It’s easy to advocate for fast takedowns, but that can hurt legitimate businesses.
On February 20, 2020, Domain Name Wire was down.
Anyone who operates a website knows that horrible feeling of finding out your site is down and not being able to understand what’s happening.
My day got worse as it progressed. It turned out that all of my websites were down. So were my wife’s sites, including the site we use to host her podcast RSS feed.
All of my businesses were shuttered—all at the same time.
It took a while to find the culprit. It turns out that someone made a spam complaint to Vultr, the cloud service that hosted our sites. I used them through a cloud management platform and didn’t have a direct connection to them, so I had to work through the support of the management platform. Worse, they didn’t notify me of the suspension; I had to reach out to them to find out what was going on.
Obviously, I’m not a spammer. You’ll be surprised to learn all it took to get my site taken down: someone sent an email to someone that included a copy of the HTML of my home page, which included links to Domain Name Wire. This is all it took for Vultr to take down all of my businesses.
I couldn’t move the content to another host, either, because our backups were at Vultr. (There’s a lesson here — always back up someplace that isn’t your host. Backing up at your host is like backing up your laptop on your laptop.)
I thought about writing about this traumatic experience for a while. I think it’s relevant to bring it up now because of my stories about DNS Abuse and the many parties wanting hosts and registrars to take down malicious sites quickly.
Yes, we should do something about DNS Abuse. But a false positive (as in my case) can be detrimental to a business.
I was reminded of this when reading the story of CNX Software today. Jean-Luc Aufranc, who owns the business, said his domain was down for days. It appears that there were some malicious links downstream, thanks to an affiliate redirect system he used. But it was difficult for him to find out exactly why his domain was suspended, and that’s a problem.
I understand that registrars and hosts don’t want to give too many details to people when they suspend a site because they don’t want to teach the bad guys how to circumvent the system. But many times, a site is used for phishing because of malware or malicious redirects that the site owner isn’t aware of. The only way the site owner can fix this is if they know what the issue is.
Aufranc said he learned a lot from his experience. First, he used a reseller to register his domain. The back-and-forth communication between the reseller and the registrar behind it caused delays:
I have to contact the reseller, which then contacts the registrar, which then replies, and the reseller feeds back the answer from the registrar. This could take 36 to 48 hours to get a reply from the companies involved in this particular case.
Without throwing all reseller registrars under the bus, I can’t think of a single reason to register a domain through a reseller rather than an ICANN-accredited registrar.
Second, his contact info with the reseller was an email address on his domain, which was now suspended. So he couldn’t get any email updates from the reseller. It’s always smart to use a contact email address on a different domain than the domain you’re hosting.
But stepping back further, it’s important for registrars and hosts to work with their clients when there’s an abuse claim. There need to be robust systems to work with people who might be victims, not perpetrators. Suspending a domain or taking down a website is a big deal to a legitimate business. It’s not OK to snare legitimate website operators in the name of quickly taking down some abusive websites. Customers should have 24×7 access to an abuse team that will work with them to restore their business in the case of a hack or false positive complaint.
It sucks you were caught in ‘Friendly Fire’ that took down your stuff. I frequently hear stories of overzealous, kneejerk takedowns like this in reaction to abuse reports without reviewing them to know they’re firing at their own troops. There are also jackals who abuse abuse reporting tools as means to disrupt competitors or just do basic mischief.
The point is, fast action is often half-assed. The majority of abuse activity is at the hosting provider or is content-related, which is a fact that registrars often bring to the opinion fight when dealing with the emotional narrative of ‘The DNS Abuse Problem’ at ICANN.
The majority of hosting companies, where content is served, are not regulated. Because there is a ‘regulatory’ framework with ICANN, and Registries and Registrars are under contractual obligations and a compliance regime, do-gooders seeking to address abuse keep attempting to force all of their issues into the broad category of DNS Abuse.
Nerfing all your services at the account level seems a bit inelegant on the part of your hosting provider, as it really is something best addressed at the lowest possible level, which merited closer attention to the specifics of the report.
What is even less elegant is taking down your domain name. That’s the option available to registries and registrars. DNS Off Switch. No elegance.
If my neighbor is playing really loud music at 3am, I can go knock on his door, I can call if I have his telephone number. I can call the police to address it if those other remedies are unsuccessful. Lowest level first. Taking down the domain name at the registry or registrar level is like starting with taking down the whole power grid for the county.
Effective yes, but inelegant and someone going right for the grid first needs to be authentic with themselves about how irresponsible it is.
Reports of abuse are often misdirected, contain typos, and tend to be aggressively liberal in the inclusion of a cc/bcc pool of recipients. Not to mention the emotional payload often included when folks share their feelings in the report.
My point is, the report should have been reviewed and some care taken in how it was addressed in order to have avoided taking down all your stuff. That hosting company held the tools to have looked more closely and been a bit more surgical in taking action or not in your particular circumstances.
The hosting company where content or email servers live (not always the same company, and not often the registrar of record for the domain name) should impact individual services specific to the report vs entire servers.
Less elegant is taking action upon a whole domain name, which is the only tool available to the majority of registrars – where they are not the hosting company or providing DNS.
It is expensive to gain a customer, and cheap to lose one. No tears are lost on the commercial impact though where the reporting parties are concerned.
Thanks for your thoughtful comment. You bring up another lesson I learned: don’t host all of your sites in the same account.
I’ve thought about this quite a bit. If we’re asking Registrars to be more aggressive on abuse, there will inevitably be false positives and impacted registrants. I’d kicked off the work when I was RrSG chair (though its production and publication were after my tenure), but the RrSG published some thoughts on appeals mechanisms here: https://rrsg.org/wp-content/uploads/2021/10/Appeal-Mechanisms-following-DNS-Abuse-Mitigation-22-October-2021-.pdf
One of the initiatives the DNSAI has pondered is to provide a light-weight 3rd party DNS Abuse review/appeals mechanism. We may return to that idea in the future, but it needs a bunch more work.
I am gently hopeful that continued work on the distinction between malicious registrations vs. compromised websites will reduce experiences like Jean-Luc’s.
“Customers should have 24×7 access to an abuse team that will work with them to restore their business in the case of a hack or false positive complaint.”
Yes, that.
The lesson often is don’t pick the very cheapest hosting – pick one where you can talk to someone when there’s a problem.
Andrew
Sorry to hear you had this kind of problem.
We always engage with our hosting clients when there are allegations of abuse, be that spam or anything else. We’d never pull a site or server based off a single complaint. There would have to be a lot more going on for that to happen and even so we’d usually do our best to contact clients first.
More often than not the abuse is due to a hack or similar.
Of course there are some clients who are abusing our platform, but they generally start doing that shortly after creating an account.
Michele