For years, the domain industry has debated what is an appropriate timeline for registrars to respond to websites implicated in phishing, malware, and other threats. Now ICANN is moving from debate into enforcement. A new compliance report issued on June 2nd provides a look at how contract holders have responded to DNS abuse allegations during the first two years of the strengthened policy going into effect.
The initial results illustrate a change in approach. Handling DNS abuse complaints goes beyond goodwill. Registrars and registry operators need to be able to justify what action they took, when they took it, and why their response was warranted.
Over 25K Abusive Domains Cleaned Up
Between April 5th 2024 and April 5th 2026, ICANN Contractual Compliance initiated just under 530 investigations related to the DNS abuse mitigation requirement. Over 480 were closed, with about 66% causing contracted parties to take direct action to mitigate abusive domains. This generally involves domain suspension. The other 8% of closed cases required action designed to disrupt abuse without suspension.
Taken together, those percentages show that the updated requirements are making a difference. ICANN says investigations have led to over 25,000 abusive domains being cleaned up. It also notes that “follow-up improvements” made to some contracted parties abuse mitigation processes after receiving a compliance notice has resulted in hundreds of thousands more domains being mitigated. Those larger numbers are significant, because the aim is not to clean up the internet one bad domain at a time. The goal is to make it harder for abusive domains to exist at all.
Details of the New Requirements
The rules are not new. Enforcement is based on contract amendments that have been in effect since April 5th, 2024. ICANN defines DNS abuse to include malware, botnets, pharming, phishing, and spam (used to send malware, botnets, pharming or phishing). If a registrar receives credible evidence of abuse, it must take reasonably prompt action to stop or disrupt it.
That doesn’t always mean immediate suspension. There is a difference between a newly registered website made for a phishing scam and an established business whose website was compromised on a single page. Suspension of the entire domain would knock out legitimate email and support services. ICANN addresses this situation in its compliance guide. Response times should be prompt but still proportional to the situation.
That said, there is a 24 hour rule of sorts. Each registrar must designate an abuse contact dedicated to receiving notifications from law enforcement or similar authorities within that country. If that authority contacts the registrar about a specific registrant engaged in illegal activity, then a senior employee must evaluate the complaint and decide how to respond within 24 hours. This isn’t the blanket 24 hour takedown policy that some news stories have suggested. It applies only to authoritative contacts from legitimate agencies who supply their own evidence.
Visibility Improvements With Domain Metrica
Contract enforcement is just one part of the equation. ICANN has also made it easier for industry watchers to track DNS abuse trends with Domain Metrica. Originally created as Domain Abuse Activity Reporting project but expanded over time into a resource that provides an online dashboard as well as an API.
Members of the general public can view summarized data about reported domains used in phishing, malware distribution, spam, and so forth. Contracted parties can use the API to pull more detailed information about reports tied to their own portfolio of registered names.
Domain Metrica combines zone and registrant reputation signals from multiple sources into one easy-to-read format. The data is refreshed daily, so anyone who wants to learn how to use Domain Metrica for abuse reporting can expect to see useful trends. It won’t catch every malicious domain that ever existed. But it can highlight where problems are concentrated so registrars can compare their own actions with the industry at large.
Domain Metrica isn’t public court though. According to ICANN, “The Dashboard provides a starting point for understanding reported abusive activity, but it does not provide a comprehensive list of all known abusive domains.” If a domain shows up on the list, that doesn’t prove someone was intentionally trying to do bad things. But if multiple reports cluster around the same registrant, it might show where registrars need to take another look.
EU pushes with NIS2 Directive
ICANN isn’t the only regulator putting pressure on domain registration providers to clean up their act. The EU’s new NIS2 Directive now includes language directed at abusive domain registrations in Article 28.
Essentially, EU Member States have to require that registrars collect accurate and complete registration data for each domain name. Reasonable procedures to verify registration data must be in place, as must policies ensuring those records are accessible by competent authorities who comply with EU data protection rules.
One thing to keep in mind about NIS2 is that it doesn’t override data privacy protections. Around the world, many registrars have reacted to NIS2 by saying they will not collect certain registration data. That isn’t what EU legislators had in mind. NIS2 requires timely responses to requests for access by law enforcement, security agencies, or other legitimate actors who have a legally supported reason to request that information. Agencies are expected to reply to those requests without undue delay and, where possible, within 72 hours.
Tips For Building an Abuse Checklist
ICANN recommends everyone start with an abuse reporting channel that is easy to find. If someone reports abuse, they should receive confirmation that the message was received. Records should also be kept showing when abuse reports were received and what actions were taken in response. Sometimes fraudulent registrations are easy to spot. Others involve situations where legitimate sites were compromised. Cleanup efforts should consider the differences.
It also doesn’t hurt to pay attention to the daily reports. ICANN now issues monthly DNS abuse reports, and Domain Metrica provides another resource for viewing reported abuse data. Registration workflows are another area reviewers can focus on. What happens if multiple registrations use the same phone number? What if someone registers hundreds of names in a short period? Then takes no action to point them all? Investors can take similar steps by seeing where domains are pointed, watching for unexpected changes, and protecting who can access their accounts.
DNS abuse cleanup isn’t optional. It’s a part of doing business that will be measured. ICANN’s enforcement report makes one thing clear. It isn’t saying that every domain accused of abuse should be taken down. Domain providers need to have a process that is followed each time. And they need to be able to document that process was followed as necessary.