Industry Resources
Internet & Jurisdiction Policy Network Toolkit
This toolkit from the Internet & Jurisdiction Policy Network, a multi stakeholder working group, is the result of years of collaborative work on how abuse intersects with the DNS. It provides essential educational outputs for operators, policy makers, law enforcement and other interested parties.
DNS Abuse Framework
A precursor to the 2024 gTLD contractual amendments on DNS Abuse, this framework sets out when and how registries and registrars should act on various types of harm. It was a collaborative and voluntary effort from leading operators.
Frequently Asked Questions
NetBeacon Reporter
What online abuse can I report with NetBeacon?
What abuse can’t I report with NetBeacon?
Currently, you CANNOT use NetBeacon to attempt to report Child Sexual Abuse Materials (CSAM). Doing so could be a crime and you will be reported to law enforcement. If you have CSAM to report, please visit https://www.iwf.org.uk/report/ or your relevant local authority.
Who can report online abuse?
What happens when I file a report?
Your report is converted into an Internet industry standard format called XARF. The URL you submit is then checked across a number of online abuse databases, and the results appended to your report. This standardized, enriched report, including your email, is then sent to the appropriate domain registrar or registry for investigation, and potentially, action.
Is this service related to Law Enforcement?
No. NetBeacon Reporter is not a service for law enforcement investigations or judicial processes. It is a service for simplifying the generation of reports to disrupt online harms. The organization that receives your abuse report may reach out to you for clarification or for more information.
Are there any risks in reporting online abuse to NetBeacon Reporter?
No. Thousands of people report online harms everyday. Failure to use this service responsibly by submitting false or vexatious abuse reports may result in losing privileges to use the NetBeacon Reporter service, and limit your ability to report to domain registries and registrars in the future.
Where can I view the Privacy Policy and Terms of Service for the NetBeacon Reporter App?
Both policies are open and available within the NetBeacon Reporter app. Please view the Privacy Policy and Terms of Service.
NetBeacon MAP
What are you measuring?
NetBeacon MAP focuses on the use of the Domain Name System (DNS) for phishing and malware.
Phishing is an attempt to trick people into sharing important or sensitive information, for example logins, passwords, credit card numbers, or banking information in either a personal or business context.
Malware is malicious software designed to compromise a device on which it is installed.
How is 'mitigation' measured?
Our methodology includes a process to determine whether any mitigation has been observed. This involves taking an initial measurement of various factors related to the URL and repeating these measurements for one month.
The information collected by KOR Labs includes the content of the malicious URL and the home page of the registered domain name, DNS, and RDAP/WHOIS records. KOR Labs extract features used to determine whether the maliciously registered domain has been removed from the zone and/or hosting service has been suspended and/or abusive content has been removed from the website. After the initial measurement, performed at the time of acquiring the malicious URL, KOR Labs repeat the measurements for one month: 5 minutes after blocklisting, 15m, 30m, 1 hour, 2h, 3h, 4h, 5h, 6h, 12h and then once every 12 hours.
Typically, malware delivery and phishing attacks are mitigated within the first day after blocklisting. Therefore, KOR Labs perform more granular scans at the beginning of the measurements and less frequent measurements later. See our Methodology for more information.
Who took the mitigating action?
What is your methodology?
We have published a transparent and comprehensive methodology.
What is a “special domain name”?
We define a special domain as a domain name that provides subdomains or a redirection that can be abused by attackers, but the original purpose of the registered domain name is legitimate. Those domain names are generally registered by operators of URL shorteners (e.g., bitly.com) or subdomain providers, for example, dynamic DNS providers (e.g., duckdns.org), free subdomain providers (e.g., 000webhost.com), or file sharing services (e.g., docs.google.com). KOR Labs maintains and manually updates a list of special domains which is available to the research community. KOR Labs NetBeacon MAP methodology keeps only domain names likely to have been registered by end users and excludes special domain names, to avoid, for example, google.com being flagged as abusive. See our Methodology for more information.
Do you report registrar / TLD level data?
Yes. See our Monthly Reports. Registrars and registries can also view their own data in their MAP Dashboard.
Who runs MAP?
MAP is a collaboration between The NetBeacon Institute and KOR Labs, led by Dr. Maciej Korczynski, a professor at Grenoble Alpes University in France. This data is then provided to the Institute. The Institute works with PIR’s Data Analytics team to create the interactive charts and for the purposes of writing these reports.
How do you define the labels for mitigation?
The four labels used to measure mitigation are Mitigated, Not Mitigated, Uncategorized, or Unprocessed.
Mitigated: We believe a mitigating action has occurred. This action could be taken by a registrar, registry, a hosting provider, or another relevant actor.
Not Mitigated: We did not detect any indication of mitigation.
Uncategorized: We were unable to determine whether or not mitigation occurred.
Unprocessed: The domains were not processed due to network connectivity or server problems.
How do you define the labels for registration type (compromised vs malicious)?
Our methodology includes three labels:
Malicious: a domain registered for malicious purposes (i.e., to carry out DNS Abuse).
Compromised: A benign domain name that has been compromised at the website, hosting, or DNS level.
Uncategorized: A domain that our methodology was unable to categorize for a number of reasons, including problems in collecting the metadata necessary to categorize domain names accurately.