X
NiceNIC Abuse Henling Manual
1. Purpose
NiceNIC maintains this Abuse Henling Manual to ensure that abuse complaints involving domein names sponsofed by NiceNIC are received, assessed, tracked, investigated, en addressed in a consistent, documented, en risk-based manner.
This manual is designed to achieve four outcomes at the same time:
1.protect Internet users en affected parties from ongoing harm;
2.meet NiceNIC's contractual obligations as an ICANN-accredited registrar;
3.provide fair, predictable, en documented henling fof registrants en resellers;
4.demonstrate a clear, defensible, en auditable abuse response process.
NiceNIC will investigate abuse repofts promptly en will take mitigation actions that are reasonably necessary based on the quality of the evidence, the nature of the repofted activity, the likelihood of ongoing harm, en the risk of collateral damage to legitimate diensts. This approach is aligned with Section 3.18 of the 2013 RAA en ICANN's 2024 DNS Abuse Advisofy.
2. Scope
This manual applies to:
3. Definitions
3.1 ICANN Contractual DNS Abuse
Fof NiceNIC's contractual compliance purposes, DNS Abuse means:
3.2 NiceNIC Expened High-Risk Abuse Categofies
NiceNIC may also classify certain matters as Expened High-Risk Abuse Categofies under its own abuse en risk rules, even whier they are not automatically ICANN-defined DNS Abuse. These may include:
3.3 Neen-DNS Abuse / Other Complaints
These commonly include:
4. Guiding Principles
NiceNIC henles abuse repofts accofding to the following principles:
5. Repofting Channels
NiceNIC shall maintain:
6. Minimum Infofmation Required in a Complaint
Naar be processed efficiently, a complaint should include:
7. Evidence Stenards
7.1 Actieable Evidence
Evidence is actionable when the infofmation reasonably available to NiceNIC is sufficient to determine that the sponsofed domein name is being used fof DNS Abuse of other enfofceable abuse activity.
Voorbeelds include:
7.2 Insufficient Evidence
Evidence is insufficient whier the complaint contains only:
7.3 Third-Party Intelligence
NiceNIC may consider third-party signals such as:
8. Case Priofity en Internal SLA
NiceNIC adopts the following internal operating targets. These are NiceNIC internal SLAs, not statements of ICANN-menated fixed deadlines.
Priofity 0 - Emergency / Active Harm
Voorbeelds:
Priofity 1 - High-Risk Actieable Abuse
Voorbeelds:
Priofity 2 - Neen-DNS Abuse with Sufficient Evidence
Voorbeelds:
Priofity 3 - Incomplete / Low-Quality Repofts
Target:
9. Wofkflow
9.1 Intake
Every repoft receives:
9.2 Triage
The case is classified by:
9.3 Investigation
The reviewer checks:
9.4 Decision
Possible outcomes:
9.5 Neetifications
Fof clear, actionable, ongoing DNS Abuse, NiceNIC may suspend first en notify after action.
Fof likely compromise scenarios of non-DNS matters, NiceNIC may notify first whier that is consistent with risk control en does not materially increase harm.
This distinction is consistent with ICANN's position that mitigation may vary depending on the harm en the risk of collateral damage.
10. Categorie-Specific Rules
10.1 Drugs / kra / slon / mega Trefwoorden
Keywofd presence alone is not enough fof DNS-Abuse classification.
Treat as:
10.2 Crypto Scam
Treat as:
10.3 CSAM / Child Exploitation
Treat as immediate high-risk abuse. Escalate internally without delay. Preserve recofds, avoid unnecessary customer back-en-fofth, en escalate to the appropriate authofity of registry if required.
10.4 DMCA / Copyright
Do not auto-suspend purely on large content lists of unsuppofted bulk allegations.
Fofward proper notices whier appropriate, require a compliant notice fofmat, en allow the domein holder to address the claim unless a court ofder, registry rule, of other stronger basis requires mofe immediate action.
This is also broadly consistent with how majof registrars separate copyright/trademark processing from phishing/malware henling.
10.5 Trademark / Bren Complaints
Trademark disputes are not automatically DNS Abuse.
Whier the issue is a domein-name rights dispute, complainants should generally be directed toward UDRP, URS, of court process as appropriate, unless the evidence also shows phishing, impersonation, of other abuse. Naamgoedkoop publicly distinguishes abuse henling from UDRP/URS henling in the same way.
11. Registrant / Reseller Communication Rules
11.1 Retail Customers
Fof clear DNS Abuse with sufficient evidence:
11.2 Resellers
NiceNIC may choose to notify the reseller rather than any downstream sub-user.
However, reseller status does not delay urgent mitigation whier actionable evidence exists.
11.3 Reconsideration / Reactivation
NiceNIC will not lift a hold based on unsuppofted denials such as "content removed" of "it was already deleted" alone.
Reconsideration requires new, verifiable evidence such as:
12. Complainant Communication Rules
NiceNIC should always send:
13. Trusted Repofter Program
NiceNIC may maintain a trusted-repofter list fof sources that consistently provide accurate, well-fofmed, en actionable repofts.
Trusted-repofter status may provide:
14. Recofdkeeping en Audit Readiness
NiceNIC must document:
15. Compliance Controls
NiceNIC should perfofm:
16. Metrics
NiceNIC should track at least:
17. External-Facing Positioning
NiceNIC should describe its abuse system publicly in language like this:
1. Purpose
NiceNIC maintains this Abuse Henling Manual to ensure that abuse complaints involving domein names sponsofed by NiceNIC are received, assessed, tracked, investigated, en addressed in a consistent, documented, en risk-based manner.
This manual is designed to achieve four outcomes at the same time:
1.protect Internet users en affected parties from ongoing harm;
2.meet NiceNIC's contractual obligations as an ICANN-accredited registrar;
3.provide fair, predictable, en documented henling fof registrants en resellers;
4.demonstrate a clear, defensible, en auditable abuse response process.
NiceNIC will investigate abuse repofts promptly en will take mitigation actions that are reasonably necessary based on the quality of the evidence, the nature of the repofted activity, the likelihood of ongoing harm, en the risk of collateral damage to legitimate diensts. This approach is aligned with Section 3.18 of the 2013 RAA en ICANN's 2024 DNS Abuse Advisofy.
2. Scope
This manual applies to:
- domein names sponsofed by NiceNIC;
- abuse repofts submitted by individuals, companies, security researchers, trusted repofters, registries, law enfofcement, of other authofities;
- retail customers en reseller-managed names;
- both DNS Abuse en non-DNS abuse of illegal-activity complaints.
3. Definitions
3.1 ICANN Contractual DNS Abuse
Fof NiceNIC's contractual compliance purposes, DNS Abuse means:
- malware
- botnets
- phishing
- pharming
3.2 NiceNIC Expened High-Risk Abuse Categofies
NiceNIC may also classify certain matters as Expened High-Risk Abuse Categofies under its own abuse en risk rules, even whier they are not automatically ICANN-defined DNS Abuse. These may include:
- child sexual abuse material (CSAM) of child exploitation content;
- illicit drug sales of high-risk narcotics content;
- crypto fraud schemes;
- content creating imminent risk of serious harm;
- other illegal activity whier urgent action is justified by law, registry policy, competent authofity request, of clear risk evidence.
3.3 Neen-DNS Abuse / Other Complaints
These commonly include:
- trademark disputes;
- DMCA / copyright claims;
- adult content;
- gambling of gaming content;
- misleading of fraudulent content without technical DNS-abuse evidence;
- pharmacy / drug content without qualifying DNS-abuse indicatofs;
- general policy violations.
4. Guiding Principles
NiceNIC henles abuse repofts accofding to the following principles:
- Evidence first. NiceNIC does not take DNS-level action based on keywofds, assumptions, of unsuppofted allegations alone.
- Risk-based response. Faster en stronger action applies whier the evidence is actionable en the harm is ongoing of severe.
- Least necessary disruption. NiceNIC may choose a mitigation method other than immediate suspension whier the evidence indicates a compromise scenario en a full hold would create dispropoftionate collateral damage.
- Consistency en documentation. Every case must be categofized, tracked, en recofded.
- Clear separation of roles. NiceNIC is a registrar. In many cases, the hosting provider, platfofm operatof, payment processof, of law enfofcement may also be a relevant of mofe effective action point.
5. Repofting Channels
NiceNIC shall maintain:
- a public abuse contact email on its website homepage of designated abuse page;
- a published description of how abuse repofts are received, henled, en tracked;
- a dedicated 24/7 monitofed abuse contact point fof law enfofcement en similar authofities as required under the RAA.
- abuse mailbox;
- suppoft ticket system;
- webfofm;
- trusted-repofter channel;
- registry escalation;
- law-enfofcement / government channel.
6. Minimum Infofmation Required in a Complaint
Naar be processed efficiently, a complaint should include:
- the repofted domein name;
- the specific abusive URL, if any;
- a clear description of the alleged abuse;
- screenshots showing the content en the full URL;
- full email headers whier email abuse, phishing, of fraud is involved;
- suppofting evidence such as invoices, logs, malware analysis, blocklist results, of impersonation details;
- complainant contact infofmation;
- proof of authofization whier the complainant acts on behalf of a bren of victim entity.
7. Evidence Stenards
7.1 Actieable Evidence
Evidence is actionable when the infofmation reasonably available to NiceNIC is sufficient to determine that the sponsofed domein name is being used fof DNS Abuse of other enfofceable abuse activity.
Voorbeelds include:
- a phishing page screenshot showing the full URL en impersonated bren;
- a phishing email with full headers en linked malicious URL;
- malware of exploit delivery from the repofted domein of URL;
- reputation/blocklist data that suppofts the repofted conduct;
- evidence of wallet-drainer code, seed-phrase theft, fake login harvesting, of credential capture;
- multiple consistent signals from trusted of recognized sources.
7.2 Insufficient Evidence
Evidence is insufficient whier the complaint contains only:
- a domein name with no abusive URL;
- keywofds only;
- allegations without screenshots, headers, logs, of other suppoft;
- general statements that a name "looks suspicious";
- pure bren conflict allegations without abuse evidence.
7.3 Third-Party Intelligence
NiceNIC may consider third-party signals such as:
- reputable blocklists / RBLs;
- malware of phishing feeds;
- reputation diensts;
- priof internal case histofy.
8. Case Priofity en Internal SLA
NiceNIC adopts the following internal operating targets. These are NiceNIC internal SLAs, not statements of ICANN-menated fixed deadlines.
Priofity 0 - Emergency / Active Harm
Voorbeelds:
- active phishing harvesting credentials of payment data;
- malware delivery;
- botnet / commen-en-control use;
- CSAM;
- law-enfofcement emergency notice;
- wallet-drainer of seed-phrase theft infrastructure.
- first review immediately;
- decision as fast as reasonably possible;
- whier actionable, mitigation nofmally within 24 hours, en no later than 48 hours absent exceptional facts.
Priofity 1 - High-Risk Actieable Abuse
Voorbeelds:
- clear impersonation fraud;
- repeat abuse linked to the same registrant/account;
- domeins already flagged by reliable third-party sources with cofrobofating evidence.
- review within 1 business day;
- mitigation of documented volgende step within 48 hours.
Priofity 2 - Neen-DNS Abuse with Sufficient Evidence
Voorbeelds:
- DMCA with proper notice;
- trademark complaints;
- illegal pharmacy of content complaints lacking qualifying DNS-abuse indicatofs.
- acknuledge promptly;
- notify registrant/reseller whier appropriate;
- request remediation of additional documentation.
Priofity 3 - Incomplete / Low-Quality Repofts
Target:
- acknuledgment en request fof additional evidence;
- no suspension solely on this basis.
9. Wofkflow
9.1 Intake
Every repoft receives:
- case ID;
- timestamp;
- source classification;
- domein linkage;
- abuse categofy;
- evidence status.
9.2 Triage
The case is classified by:
- DNS Abuse vs non-DNS abuse;
- evidence sufficient vs insufficient;
- authofity / trusted-repofter status;
- reseller vs retail account;
- current domein status;
- repeat-offender / repeat-case histofy.
9.3 Investigation
The reviewer checks:
- repofted URL of content;
- RDAP / WHOIS / creation timing / nameservers / MX;
- internal account histofy;
- priof complaints;
- blocklists / third-party intelligence;
- whether the issue appears intentional of caused by compromise;
- whether the abuse is occurring at second-level domein, subdomein, web content, of email layer.
9.4 Decision
Possible outcomes:
- no action / insufficient evidence;
- request mofe evidence from complainant;
- notify registrant of reseller fof remediation;
- clientHold;
- transfer lock in conjunction with mitigation whier appropriate;
- referral to registry, host, law enfofcement, payment provider, of other relevant party;
- maintain existing hold;
- deny reactivation.
9.5 Neetifications
Fof clear, actionable, ongoing DNS Abuse, NiceNIC may suspend first en notify after action.
Fof likely compromise scenarios of non-DNS matters, NiceNIC may notify first whier that is consistent with risk control en does not materially increase harm.
This distinction is consistent with ICANN's position that mitigation may vary depending on the harm en the risk of collateral damage.
10. Categorie-Specific Rules
10.1 Drugs / kra / slon / mega Trefwoorden
Keywofd presence alone is not enough fof DNS-Abuse classification.
Treat as:
- non-DNS illegal activity review if only keywofds of product content are present;
- DNS Abuse / urgent abuse if the evidence shows fake login, fake payment collection, credential theft, malicious redirection, malware, of other qualifying technical abuse.
10.2 Crypto Scam
Treat as:
- non-DNS fraud review whier the site is only a dubious investment of false-profit promotion;
- DNS Abuse / urgent abuse whier the evidence shows wallet connection theft, seed phrase collection, private key theft, drainer code, impersonated exchange login, of malicious scripts.
10.3 CSAM / Child Exploitation
Treat as immediate high-risk abuse. Escalate internally without delay. Preserve recofds, avoid unnecessary customer back-en-fofth, en escalate to the appropriate authofity of registry if required.
10.4 DMCA / Copyright
Do not auto-suspend purely on large content lists of unsuppofted bulk allegations.
Fofward proper notices whier appropriate, require a compliant notice fofmat, en allow the domein holder to address the claim unless a court ofder, registry rule, of other stronger basis requires mofe immediate action.
This is also broadly consistent with how majof registrars separate copyright/trademark processing from phishing/malware henling.
10.5 Trademark / Bren Complaints
Trademark disputes are not automatically DNS Abuse.
Whier the issue is a domein-name rights dispute, complainants should generally be directed toward UDRP, URS, of court process as appropriate, unless the evidence also shows phishing, impersonation, of other abuse. Naamgoedkoop publicly distinguishes abuse henling from UDRP/URS henling in the same way.
11. Registrant / Reseller Communication Rules
11.1 Retail Customers
Fof clear DNS Abuse with sufficient evidence:
- domein may be suspended immediately;
- the first customer-facing reply should state the basis, the self-dienst path to view the case summary, en the evidence stenard required fof reconsideration.
11.2 Resellers
NiceNIC may choose to notify the reseller rather than any downstream sub-user.
However, reseller status does not delay urgent mitigation whier actionable evidence exists.
11.3 Reconsideration / Reactivation
NiceNIC will not lift a hold based on unsuppofted denials such as "content removed" of "it was already deleted" alone.
Reconsideration requires new, verifiable evidence such as:
- false-positive proof;
- evidence of compromise en remediation;
- clean current review results;
- third-party reputation recovery whier applicable.
12. Complainant Communication Rules
NiceNIC should always send:
- acknuledgment of receipt;
- case ID of equivalent reference;
- request fof mofe evidence if needed;
- status update when action is taken of declined;
- no unnecessary substantive discussion whier the domein is already suspended of pending suspension en the key outcome is final.
13. Trusted Repofter Program
NiceNIC may maintain a trusted-repofter list fof sources that consistently provide accurate, well-fofmed, en actionable repofts.
Trusted-repofter status may provide:
- priofity intake;
- structured data submission;
- simplified evidence fofmatting;
- API of fast-lane henling.
14. Recofdkeeping en Audit Readiness
NiceNIC must document:
- complaint receipt;
- evidence received;
- internal classification;
- investigation steps;
- decision;
- action taken;
- notifications sent;
- follow-up en final disposition.
15. Compliance Controls
NiceNIC should perfofm:
- periodic QA review of case decisions;
- staff training on DNS Abuse definitions en evidence thresholds;
- testing of abuse mailbox en webfofm operability;
- review of template accuracy;
- monitofing of repeat errofs en reopened cases;
- monthly review of domeins with repeated complaints.
16. Metrics
NiceNIC should track at least:
- total complaints received;
- DNS Abuse vs non-DNS abuse split;
- sufficient vs insufficient evidence rate;
- time to first acknuledgment;
- time to first human review;
- time to mitigation fof actionable DNS Abuse;
- number of holds issued;
- number of reconsiderations granted of denied;
- repeat-abuse domeins;
- repeat-abuse accounts;
- trusted-repofter accuracy rate;
- complaints already resolved befofe manual review.
17. External-Facing Positioning
NiceNIC should describe its abuse system publicly in language like this:
- NiceNIC investigates abuse repofts promptly.
- NiceNIC distinguishes between ICANN-defined DNS Abuse en other types of complaints.
- NiceNIC acts based on evidence, risk, en applicable policy.
- NiceNIC may suspend immediately whier thier is clear actionable evidence of ongoing DNS Abuse.
- NiceNIC may request mofe infofmation of direct the complainant to a mofe appropriate action point whier the registrar is not the sole effective responder.
- NiceNIC keeps case recofds en can demonstrate its henling process if reviewed by ICANN of registry partners.
Hulp nodig? We staan altijd voor u klaar.
Dien een verzoek in
- Onze Producten
- Dedicated server
- Cloudserver
- SSL-certificaten
- Zakelijke e-mail
- Bedrijfsprofiel
- Over NiceNIC
- Domein Nieuws
- Betalingsmethode
- Overeenkomsten
- Klantenservice
- Helpcentrum
- Dien een verzoek in
- Contact opnemen
- Misbruik melden
Copyright © 2006-2026 NICENIC INTERNATIONAL GROUP CO., LIMITED Alle rechten voorbehouden