Skip to content


Registry Operators and Registrars Obligations

Registry Operators

Registry Agreement Reference: Specification 11.3B: Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks. Registry Operator will maintain these reports for the term of the Agreement unless a shorter period is required by law or approved by ICANN, and will provide them to ICANN upon request.

Framework for Registry Operator to Respond to Security Threats (ICANN): This framework addresses Registries’ responses to notifications of security threats. The framework describes how a Registry Operator (RO) may respond to identified security threats. This framework is a voluntary and non-binding document designed to articulate the ways registries may respond to identified security threats.

ICANN Accredited Registrars

Registrar Accreditation Agreement 2013 – 3.18 Registrar’s Abuse Contact and Duty to Investigate Reports of Abuse.

  • 3.18.1: Registrar shall maintain an abuse contact to receive reports of abuse involving Registered Names sponsored by Registrar, including reports of Illegal Activity. Registrar shall publish an email address to receive such reports on the home page of Registrar’s website (or in another standardized place that may be designated by ICANN from time to time). Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.
  • 3.18.2: Registrar shall establish and maintain a dedicated abuse point of contact, including a dedicated email address and telephone number that is monitored 24 hours a day, seven days a week, to receive reports of Illegal Activity by law enforcement, consumer protection, quasi-governmental or other similar authorities designated from time to time by the national or territorial government of the jurisdiction in which the Registrar is established or maintains a physical office. Well-founded reports of Illegal Activity submitted to these contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report. In responding to any such reports, Registrar will not be required to take any action in contravention of applicable law.
  • 3.18.3: Registrar shall publish on its website a description of its procedures for the receipt, handling, and tracking of abuse reports. Registrar shall document its receipt of and response to all such reports. Registrar shall maintain the records related to such reports for the shorter of two (2) years or the longest period permitted by applicable law, and during such period, shall provide such records to ICANN upon reasonable notice.

RegistryOffice Abuse Monitor categorizations and resource feeds

RegistryOffice Abuse Monitor offer two products for monitoring, both in compliance with te RA Spec. 11.3B.


Pharming is a cyber attack intended to redirect a website’s traffic to another, fake site. (Source: Wikipedia)

Abuse Monitor resource feeds for Pharming

  • Basic: Google Safebrowsing, hpHosts
  • Standard: Google Safebrowsing, hpHosts, SURBL, Spamhaus


Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server or computer network. Malware does the damage after it is implanted or introduced in some way into a target’s computer and can take the form of executable code, scripts, active content, and other software. The code is described as computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware, among other terms. Malware has a malicious intent, acting against the interest of the computer user – and so does not include software that causes unintentional harm due to some deficiency, which is typically described as a software bug. (Source: Wikipedia)

Abuse Monitor resource feeds for Malware

  • Basic: Google Safebrowsing, hpHosts, Ransomware Tracker
  • Standard: Google Safebrowsing, hpHosts, Ransomware Tracker, SURBL, Spamhaus


Phishing is the fraudulent attempt to obtain sensitive information such as usernames, password and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. (Source: Wikipedia)

Abuse Monitor resource feeds for Phishing

  • Basic: Google Safebrowsing, hpHosts, Phishtank, Openphish
  • Standard: Google Safebrowsing, hpHosts, Phishtank, Openphish, SURBL, Spamhaus

Botnets and other types of security threats

A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attack (DDoS attack), steal data, send spam, and allows the attacker to access the device and its connection.

Abuse Monitor resource feeds for Botnets

  • Basic: Google Safebrowsing
  • Standard: Google Safebrowsing, SURBL, Spamhaus



List updated: May 2018


%d bloggers like this: