Volker, I agree with most of these points and that these are important considerations for the registrar when deciding what mitigation action to take, but my point was that the takedown part is not part of the ADC. The takedown part already exists in the DNS Abuse amendments in the RAA. This discussion, while important, is outside the ADC. That’s why it is a rabbit hole for purposes of trying to create the ADC. Once again, it is the conflation of investigation with enforcement/mitigation. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/>  |  View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Volker Greimann <volker.greimann@centralnic.com> Sent: Tuesday, April 14, 2026 3:38 PM To: el@lisse.NA; gnso-dnsabuse-pdp@icann.org; Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com> Cc: dns-techs@na-nic.com.na Subject: Re: [Gnso-dnsabuse-pdp] Re: Another numbers request. Hi Marc, it is not really a rabbit hole since it is just the kind of issue that registrars face when dealing with associated domain names. Every takedown also carries with it a certain liability risk that has to be balanced as part of the review process before taking a decision to act. That is why we need actionable evidence of abuse, and that does not change for associated domain checks either. We have had cases where "Dumb Criminal A" defecated where he dined and had registered his personal (legal-use) domain names in the same account that also held the problematic ones. Do we take those down as well? We have had cases where we took down a significant number of domain names of a third-party privacy or trustee service that was not recognizable as such because of a high prevalence of abusive registrations using that registration data set, thereby affecting a significant number of non-abusive registrations. Justified? Maybe! Liability risk? For sure. We do see cases where criminals register domains through various resellers and even registrars, but never use more than one at a time. We can only ever detect one domain engaged in abusive activities. We see the associated domains as such and even without actionable evidence for every single one we will take action based on various indicators of likelihood of abusive use. But the risk remains of also taking down domains that were never intended for such use. We have seen domains registered for advertising or monetization purposes where the abuse originates from a bad advertiser of the parking provider that circumvented their internal review processes. Most of those domains are used by other advertisers for legitimate purposes. In fact, their registration pattern is similar to the case of the reservoir domains above. They would all fall into the classification of associated domains, but in this case, a takedown would be problematic. Just because a domain is associated somehow with an abusive registration does not mean it was registered for the same purpose, or even by or on behalf of the same end customer. As a registrar, it is our job to navigate those dangerous waters, balance legal obligations to our legitimate customers and our legal and policy obligations to take action on malicious registrations. It is easy when the ocean is clear and you can see the floor, but there are hidden reefs that we need to watch out for. And it does take an experienced captain and crew to navigate those shoals. But to do that successfully, we need room to navigate and trust in our experience. Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> Office: +49-172-6367025 Web: www.teaminternet.com<https://urldefense.com/v3/__http:/www.teaminternet.com__;!!DUT_TFPxUQ!Ah6Du0...> Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358. ________________________________ From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: 14 April 2026 8:26 PM To: el@lisse.na<mailto:el@lisse.na> <el@lisse.na<mailto:el@lisse.na>>; gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Cc: dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. Eberhard, I think we are going down a rabbit hole here. This is outside the scope of the ADC as the ADC is not mandating that entire accounts get shut down or that the registrar take any action other than investigate for associated domains. Any resulting obligations to take action based on what the registrar finds already exist in the RAA. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/>  |  View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Eberhard W Lisse via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: Tuesday, April 14, 2026 12:13 PM To: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> Cc: Dns-techs <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. *EXTERNAL TO GT* Becky, you are the lawyer, I am not. I just mean a concept. Can you take down a Registered Name, just because (at least) another Name registered by same Registrant has been mitigated? If a single Registrant has 5 Names, 1 reported, investigated, proven as phishing, and mitigated accordingly, ADC done, and 3 of the others are mitigable, I still don't like that the 5th one would or could be mitigated as well. However as Marc wrote, you act against the Registrant (for violating the Terms and Conditions). How would that work? Can you really unilaterally decide to take Names down, or do you have to give notice of termination of the Registrant agreement (0 to n days notice)? So they transfer the Name elsewhere, and perhaps even register the mitigated Names again. Now you take a Reseller which has a Million Names. ADC finds 50, 500 or even 5000 in need of mitigation. Do you take the 50, 500 or 5000 names down or do you cancel the agreement with the Reseller (for violation the Terms and Conditions). What happens then to the Names left? Or if the Reseller is just irritated enough that they transfer significant Revenue elsewhere? There are enough accredited Registrars around, after all. The obviously even more difficult question is how to prevent them from becoming wise to the Policy and transferring the rest of a portfolio to another Registrar, when a single one is taken down, ie before the ADC can be done? We have not thought through the consequences of our considerations, and/or the cost. el -- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) el@lisse.NA<mailto:el@lisse.NA> / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply On Apr 14, 2026 at 18:50 +0200, Becky Burr <bburr@pir.org<mailto:bburr@pir.org>>, wrote: I am confused by the use of the term “guilt by association” here. That usually means you consider one person guilty of some bad act because that person is associated with someone else who is a known bad guy. And yes, in that context, there are significant human rights concerns. Here, we are just saying that if a registrant/account holder is known to be using one domain for DNS abuse then we are going to check to make sure the same registrant/account holder isn’t using other domains for DNS abuse. And, if the answer is no, then nothing happens to the associated domains. So, unless you are arguing that domains themselves have human rights, I don’t see what the guilt by association issue is. Am I missing something? [Logo]<https://urldefense.com/v3/__https:/www.thenew.org/__;!!DUT_TFPxUQ!GykcfK67cz...> Becky Burr ________________________________ If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com<mailto:postmaster@gtlaw.com>, and do not use or disseminate the information.

+1 to Brian’s point. I did not suggest and I am not aware of anyone else in the PDP that suggested that all other domain names in the same account (or otherwise determined to be associated) with the triggering domain, but for which there is no actionable evidence of DNS Abuse, be automatically suspended. I said that a registrar could do this if they choose if permitted under their terms of use, but regardless, this is outside of the scope of the PDP which just focuses on checking for associated domains, not enforcement / mitigation actions which must or should be taken , which is already addressed in the RAA. Accordingly, I ask that people stop raising this red herring in our discussions. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/>  |  View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Tuesday, April 14, 2026 6:39 PM To: Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com>; volker.greimann@centralnic.com; el@lisse.NA; gnso-dnsabuse-pdp@icann.org Cc: dns-techs@na-nic.com.na Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. I agree with Marc - the determination to suspend an individual domain name found during an ADC should rely on the mechanisms already contained in the RAA - if the ADC provides actionable evidence of malicious DNS Abuse, the registrar would be obligated to suspend the relevant domain(s). If there are 20 other domains in the same registrar account that appear legitimate/benign, I don’t think anyone has ever suggested that those names be suspended too (as there would be no actionable evidence of DNS Abuse under 3.18.2 of the RAA). And if they are, it feels there is consensus that we can nip that line of policy in the bud. [Logo]<https://urldefense.com/v3/__https:/www.thenew.org/__;!!DUT_TFPxUQ!GzvxL5NS3v...> Brian Cimbolic | Chief Legal and Policy Officer brian@pir.org<mailto:brian@pir.org> | www.thenew.org<applewebdata://98ECC0AE-88EB-4427-B85E-6E9A6F544FBE/www.thenew.org> | Power your inspiration. Connect your world. [cid2922828134*image003.png@01D94119.58E327D0][A green sign with a white star and black text Description automatically generated] Confidentiality Note: Proprietary and confidential to Public Interest Registry. If received in error, please inform sender and then delete. From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Date: Tuesday, April 14, 2026 at 8:35 PM To: volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>>, el@lisse.NA<mailto:el@lisse.NA> <el@lisse.NA<mailto:el@lisse.NA>>, gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Cc: dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. Volker, I agree with most of these points and that these are important considerations for the registrar when deciding what mitigation action to take, but my point was that the takedown part is not part of the ADC. The takedown part already exists in the DNS Abuse amendments in the RAA. This discussion, while important, is outside the ADC. That’s why it is a rabbit hole for purposes of trying to create the ADC. Once again, it is the conflation of investigation with enforcement/mitigation. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/>  |  View GT Biography<https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Volker Greimann <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>> Sent: Tuesday, April 14, 2026 3:38 PM To: el@lisse.NA<mailto:el@lisse.NA>; gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>; Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>> Cc: dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> Subject: Re: [Gnso-dnsabuse-pdp] Re: Another numbers request. Hi Marc, it is not really a rabbit hole since it is just the kind of issue that registrars face when dealing with associated domain names. Every takedown also carries with it a certain liability risk that has to be balanced as part of the review process before taking a decision to act. That is why we need actionable evidence of abuse, and that does not change for associated domain checks either. We have had cases where "Dumb Criminal A" defecated where he dined and had registered his personal (legal-use) domain names in the same account that also held the problematic ones. Do we take those down as well? We have had cases where we took down a significant number of domain names of a third-party privacy or trustee service that was not recognizable as such because of a high prevalence of abusive registrations using that registration data set, thereby affecting a significant number of non-abusive registrations. Justified? Maybe! Liability risk? For sure. We do see cases where criminals register domains through various resellers and even registrars, but never use more than one at a time. We can only ever detect one domain engaged in abusive activities. We see the associated domains as such and even without actionable evidence for every single one we will take action based on various indicators of likelihood of abusive use. But the risk remains of also taking down domains that were never intended for such use. We have seen domains registered for advertising or monetization purposes where the abuse originates from a bad advertiser of the parking provider that circumvented their internal review processes. Most of those domains are used by other advertisers for legitimate purposes. In fact, their registration pattern is similar to the case of the reservoir domains above. They would all fall into the classification of associated domains, but in this case, a takedown would be problematic. Just because a domain is associated somehow with an abusive registration does not mean it was registered for the same purpose, or even by or on behalf of the same end customer. As a registrar, it is our job to navigate those dangerous waters, balance legal obligations to our legitimate customers and our legal and policy obligations to take action on malicious registrations. It is easy when the ocean is clear and you can see the floor, but there are hidden reefs that we need to watch out for. And it does take an experienced captain and crew to navigate those shoals. But to do that successfully, we need room to navigate and trust in our experience. Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> Office: +49-172-6367025 Web: www.teaminternet.com<https://urldefense.com/v3/__http:/www.teaminternet.com__;!!DUT_TFPxUQ!Ah6Du0...> Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358. ________________________________ From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: 14 April 2026 8:26 PM To: el@lisse.na<mailto:el@lisse.na> <el@lisse.na<mailto:el@lisse.na>>; gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Cc: dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. Eberhard, I think we are going down a rabbit hole here. This is outside the scope of the ADC as the ADC is not mandating that entire accounts get shut down or that the registrar take any action other than investigate for associated domains. Any resulting obligations to take action based on what the registrar finds already exist in the RAA. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/>  |  View GT Biography<https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Eberhard W Lisse via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: Tuesday, April 14, 2026 12:13 PM To: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> Cc: Dns-techs <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. *EXTERNAL TO GT* Becky, you are the lawyer, I am not. I just mean a concept. Can you take down a Registered Name, just because (at least) another Name registered by same Registrant has been mitigated? If a single Registrant has 5 Names, 1 reported, investigated, proven as phishing, and mitigated accordingly, ADC done, and 3 of the others are mitigable, I still don't like that the 5th one would or could be mitigated as well. However as Marc wrote, you act against the Registrant (for violating the Terms and Conditions). How would that work? Can you really unilaterally decide to take Names down, or do you have to give notice of termination of the Registrant agreement (0 to n days notice)? So they transfer the Name elsewhere, and perhaps even register the mitigated Names again. Now you take a Reseller which has a Million Names. ADC finds 50, 500 or even 5000 in need of mitigation. Do you take the 50, 500 or 5000 names down or do you cancel the agreement with the Reseller (for violation the Terms and Conditions). What happens then to the Names left? Or if the Reseller is just irritated enough that they transfer significant Revenue elsewhere? There are enough accredited Registrars around, after all. The obviously even more difficult question is how to prevent them from becoming wise to the Policy and transferring the rest of a portfolio to another Registrar, when a single one is taken down, ie before the ADC can be done? We have not thought through the consequences of our considerations, and/or the cost. el -- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) el@lisse.NA<mailto:el@lisse.NA> / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply On Apr 14, 2026 at 18:50 +0200, Becky Burr <bburr@pir.org<mailto:bburr@pir.org>>, wrote: I am confused by the use of the term “guilt by association” here. That usually means you consider one person guilty of some bad act because that person is associated with someone else who is a known bad guy. And yes, in that context, there are significant human rights concerns. Here, we are just saying that if a registrant/account holder is known to be using one domain for DNS abuse then we are going to check to make sure the same registrant/account holder isn’t using other domains for DNS abuse. And, if the answer is no, then nothing happens to the associated domains. So, unless you are arguing that domains themselves have human rights, I don’t see what the guilt by association issue is. Am I missing something? [Logo]<https://urldefense.com/v3/__https:/www.thenew.org/__;!!DUT_TFPxUQ!GykcfK67cz...> Becky Burr ________________________________ If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com<mailto:postmaster@gtlaw.com>, and do not use or disseminate the information.

I'm going to speak for a moment on my own behalf to share experience as an investigator, and not on behalf of the GAC. Farzi, I believe you correctly identify a commonly employed LE principle that the more privacy-invasive an investigative technique is, the more facts/circumstances that may be required to justify its use. Policy is often in place such that a LE investigation can only be opened when there are articulable facts indicating a crime has been committed (for which the agency has authority to investigate). Further, if the investigator wishes to use a particularly privacy-invasive technique, (such as a wiretap to surveil communications in realtime) extensive predication of facts must be presented as to why that level of privacy-invasion is required and couldn't be otherwise satisfied with less privacy invasive techniques. I believe you incorrectly, however, apply that important principle when you suggest that evidence of a maliciously registered domain - sufficient to trigger 3.18.2 - would not justify taking a look at the other domains registered by that threat actor. This is a minimally invasive investigative step which would be one of the very first steps to take in an investigation once evidence is received of malicious registrations having been made by that customer. It makes use only of information already in possession of the registrar (or reseller), it doesn't piece the veil of protected communications, it's merely a step taken - after you have proof that a domain is maliciously registered - to see what other domains that threat actor is also using maliciously. To not take this step would be, in my view, irresponsible. Following evidence of malicious registration, an ADC will allow informed mitigative action, which may especially be important to mitigate or prevent victim harm. Example: If a threat actor has registered 100 phishing domains in furtherance of a Business Email Compromise scheme, if a registrar takes piecemeal action only against the one or two domains first reported, the threat actor may yet continue their scheme to defraud the additional 98 victims. Worse, they may accelerate their scheme if already using some of those other 98 domains in communication with victim(s), knowing that the "heat is on". Whereas, if the Rr performed the ADC before taking mitigative action, they may see all 100 domains, and choose to take comprehensive mitigative action against all the phishing domains simultaneously, greatly mitigating potential harm. Recognition of this principle is, I believe, the driving purpose behind this PDP. All this said - I would greatly benefit from any scenario you might provide in which conducting this simple check might in any way cause harm to an innocent party. I believe Brian asked for such a scenario/example previously, and I have eagerly awaited the same, recognizing that there may be a situation I simply haven't considered. ________________________________ From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> Sent: Wednesday, April 15, 2026 3:44 AM To: Brian F. Cimbolic <brian@pir.org> Cc: trachtenbergm@gtlaw.com <trachtenbergm@gtlaw.com>; volker.greimann@centralnic.com <volker.greimann@centralnic.com>; el@lisse.NA <el@lisse.na>; gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>; dns-techs@na-nic.com.na <dns-techs@na-nic.com.na> Subject: [EXTERNAL EMAIL] - [Gnso-dnsabuse-pdp] Re: Another numbers request. I repeat my point, which reflects a global legal practice: the initiation and scope of an investigation must be necessary and proportionate to the available indicators of abuse. We are not confusing investigation and enforcement. Investigative methods themselves, not just penalties, are subject to these requirements. More intrusive or expansive methods must be justified by an initial evidentiary threshold and cannot be used as a default to determine that threshold. I therefore disagree that ADC is required to assess the nature or extent of an alleged violation. Initial action should be based on indicators derived from the domain itself, such as corroborated abuse reports but also other domain-level signals. We should not be using ADC to determine whether there is sufficient basis to conduct ADC. The appropriate approach is to rely on domain-level indicators first, and only where those establish a sufficient basis, consider more expansive investigative steps, such as examining additional domains associated with an account. That threshold can be derived from observable indicators of abuse. In phishing cases, for example, the domain string itself can be a strong signal. A domain like “bankofamerica1” may indicate a high likelihood of targeted financial phishing and could justify further scrutiny. By contrast, domains like “youtubee[.]com” or “craigslit[.]com” may suggest typosquatting and potential malware, but those indicators alone do not justify expanding the scope of investigation to associated domains. The point is that not all indicators justify the same investigative response. The scope of the investigation must be calibrated to the strength and nature of the indicators, and ADC should be reserved for cases where those indicators establish a sufficient basis to expand beyond the domain itself. Farzaneh On Wed, Apr 15, 2026 at 1:38 AM Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> wrote: I agree with Marc - the determination to suspend an individual domain name found during an ADC should rely on the mechanisms already contained in the RAA - if the ADC provides actionable evidence of malicious DNS Abuse, the registrar would be obligated to suspend the relevant domain(s). If there are 20 other domains in the same registrar account that appear legitimate/benign, I don’t think anyone has ever suggested that those names be suspended too (as there would be no actionable evidence of DNS Abuse under 3.18.2 of the RAA). And if they are, it feels there is consensus that we can nip that line of policy in the bud. [Logo]<https://www.thenew.org/> Brian Cimbolic | Chief Legal and Policy Officer brian@pir.org<mailto:brian@pir.org> | www.thenew.org | Power your inspiration. Connect your world. [cid2922828134*image003.png@01D94119.58E327D0][A green sign with a white star and black text Description automatically generated] Confidentiality Note: Proprietary and confidential to Public Interest Registry. If received in error, please inform sender and then delete. From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Date: Tuesday, April 14, 2026 at 8:35 PM To: volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>>, el@lisse.NA <el@lisse.NA>, gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Cc: dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. Volker, I agree with most of these points and that these are important considerations for the registrar when deciding what mitigation action to take, but my point was that the takedown part is not part of the ADC. The takedown part already exists in the DNS Abuse amendments in the RAA. This discussion, while important, is outside the ADC. That’s why it is a rabbit hole for purposes of trying to create the ADC. Once again, it is the conflation of investigation with enforcement/mitigation. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street<https://www.google.com/maps/search/411+E.+Main+Street?entry=gmail&source=g> 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/>  |  View GT Biography<https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Volker Greimann <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>> Sent: Tuesday, April 14, 2026 3:38 PM To: el@lisse.NA; gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>; Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>> Cc: dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> Subject: Re: [Gnso-dnsabuse-pdp] Re: Another numbers request. Hi Marc, it is not really a rabbit hole since it is just the kind of issue that registrars face when dealing with associated domain names. Every takedown also carries with it a certain liability risk that has to be balanced as part of the review process before taking a decision to act. That is why we need actionable evidence of abuse, and that does not change for associated domain checks either. We have had cases where "Dumb Criminal A" defecated where he dined and had registered his personal (legal-use) domain names in the same account that also held the problematic ones. Do we take those down as well? We have had cases where we took down a significant number of domain names of a third-party privacy or trustee service that was not recognizable as such because of a high prevalence of abusive registrations using that registration data set, thereby affecting a significant number of non-abusive registrations. Justified? Maybe! Liability risk? For sure. We do see cases where criminals register domains through various resellers and even registrars, but never use more than one at a time. We can only ever detect one domain engaged in abusive activities. We see the associated domains as such and even without actionable evidence for every single one we will take action based on various indicators of likelihood of abusive use. But the risk remains of also taking down domains that were never intended for such use. We have seen domains registered for advertising or monetization purposes where the abuse originates from a bad advertiser of the parking provider that circumvented their internal review processes. Most of those domains are used by other advertisers for legitimate purposes. In fact, their registration pattern is similar to the case of the reservoir domains above. They would all fall into the classification of associated domains, but in this case, a takedown would be problematic. Just because a domain is associated somehow with an abusive registration does not mean it was registered for the same purpose, or even by or on behalf of the same end customer. As a registrar, it is our job to navigate those dangerous waters, balance legal obligations to our legitimate customers and our legal and policy obligations to take action on malicious registrations. It is easy when the ocean is clear and you can see the floor, but there are hidden reefs that we need to watch out for. And it does take an experienced captain and crew to navigate those shoals. But to do that successfully, we need room to navigate and trust in our experience. Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> Office: +49-172-6367025 Web: www.teaminternet.com<https://urldefense.com/v3/__http:/www.teaminternet.com__;!!DUT_TFPxUQ!Ah6Du0...> Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR<https://www.google.com/maps/search/44+Gutter+Lane,+London,+United+Kingdom,+E...>. Team Internet is a company registered in England and Wales with the company number 8576358. ________________________________ From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: 14 April 2026 8:26 PM To: el@lisse.na<mailto:el@lisse.na> <el@lisse.na<mailto:el@lisse.na>>; gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Cc: dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. Eberhard, I think we are going down a rabbit hole here. This is outside the scope of the ADC as the ADC is not mandating that entire accounts get shut down or that the registrar take any action other than investigate for associated domains. Any resulting obligations to take action based on what the registrar finds already exist in the RAA. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street<https://www.google.com/maps/search/411+E.+Main+Street?entry=gmail&source=g> 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/>  |  View GT Biography<https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Eberhard W Lisse via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: Tuesday, April 14, 2026 12:13 PM To: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> Cc: Dns-techs <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. *EXTERNAL TO GT* Becky, you are the lawyer, I am not. I just mean a concept. Can you take down a Registered Name, just because (at least) another Name registered by same Registrant has been mitigated? If a single Registrant has 5 Names, 1 reported, investigated, proven as phishing, and mitigated accordingly, ADC done, and 3 of the others are mitigable, I still don't like that the 5th one would or could be mitigated as well. However as Marc wrote, you act against the Registrant (for violating the Terms and Conditions). How would that work? Can you really unilaterally decide to take Names down, or do you have to give notice of termination of the Registrant agreement (0 to n days notice)? So they transfer the Name elsewhere, and perhaps even register the mitigated Names again. Now you take a Reseller which has a Million Names. ADC finds 50, 500 or even 5000 in need of mitigation. Do you take the 50, 500 or 5000 names down or do you cancel the agreement with the Reseller (for violation the Terms and Conditions). What happens then to the Names left? Or if the Reseller is just irritated enough that they transfer significant Revenue elsewhere? There are enough accredited Registrars around, after all. The obviously even more difficult question is how to prevent them from becoming wise to the Policy and transferring the rest of a portfolio to another Registrar, when a single one is taken down, ie before the ADC can be done? We have not thought through the consequences of our considerations, and/or the cost. el -- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) el@lisse.NA<mailto:el@lisse.NA> / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply On Apr 14, 2026 at 18:50 +0200, Becky Burr <bburr@pir.org<mailto:bburr@pir.org>>, wrote: I am confused by the use of the term “guilt by association” here. That usually means you consider one person guilty of some bad act because that person is associated with someone else who is a known bad guy. And yes, in that context, there are significant human rights concerns. Here, we are just saying that if a registrant/account holder is known to be using one domain for DNS abuse then we are going to check to make sure the same registrant/account holder isn’t using other domains for DNS abuse. And, if the answer is no, then nothing happens to the associated domains. So, unless you are arguing that domains themselves have human rights, I don’t see what the guilt by association issue is. Am I missing something? [Logo]<https://urldefense.com/v3/__https:/www.thenew.org/__;!!DUT_TFPxUQ!GykcfK67cz...> Becky Burr ________________________________ If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com<mailto:postmaster@gtlaw.com>, and do not use or disseminate the information. _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org>

Farzaneh, We disagree with the premise that a confirmed violation under Section 3.18.2 is insufficient to trigger an ADC. The argument that we must first "calibrate" investigative responses based on the "severity" of an indicator fails to account for the unified nature of DNS Abuse and the systemic risk posed by malicious registrants. An actionable report under Section 3.18.2 is not a mere "indicator"—it is a confirmed breach of the RAA. Once a report is validated, malicious intent is established. To suggest that a domain like bankofamerica1 justifies an ADC while a malware-dropping typosquat like craigslit[.]com does not, creates an arbitrary hierarchy of harm. A registrar cannot claim to have "disrupted" abuse under 3.18.2 if they ignore five other domains in the same account registered with the same malicious signals. Proportionality must be measured against the severity of the threat to the public. With global cybercrime costs projected by Cybersecurity Ventures to reach $10.5 trillion annually by 2026, the ADC is a necessary and proportionate tool. Specifically, we must prioritize the fundamental rights of the global public to be secure from financial ruin and identity theft over the procedural "privacy" of a confirmed abuser. Also setting a higher threshold for ADCs than for 3.18.2 mitigation effectively grants professionalized abusers a "free pass" to keep the rest of their malicious infrastructure active. An ADC is a technical cross-reference, not a content-based inquiry. Because this process is strictly limited to the five technical categories of DNS Abuse, it does not infringe on freedom of expression or lawful speech. It is a technical inquiry into whether other domains are linked to verified malicious activity. A single, actionable proof of abuse should grant the registrar the latitude—and the obligation—to check associated domains. While registrars should have the discretion to determine the *depth* of the ADC based on available signals, the *initiation* of the check must be the default consequence of verified abuse. We should not use "calibration" as a justification for inaction. The ADC is the proportionate tool required to ensure that the "appropriate mitigation action" mandated by ICANN actually stops the abuse at the source. One actionable proof is enough to turn the key; to do less is to facilitate a $10.5 trillion criminal economy at the expense of global internet users. -Mary Penn IPC Representative <http://www.verizon.com/> Mary Penn (she/her) Managing Associate General Counsel Intellectual Property Law and Policy Group Verizon Consumer Group M 202 924 3132 1300 I Street, NW, Suite 500 East Washington, DC 20005 <http://www.facebook.com/verizon> <http://twitter.com/verizon> <http://www.linkedin.com/company/verizon> <http://www.instagram.com/verizon> On Wed, Apr 15, 2026 at 10:45 AM Tan Tanaka, Dennis via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> wrote:

+1, an actionable report pursuant to 3.18.2 should be enough to trigger ADC. After this first step, a registrar should have the latitude to determine the depth and breadth of ADC informed by the signals/indicators available to them and apply mitigation actions where appropriate.

*From: *Gabriel Andrews via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org

...

*Reply-To: *Gabriel Andrews <gfandrews@fbi.gov> *Date: *Wednesday, April 15, 2026 at 5:27 AM *To: *"Brian F. Cimbolic" <brian@pir.org>, farzaneh badii < farzaneh.badii@gmail.com> *Cc: *"trachtenbergm@gtlaw.com" <trachtenbergm@gtlaw.com>, " volker.greimann@centralnic.com" <volker.greimann@centralnic.com>, "el@lisse.NA" <el@lisse.NA>, "gnso-dnsabuse-pdp@icann.org" < gnso-dnsabuse-pdp@icann.org>, "dns-techs@na-nic.com.na" < dns-techs@na-nic.com.na> *Subject: *[EXTERNAL] [Gnso-dnsabuse-pdp] Re: [EXTERNAL EMAIL] - Re: Another numbers request.

*Caution:* This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

I'm going to speak for a moment on my own behalf to share experience as an investigator, and not on behalf of the GAC.

Farzi, I believe you correctly identify a commonly employed LE principle that the more privacy-invasive an investigative technique is, the more facts/circumstances that may be required to justify its use. Policy is often in place such that a LE investigation can only be opened when there are articulable facts indicating a crime has been committed (for which the agency has authority to investigate). Further, if the investigator wishes to use a particularly privacy-invasive technique, (such as a wiretap to surveil communications in realtime) extensive predication of facts must be presented as to why that level of privacy-invasion is required and couldn't be otherwise satisfied with less privacy invasive techniques.

I believe you incorrectly, however, apply that important principle when you suggest that evidence of a maliciously registered domain - sufficient to trigger 3.18.2 - would not justify taking a look at the other domains registered by that threat actor. This is a minimally invasive investigative step which would be one of the very first steps to take in an investigation once evidence is received of malicious registrations having been made by that customer. It makes use only of information already in possession of the registrar (or reseller), it doesn't piece the veil of protected communications, it's merely a step taken - after you have proof that a domain is maliciously registered - to see what other domains that threat actor is also using maliciously. To not take this step would be, in my view, irresponsible.

Following evidence of malicious registration, an ADC will allow informed mitigative action, which may especially be important to mitigate or prevent victim harm. Example: If a threat actor has registered 100 phishing domains in furtherance of a Business Email Compromise scheme, if a registrar takes piecemeal action only against the one or two domains first reported, the threat actor may yet continue their scheme to defraud the additional 98 victims. Worse, they may accelerate their scheme if already using some of those other 98 domains in communication with victim(s), knowing that the "heat is on". Whereas, if the Rr performed the ADC before taking mitigative action, they may see all 100 domains, and choose to take comprehensive mitigative action against all the phishing domains simultaneously, greatly mitigating potential harm. Recognition of this principle is, I believe, the driving purpose behind this PDP.

All this said - I would greatly benefit from any scenario you might provide in which conducting this simple check might in any way cause harm to an innocent party. I believe Brian asked for such a scenario/example previously, and I have eagerly awaited the same, recognizing that there may be a situation I simply haven't considered.

------------------------------

*From:* farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> *Sent:* Wednesday, April 15, 2026 3:44 AM *To:* Brian F. Cimbolic <brian@pir.org> *Cc:* trachtenbergm@gtlaw.com <trachtenbergm@gtlaw.com>; volker.greimann@centralnic.com <volker.greimann@centralnic.com>; el@lisse.NA <el@lisse.na>; gnso-dnsabuse-pdp@icann.org < gnso-dnsabuse-pdp@icann.org>; dns-techs@na-nic.com.na < dns-techs@na-nic.com.na> *Subject:* [EXTERNAL EMAIL] - [Gnso-dnsabuse-pdp] Re: Another numbers request.

I repeat my point, which reflects a global legal practice: *the initiation and scope* of an investigation must be necessary and proportionate to the available indicators of abuse. *We are not confusing investigation and enforcement*. Investigative methods *themselves*, not just penalties, are subject to these requirements. More intrusive or expansive methods must be justified by* an initial evidentiary threshold* and cannot be used as a default to determine that threshold.

I therefore disagree that ADC is required to assess the nature or extent of an alleged violation. Initial action should be based on indicators derived from the domain itself, such as corroborated abuse reports but also other domain-level signals. *We should not be using ADC to determine whether there is sufficient basis to conduct ADC.* The appropriate approach is to rely* on domain-level indicators first*, and only where those establish a sufficient basis, consider more expansive investigative steps, such as examining additional domains associated with an account.

That threshold can be derived from observable indicators of abuse. In phishing cases, for example, the domain string itself can be a strong signal. A domain like “bankofamerica1” may indicate a high likelihood of targeted financial phishing and could justify further scrutiny. By contrast, domains like “youtubee[.]com” or “craigslit[.]com” may suggest typosquatting and potential malware, but those indicators alone do not justify expanding the scope of investigation to associated domains.

The point is that not all indicators justify the same investigative response. The scope of the investigation must be calibrated to the strength and nature of the indicators, and ADC should be reserved for cases where those indicators establish a sufficient basis to expand beyond the domain itself.

Farzaneh

On Wed, Apr 15, 2026 at 1:38 AM Brian F. Cimbolic via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> wrote:

I agree with Marc - the determination to suspend an individual domain name found during an ADC should rely on the mechanisms already contained in the RAA - if the ADC provides actionable evidence of malicious DNS Abuse, the registrar would be obligated to suspend the relevant domain(s).

If there are 20 other domains in the same registrar account that appear legitimate/benign, I don’t think anyone has ever suggested that those names be suspended too (as there would be no actionable evidence of DNS Abuse under 3.18.2 of the RAA). And if they are, it feels there is consensus that we can nip that line of policy in the bud.

*[image: Logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_14Jv5WkirU5LRqJYnzHl6Cjr7x-5F8j4E5V58r4z8nYLt9JO2ni51wIhln8OCmvffJF5mESr8zTwgJ7TsSmk5oQVoSHFxQB5uaF4pfLiIqBSRD9ZPWPAjZxSq7FvmeTT2cWeVgnzPx0gXT-2D04-5FzVWIGc5QbssBHjOLe2RLWrEFqlzSplqPRkdnvoI5mWxRVe5-5Fi46C3EYTTohVPX3EnmjU03z1Xf3SYOBdBxrEjZx13qlqoVNs3mo-2DQiX4nh9-5FdmzrCP1ubK5-5F4DUcg2DvfI1EPltc9YH9iMV3G7zIrNMa6rVQ_https-253A-252F-252Fwww.thenew.org-252F&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=kSN7rKN4aaf88g_DOHm5QMxYyc7HKQSM_P80UD9QRqU&e=>*

*Brian Cimbolic* *| Chief Legal and Policy Officer*

*brian@pir.org <brian@pir.org>* | *www.thenew.org <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.thenew.org&d=DwQGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=EVkmXoG72rs8SmREUhst98YU0-gVoqkJ9HVfENWo84E&e=>* | *Power your inspiration. Connect your world.*

*[image: A green sign with a white star and black text Description automatically generated]*

*Confidentiality Note:* Proprietary and confidential to Public Interest Registry. If received in error, please inform sender and then delete.

*From: *trachtenbergm--- via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> *Date: *Tuesday, April 14, 2026 at 8:35 PM *To: *volker.greimann@centralnic.com <volker.greimann@centralnic.com>, el@lisse.NA <el@lisse.NA>, gnso-dnsabuse-pdp@icann.org < gnso-dnsabuse-pdp@icann.org> *Cc: *dns-techs@na-nic.com.na <dns-techs@na-nic.com.na> *Subject: *[Gnso-dnsabuse-pdp] Re: Another numbers request.

Volker,

I agree with most of these points and that these are important considerations for the registrar when deciding what mitigation action to take, but my point was that the takedown part is not part of the ADC. The takedown part already exists in the DNS Abuse amendments in the RAA. This discussion, while important, is outside the ADC. That’s why it is a rabbit hole for purposes of trying to create the ADC. Once again, it is the conflation of investigation with enforcement/mitigation.

Best regards,

*Marc H. Trachtenberg* Shareholder

Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP

*Aspen Chicago*

411 E. Main Street <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> 360 North Green Street

Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607

T +1.970.300.5313 T +1.312.456.1020

M +1.773.677.3305 M +1.773.677.3305 *trac@gtlaw.com <trachtenbergm@gtlaw.com>* | *www.gtlaw.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__secure-2Dweb.cisco.com_1-5FG8FTxuC4DigFwKHmWy-2D3tyX5VEQ92-2DSSyqGkXRGPb-5Fp9i19HOc7gZMo2zOS6kzN7iT3BYGXyLIJGfWPH0yJX9VvGbU4pLl3BIxUZPkBWcgJL5oZCxkc2g-2DVjuuu26NM-5FXtcLsBXIfNZxsdOYMdcjF400gpJcbVxUnIlYXTHhTAdfdBGcbTP-2DrqZyRuOpCZ26yrY-2Dnvqx5ODopNHkujptlSH0Lj9gJKsdpj8oMajnm10JdZUhEMaDMs-5Fzh-5Fofd3cU-2Dm-5FZtU2eBVcx2y35kSlfxXmwsNVwhYgHXG-5FuqwLvB8_http-253A-252F-252Fwww.gtlaw.com-252F&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=Ii2YvgQp9J6g_pPVBCiZiUSfwVKyJrXaXxLnFdQ3OM8&e=>* | *View GT Biography <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_13j79w4v7OS-5FTjRbxYBulxQosog3-2DHgGvzdpk2qOIf3j1eIdZ9zyJYyvBoMW5B7pW4Ym-5FY5hjsuceAb39ZExZusnFFGh1kj0CQqUGAPTylnMgxoBzAB7e-2DnjxmOjFuLRTTwDAPO7sl4mk0Bm-2DLnXTLJGn4rsBs4U-5F-5FgafiNI8vS0zXpK4Z5aC-2DC73-5FJa-5FUqIq7W-2D3cMmU355tVwkTSKsDVR2m7VG4HhLyqL9Ai-5F7cMwYKs-2DH4l3CoZZi5cvF8wLV0N-2D5E9lZHgVsgiRQcQyEmWfN25EAc9Zq9JvZ0RYk7kP4_https-253A-252F-252Fwww.gtlaw.com-252Fen-252Fprofessionals-252Ft-252Ftrachtenberg-2Dmarc-2Dh&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=FiEmtzKATkkQzxi2nrdmV5KIBqqIQMmDvhQ-nrOKjAA&e=>*

[image: Greenberg Traurig Logo]

[image: Greenberg Traurig Logo]

*From:* Volker Greimann <volker.greimann@centralnic.com> *Sent:* Tuesday, April 14, 2026 3:38 PM *To:* el@lisse.NA; gnso-dnsabuse-pdp@icann.org; Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com> *Cc:* dns-techs@na-nic.com.na *Subject:* Re: [Gnso-dnsabuse-pdp] Re: Another numbers request.

Hi Marc,

it is not really a rabbit hole since it is just the kind of issue that registrars face when dealing with associated domain names. Every takedown also carries with it a certain liability risk that has to be balanced as part of the review process before taking a decision to act. That is why we need actionable evidence of abuse, and that does not change for associated domain checks either.

We have had cases where "Dumb Criminal A" defecated where he dined and had registered his personal (legal-use) domain names in the same account that also held the problematic ones. Do we take those down as well?

We have had cases where we took down a significant number of domain names of a third-party privacy or trustee service that was not recognizable as such because of a high prevalence of abusive registrations using that registration data set, thereby affecting a significant number of non-abusive registrations. Justified? Maybe! Liability risk? For sure.

We do see cases where criminals register domains through various resellers and even registrars, but never use more than one at a time. We can only ever detect one domain engaged in abusive activities. We see the associated domains as such and even without actionable evidence for every single one we will take action based on various indicators of likelihood of abusive use. But the risk remains of also taking down domains that were never intended for such use.

We have seen domains registered for advertising or monetization purposes where the abuse originates from a bad advertiser of the parking provider that circumvented their internal review processes. Most of those domains are used by other advertisers for legitimate purposes. In fact, their registration pattern is similar to the case of the reservoir domains above. They would all fall into the classification of associated domains, but in this case, a takedown would be problematic.

Just because a domain is associated somehow with an abusive registration does not mean it was registered for the same purpose, or even by or on behalf of the same end customer. As a registrar, it is our job to navigate those dangerous waters, balance legal obligations to our legitimate customers and our legal and policy obligations to take action on malicious registrations. It is easy when the ocean is clear and you can see the floor, but there are hidden reefs that we need to watch out for. And it does take an experienced captain and crew to navigate those shoals. But to do that successfully, we need room to navigate and trust in our experience.

Sincerely,

*Volker Greimann* *General Counsel & Head of Policy and Compliance - Online Division*

*volker.greimann@centralnic.com <volker.greimann@centralnic.com>* Office: +49-172-6367025 Web: *www.teaminternet.com <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_18Dk0yBe9IcCYrqBP08pItBnkBkqDurEgKndpl1KNOFg6cm-5FHOffmQqmBMK-2Dyg-2DJ9YEnY35HBIDkVUfxZ6uF3Eb-2DaoigLEesubS43oTQgVhzJLQmpFoHUrNcbuiaZ4qsmwz9GfQAPUFmVCjU61d3r8A1RP9HNLsi3-2DyESN53uFs7hy3ZRWB4gWk7RQcMUvYv58JWuFNadFn4e2lUfPZN3564-2DzgRz2QSXjLaXNv8HvK6f-2DJ-5FOkBSkl3YkTlezRykXNfWGnPM-2Da1T6Vf0rZ3aH19M0dzPUikudnr7DYLAs0o0_https-253A-252F-252Furldefense.com-252Fv3-252F-5F-5Fhttp-253A-252Fwww.teaminternet.com-5F-5F-253B-2521-2521DUT-5FTFPxUQ-2521Ah6Du0mB4pVy12L6d-5FvdRazeSsG-5FM1F-2D04dCl257N-2Dd7NQfy-5F2Bt4PurYVJG9psr4DE7BN2BPT-5FtFAQazfqH9aBi5P5PLK0k-2524&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=Lj8tPAothKm5MlVoSeJc6MyToC89Gzqo3ptFJhviqzI&e=>*

Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...>. Team Internet is a company registered in England and Wales with the company number 8576358.

------------------------------

*From:* trachtenbergm--- via Gnso-dnsabuse-pdp <*gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>*> *Sent:* 14 April 2026 8:26 PM *To:* *el@lisse.na <el@lisse.na>* <*el@lisse.na <el@lisse.na>*>; *gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>* <*gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>*> *Cc:* *dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>* <*dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>*> *Subject:* [Gnso-dnsabuse-pdp] Re: Another numbers request.

Eberhard,

I think we are going down a rabbit hole here. This is outside the scope of the ADC as the ADC is not mandating that entire accounts get shut down or that the registrar take any action other than investigate for associated domains. Any resulting obligations to take action based on what the registrar finds already exist in the RAA.

Best regards,

*Marc H. Trachtenberg* Shareholder

Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP

*Aspen Chicago*

411 E. Main Street <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> 360 North Green Street

Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607

T +1.970.300.5313 T +1.312.456.1020

M +1.773.677.3305 M +1.773.677.3305 *trac@gtlaw.com <trachtenbergm@gtlaw.com>* | *www.gtlaw.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__secure-2Dweb.cisco.com_1-5FG8FTxuC4DigFwKHmWy-2D3tyX5VEQ92-2DSSyqGkXRGPb-5Fp9i19HOc7gZMo2zOS6kzN7iT3BYGXyLIJGfWPH0yJX9VvGbU4pLl3BIxUZPkBWcgJL5oZCxkc2g-2DVjuuu26NM-5FXtcLsBXIfNZxsdOYMdcjF400gpJcbVxUnIlYXTHhTAdfdBGcbTP-2DrqZyRuOpCZ26yrY-2Dnvqx5ODopNHkujptlSH0Lj9gJKsdpj8oMajnm10JdZUhEMaDMs-5Fzh-5Fofd3cU-2Dm-5FZtU2eBVcx2y35kSlfxXmwsNVwhYgHXG-5FuqwLvB8_http-253A-252F-252Fwww.gtlaw.com-252F&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=Ii2YvgQp9J6g_pPVBCiZiUSfwVKyJrXaXxLnFdQ3OM8&e=>* | *View GT Biography <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_13j79w4v7OS-5FTjRbxYBulxQosog3-2DHgGvzdpk2qOIf3j1eIdZ9zyJYyvBoMW5B7pW4Ym-5FY5hjsuceAb39ZExZusnFFGh1kj0CQqUGAPTylnMgxoBzAB7e-2DnjxmOjFuLRTTwDAPO7sl4mk0Bm-2DLnXTLJGn4rsBs4U-5F-5FgafiNI8vS0zXpK4Z5aC-2DC73-5FJa-5FUqIq7W-2D3cMmU355tVwkTSKsDVR2m7VG4HhLyqL9Ai-5F7cMwYKs-2DH4l3CoZZi5cvF8wLV0N-2D5E9lZHgVsgiRQcQyEmWfN25EAc9Zq9JvZ0RYk7kP4_https-253A-252F-252Fwww.gtlaw.com-252Fen-252Fprofessionals-252Ft-252Ftrachtenberg-2Dmarc-2Dh&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=FiEmtzKATkkQzxi2nrdmV5KIBqqIQMmDvhQ-nrOKjAA&e=>*

[image: Greenberg Traurig Logo]

[image: Greenberg Traurig Logo]

*From:* Eberhard W Lisse via Gnso-dnsabuse-pdp <*gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>*> *Sent:* Tuesday, April 14, 2026 12:13 PM *To:* *gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>* *Cc:* Dns-techs <*dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>*> *Subject:* [Gnso-dnsabuse-pdp] Re: Another numbers request.

**EXTERNAL TO GT**

Becky,

you are the lawyer, I am not.

I just mean a concept.

Can you take down a Registered Name, just because (at least) *another* Name registered by same Registrant has been mitigated?

If a single Registrant has 5 Names, 1 reported, investigated, proven as phishing, and mitigated accordingly, ADC done, and 3 of the others are mitigable, I still don't like that the 5th one would or could be mitigated as well.

However as Marc wrote, you act against the Registrant (for violating the Terms and Conditions).

How would that work? Can you really unilaterally decide to take Names down, or do you have to give notice of termination of the Registrant agreement (0 to n days notice)? So they transfer the Name elsewhere, and perhaps even register the mitigated Names again.

Now you take a Reseller which has a Million Names. ADC finds 50, 500 or even 5000 in need of mitigation.

Do you take the 50, 500 or 5000 names down or do you cancel the agreement with the Reseller (for violation the Terms and Conditions). What happens then to the Names left?

Or if the Reseller is just irritated enough that they transfer significant Revenue elsewhere? There are enough accredited Registrars around, after all.

The obviously even more difficult question is how to prevent them from becoming wise to the Policy and transferring the rest of a portfolio to another Registrar, when a single one is taken down, ie before the ADC can be done?

We have not thought through the consequences of our considerations, and/or the cost.

el

-- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) *el@lisse.NA <el@lisse.NA>* / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply

On Apr 14, 2026 at 18:50 +0200, Becky Burr <*bburr@pir.org <bburr@pir.org>*>, wrote:

I am confused by the use of the term “guilt by association” here. That usually means you consider one person guilty of some bad act because that person is associated with *someone else* who is a known bad guy. And yes, in that context, there are significant human rights concerns.

Here, we are just saying that if a registrant/account holder is known to be using one domain for DNS abuse then we are going to check to make sure t*he same registrant/account* holder isn’t using other domains for DNS abuse. And, if the answer is no, then nothing happens to the associated domains. So, unless you are arguing that domains themselves have human rights, I don’t see what the guilt by association issue is.

Am I missing something?

*[image: Image removed by sender. Logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_17kGWYzHXkG-5FG-2Dd492Z6q-5F78vAQlKbrNF-5FYU5s7m5phcLXU3ASKNl1Rd57CcWENJ7FEbKO0zmmlLUT2wYCP6ALi0sArJhu8EDI08BUD-2DQz0jjp8FsDwN0o5gPDlaCyMc6xtXRzrnYpteecKvqx77fbMEBMqxJn1w3upvcxaTQbgnwtOH4VZxbmuUAA-2DmLnJfnx6tASjoWB2NOEaoxEOUyF7lOpNs59XyjrFV-2DRCFz1VLI3P2c-5Fq2L1J2fMp1Mlv-2DfH0g-2D3BRVfUI1UNeSpFNgpWpS10-5FfwanPNkJk3qrBD3M_https-253A-252F-252Furldefense.com-252Fv3-252F-5F-5Fhttps-253A-252Fwww.thenew.org-252F-5F-5F-253B-2521-2521DUT-5FTFPxUQ-2521GykcfK67czdDZOfupqIpOSPLjmf2z7tVTmIl2UIm6GnSNd4l5z2dIQq9Btz1pfxHax2iPFr6-5FoJkyRjFA6PVYwQUi-5Fk0-2DQ-2524&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=WJsg0vQfBiYxJOTNfsgvwWVoBjLbliJhA2a2_2zmTNk&e=>*

*Becky Burr*

------------------------------

If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at *postmaster@gtlaw.com <postmaster@gtlaw.com>*, and do not use or disseminate the information.

_______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org

_______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org

Hi Farell, That is not an accurate reflection of my intended message. The proportionality conversation thus far has been largely limited to the burden placed on registrars. My point is that this is a flawed perspective. Given the massive and actual harm caused by DNS Abuse, the impact on the public and global internet users must be prioritized over the potential administrative burden on a few companies in a position to make a real difference. Furthermore, the specific severity of the abuse is irrelevant. Abuse is abuse, and it should be addressed consistently. Best regards, Mary Penn <http://www.verizon.com/> Mary Penn (she/her) Managing Associate General Counsel Intellectual Property Law and Policy Group Verizon Consumer Group M 202 924 3132 1300 I Street, NW, Suite 500 East Washington, DC 20005 <http://www.facebook.com/verizon> <http://twitter.com/verizon> <http://www.linkedin.com/company/verizon> <http://www.instagram.com/verizon> On Mon, Apr 20, 2026 at 8:27 AM Farell FOLLY via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> wrote:

Dear Mary, for the detailed insights you have brought up.

Even if you disagree, I don't think you are rejecting most of what Farzi is suggesting. Actually there is an hierachy of harm otherwise why are talking about severity, impact and proportionality? It is indeed to ensure that reactions or responses are justified and proptórtionned to to the actions/triggers

Let me pick a few points in your email:

...

...

*A registrar cannot claim to have "disrupted" abuse under 3.18.2 if they ignore five other domains in the same account registered with the same malicious signals: *The group of words "five other domains in the same account registered with the same malicious signals" you are pointing out actually indicates that there is a level for the triggering mechanism, that multiple sources are stronger than one source!

...

...

*Proportionality must be measured against the severity of the threat to the public:* This actually indicates that there are different levels of harm!

...

...

*The ADC is the proportionate tool* *required to ensure that the "appropriate mitigation action" mandated by ICANN actually stops the abuse at the source:* If a proportionate tool treats all triggers equally, then it will lead to the same proportionate response, and that is contradictory to the fact that we want proportionality to be measured against different levels of severity.

Best regards.

FF

Am Mittwoch, 15. April 2026 um 23:05:36 +02:00, hat Penn, Mary via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> geschrieben:

Farzaneh,

We disagree with the premise that a confirmed violation under Section 3.18.2 is insufficient to trigger an ADC. The argument that we must first "calibrate" investigative responses based on the "severity" of an indicator fails to account for the unified nature of DNS Abuse and the systemic risk posed by malicious registrants.

An actionable report under Section 3.18.2 is not a mere "indicator"—it is a confirmed breach of the RAA. Once a report is validated, malicious intent is established. To suggest that a domain like bankofamerica1 justifies an ADC while a malware-dropping typosquat like craigslit[.]com does not, creates an arbitrary hierarchy of harm. A registrar cannot claim to have "disrupted" abuse under 3.18.2 if they ignore five other domains in the same account registered with the same malicious signals.

Proportionality must be measured against the severity of the threat to the public. With global cybercrime costs projected by Cybersecurity Ventures to reach $10.5 trillion annually by 2026, the ADC is a necessary and proportionate tool.

Specifically, we must prioritize the fundamental rights of the global public to be secure from financial ruin and identity theft over the procedural "privacy" of a confirmed abuser. Also setting a higher threshold for ADCs than for 3.18.2 mitigation effectively grants professionalized abusers a "free pass" to keep the rest of their malicious infrastructure active.

An ADC is a technical cross-reference, not a content-based inquiry. Because this process is strictly limited to the five technical categories of DNS Abuse, it does not infringe on freedom of expression or lawful speech. It is a technical inquiry into whether other domains are linked to verified malicious activity.

A single, actionable proof of abuse should grant the registrar the latitude—and the obligation—to check associated domains. While registrars should have the discretion to determine the *depth* of the ADC based on available signals, the *initiation* of the check must be the default consequence of verified abuse.

We should not use "calibration" as a justification for inaction. The ADC is the proportionate tool required to ensure that the "appropriate mitigation action" mandated by ICANN actually stops the abuse at the source. One actionable proof is enough to turn the key; to do less is to facilitate a $10.5 trillion criminal economy at the expense of global internet users.

-Mary Penn

IPC Representative <http://www.verizon.com/>

*Mary Penn* *(she/her)*

Managing Associate General Counsel Intellectual Property Law and Policy Group Verizon Consumer Group

M 202 924 3132 1300 I Street, NW, Suite 500 East Washington, DC 20005

<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_verizon...>

<https://urldefense.proofpoint.com/v2/url?u=http-3A__twitter.com_verizon&d=Dw...>

<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.linkedin.com_company...>

<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.instagram.com_verizo...>

On Wed, Apr 15, 2026 at 10:45 AM Tan Tanaka, Dennis via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> wrote:

+1, an actionable report pursuant to 3.18.2 should be enough to trigger ADC. After this first step, a registrar should have the latitude to determine the depth and breadth of ADC informed by the signals/indicators available to them and apply mitigation actions where appropriate.

*From: *Gabriel Andrews via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org

...

*Reply-To: *Gabriel Andrews <gfandrews@fbi.gov> *Date: *Wednesday, April 15, 2026 at 5:27 AM *To: *"Brian F. Cimbolic" <brian@pir.org>, farzaneh badii < farzaneh.badii@gmail.com> *Cc: *"trachtenbergm@gtlaw.com" <trachtenbergm@gtlaw.com>, " volker.greimann@centralnic.com" <volker.greimann@centralnic.com>, "el@lisse.NA" <el@lisse.NA>, "gnso-dnsabuse-pdp@icann.org" < gnso-dnsabuse-pdp@icann.org>, "dns-techs@na-nic.com.na" < dns-techs@na-nic.com.na> *Subject: *[EXTERNAL] [Gnso-dnsabuse-pdp] Re: [EXTERNAL EMAIL] - Re: Another numbers request.

*Caution:* This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

I'm going to speak for a moment on my own behalf to share experience as an investigator, and not on behalf of the GAC.

Farzi, I believe you correctly identify a commonly employed LE principle that the more privacy-invasive an investigative technique is, the more facts/circumstances that may be required to justify its use. Policy is often in place such that a LE investigation can only be opened when there are articulable facts indicating a crime has been committed (for which the agency has authority to investigate). Further, if the investigator wishes to use a particularly privacy-invasive technique, (such as a wiretap to surveil communications in realtime) extensive predication of facts must be presented as to why that level of privacy-invasion is required and couldn't be otherwise satisfied with less privacy invasive techniques.

I believe you incorrectly, however, apply that important principle when you suggest that evidence of a maliciously registered domain - sufficient to trigger 3.18.2 - would not justify taking a look at the other domains registered by that threat actor. This is a minimally invasive investigative step which would be one of the very first steps to take in an investigation once evidence is received of malicious registrations having been made by that customer. It makes use only of information already in possession of the registrar (or reseller), it doesn't piece the veil of protected communications, it's merely a step taken - after you have proof that a domain is maliciously registered - to see what other domains that threat actor is also using maliciously. To not take this step would be, in my view, irresponsible.

Following evidence of malicious registration, an ADC will allow informed mitigative action, which may especially be important to mitigate or prevent victim harm. Example: If a threat actor has registered 100 phishing domains in furtherance of a Business Email Compromise scheme, if a registrar takes piecemeal action only against the one or two domains first reported, the threat actor may yet continue their scheme to defraud the additional 98 victims. Worse, they may accelerate their scheme if already using some of those other 98 domains in communication with victim(s), knowing that the "heat is on". Whereas, if the Rr performed the ADC before taking mitigative action, they may see all 100 domains, and choose to take comprehensive mitigative action against all the phishing domains simultaneously, greatly mitigating potential harm. Recognition of this principle is, I believe, the driving purpose behind this PDP.

All this said - I would greatly benefit from any scenario you might provide in which conducting this simple check might in any way cause harm to an innocent party. I believe Brian asked for such a scenario/example previously, and I have eagerly awaited the same, recognizing that there may be a situation I simply haven't considered.

------------------------------

*From:* farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org> *Sent:* Wednesday, April 15, 2026 3:44 AM *To:* Brian F. Cimbolic <brian@pir.org> *Cc:* trachtenbergm@gtlaw.com <trachtenbergm@gtlaw.com>; volker.greimann@centralnic.com <volker.greimann@centralnic.com>; el@lisse.NA <el@lisse.na>; gnso-dnsabuse-pdp@icann.org < gnso-dnsabuse-pdp@icann.org>; dns-techs@na-nic.com.na < dns-techs@na-nic.com.na> *Subject:* [EXTERNAL EMAIL] - [Gnso-dnsabuse-pdp] Re: Another numbers request.

I repeat my point, which reflects a global legal practice: *the initiation and scope* of an investigation must be necessary and proportionate to the available indicators of abuse.* We are not confusing investigation and enforcement*. Investigative methods *themselves*, not just penalties, are subject to these requirements. More intrusive or expansive methods must be justified by* an initial evidentiary threshold* and cannot be used as a default to determine that threshold.

I therefore disagree that ADC is required to assess the nature or extent of an alleged violation. Initial action should be based on indicators derived from the domain itself, such as corroborated abuse reports but also other domain-level signals. *We should not be using ADC to determine whether there is sufficient basis to conduct ADC.* The appropriate approach is to rely* on domain-level indicators first*, and only where those establish a sufficient basis, consider more expansive investigative steps, such as examining additional domains associated with an account.

That threshold can be derived from observable indicators of abuse. In phishing cases, for example, the domain string itself can be a strong signal. A domain like “bankofamerica1” may indicate a high likelihood of targeted financial phishing and could justify further scrutiny. By contrast, domains like “youtubee[.]com” or “craigslit[.]com” may suggest typosquatting and potential malware, but those indicators alone do not justify expanding the scope of investigation to associated domains.

The point is that not all indicators justify the same investigative response. The scope of the investigation must be calibrated to the strength and nature of the indicators, and ADC should be reserved for cases where those indicators establish a sufficient basis to expand beyond the domain itself.

Farzaneh

On Wed, Apr 15, 2026 at 1:38 AM Brian F. Cimbolic via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> wrote:

I agree with Marc - the determination to suspend an individual domain name found during an ADC should rely on the mechanisms already contained in the RAA - if the ADC provides actionable evidence of malicious DNS Abuse, the registrar would be obligated to suspend the relevant domain(s).

If there are 20 other domains in the same registrar account that appear legitimate/benign, I don’t think anyone has ever suggested that those names be suspended too (as there would be no actionable evidence of DNS Abuse under 3.18.2 of the RAA). And if they are, it feels there is consensus that we can nip that line of policy in the bud.

*[image: Logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_14Jv5WkirU5LRqJYnzHl6Cjr7x-5F8j4E5V58r4z8nYLt9JO2ni51wIhln8OCmvffJF5mESr8zTwgJ7TsSmk5oQVoSHFxQB5uaF4pfLiIqBSRD9ZPWPAjZxSq7FvmeTT2cWeVgnzPx0gXT-2D04-5FzVWIGc5QbssBHjOLe2RLWrEFqlzSplqPRkdnvoI5mWxRVe5-5Fi46C3EYTTohVPX3EnmjU03z1Xf3SYOBdBxrEjZx13qlqoVNs3mo-2DQiX4nh9-5FdmzrCP1ubK5-5F4DUcg2DvfI1EPltc9YH9iMV3G7zIrNMa6rVQ_https-253A-252F-252Fwww.thenew.org-252F&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=kSN7rKN4aaf88g_DOHm5QMxYyc7HKQSM_P80UD9QRqU&e=>*

*Brian Cimbolic* *| Chief Legal and Policy Officer*

*brian@pir.org <brian@pir.org>* | *www.thenew.org <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.thenew.org&d=DwQGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=EVkmXoG72rs8SmREUhst98YU0-gVoqkJ9HVfENWo84E&e=>* | *Power your inspiration. Connect your world.*

*[image: A green sign with a white star and black text Description automatically generated]*

*Confidentiality Note:* Proprietary and confidential to Public Interest Registry. If received in error, please inform sender and then delete.

*From: *trachtenbergm--- via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> *Date: *Tuesday, April 14, 2026 at 8:35 PM *To: *volker.greimann@centralnic.com <volker.greimann@centralnic.com>, el@lisse.NA <el@lisse.NA>, gnso-dnsabuse-pdp@icann.org < gnso-dnsabuse-pdp@icann.org> *Cc: *dns-techs@na-nic.com.na <dns-techs@na-nic.com.na> *Subject: *[Gnso-dnsabuse-pdp] Re: Another numbers request.

Volker,

I agree with most of these points and that these are important considerations for the registrar when deciding what mitigation action to take, but my point was that the takedown part is not part of the ADC. The takedown part already exists in the DNS Abuse amendments in the RAA. This discussion, while important, is outside the ADC. That’s why it is a rabbit hole for purposes of trying to create the ADC. Once again, it is the conflation of investigation with enforcement/mitigation.

Best regards,

*Marc H. Trachtenberg* Shareholder

Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP

*Aspen Chicago*

411 E. Main Street <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> 360 North Green Street

Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607

T +1.970.300.5313 T +1.312.456.1020

M +1.773.677.3305 M +1.773.677.3305 *trac@gtlaw.com <trachtenbergm@gtlaw.com>* | *www.gtlaw.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__secure-2Dweb.cisco.com_1-5FG8FTxuC4DigFwKHmWy-2D3tyX5VEQ92-2DSSyqGkXRGPb-5Fp9i19HOc7gZMo2zOS6kzN7iT3BYGXyLIJGfWPH0yJX9VvGbU4pLl3BIxUZPkBWcgJL5oZCxkc2g-2DVjuuu26NM-5FXtcLsBXIfNZxsdOYMdcjF400gpJcbVxUnIlYXTHhTAdfdBGcbTP-2DrqZyRuOpCZ26yrY-2Dnvqx5ODopNHkujptlSH0Lj9gJKsdpj8oMajnm10JdZUhEMaDMs-5Fzh-5Fofd3cU-2Dm-5FZtU2eBVcx2y35kSlfxXmwsNVwhYgHXG-5FuqwLvB8_http-253A-252F-252Fwww.gtlaw.com-252F&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=Ii2YvgQp9J6g_pPVBCiZiUSfwVKyJrXaXxLnFdQ3OM8&e=>* | *View GT Biography <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_13j79w4v7OS-5FTjRbxYBulxQosog3-2DHgGvzdpk2qOIf3j1eIdZ9zyJYyvBoMW5B7pW4Ym-5FY5hjsuceAb39ZExZusnFFGh1kj0CQqUGAPTylnMgxoBzAB7e-2DnjxmOjFuLRTTwDAPO7sl4mk0Bm-2DLnXTLJGn4rsBs4U-5F-5FgafiNI8vS0zXpK4Z5aC-2DC73-5FJa-5FUqIq7W-2D3cMmU355tVwkTSKsDVR2m7VG4HhLyqL9Ai-5F7cMwYKs-2DH4l3CoZZi5cvF8wLV0N-2D5E9lZHgVsgiRQcQyEmWfN25EAc9Zq9JvZ0RYk7kP4_https-253A-252F-252Fwww.gtlaw.com-252Fen-252Fprofessionals-252Ft-252Ftrachtenberg-2Dmarc-2Dh&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=FiEmtzKATkkQzxi2nrdmV5KIBqqIQMmDvhQ-nrOKjAA&e=>*

[image: Greenberg Traurig Logo]

[image: Greenberg Traurig Logo]

*From:* Volker Greimann <volker.greimann@centralnic.com> *Sent:* Tuesday, April 14, 2026 3:38 PM *To:* el@lisse.NA; gnso-dnsabuse-pdp@icann.org; Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com> *Cc:* dns-techs@na-nic.com.na *Subject:* Re: [Gnso-dnsabuse-pdp] Re: Another numbers request.

Hi Marc,

it is not really a rabbit hole since it is just the kind of issue that registrars face when dealing with associated domain names. Every takedown also carries with it a certain liability risk that has to be balanced as part of the review process before taking a decision to act. That is why we need actionable evidence of abuse, and that does not change for associated domain checks either.

We have had cases where "Dumb Criminal A" defecated where he dined and had registered his personal (legal-use) domain names in the same account that also held the problematic ones. Do we take those down as well?

We have had cases where we took down a significant number of domain names of a third-party privacy or trustee service that was not recognizable as such because of a high prevalence of abusive registrations using that registration data set, thereby affecting a significant number of non-abusive registrations. Justified? Maybe! Liability risk? For sure.

We do see cases where criminals register domains through various resellers and even registrars, but never use more than one at a time. We can only ever detect one domain engaged in abusive activities. We see the associated domains as such and even without actionable evidence for every single one we will take action based on various indicators of likelihood of abusive use. But the risk remains of also taking down domains that were never intended for such use.

We have seen domains registered for advertising or monetization purposes where the abuse originates from a bad advertiser of the parking provider that circumvented their internal review processes. Most of those domains are used by other advertisers for legitimate purposes. In fact, their registration pattern is similar to the case of the reservoir domains above. They would all fall into the classification of associated domains, but in this case, a takedown would be problematic.

Just because a domain is associated somehow with an abusive registration does not mean it was registered for the same purpose, or even by or on behalf of the same end customer. As a registrar, it is our job to navigate those dangerous waters, balance legal obligations to our legitimate customers and our legal and policy obligations to take action on malicious registrations. It is easy when the ocean is clear and you can see the floor, but there are hidden reefs that we need to watch out for. And it does take an experienced captain and crew to navigate those shoals. But to do that successfully, we need room to navigate and trust in our experience.

Sincerely,

*Volker Greimann* *General Counsel & Head of Policy and Compliance - Online Division*

*volker.greimann@centralnic.com <volker.greimann@centralnic.com>* Office: +49-172-6367025 Web: *www.teaminternet.com <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_18Dk0yBe9IcCYrqBP08pItBnkBkqDurEgKndpl1KNOFg6cm-5FHOffmQqmBMK-2Dyg-2DJ9YEnY35HBIDkVUfxZ6uF3Eb-2DaoigLEesubS43oTQgVhzJLQmpFoHUrNcbuiaZ4qsmwz9GfQAPUFmVCjU61d3r8A1RP9HNLsi3-2DyESN53uFs7hy3ZRWB4gWk7RQcMUvYv58JWuFNadFn4e2lUfPZN3564-2DzgRz2QSXjLaXNv8HvK6f-2DJ-5FOkBSkl3YkTlezRykXNfWGnPM-2Da1T6Vf0rZ3aH19M0dzPUikudnr7DYLAs0o0_https-253A-252F-252Furldefense.com-252Fv3-252F-5F-5Fhttp-253A-252Fwww.teaminternet.com-5F-5F-253B-2521-2521DUT-5FTFPxUQ-2521Ah6Du0mB4pVy12L6d-5FvdRazeSsG-5FM1F-2D04dCl257N-2Dd7NQfy-5F2Bt4PurYVJG9psr4DE7BN2BPT-5FtFAQazfqH9aBi5P5PLK0k-2524&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=Lj8tPAothKm5MlVoSeJc6MyToC89Gzqo3ptFJhviqzI&e=>*

Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...>. Team Internet is a company registered in England and Wales with the company number 8576358.

------------------------------

*From:* trachtenbergm--- via Gnso-dnsabuse-pdp <*gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>*> *Sent:* 14 April 2026 8:26 PM *To:* *el@lisse.na <el@lisse.na>* <*el@lisse.na <el@lisse.na>*>; *gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>* <*gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>*> *Cc:* *dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>* <*dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>*> *Subject:* [Gnso-dnsabuse-pdp] Re: Another numbers request.

Eberhard,

I think we are going down a rabbit hole here. This is outside the scope of the ADC as the ADC is not mandating that entire accounts get shut down or that the registrar take any action other than investigate for associated domains. Any resulting obligations to take action based on what the registrar finds already exist in the RAA.

Best regards,

*Marc H. Trachtenberg* Shareholder

Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP

*Aspen Chicago*

411 E. Main Street <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> 360 North Green Street

Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607

T +1.970.300.5313 T +1.312.456.1020

M +1.773.677.3305 M +1.773.677.3305 *trac@gtlaw.com <trachtenbergm@gtlaw.com>* | *www.gtlaw.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__secure-2Dweb.cisco.com_1-5FG8FTxuC4DigFwKHmWy-2D3tyX5VEQ92-2DSSyqGkXRGPb-5Fp9i19HOc7gZMo2zOS6kzN7iT3BYGXyLIJGfWPH0yJX9VvGbU4pLl3BIxUZPkBWcgJL5oZCxkc2g-2DVjuuu26NM-5FXtcLsBXIfNZxsdOYMdcjF400gpJcbVxUnIlYXTHhTAdfdBGcbTP-2DrqZyRuOpCZ26yrY-2Dnvqx5ODopNHkujptlSH0Lj9gJKsdpj8oMajnm10JdZUhEMaDMs-5Fzh-5Fofd3cU-2Dm-5FZtU2eBVcx2y35kSlfxXmwsNVwhYgHXG-5FuqwLvB8_http-253A-252F-252Fwww.gtlaw.com-252F&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=Ii2YvgQp9J6g_pPVBCiZiUSfwVKyJrXaXxLnFdQ3OM8&e=>* | *View GT Biography <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_13j79w4v7OS-5FTjRbxYBulxQosog3-2DHgGvzdpk2qOIf3j1eIdZ9zyJYyvBoMW5B7pW4Ym-5FY5hjsuceAb39ZExZusnFFGh1kj0CQqUGAPTylnMgxoBzAB7e-2DnjxmOjFuLRTTwDAPO7sl4mk0Bm-2DLnXTLJGn4rsBs4U-5F-5FgafiNI8vS0zXpK4Z5aC-2DC73-5FJa-5FUqIq7W-2D3cMmU355tVwkTSKsDVR2m7VG4HhLyqL9Ai-5F7cMwYKs-2DH4l3CoZZi5cvF8wLV0N-2D5E9lZHgVsgiRQcQyEmWfN25EAc9Zq9JvZ0RYk7kP4_https-253A-252F-252Fwww.gtlaw.com-252Fen-252Fprofessionals-252Ft-252Ftrachtenberg-2Dmarc-2Dh&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=FiEmtzKATkkQzxi2nrdmV5KIBqqIQMmDvhQ-nrOKjAA&e=>*

[image: Greenberg Traurig Logo]

[image: Greenberg Traurig Logo]

*From:* Eberhard W Lisse via Gnso-dnsabuse-pdp <*gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>*> *Sent:* Tuesday, April 14, 2026 12:13 PM *To:* *gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>* *Cc:* Dns-techs <*dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>*> *Subject:* [Gnso-dnsabuse-pdp] Re: Another numbers request.

**EXTERNAL TO GT**

Becky,

you are the lawyer, I am not.

I just mean a concept.

Can you take down a Registered Name, just because (at least) *another* Name registered by same Registrant has been mitigated?

If a single Registrant has 5 Names, 1 reported, investigated, proven as phishing, and mitigated accordingly, ADC done, and 3 of the others are mitigable, I still don't like that the 5th one would or could be mitigated as well.

However as Marc wrote, you act against the Registrant (for violating the Terms and Conditions).

How would that work? Can you really unilaterally decide to take Names down, or do you have to give notice of termination of the Registrant agreement (0 to n days notice)? So they transfer the Name elsewhere, and perhaps even register the mitigated Names again.

Now you take a Reseller which has a Million Names. ADC finds 50, 500 or even 5000 in need of mitigation.

Do you take the 50, 500 or 5000 names down or do you cancel the agreement with the Reseller (for violation the Terms and Conditions). What happens then to the Names left?

Or if the Reseller is just irritated enough that they transfer significant Revenue elsewhere? There are enough accredited Registrars around, after all.

The obviously even more difficult question is how to prevent them from becoming wise to the Policy and transferring the rest of a portfolio to another Registrar, when a single one is taken down, ie before the ADC can be done?

We have not thought through the consequences of our considerations, and/or the cost.

el

-- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) *el@lisse.NA <el@lisse.NA>* / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply

On Apr 14, 2026 at 18:50 +0200, Becky Burr <*bburr@pir.org <bburr@pir.org>*>, wrote:

I am confused by the use of the term “guilt by association” here. That usually means you consider one person guilty of some bad act because that person is associated with *someone else* who is a known bad guy. And yes, in that context, there are significant human rights concerns.

Here, we are just saying that if a registrant/account holder is known to be using one domain for DNS abuse then we are going to check to make sure t*he same registrant/account* holder isn’t using other domains for DNS abuse. And, if the answer is no, then nothing happens to the associated domains. So, unless you are arguing that domains themselves have human rights, I don’t see what the guilt by association issue is.

Am I missing something?

* <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_17kGWYzHXkG-5FG-2Dd492Z6q-5F78vAQlKbrNF-5FYU5s7m5phcLXU3ASKNl1Rd57CcWENJ7FEbKO0zmmlLUT2wYCP6ALi0sArJhu8EDI08BUD-2DQz0jjp8FsDwN0o5gPDlaCyMc6xtXRzrnYpteecKvqx77fbMEBMqxJn1w3upvcxaTQbgnwtOH4VZxbmuUAA-2DmLnJfnx6tASjoWB2NOEaoxEOUyF7lOpNs59XyjrFV-2DRCFz1VLI3P2c-5Fq2L1J2fMp1Mlv-2DfH0g-2D3BRVfUI1UNeSpFNgpWpS10-5FfwanPNkJk3qrBD3M_https-253A-252F-252Furldefense.com-252Fv3-252F-5F-5Fhttps-253A-252Fwww.thenew.org-252F-5F-5F-253B-2521-2521DUT-5FTFPxUQ-2521GykcfK67czdDZOfupqIpOSPLjmf2z7tVTmIl2UIm6GnSNd4l5z2dIQq9Btz1pfxHax2iPFr6-5FoJkyRjFA6PVYwQUi-5Fk0-2DQ-2524&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=WJsg0vQfBiYxJOTNfsgvwWVoBjLbliJhA2a2_2zmTNk&e=>*

*Becky Burr*

------------------------------

If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at *postmaster@gtlaw.com <postmaster@gtlaw.com>*, and do not use or disseminate the information.

_______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org

_______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org

_______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org

_______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org

From the quality of reporting we see, I would assume the burden on most reporters is negligible. And yet there somehow still are reporters that not only provide quality reports that can be acted on, but also report more than one domain name. Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com Office: +49-172-6367025 Web: www.teaminternet.com Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR. Team Internet is a company registered in England and Wales with the company number 8576358. ________________________________ From: trachtenbergm@gtlaw.com <trachtenbergm@gtlaw.com> Sent: 20 April 2026 3:12 PM To: mary.penn@verizon.com <mary.penn@verizon.com>; farell@benin2point0.org <farell@benin2point0.org> Cc: farzaneh.badii@gmail.com <farzaneh.badii@gmail.com>; gfandrews@fbi.gov <gfandrews@fbi.gov>; dtantanaka@verisign.com <dtantanaka@verisign.com>; brian@pir.org <brian@pir.org>; Volker Greimann <volker.greimann@centralnic.com>; el@lisse.na <el@lisse.na>; gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>; dns-techs@na-nic.com.na <dns-techs@na-nic.com.na> Subject: RE: [Gnso-dnsabuse-pdp] Re: [E] Re: [EXTERNAL EMAIL] - Re: Another numbers request. Building on Mary’s comment that “The proportionality conversation thus far has been largely limited to the burden placed on registrars.” This is a great point and I would add that there is no discussion of the burden on reporters of abuse. No one has discussed the time, effort and cost burden to even report one domain name that is being used for DNS Abuse, including collecting evidence, and to have to wait for the registrar response, and follow up when the reporter frequently gets no response and then keep checking the domain name and whois to see if the report was actioned. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<http://www.gtlaw.com/>  |  View GT Biography <https://www.gtlaw.com/en/professionals/t/trachtenberg-marc-h> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Penn, Mary <mary.penn@verizon.com> Sent: Monday, April 20, 2026 6:56 AM To: farell@benin2point0.org Cc: farzaneh.badii@gmail.com; gfandrews@fbi.gov; Tan Tanaka, Dennis <dtantanaka@verisign.com>; brian@pir.org; Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com>; volker.greimann@centralnic.com; el@lisse.NA; gnso-dnsabuse-pdp@icann.org; dns-techs@na-nic.com.na Subject: Re: [Gnso-dnsabuse-pdp] Re: [E] Re: [EXTERNAL EMAIL] - Re: Another numbers request. Hi Farell, That is not an accurate reflection of my intended message. The proportionality conversation thus far has been largely limited to the burden placed on registrars. My point is that this is a flawed perspective. Given the massive and actual harm caused by DNS Abuse, the impact on the public and global internet users must be prioritized over the potential administrative burden on a few companies in a position to make a real difference. Furthermore, the specific severity of the abuse is irrelevant. Abuse is abuse, and it should be addressed consistently. Best regards, Mary Penn [https://ss7.vzw.com/is/image/VerizonWireless/verizon-glowwordmark-99sm?$pngalpha$&scl=1]<https://urldefense.com/v3/__http:/www.verizon.com/__;!!DUT_TFPxUQ!ABBfJI4ajgJajCPAdFXXZswZBfj3axzELKKEMzVX2sLwD9qBtxXA_d5FY8oISnq2tmk9q-DXYA0FlF_Iddf7r4A$> Mary Penn (she/her) Managing Associate General Counsel Intellectual Property Law and Policy Group Verizon Consumer Group M 202 924 3132 1300 I Street, NW, Suite 500 East Washington, DC 20005 [https://ss7.vzw.com/is/image/VerizonWireless/fb-sig-logo?$defaultscale$]<https://urldefense.com/v3/__http:/www.facebook.com/verizon__;!!DUT_TFPxUQ!ABBfJI4ajgJajCPAdFXXZswZBfj3axzELKKEMzVX2sLwD9qBtxXA_d5FY8oISnq2tmk9q-DXYA0FlF_I_QgcHqg$> [https://ss7.vzw.com/is/image/VerizonWireless/x-sig-logo?$defaultscale$] <https://urldefense.com/v3/__http:/twitter.com/verizon__;!!DUT_TFPxUQ!ABBfJI4...> [https://ss7.vzw.com/is/image/VerizonWireless/linkedin-sig-logo?$defaultscale...] <https://urldefense.com/v3/__http:/www.linkedin.com/company/verizon__;!!DUT_T...> [https://ss7.vzw.com/is/image/VerizonWireless/insta-sig-logo?$defaultscale$] <https://urldefense.com/v3/__http:/www.instagram.com/verizon__;!!DUT_TFPxUQ!A...> On Mon, Apr 20, 2026 at 8:27 AM Farell FOLLY via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> wrote: Dear Mary, for the detailed insights you have brought up. Even if you disagree, I don't think you are rejecting most of what Farzi is suggesting. Actually there is an hierachy of harm otherwise why are talking about severity, impact and proportionality? It is indeed to ensure that reactions or responses are justified and proptórtionned to to the actions/triggers Let me pick a few points in your email:

...

A registrar cannot claim to have "disrupted" abuse under 3.18.2 if they ignore five other domains in the same account registered with the same malicious signals: The group of words "five other domains in the same account registered with the same malicious signals" you are pointing out actually indicates that there is a level for the triggering mechanism, that multiple sources are stronger than one source!

...

Proportionality must be measured against the severity of the threat to the public: This actually indicates that there are different levels of harm!

...

The ADC is the proportionate tool required to ensure that the "appropriate mitigation action" mandated by ICANN actually stops the abuse at the source: If a proportionate tool treats all triggers equally, then it will lead to the same proportionate response, and that is contradictory to the fact that we want proportionality to be measured against different levels of severity.

Best regards. FF Am Mittwoch, 15. April 2026 um 23:05:36 +02:00, hat Penn, Mary via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> geschrieben: Farzaneh, We disagree with the premise that a confirmed violation under Section 3.18.2 is insufficient to trigger an ADC. The argument that we must first "calibrate" investigative responses based on the "severity" of an indicator fails to account for the unified nature of DNS Abuse and the systemic risk posed by malicious registrants. An actionable report under Section 3.18.2 is not a mere "indicator"—it is a confirmed breach of the RAA. Once a report is validated, malicious intent is established. To suggest that a domain like bankofamerica1 justifies an ADC while a malware-dropping typosquat like craigslit[.]com does not, creates an arbitrary hierarchy of harm. A registrar cannot claim to have "disrupted" abuse under 3.18.2 if they ignore five other domains in the same account registered with the same malicious signals. Proportionality must be measured against the severity of the threat to the public. With global cybercrime costs projected by Cybersecurity Ventures to reach $10.5 trillion annually by 2026, the ADC is a necessary and proportionate tool. Specifically, we must prioritize the fundamental rights of the global public to be secure from financial ruin and identity theft over the procedural "privacy" of a confirmed abuser. Also setting a higher threshold for ADCs than for 3.18.2 mitigation effectively grants professionalized abusers a "free pass" to keep the rest of their malicious infrastructure active. An ADC is a technical cross-reference, not a content-based inquiry. Because this process is strictly limited to the five technical categories of DNS Abuse, it does not infringe on freedom of expression or lawful speech. It is a technical inquiry into whether other domains are linked to verified malicious activity. A single, actionable proof of abuse should grant the registrar the latitude—and the obligation—to check associated domains. While registrars should have the discretion to determine the depth of the ADC based on available signals, the initiation of the check must be the default consequence of verified abuse. We should not use "calibration" as a justification for inaction. The ADC is the proportionate tool required to ensure that the "appropriate mitigation action" mandated by ICANN actually stops the abuse at the source. One actionable proof is enough to turn the key; to do less is to facilitate a $10.5 trillion criminal economy at the expense of global internet users. -Mary Penn IPC Representative [https://ss7.vzw.com/is/image/VerizonWireless/verizon-glowwordmark-99sm?$pngalpha$&scl=1]<https://urldefense.com/v3/__http:/www.verizon.com/__;!!DUT_TFPxUQ!ABBfJI4ajgJajCPAdFXXZswZBfj3axzELKKEMzVX2sLwD9qBtxXA_d5FY8oISnq2tmk9q-DXYA0FlF_Iddf7r4A$> Mary Penn (she/her) Managing Associate General Counsel Intellectual Property Law and Policy Group Verizon Consumer Group M 202 924 3132 1300 I Street, NW, Suite 500 East Washington, DC 20005 [https://ss7.vzw.com/is/image/VerizonWireless/fb-sig-logo?$defaultscale$]<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_verizon&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=tsd-4zwQ38mY9oirhsVfbHGu_iY_2-ebTqDN2V6DrcIvzfTaDjPXol7wFIB9lvnC&s=YaL2bxzS-In5VIrn_N2AUFYGA4EvemNOZath_5OJS-w&e=> [https://ss7.vzw.com/is/image/VerizonWireless/x-sig-logo?$defaultscale$] <https://urldefense.proofpoint.com/v2/url?u=http-3A__twitter.com_verizon&d=Dw...> [https://ss7.vzw.com/is/image/VerizonWireless/linkedin-sig-logo?$defaultscale...] <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.linkedin.com_company...> [https://ss7.vzw.com/is/image/VerizonWireless/insta-sig-logo?$defaultscale$] <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.instagram.com_verizo...> On Wed, Apr 15, 2026 at 10:45 AM Tan Tanaka, Dennis via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> wrote: +1, an actionable report pursuant to 3.18.2 should be enough to trigger ADC. After this first step, a registrar should have the latitude to determine the depth and breadth of ADC informed by the signals/indicators available to them and apply mitigation actions where appropriate. From: Gabriel Andrews via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Reply-To: Gabriel Andrews <gfandrews@fbi.gov<mailto:gfandrews@fbi.gov>> Date: Wednesday, April 15, 2026 at 5:27 AM To: "Brian F. Cimbolic" <brian@pir.org<mailto:brian@pir.org>>, farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>> Cc: "trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>" <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>>, "volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>" <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>>, "el@lisse.NA<mailto:el@lisse.NA>" <el@lisse.NA<mailto:el@lisse.NA>>, "gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>" <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>>, "dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>" <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [EXTERNAL] [Gnso-dnsabuse-pdp] Re: [EXTERNAL EMAIL] - Re: Another numbers request. Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. I'm going to speak for a moment on my own behalf to share experience as an investigator, and not on behalf of the GAC. Farzi, I believe you correctly identify a commonly employed LE principle that the more privacy-invasive an investigative technique is, the more facts/circumstances that may be required to justify its use. Policy is often in place such that a LE investigation can only be opened when there are articulable facts indicating a crime has been committed (for which the agency has authority to investigate). Further, if the investigator wishes to use a particularly privacy-invasive technique, (such as a wiretap to surveil communications in realtime) extensive predication of facts must be presented as to why that level of privacy-invasion is required and couldn't be otherwise satisfied with less privacy invasive techniques. I believe you incorrectly, however, apply that important principle when you suggest that evidence of a maliciously registered domain - sufficient to trigger 3.18.2 - would not justify taking a look at the other domains registered by that threat actor. This is a minimally invasive investigative step which would be one of the very first steps to take in an investigation once evidence is received of malicious registrations having been made by that customer. It makes use only of information already in possession of the registrar (or reseller), it doesn't piece the veil of protected communications, it's merely a step taken - after you have proof that a domain is maliciously registered - to see what other domains that threat actor is also using maliciously. To not take this step would be, in my view, irresponsible. Following evidence of malicious registration, an ADC will allow informed mitigative action, which may especially be important to mitigate or prevent victim harm. Example: If a threat actor has registered 100 phishing domains in furtherance of a Business Email Compromise scheme, if a registrar takes piecemeal action only against the one or two domains first reported, the threat actor may yet continue their scheme to defraud the additional 98 victims. Worse, they may accelerate their scheme if already using some of those other 98 domains in communication with victim(s), knowing that the "heat is on". Whereas, if the Rr performed the ADC before taking mitigative action, they may see all 100 domains, and choose to take comprehensive mitigative action against all the phishing domains simultaneously, greatly mitigating potential harm. Recognition of this principle is, I believe, the driving purpose behind this PDP. All this said - I would greatly benefit from any scenario you might provide in which conducting this simple check might in any way cause harm to an innocent party. I believe Brian asked for such a scenario/example previously, and I have eagerly awaited the same, recognizing that there may be a situation I simply haven't considered. ________________________________ From: farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: Wednesday, April 15, 2026 3:44 AM To: Brian F. Cimbolic <brian@pir.org<mailto:brian@pir.org>> Cc: trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com> <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>>; volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>>; el@lisse.NA<mailto:el@lisse.NA> <el@lisse.na<mailto:el@lisse.na>>; gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>>; dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [EXTERNAL EMAIL] - [Gnso-dnsabuse-pdp] Re: Another numbers request. I repeat my point, which reflects a global legal practice: the initiation and scope of an investigation must be necessary and proportionate to the available indicators of abuse. We are not confusing investigation and enforcement. Investigative methods themselves, not just penalties, are subject to these requirements. More intrusive or expansive methods must be justified by an initial evidentiary threshold and cannot be used as a default to determine that threshold. I therefore disagree that ADC is required to assess the nature or extent of an alleged violation. Initial action should be based on indicators derived from the domain itself, such as corroborated abuse reports but also other domain-level signals. We should not be using ADC to determine whether there is sufficient basis to conduct ADC. The appropriate approach is to rely on domain-level indicators first, and only where those establish a sufficient basis, consider more expansive investigative steps, such as examining additional domains associated with an account. That threshold can be derived from observable indicators of abuse. In phishing cases, for example, the domain string itself can be a strong signal. A domain like “bankofamerica1” may indicate a high likelihood of targeted financial phishing and could justify further scrutiny. By contrast, domains like “youtubee[.]com” or “craigslit[.]com” may suggest typosquatting and potential malware, but those indicators alone do not justify expanding the scope of investigation to associated domains. The point is that not all indicators justify the same investigative response. The scope of the investigation must be calibrated to the strength and nature of the indicators, and ADC should be reserved for cases where those indicators establish a sufficient basis to expand beyond the domain itself. Farzaneh On Wed, Apr 15, 2026 at 1:38 AM Brian F. Cimbolic via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> wrote: I agree with Marc - the determination to suspend an individual domain name found during an ADC should rely on the mechanisms already contained in the RAA - if the ADC provides actionable evidence of malicious DNS Abuse, the registrar would be obligated to suspend the relevant domain(s). If there are 20 other domains in the same registrar account that appear legitimate/benign, I don’t think anyone has ever suggested that those names be suspended too (as there would be no actionable evidence of DNS Abuse under 3.18.2 of the RAA). And if they are, it feels there is consensus that we can nip that line of policy in the bud. [Logo]<https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> Brian Cimbolic | Chief Legal and Policy Officer brian@pir.org<mailto:brian@pir.org> | www.thenew.org<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.thenew.org&d=DwQGaQ&...> | Power your inspiration. Connect your world. [cid:image004.png@01DCD093.EF147EE0][A green sign with a white star and black text Description automatically generated] Confidentiality Note: Proprietary and confidential to Public Interest Registry. If received in error, please inform sender and then delete. From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Date: Tuesday, April 14, 2026 at 8:35 PM To: volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>>, el@lisse.NA<mailto:el@lisse.NA> <el@lisse.NA<mailto:el@lisse.NA>>, gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Cc: dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. Volker, I agree with most of these points and that these are important considerations for the registrar when deciding what mitigation action to take, but my point was that the takedown part is not part of the ADC. The takedown part already exists in the DNS Abuse amendments in the RAA. This discussion, while important, is outside the ADC. That’s why it is a rabbit hole for purposes of trying to create the ADC. Once again, it is the conflation of investigation with enforcement/mitigation. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street<https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__secure-2Dweb.cisco.com_1...>  |  View GT Biography<https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Volker Greimann <volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com>> Sent: Tuesday, April 14, 2026 3:38 PM To: el@lisse.NA<mailto:el@lisse.NA>; gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>; Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com<mailto:trachtenbergm@gtlaw.com>> Cc: dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> Subject: Re: [Gnso-dnsabuse-pdp] Re: Another numbers request. Hi Marc, it is not really a rabbit hole since it is just the kind of issue that registrars face when dealing with associated domain names. Every takedown also carries with it a certain liability risk that has to be balanced as part of the review process before taking a decision to act. That is why we need actionable evidence of abuse, and that does not change for associated domain checks either. We have had cases where "Dumb Criminal A" defecated where he dined and had registered his personal (legal-use) domain names in the same account that also held the problematic ones. Do we take those down as well? We have had cases where we took down a significant number of domain names of a third-party privacy or trustee service that was not recognizable as such because of a high prevalence of abusive registrations using that registration data set, thereby affecting a significant number of non-abusive registrations. Justified? Maybe! Liability risk? For sure. We do see cases where criminals register domains through various resellers and even registrars, but never use more than one at a time. We can only ever detect one domain engaged in abusive activities. We see the associated domains as such and even without actionable evidence for every single one we will take action based on various indicators of likelihood of abusive use. But the risk remains of also taking down domains that were never intended for such use. We have seen domains registered for advertising or monetization purposes where the abuse originates from a bad advertiser of the parking provider that circumvented their internal review processes. Most of those domains are used by other advertisers for legitimate purposes. In fact, their registration pattern is similar to the case of the reservoir domains above. They would all fall into the classification of associated domains, but in this case, a takedown would be problematic. Just because a domain is associated somehow with an abusive registration does not mean it was registered for the same purpose, or even by or on behalf of the same end customer. As a registrar, it is our job to navigate those dangerous waters, balance legal obligations to our legitimate customers and our legal and policy obligations to take action on malicious registrations. It is easy when the ocean is clear and you can see the floor, but there are hidden reefs that we need to watch out for. And it does take an experienced captain and crew to navigate those shoals. But to do that successfully, we need room to navigate and trust in our experience. Sincerely, Volker Greimann General Counsel & Head of Policy and Compliance - Online Division volker.greimann@centralnic.com<mailto:volker.greimann@centralnic.com> Office: +49-172-6367025 Web: www.teaminternet.com<https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR<https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...>. Team Internet is a company registered in England and Wales with the company number 8576358. ________________________________ From: trachtenbergm--- via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: 14 April 2026 8:26 PM To: el@lisse.na<mailto:el@lisse.na> <el@lisse.na<mailto:el@lisse.na>>; gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Cc: dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na> <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. Eberhard, I think we are going down a rabbit hole here. This is outside the scope of the ADC as the ADC is not mandating that entire accounts get shut down or that the registrar take any action other than investigate for associated domains. Any resulting obligations to take action based on what the registrar finds already exist in the RAA. Best regards, Marc H. Trachtenberg Shareholder Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP Aspen Chicago 411 E. Main Street<https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> 360 North Green Street Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607 T +1.970.300.5313 T +1.312.456.1020 M +1.773.677.3305 M +1.773.677.3305 trac@gtlaw.com<mailto:trachtenbergm@gtlaw.com> | www.gtlaw.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__secure-2Dweb.cisco.com_1...>  |  View GT Biography<https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> [Greenberg Traurig Logo] [Greenberg Traurig Logo] From: Eberhard W Lisse via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org>> Sent: Tuesday, April 14, 2026 12:13 PM To: gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> Cc: Dns-techs <dns-techs@na-nic.com.na<mailto:dns-techs@na-nic.com.na>> Subject: [Gnso-dnsabuse-pdp] Re: Another numbers request. *EXTERNAL TO GT* Becky, you are the lawyer, I am not. I just mean a concept. Can you take down a Registered Name, just because (at least) another Name registered by same Registrant has been mitigated? If a single Registrant has 5 Names, 1 reported, investigated, proven as phishing, and mitigated accordingly, ADC done, and 3 of the others are mitigable, I still don't like that the 5th one would or could be mitigated as well. However as Marc wrote, you act against the Registrant (for violating the Terms and Conditions). How would that work? Can you really unilaterally decide to take Names down, or do you have to give notice of termination of the Registrant agreement (0 to n days notice)? So they transfer the Name elsewhere, and perhaps even register the mitigated Names again. Now you take a Reseller which has a Million Names. ADC finds 50, 500 or even 5000 in need of mitigation. Do you take the 50, 500 or 5000 names down or do you cancel the agreement with the Reseller (for violation the Terms and Conditions). What happens then to the Names left? Or if the Reseller is just irritated enough that they transfer significant Revenue elsewhere? There are enough accredited Registrars around, after all. The obviously even more difficult question is how to prevent them from becoming wise to the Policy and transferring the rest of a portfolio to another Registrar, when a single one is taken down, ie before the ADC can be done? We have not thought through the consequences of our considerations, and/or the cost. el -- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) el@lisse.NA<mailto:el@lisse.NA> / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply On Apr 14, 2026 at 18:50 +0200, Becky Burr <bburr@pir.org<mailto:bburr@pir.org>>, wrote: I am confused by the use of the term “guilt by association” here. That usually means you consider one person guilty of some bad act because that person is associated with someone else who is a known bad guy. And yes, in that context, there are significant human rights concerns. Here, we are just saying that if a registrant/account holder is known to be using one domain for DNS abuse then we are going to check to make sure the same registrant/account holder isn’t using other domains for DNS abuse. And, if the answer is no, then nothing happens to the associated domains. So, unless you are arguing that domains themselves have human rights, I don’t see what the guilt by association issue is. Am I missing something? Becky Burr ________________________________ If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at postmaster@gtlaw.com<mailto:postmaster@gtlaw.com>, and do not use or disseminate the information. _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org> _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org> _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org> _______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org<mailto:gnso-dnsabuse-pdp@icann.org> To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org<mailto:gnso-dnsabuse-pdp-leave@icann.org>

Hello Mary, On Wed, Apr 15, 2026 at 5:05 PM Penn, Mary <mary.penn@verizon.com> wrote:

Farzaneh,

We disagree with the premise that a confirmed violation under Section 3.18.2 is insufficient to trigger an ADC. The argument that we must first "calibrate" investigative responses based on the "severity" of an indicator fails to account for the unified nature of DNS Abuse and the systemic risk posed by malicious registrants.

Disagree that there is a "unified" nature of DNS abuse. We disagree that a confirmed violation under 3.18.2 establishes malicious intent across an entire account. It establishes abuse on that domain.

An actionable report under Section 3.18.2 is not a mere "indicator"—it is a confirmed breach of the RAA. Once a report is validated, malicious intent is established. To suggest that a domain like bankofamerica1 justifies an ADC while a malware-dropping typosquat like craigslit[.]com does not, creates an arbitrary hierarchy of harm. A registrar cannot claim to have "disrupted" abuse under 3.18.2 if they ignore five other domains in the same account registered with the same malicious signals.

Malicious intent is established for that domain not for the whole account. But what you say here is interesting. We bring up the severity of harm because we thought that was a good evidentiary linkage. If not we go with "signals" as evidentiary linkage and we think one abusive domain is insufficient evidentiary linkage and signal. Evidentiary linkage or (association) cannot happen with just one domain and based on an account or some superficial abusive name pattern . That should happen based on putting together all the signals (high number of registration within a short amount of time-though even that is not a crime on its own people do legitimate campaigns etc) Proportionality must be measured against the severity of the threat to the

public. With global cybercrime costs projected by Cybersecurity Ventures to reach $10.5 trillion annually by 2026, the ADC is a necessary and proportionate tool.

We wholeheartedly agree that proportionality must be measured against the severity of the threat, but that cuts both ways. ADC triggered by a single domain would only be proportionate if it were our sole tool and if the $10.5 trillion in projected cybercrime were committed through domain name registration. That is not the case. ICANN is one of many actors with tools to address cybercrime. Invoking a global cybercrime figure to justify a sweeping investigation conflates the scale of the problem with the reach of this particular mechanism and proportionality requires distinguishing between the two. Specifically, we must prioritize the fundamental rights of the global

public to be secure from financial ruin and identity theft over the procedural "privacy" of a confirmed abuser. Also setting a higher threshold for ADCs than for 3.18.2 mitigation effectively grants professionalized abusers a "free pass" to keep the rest of their malicious infrastructure active.

Doing ADC on its own won’t contribute to all those great things. We are not only talking about privacy of the domain name registrant we are talking about two things: 1. targeted surveillance instead of blanket surveillance (which is a good democratic practice) 2. privacy of domain name registrants and end users. (there will be more things to add of course) Your argument on free pass to criminals is a typical criminal justice argument that we are moving away from more and more because we have seen the potential harm of such broad investigative measures on vulnerable communities while not even mitigating the harms we face. An ADC is a technical cross-reference, not a content-based inquiry. Because

this process is strictly limited to the five technical categories of DNS Abuse, it does not infringe on freedom of expression or lawful speech. It is a technical inquiry into whether other domains are linked to verified malicious activity.

We will provide a scenario on how it could potentially create harm. Even in your response you are relying on examples that are not DNS abuse (identity fraud, scam etc). The fact that ADC is limited to five technical categories does not mean the sweep is harmless. A registrar investigating a reseller account for technical DNS abuse will inevitably encounter every domain in that portfolio, including proxy registrations for sensitive but entirely legitimate services. The harm is not that the registrar makes a content judgment. It is that the sweep pierces the proxy and exposes the underlying registrant regardless of outcome. Technical scope doesn't mean limited exposure if we don't do proportionate evidentiary linkage. The abortion provider in that account has committed no DNS abuse, but they are now visible to the registrar, and potentially to anyone with access to that investigative record. A single, actionable proof of abuse should grant the registrar the

latitude—and the obligation—to check associated domains. While registrars should have the discretion to determine the *depth* of the ADC based on available signals, the *initiation* of the check must be the default consequence of verified abuse.

We should not use "calibration" as a justification for inaction. The ADC is the proportionate tool required to ensure that the "appropriate mitigation action" mandated by ICANN actually stops the abuse at the source. One actionable proof is enough to turn the key; to do less is to facilitate a $10.5 trillion criminal economy at the expense of global internet users.

This is the second time this figure has been invoked, so I am addressing it. Cybersecurity Ventures is a private research firm, not an independent or peer-reviewed source, and the $10.5 trillion projection covers the full spectrum of global cybercrime, well beyond what falls within the five categories of DNS abuse as defined by 3.18.2. For the purposes of this working group, we should be grounding our analysis in figures that directly relate to DNS abuse specifically, and drawing on peer-reviewed or independently verified sources. Broad cybercrime estimates, however striking, do not tell us what ADC can actually achieve or what harm it might prevent at the registrar level.

-Mary Penn

IPC Representative <http://www.verizon.com/>

Mary Penn (she/her)

Managing Associate General Counsel Intellectual Property Law and Policy Group Verizon Consumer Group

M 202 924 3132 1300 I Street, NW, Suite 500 <https://www.google.com/maps/search/1300+I+Street,+NW,+Suite+500?entry=gmail&...> East Washington, DC 20005

<http://www.facebook.com/verizon> <http://twitter.com/verizon> <http://www.linkedin.com/company/verizon> <http://www.instagram.com/verizon>

On Wed, Apr 15, 2026 at 10:45 AM Tan Tanaka, Dennis via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> wrote:

...

+1, an actionable report pursuant to 3.18.2 should be enough to trigger ADC. After this first step, a registrar should have the latitude to determine the depth and breadth of ADC informed by the signals/indicators available to them and apply mitigation actions where appropriate.

*From: *Gabriel Andrews via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> *Reply-To: *Gabriel Andrews <gfandrews@fbi.gov> *Date: *Wednesday, April 15, 2026 at 5:27 AM *To: *"Brian F. Cimbolic" <brian@pir.org>, farzaneh badii < farzaneh.badii@gmail.com> *Cc: *"trachtenbergm@gtlaw.com" <trachtenbergm@gtlaw.com>, " volker.greimann@centralnic.com" <volker.greimann@centralnic.com>, "el@lisse.NA" <el@lisse.NA>, "gnso-dnsabuse-pdp@icann.org" < gnso-dnsabuse-pdp@icann.org>, "dns-techs@na-nic.com.na" < dns-techs@na-nic.com.na> *Subject: *[EXTERNAL] [Gnso-dnsabuse-pdp] Re: [EXTERNAL EMAIL] - Re: Another numbers request.

*Caution:* This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

I'm going to speak for a moment on my own behalf to share experience as an investigator, and not on behalf of the GAC.

Farzi, I believe you correctly identify a commonly employed LE principle that the more privacy-invasive an investigative technique is, the more facts/circumstances that may be required to justify its use. Policy is often in place such that a LE investigation can only be opened when there are articulable facts indicating a crime has been committed (for which the agency has authority to investigate). Further, if the investigator wishes to use a particularly privacy-invasive technique, (such as a wiretap to surveil communications in realtime) extensive predication of facts must be presented as to why that level of privacy-invasion is required and couldn't be otherwise satisfied with less privacy invasive techniques.

I believe you incorrectly, however, apply that important principle when you suggest that evidence of a maliciously registered domain - sufficient to trigger 3.18.2 - would not justify taking a look at the other domains registered by that threat actor. This is a minimally invasive investigative step which would be one of the very first steps to take in an investigation once evidence is received of malicious registrations having been made by that customer. It makes use only of information already in possession of the registrar (or reseller), it doesn't piece the veil of protected communications, it's merely a step taken - after you have proof that a domain is maliciously registered - to see what other domains that threat actor is also using maliciously. To not take this step would be, in my view, irresponsible.

Following evidence of malicious registration, an ADC will allow informed mitigative action, which may especially be important to mitigate or prevent victim harm. Example: If a threat actor has registered 100 phishing domains in furtherance of a Business Email Compromise scheme, if a registrar takes piecemeal action only against the one or two domains first reported, the threat actor may yet continue their scheme to defraud the additional 98 victims. Worse, they may accelerate their scheme if already using some of those other 98 domains in communication with victim(s), knowing that the "heat is on". Whereas, if the Rr performed the ADC before taking mitigative action, they may see all 100 domains, and choose to take comprehensive mitigative action against all the phishing domains simultaneously, greatly mitigating potential harm. Recognition of this principle is, I believe, the driving purpose behind this PDP.

All this said - I would greatly benefit from any scenario you might provide in which conducting this simple check might in any way cause harm to an innocent party. I believe Brian asked for such a scenario/example previously, and I have eagerly awaited the same, recognizing that there may be a situation I simply haven't considered.

------------------------------

*From:* farzaneh badii via Gnso-dnsabuse-pdp <gnso-dnsabuse-pdp@icann.org

...

*Sent:* Wednesday, April 15, 2026 3:44 AM *To:* Brian F. Cimbolic <brian@pir.org> *Cc:* trachtenbergm@gtlaw.com <trachtenbergm@gtlaw.com>; volker.greimann@centralnic.com <volker.greimann@centralnic.com>; el@lisse.NA <el@lisse.na>; gnso-dnsabuse-pdp@icann.org < gnso-dnsabuse-pdp@icann.org>; dns-techs@na-nic.com.na < dns-techs@na-nic.com.na> *Subject:* [EXTERNAL EMAIL] - [Gnso-dnsabuse-pdp] Re: Another numbers request.

I repeat my point, which reflects a global legal practice: *the initiation and scope* of an investigation must be necessary and proportionate to the available indicators of abuse. *We are not confusing investigation and enforcement*. Investigative methods *themselves*, not just penalties, are subject to these requirements. More intrusive or expansive methods must be justified by* an initial evidentiary threshold* and cannot be used as a default to determine that threshold.

I therefore disagree that ADC is required to assess the nature or extent of an alleged violation. Initial action should be based on indicators derived from the domain itself, such as corroborated abuse reports but also other domain-level signals. *We should not be using ADC to determine whether there is sufficient basis to conduct ADC.* The appropriate approach is to rely* on domain-level indicators first*, and only where those establish a sufficient basis, consider more expansive investigative steps, such as examining additional domains associated with an account.

That threshold can be derived from observable indicators of abuse. In phishing cases, for example, the domain string itself can be a strong signal. A domain like “bankofamerica1” may indicate a high likelihood of targeted financial phishing and could justify further scrutiny. By contrast, domains like “youtubee[.]com” or “craigslit[.]com” may suggest typosquatting and potential malware, but those indicators alone do not justify expanding the scope of investigation to associated domains.

The point is that not all indicators justify the same investigative response. The scope of the investigation must be calibrated to the strength and nature of the indicators, and ADC should be reserved for cases where those indicators establish a sufficient basis to expand beyond the domain itself.

Farzaneh

On Wed, Apr 15, 2026 at 1:38 AM Brian F. Cimbolic via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> wrote:

I agree with Marc - the determination to suspend an individual domain name found during an ADC should rely on the mechanisms already contained in the RAA - if the ADC provides actionable evidence of malicious DNS Abuse, the registrar would be obligated to suspend the relevant domain(s).

If there are 20 other domains in the same registrar account that appear legitimate/benign, I don’t think anyone has ever suggested that those names be suspended too (as there would be no actionable evidence of DNS Abuse under 3.18.2 of the RAA). And if they are, it feels there is consensus that we can nip that line of policy in the bud.

*[image: Logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_14Jv5WkirU5LRqJYnzHl6Cjr7x-5F8j4E5V58r4z8nYLt9JO2ni51wIhln8OCmvffJF5mESr8zTwgJ7TsSmk5oQVoSHFxQB5uaF4pfLiIqBSRD9ZPWPAjZxSq7FvmeTT2cWeVgnzPx0gXT-2D04-5FzVWIGc5QbssBHjOLe2RLWrEFqlzSplqPRkdnvoI5mWxRVe5-5Fi46C3EYTTohVPX3EnmjU03z1Xf3SYOBdBxrEjZx13qlqoVNs3mo-2DQiX4nh9-5FdmzrCP1ubK5-5F4DUcg2DvfI1EPltc9YH9iMV3G7zIrNMa6rVQ_https-253A-252F-252Fwww.thenew.org-252F&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=kSN7rKN4aaf88g_DOHm5QMxYyc7HKQSM_P80UD9QRqU&e=>*

*Brian Cimbolic* *| Chief Legal and Policy Officer*

*brian@pir.org <brian@pir.org>* | *www.thenew.org <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.thenew.org&d=DwQGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=EVkmXoG72rs8SmREUhst98YU0-gVoqkJ9HVfENWo84E&e=>* | *Power your inspiration. Connect your world.*

*[image: A green sign with a white star and black text Description automatically generated]*

*Confidentiality Note:* Proprietary and confidential to Public Interest Registry. If received in error, please inform sender and then delete.

*From: *trachtenbergm--- via Gnso-dnsabuse-pdp < gnso-dnsabuse-pdp@icann.org> *Date: *Tuesday, April 14, 2026 at 8:35 PM *To: *volker.greimann@centralnic.com <volker.greimann@centralnic.com>, el@lisse.NA <el@lisse.NA>, gnso-dnsabuse-pdp@icann.org < gnso-dnsabuse-pdp@icann.org> *Cc: *dns-techs@na-nic.com.na <dns-techs@na-nic.com.na> *Subject: *[Gnso-dnsabuse-pdp] Re: Another numbers request.

Volker,

I agree with most of these points and that these are important considerations for the registrar when deciding what mitigation action to take, but my point was that the takedown part is not part of the ADC. The takedown part already exists in the DNS Abuse amendments in the RAA. This discussion, while important, is outside the ADC. That’s why it is a rabbit hole for purposes of trying to create the ADC. Once again, it is the conflation of investigation with enforcement/mitigation.

Best regards,

*Marc H. Trachtenberg* Shareholder

Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP

*Aspen Chicago*

411 E. Main Street <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> 360 North Green Street

Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607

T +1.970.300.5313 T +1.312.456.1020

M +1.773.677.3305 M +1.773.677.3305 *trac@gtlaw.com <trachtenbergm@gtlaw.com>* | *www.gtlaw.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__secure-2Dweb.cisco.com_1-5FG8FTxuC4DigFwKHmWy-2D3tyX5VEQ92-2DSSyqGkXRGPb-5Fp9i19HOc7gZMo2zOS6kzN7iT3BYGXyLIJGfWPH0yJX9VvGbU4pLl3BIxUZPkBWcgJL5oZCxkc2g-2DVjuuu26NM-5FXtcLsBXIfNZxsdOYMdcjF400gpJcbVxUnIlYXTHhTAdfdBGcbTP-2DrqZyRuOpCZ26yrY-2Dnvqx5ODopNHkujptlSH0Lj9gJKsdpj8oMajnm10JdZUhEMaDMs-5Fzh-5Fofd3cU-2Dm-5FZtU2eBVcx2y35kSlfxXmwsNVwhYgHXG-5FuqwLvB8_http-253A-252F-252Fwww.gtlaw.com-252F&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=Ii2YvgQp9J6g_pPVBCiZiUSfwVKyJrXaXxLnFdQ3OM8&e=>* | *View GT Biography <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_13j79w4v7OS-5FTjRbxYBulxQosog3-2DHgGvzdpk2qOIf3j1eIdZ9zyJYyvBoMW5B7pW4Ym-5FY5hjsuceAb39ZExZusnFFGh1kj0CQqUGAPTylnMgxoBzAB7e-2DnjxmOjFuLRTTwDAPO7sl4mk0Bm-2DLnXTLJGn4rsBs4U-5F-5FgafiNI8vS0zXpK4Z5aC-2DC73-5FJa-5FUqIq7W-2D3cMmU355tVwkTSKsDVR2m7VG4HhLyqL9Ai-5F7cMwYKs-2DH4l3CoZZi5cvF8wLV0N-2D5E9lZHgVsgiRQcQyEmWfN25EAc9Zq9JvZ0RYk7kP4_https-253A-252F-252Fwww.gtlaw.com-252Fen-252Fprofessionals-252Ft-252Ftrachtenberg-2Dmarc-2Dh&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=FiEmtzKATkkQzxi2nrdmV5KIBqqIQMmDvhQ-nrOKjAA&e=>*

[image: Greenberg Traurig Logo]

[image: Greenberg Traurig Logo]

*From:* Volker Greimann <volker.greimann@centralnic.com> *Sent:* Tuesday, April 14, 2026 3:38 PM *To:* el@lisse.NA; gnso-dnsabuse-pdp@icann.org; Trachtenberg, Marc H. (Shld-ASP-IP-Tech) <trachtenbergm@gtlaw.com> *Cc:* dns-techs@na-nic.com.na *Subject:* Re: [Gnso-dnsabuse-pdp] Re: Another numbers request.

Hi Marc,

it is not really a rabbit hole since it is just the kind of issue that registrars face when dealing with associated domain names. Every takedown also carries with it a certain liability risk that has to be balanced as part of the review process before taking a decision to act. That is why we need actionable evidence of abuse, and that does not change for associated domain checks either.

We have had cases where "Dumb Criminal A" defecated where he dined and had registered his personal (legal-use) domain names in the same account that also held the problematic ones. Do we take those down as well?

We have had cases where we took down a significant number of domain names of a third-party privacy or trustee service that was not recognizable as such because of a high prevalence of abusive registrations using that registration data set, thereby affecting a significant number of non-abusive registrations. Justified? Maybe! Liability risk? For sure.

We do see cases where criminals register domains through various resellers and even registrars, but never use more than one at a time. We can only ever detect one domain engaged in abusive activities. We see the associated domains as such and even without actionable evidence for every single one we will take action based on various indicators of likelihood of abusive use. But the risk remains of also taking down domains that were never intended for such use.

We have seen domains registered for advertising or monetization purposes where the abuse originates from a bad advertiser of the parking provider that circumvented their internal review processes. Most of those domains are used by other advertisers for legitimate purposes. In fact, their registration pattern is similar to the case of the reservoir domains above. They would all fall into the classification of associated domains, but in this case, a takedown would be problematic.

Just because a domain is associated somehow with an abusive registration does not mean it was registered for the same purpose, or even by or on behalf of the same end customer. As a registrar, it is our job to navigate those dangerous waters, balance legal obligations to our legitimate customers and our legal and policy obligations to take action on malicious registrations. It is easy when the ocean is clear and you can see the floor, but there are hidden reefs that we need to watch out for. And it does take an experienced captain and crew to navigate those shoals. But to do that successfully, we need room to navigate and trust in our experience.

Sincerely,

*Volker Greimann* *General Counsel & Head of Policy and Compliance - Online Division*

*volker.greimann@centralnic.com <volker.greimann@centralnic.com>* Office: +49-172-6367025 Web: *www.teaminternet.com <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_18Dk0yBe9IcCYrqBP08pItBnkBkqDurEgKndpl1KNOFg6cm-5FHOffmQqmBMK-2Dyg-2DJ9YEnY35HBIDkVUfxZ6uF3Eb-2DaoigLEesubS43oTQgVhzJLQmpFoHUrNcbuiaZ4qsmwz9GfQAPUFmVCjU61d3r8A1RP9HNLsi3-2DyESN53uFs7hy3ZRWB4gWk7RQcMUvYv58JWuFNadFn4e2lUfPZN3564-2DzgRz2QSXjLaXNv8HvK6f-2DJ-5FOkBSkl3YkTlezRykXNfWGnPM-2Da1T6Vf0rZ3aH19M0dzPUikudnr7DYLAs0o0_https-253A-252F-252Furldefense.com-252Fv3-252F-5F-5Fhttp-253A-252Fwww.teaminternet.com-5F-5F-253B-2521-2521DUT-5FTFPxUQ-2521Ah6Du0mB4pVy12L6d-5FvdRazeSsG-5FM1F-2D04dCl257N-2Dd7NQfy-5F2Bt4PurYVJG9psr4DE7BN2BPT-5FtFAQazfqH9aBi5P5PLK0k-2524&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=Lj8tPAothKm5MlVoSeJc6MyToC89Gzqo3ptFJhviqzI&e=>*

Team Internet Group PLC (AIM:TIG). Registered Office: 4th Floor, Saddlers House, 44 Gutter Lane, London, United Kingdom, EC2V 6BR <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...>. Team Internet is a company registered in England and Wales with the company number 8576358.

------------------------------

*From:* trachtenbergm--- via Gnso-dnsabuse-pdp <*gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>*> *Sent:* 14 April 2026 8:26 PM *To:* *el@lisse.na <el@lisse.na>* <*el@lisse.na <el@lisse.na>*>; *gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>* <*gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>*> *Cc:* *dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>* <*dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>*> *Subject:* [Gnso-dnsabuse-pdp] Re: Another numbers request.

Eberhard,

I think we are going down a rabbit hole here. This is outside the scope of the ADC as the ADC is not mandating that entire accounts get shut down or that the registrar take any action other than investigate for associated domains. Any resulting obligations to take action based on what the registrar finds already exist in the RAA.

Best regards,

*Marc H. Trachtenberg* Shareholder

Chair, Internet, Domain Name, e-Commerce and Social Media Practice Greenberg Traurig, LLP

*Aspen Chicago*

411 E. Main Street <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_...> 360 North Green Street

Suite 207 | Aspen, CO 81611 Suite 1300 | Chicago, IL 60607

T +1.970.300.5313 T +1.312.456.1020

M +1.773.677.3305 M +1.773.677.3305 *trac@gtlaw.com <trachtenbergm@gtlaw.com>* | *www.gtlaw.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__secure-2Dweb.cisco.com_1-5FG8FTxuC4DigFwKHmWy-2D3tyX5VEQ92-2DSSyqGkXRGPb-5Fp9i19HOc7gZMo2zOS6kzN7iT3BYGXyLIJGfWPH0yJX9VvGbU4pLl3BIxUZPkBWcgJL5oZCxkc2g-2DVjuuu26NM-5FXtcLsBXIfNZxsdOYMdcjF400gpJcbVxUnIlYXTHhTAdfdBGcbTP-2DrqZyRuOpCZ26yrY-2Dnvqx5ODopNHkujptlSH0Lj9gJKsdpj8oMajnm10JdZUhEMaDMs-5Fzh-5Fofd3cU-2Dm-5FZtU2eBVcx2y35kSlfxXmwsNVwhYgHXG-5FuqwLvB8_http-253A-252F-252Fwww.gtlaw.com-252F&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=Ii2YvgQp9J6g_pPVBCiZiUSfwVKyJrXaXxLnFdQ3OM8&e=>* | *View GT Biography <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_13j79w4v7OS-5FTjRbxYBulxQosog3-2DHgGvzdpk2qOIf3j1eIdZ9zyJYyvBoMW5B7pW4Ym-5FY5hjsuceAb39ZExZusnFFGh1kj0CQqUGAPTylnMgxoBzAB7e-2DnjxmOjFuLRTTwDAPO7sl4mk0Bm-2DLnXTLJGn4rsBs4U-5F-5FgafiNI8vS0zXpK4Z5aC-2DC73-5FJa-5FUqIq7W-2D3cMmU355tVwkTSKsDVR2m7VG4HhLyqL9Ai-5F7cMwYKs-2DH4l3CoZZi5cvF8wLV0N-2D5E9lZHgVsgiRQcQyEmWfN25EAc9Zq9JvZ0RYk7kP4_https-253A-252F-252Fwww.gtlaw.com-252Fen-252Fprofessionals-252Ft-252Ftrachtenberg-2Dmarc-2Dh&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=FiEmtzKATkkQzxi2nrdmV5KIBqqIQMmDvhQ-nrOKjAA&e=>*

[image: Greenberg Traurig Logo]

[image: Greenberg Traurig Logo]

*From:* Eberhard W Lisse via Gnso-dnsabuse-pdp <*gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>*> *Sent:* Tuesday, April 14, 2026 12:13 PM *To:* *gnso-dnsabuse-pdp@icann.org <gnso-dnsabuse-pdp@icann.org>* *Cc:* Dns-techs <*dns-techs@na-nic.com.na <dns-techs@na-nic.com.na>*> *Subject:* [Gnso-dnsabuse-pdp] Re: Another numbers request.

**EXTERNAL TO GT**

Becky,

you are the lawyer, I am not.

I just mean a concept.

Can you take down a Registered Name, just because (at least) *another* Name registered by same Registrant has been mitigated?

If a single Registrant has 5 Names, 1 reported, investigated, proven as phishing, and mitigated accordingly, ADC done, and 3 of the others are mitigable, I still don't like that the 5th one would or could be mitigated as well.

However as Marc wrote, you act against the Registrant (for violating the Terms and Conditions).

How would that work? Can you really unilaterally decide to take Names down, or do you have to give notice of termination of the Registrant agreement (0 to n days notice)? So they transfer the Name elsewhere, and perhaps even register the mitigated Names again.

Now you take a Reseller which has a Million Names. ADC finds 50, 500 or even 5000 in need of mitigation.

Do you take the 50, 500 or 5000 names down or do you cancel the agreement with the Reseller (for violation the Terms and Conditions). What happens then to the Names left?

Or if the Reseller is just irritated enough that they transfer significant Revenue elsewhere? There are enough accredited Registrars around, after all.

The obviously even more difficult question is how to prevent them from becoming wise to the Policy and transferring the rest of a portfolio to another Registrar, when a single one is taken down, ie before the ADC can be done?

We have not thought through the consequences of our considerations, and/or the cost.

el

-- Dr. Eberhard W. Lisse \ / Obstetrician & Gynaecologist (retired) *el@lisse.NA <el@lisse.NA>* / * | Telephone: +264 81 124 6733 (cell) PO Box 8421 Bachbrecht \ / If this email is signed with GPG/PGP 10007, Namibia ;____/ Sect 20 of Act No. 4 of 2019 may apply

On Apr 14, 2026 at 18:50 +0200, Becky Burr <*bburr@pir.org <bburr@pir.org>*>, wrote:

I am confused by the use of the term “guilt by association” here. That usually means you consider one person guilty of some bad act because that person is associated with *someone else* who is a known bad guy. And yes, in that context, there are significant human rights concerns.

Here, we are just saying that if a registrant/account holder is known to be using one domain for DNS abuse then we are going to check to make sure t*he same registrant/account* holder isn’t using other domains for DNS abuse. And, if the answer is no, then nothing happens to the associated domains. So, unless you are arguing that domains themselves have human rights, I don’t see what the guilt by association issue is.

Am I missing something?

*[image: Image removed by sender. Logo] <https://urldefense.proofpoint.com/v2/url?u=https-3A__secure-2Dweb.cisco.com_17kGWYzHXkG-5FG-2Dd492Z6q-5F78vAQlKbrNF-5FYU5s7m5phcLXU3ASKNl1Rd57CcWENJ7FEbKO0zmmlLUT2wYCP6ALi0sArJhu8EDI08BUD-2DQz0jjp8FsDwN0o5gPDlaCyMc6xtXRzrnYpteecKvqx77fbMEBMqxJn1w3upvcxaTQbgnwtOH4VZxbmuUAA-2DmLnJfnx6tASjoWB2NOEaoxEOUyF7lOpNs59XyjrFV-2DRCFz1VLI3P2c-5Fq2L1J2fMp1Mlv-2DfH0g-2D3BRVfUI1UNeSpFNgpWpS10-5FfwanPNkJk3qrBD3M_https-253A-252F-252Furldefense.com-252Fv3-252F-5F-5Fhttps-253A-252Fwww.thenew.org-252F-5F-5F-253B-2521-2521DUT-5FTFPxUQ-2521GykcfK67czdDZOfupqIpOSPLjmf2z7tVTmIl2UIm6GnSNd4l5z2dIQq9Btz1pfxHax2iPFr6-5FoJkyRjFA6PVYwQUi-5Fk0-2DQ-2524&d=DwMGaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=LyZ0GifjeLBq1lwzpa8wKUGknwsNc-o3LiY99ox7DlY&m=EtDh-6yrrxQnGPcjqoqDGHWahlU-x8jO4R78an0pyJJsTkzynQNa3HCbaFqwQArs&s=WJsg0vQfBiYxJOTNfsgvwWVoBjLbliJhA2a2_2zmTNk&e=>*

*Becky Burr*

------------------------------

If you are not an intended recipient of confidential and privileged information in this email, please delete it, notify us immediately at *postmaster@gtlaw.com <postmaster@gtlaw.com>*, and do not use or disseminate the information.

_______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org

_______________________________________________ Gnso-dnsabuse-pdp mailing list -- gnso-dnsabuse-pdp@icann.org To unsubscribe send an email to gnso-dnsabuse-pdp-leave@icann.org