Wenban-Smith
- Paul McGrady
- Reg Levy
- trachtenbergm@gtlaw.com
- Volker Greimann