APWG Malicious Domain Suspension Program

A governed process for suspending maliciously registered domains securely, auditably, and with manageable scale

APWG’s Malicious Domain Suspension (AMDoS) system enables Accredited Interveners to submit suspected malicious domain names for investigation by Sponsoring Registrars and Top-Level Domain Registries.

Allied with governance bodies and operational directorates tasked with brand integrity, APWG navigated the technical and policy challenges that a scalable domain suspension protocol needed to address.

AMDoS orders and systematizes suspension requests through a formal process that ensures the credibility of malicious domain reporters and the integrity of their suspension requests, and speeds them on their way to the Registrars of record.

APWG vets candidate malicious domain reporters (Accredited Interveners) with the vigor and diligence required for a responder with such potent authority.

The AMDoS process safeguards against error while affording quick action in the suspension of malicious sites, matching cybercrime’s speed. The AMDoS application manages suspension requests through a formal, auditable process that:

• Establishes formal criteria for defining malevolent domain names eligible for suspension;

• Examines and confirms bona fides of Accredited Interveners regarding their capacity to judge suspect domain names against formal criteria;

• Provides an auditable platform for submission of suspension requests by Accredited Interveners that curates communications between interveners and Registrars and Registries;

• Presents Attestations to Registrars and Registries based on explicit, verifiable testimony describing violations of RAAs and/or Registrar customers’ terms of service agreements.

Instead of Ad Hoc Correspondence, a Centrally Administered and Auditable Process

When an Accredited Intervener issues a Suspension Request via the Attestation page [Figure 1], AMDoS populates the new suspension request with the available data from a domain name WHOIS data query.
After the request is signed and submitted, the AMDoS system allows the Accredited Intervener to upload supporting documents, such as screenshots, and attach them to the attestation.

AMDoS distributes the request and attestation to the sponsoring Registrar or Registry based on the Top-Level Domain (TLD) identified in the request. (If a Registrar or Registry User from the TLD is enrolled on AMDoS, the request will be forwarded to that user; if not, AMDoS will perform a look-up in GNSO data and forward a notification of interest by an Accredited Intervener to the Registry’s Technical Contact email address, notifying the Registry that a suspension request has been filed on a domain name in its TLD space.)

Figure 1

Thereafter, the Accredited Intervener can track the progress of the request from the My Suspensions list, and determine if a domain name has previously been reported by searching the list of Suspension Items in the archive. Registry Users automatically see Attestations assigned to their TLDs in their own My Suspensions list. With a click on the record, the Accredited Intervener’s personnel can assign Team Members to manage the record or to advance the processing of the suspension request and attestation.

Accredited Interveners

The AMDoS process begins with vetting of Accredited Interveners, with each applicant subject to an expert committee review for accreditation before they can access the AMDoS application.

In order to be considered for application as an Accredited Intervener, applicants will be required to be a member in good standing of APWG and represent an enterprise relevant to the active management of cybercrime.

A request for application is made to our Enrollment Manager, who then determines a candidate’s eligibility for enrollment with the AMDoS vetting committee.

Accredited Interveners are the personnel of fully vetted APWG member organizations.

Once a candidate has passed this pre-screening process, they must complete a formal application [Figure 2] and provide proof of valid incorporation and other documentation. Once the candidate satisfies these documentation requirements, their application is processed by the APWG’s AMDoS managers and review committee.

Registrar & Registry Users

Registrar and Registry Users’ bona fides are confirmed, focusing on their level of correspondence – and commensurate authority – within the enterprise to animate a domain suspension.

Once the AMDoS Enrollment Manager admits an intervener or Registry User, their institutions will have access to the AMDoS console and be able to process Domain Name Resolution Suspension Request and Attestations [Figure 2] (if an intervener) and (if a Registry User) manage those suspension request records relating to their domain spaces.

Figure 2