ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Domain takedown through 100% automation - kicking the hornet's nest of controversy

  • To: joe@xxxxxxxxxxxxxxxxxx
  • Subject: Re: [gnso-ff-pdp-may08] Domain takedown through 100% automation - kicking the hornet's nest of controversy
  • From: Marc Perkel <marc@xxxxxxxxxx>
  • Date: Sun, 03 Aug 2008 13:42:13 -0700




Joe St Sauver wrote:
Dave mentioned:

#It's not the automation itself that some registrars may find worrisome,
#it's the non-zero probability of false positives that some registrars
#may feel calls for a human decision. I'm not suggesting that the human
#factor is infallible, but that the human decision may say, "before I
#take down ebay.com, even if every marker in the universe of possible
#markers says this is bogus, I'm going to make a call". Perhaps you
#could program an automaton to think like this, but I think it would be
#harder and more expensive.

As I've previously mentioned, I too like human participation in the
decision making chain, but a lot of automated checks CAN be easily
built into the process, and routinely are for things like anti-spam
(or potential anti-fastflux) services.

I'm not saying the humans be excluded. What I'm saying is that under some circumstances the registrar can choose to use automation if they want to, and use it in cases that are 100% sure.

For example, you mentioned ebay.com as an example of a domain that
would merit extra decision making care, and we all instinctively
grok that, but we can actually lay out specific criteria that could
be used to mechanically send up a "red flag" including things like:

If I were writing automated takedown software for a registrar, eBay would not be able to be taken down due to automation. In fact I would probably restrict automation to domains under 2 weeks old. Mostly focused on domains still in the "tasting" period. I also doubt ebay would be using fast flux.

-- is the domain from a TLD that is known to have its own aggressive
   security policies and controls in place? For example, is the
   domain from .mil? No, it's not in this case, but if it were, that
   would be enough to trigger extra review.

I'm not suggesting automated takedown be required. I'm saying that it should be allowed should registries/registrars choose to do it.

-- is the domain on various rankings of "top sites"? For example,
   just to check one such list, Alexa's, eBay is #18 (see
   http://www.alexa.com/site/ds/top_sites?lang=none&ts_mode=global )
   which would, in and of itself, be sufficient IMHO to flag this
   domain for extra review before any action were to be taken

I would say that any domain that is more than a month old or has prepaid more than one year should be excluded from automated takedown.

-- if you google for the domain, is it prominent? (in ebay.com's
   case, at 220 million hits, I'd suggest, "Yes", again triggering
   extra review)

-- is the domain one that has been around for some time? (in ebay.com's
   case, its provenance dates to 04-aug-1995, again potentially
   triggering extra review)

Mostly focused on new domains. Aren't new domains usually used for abuse?

-- are there indicia that the domain is one where the registrant
   wants extra scrutiny applied before changes are made? (yes, in
   ebay.com's case, the domain has been set to "clientDeleteProhibited,
   clientTransferProhibited, and clientUpdateProhibited" status,
   again potentially triggering extra review)

If there are any factors that would indicate that the domain could be a false positive then humans should be involved.

I would also expect to see 3rd party domain reputation services to
take an active role in this area, whitelisting or bonding
domains against allegations of abuse, just as services of that
sort have emerged for the convenience of email senders and
receivers.



I am a huge fan of creating white lists.

But - here's what I'm really saying. Generally a fast flux domain that is driven by a spam campaign has certain identifiable characteristics that only spammers do. It is likely that most of these fraud campaigns can be identified through automation. What I'm suggesting is that in the cases where automation is in the 100% accurate range and the domain is very new (hence the damage from a rare false positive is very low) that registrars be ALLOWED to use automation if they CHOOSE to do so. I'm not suggesting that anyone be REQUIRED to use automation.

I also suggest that registrars share common tools and technologies so that registrars don't have to individually figure out what works. The idea here is to make life easy for registrars.
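
The exclusion criteria raised in this message (sensitive TLD, top-site ranking, whitelist, domain age, prepaid term, registrant lock statuses), sketched as a gate that decides whether a flagged domain may be left to automation or must go to a human. This is an added example, not code from anyone on the list; the list contents, thresholds and names (`Domain`, `review_reasons`, `route`) are assumptions, and the fast-flux detector itself is out of scope.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data; a registrar would load real lists here.
SENSITIVE_TLDS = {"mil"}        # TLDs with their own aggressive controls
TOP_SITES = {"ebay.com"}        # stand-in for a "top sites" ranking
WHITELIST = set()               # third-party reputation / whitelist entries
LOCK_STATUSES = {"clientDeleteProhibited", "clientTransferProhibited",
                 "clientUpdateProhibited"}
MAX_AGE_DAYS = 14               # assumed cut-off: "domains under 2 weeks old"
MAX_PREPAID_YEARS = 1           # more than one prepaid year goes to a human


@dataclass
class Domain:
    name: str
    created: date
    prepaid_years: int = 1
    statuses: set = field(default_factory=set)


def review_reasons(d: Domain, today: date) -> list:
    """Reasons this domain needs a human; an empty list permits automation."""
    reasons = []
    name = d.name.lower().rstrip(".")
    if name.rsplit(".", 1)[-1] in SENSITIVE_TLDS:
        reasons.append("sensitive-tld")
    if name in TOP_SITES:
        reasons.append("top-site")
    if name in WHITELIST:
        reasons.append("whitelisted")
    age = (today - d.created).days
    # A creation date in the future is bad data: fail closed to a human.
    if age < 0 or age >= MAX_AGE_DAYS:
        reasons.append("not-new")
    if d.prepaid_years > MAX_PREPAID_YEARS:
        reasons.append("multi-year-prepaid")
    if d.statuses & LOCK_STATUSES:
        reasons.append("registrant-lock")
    return reasons


def route(d: Domain, today: date, detector_flagged: bool) -> str:
    """Route a domain given the (external) detector's verdict."""
    if not detector_flagged:
        return "no-action"
    return "human-review" if review_reasons(d, today) else "automation-eligible"
```

Any single reason is enough to force human review, so adding a criterion can only shrink the set of domains automation is allowed to touch.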



