The one concrete suggestion I've seen is to induce a delay in zone creation and publish a list of newly created names within the zone. The problem with this is that it sort of assumes:
What are your thoughts on basic suggestions such as: 1. Allowing registrars to terminate domains based on abuse, rather than just fake contact details.
This is very, very dangerous. Registrars such as GoDaddy who have tried this could be well-meaning, but are not in the correct position to be able to reliably determine what is going on.

What constitutes abuse? You received a spam message with our domain forged in the headers? You received a spam message with one of our IP's and domain names forged in the headers (this is becoming common)? You received one actual spam because some customer installed their own web-to-mail script on the web server and it got 0wn3d? Someone got their web server here 0wn3d and it is acting as a controller for pr0n/etc spam spewing bots?

What constitutes a fraudulent registration? No phone number? An old phone number? A current phone number where the SIP registration has failed because the VoIP provider made some changes? A current phone number that isn't answered? No address? An old address? And so on...

I'll remind you that in all of these cases, removing a domain name is not going to be mitigation. It might *feel* good but it has the potential to do lots of damage for little result.

Is there a difference between a decade-old domain with contact information where a web server got hacked, and a 1-day old domain with garbage for contact information that was set up explicitly for Bad Stuff? How do you tell?
5. Enforcing that registrars act in say, not a whitehat fashion, but a not blackhat fashion?
"Whitehat" does not mean what many seem to think. A whitehat would have the philosophy of trying to take the course of action that was the most equitable and did the least amount of harm possible. Many people have equated "whitehat" to mean "we nuke things when problems are reported," and that isn't whitehat - that's simply stupidly malicious.

I would go so far as to call the reported behaviour of registrars such as GoDaddy to be virtually blackhat. Look at this crud:

http://domainnamewire.com/2007/02/28/godaddy-responds-to-deletion-over-inval...

So, *knowing* that the contact e-mail wasn't working, they sent requests for current contact info *to* the broken contact e-mail. When they didn't get a response, they then didn't bother calling or writing via snail mail, which were apparently valid, but instead cancelled the domain and then sold it to someone who had paid for backorder, so they've collected twice for the domain *and* then also for the backorder. Profitable for them. As far as I'm concerned, also highly unethical.

A whitehat would have called. A whitehat would have written a letter. A whitehat would have even gone to the web site to look for further contact info. A whitehat that felt action was mandatory would have suspended the domain (not redirected, merely suspended) as a way to try to get the domain holder to contact.

This is essentially a big loophole in 3.7.7.2. GoDaddy can probably make a reasonably valid claim that they followed the ICANN policy, and yet it is obvious that they didn't really do anything sensible in this case.

So to get back to Gadi's point #1, if they can't even do a reasonable job of terminating for incorrect information in domain registrations, do we really want registrars trying to handle abuse? (Note that GoDaddy has some bad history here too, see seclists.org for example).

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.