To all registrars - welcome to the European Spam Wiki.
The purpose of this section of the Wiki is to provide you with explicit information about how to respond to complaints.
There are 4 specific guides on how to remove domains used by spammers and criminals. You make your selection based on whether or not you are removing an EPP domain, and whether you are removing a domain or a domain name server.
Domains used as web hosts
- How to shut down a domain which is defined under the EPP domain protocol
- How to shut down a domain which is not defined under the EPP domain protocol
Domains used as name servers
- How to shut down a name server which resolves domains, where the name server is defined under the EPP domain protocol
- How to shut down a name server which resolves domains, where the name server is not defined under the EPP domain protocol
Removal selection table
|EPP domain||Not EPP domain|
|Web Site||Web Site|
|Name Server||Name Server|
Why to remove
Most countries have enacted laws that define spamming as illegal under defined circumstances. Spamming which is in violation of those laws represents a criminal act. A domain which has been advertised via this criminal act is complicit in the crime.
The standard method of shutting down a spammed web site's domain has been to remove its address record in the domain's zone file. Spammers have adopted methods to circumvent these removals. They
- select different registrars for each of the name server domains (typically 3 or 4 registrars)
- select different registrars for the name server domain and for the spammed domains
- register hundreds of spammed domains per day, each pointing to the same IP address
The first strategy is to make more registrars become involved in the removal of the domains. If some registrars are slower than others to act on complaints, then the life-span of the access to illegal spammed sites can be extended. Therefore, all registrars need to act promptly to remove name servers and comply with complaints.
The second strategy is an attempt to make the removal of the spammed domains more complex.
The third strategy is to ensure that as each spammed site is removed, there are others ready to take their place. Registrars should adopt a positive attitude towards the efficiency of shutting down name servers so as to lock out the hundreds of domains defined under them. The procedures described in the "How to" sections are designed to achieve the most efficient removals possible, preventing spammed sites from being reused and hindering the criminal activity.
What to remove
If a complaint concerns a spammed domain name, verify the complaint and remove that domain. Check that the removal has been successful.
If a complaint concerns a name server, verify that the request is valid, and remove the name server. Check to ensure that the removal has been successful before closing the request.
When to remove
Today's spammers know that the life-span of a spammed site is short. It is not uncommon for a website to be registered, propagated, and spammed to several million mailboxes in one day. In fact, one spamming operation may perform this cycle for 50 spammed domain names targetting the one physical web server in the same day. The life of a spammed domain name may be as short as 3 days. Spammers are exploiting the time lapse between
- a spam run being detected
- a complaint being laid with the registrar
- the registrar examining the evidence
- and taking down the site
- the propagation delay on the removal
Registrars need to act quickly and decisively on complaints to reduce the spammers' effectiveness in exploiting these delays.
How to remove
Different registrars have different methods and procedures. The above links are designed to provide a guaranteed and tested method to ensure effective removals under all circumstances. Registrars need to examine their current procedures to ensure that they are effective in removing both spammed domains, and spammers' domain name servers. Every removal should be followed up after 24 hours to ensure its effectiveness, and to reduce the likelihood of further complaints for the same spam.
Compliance with the laws of a country supersedes the legal clauses of service agreements between registrars and their customers.
In most countries, there are laws that prevent companies from assisting in crime, or failing to act to prevent crime. It may be known under different terms
As evidence is collected on cyber-criminals and their crimes, there is a risk that registrars may be seen to have been party to their customers' crimes. Where complaints can be shown to have been sent to registrars, and sufficient evidence exists to leave no reasonable doubt that a crime is involved, those registrars who have chosen not to act, or to have failed to take effective action, run the risk that their failures will be presented as part of the evidence. The presentation of such evidence may show beyond reasonable doubt that such registrars are liable to criminal charges.
Furthermore, all companies rely on an element of "good will". Companies that act responsibly to improve the Internet community will have a higher reputation and a higher degree of good will, than their competitors who do not. Both the value of a business and its prospects for success rely on this good will. Any company that does not take action to dissociate itself from crime runs the risk of a lower reputation, loss of good will, and eventual failure in business.