Is this scam DNS abuse? – Domain Name Wire

This is my personal opinion on this matter.

To be clear, speaking in the context as an ICANN Accredited registrar, this is not DNS Abuse.

This unfortunate scenario feeds a narrative that often comes from parties seeking to shove trademark policing into the DNS Abuse category so that registries and registrars absorb these burdens.

It is really inappropriate.

Yes, the domain name was used as one of the components in this scam, but it was one of many moving parts, as were telephones, their hosting provider, job boards and other more focused moving parts. The content hosting provider played a larger role in the delivery of the actual payload than the registrar.

Third party DNS providers and Hosting Companies are not under the dominion of the rulesets or oversight of ICANN. Additionally, ICANN’s bylaws exclude the content of websites as being within scope.

A domain name registration cannot be presumed to be for malintent any more than someone needing to suspect someone buying a hammer at the time of purchase at their hardware store as a lethal weapon.

This registration could have just as easily legitimately been an HR department staff member at the company setting up a local recruiting ‘pop-up’ event, as this type of scenario occurs all the time – where the benefits of frictionless registration processes enable use cases of good actors more universally.

It sounds like a terrible situation for those who got scammed, but in the context of what other moving parts were involved in the perpetrator’s scam, there is no possible screening or registrar action that could have prevented this from being possible at the time of registration. There’s also not much tech dedicated to mind reading, and presuming your customer is a thief until they prove otherwise doesn’t cast a very attractive commercial vibe as a user experience.

At best, the argument has been made that there could be better screening information on the registrants. It is expensive to gain a new (potential) customer, and cheap to lose one. These days, folks don’t like being followed around in a store too much. They end up shopping somewhere else.

But let’s entertain a ridiculous notion that a registrar should be expected to actively review and police their registrants – which would not have necessarily caught this. There are some tools and systems that report, reactively, how domains are used. These often cause legitimate websites to be taken down under “friendly fire” when they contain too many false positives.

It is not entirely clear that this particular reported scenario would have been caught by those types of data researcher products or services, as they are largely automated with respect to the sensor data or indicators that they use to inform or report trouble issues. In this case, the website, if it was legitimately hosted and presented itself as if it was futuretech, could likely not be caught until an affected party might have reported it.

Upon activation of the domain name, if the perpetrators of the scam were able to put enough of a facade in place to be effective for their campaign, how would a registrar know this domain was not being used by futuretest.com, even if compelled to absorb the burdens of what would have gone into having some responsibility to do so?

Marketing, HR or other departments at companies spin up domain names all the time legitimately. Unless one is familiar with the specific business (such as the business itself), the issues related to business name and entitlements of TM rights of usage within domain names are a thorny matter that there are mechanisms in place for dispute.

Did futuretech.com have a trademark that they had registered with the TMCH?

Registrars use certain techniques to reduce credit card fraud that are commercially reasonable to put in place, but a fine balance is needed in going beyond that. Going too far on that can cause legitimate users and customers to be harmed, and the solutions out there for using forms of AI to predict/screen are either expensive or require too much data to be shared with third parties (often in violation of some privacy law).

Registration scanning for strings in the registration process isn’t something that scales, and putting shorter terms into the registration scanning causes issues like ‘catsonyourhose.com’ to have a positive match for the term ‘sony’, much less the complexities of dictionary words, class of goods and services related to the intent of use (how many companies are called united or delta?) that can coexist in the real world.

So the costs involved to address this, if it were shoved into the DNS Abuse category, are a hard sell to registrars, especially in the presence of small benefit, and because too much friction at the point of sale will reduce customer purchases.

Registrars need net registration growth in order to afford all the staffing involved in addressing the growing burdens of compliance.

My small registrar vets each and every new customer, so I have zero fraud. It doesn’t scale, and I refer to it as my “get rich never scheme”.

The benefit of any form of screening like I do at scale for larger registrars is unlikely to bear fruit.

The brand policing their own brand might have caught this, and if they did not, this is unfortunate, but don’t shove this into the domain name registration business as yet another responsibility.

An individual or group with mal-intent who might seek to perpetrate something as described in this situation would have had no qualms with making false statements about their intent or future purpose of the domain at the time of registration.

Be very careful about stuffing too much into the “DNS Abuse” category.


