Fighting DNS Abuse Globally: Insights from the 2025 Abuse Workshop at Nordic Domain Days
At the 2025 Nordic Domain Days Abuse Workshop, eco’s Thomas Rickert and global experts called for unified, cross-sector collaboration, legal harmonization, and automation to combat DNS abuse – moving beyond silos toward a resilient, trust-based ecosystem.

In May 2025, the eco Association’s topDNS Initiative and iQ Global co-hosted the Abuse Workshop at Nordic Domain Days in Stockholm. A cross-sector group of stakeholders across the Internet infrastructure ecosystem – including registrars, registries, hosting providers, and ISPs – joined to collaborate in the fight against DNS abuse. What stood out this year was a marked shift from technical problem-solving in silos to a vision of globally coordinated, AI-supported, trust-driven abuse mitigation.
Traditionally, registries, registrars, hosting providers and other infrastructure operators have worked in isolation – often pointing fingers rather than partnering to resolve incidents. The workshop, co-hosted by eco’s topDNS Initiative and iQ Global, built upon momentum from the Internet Infrastructure Forum (IIF) in Amsterdam earlier this year to tackle this fragmentation head-on.
Moving beyond silos
At the workshop, I emphasized that historically, different segments of the industry – like registries and hosting providers – have operated in silos, often blaming each other rather than working together. But I’m seeing growing momentum to bridge those gaps. It’s critical that we start by truly understanding each other’s operational realities. The volume and nature of abuse reports, for example, can vary dramatically between segments, which affects how each of us can respond. At the workshop, I also stressed the need for a robust legal framework that supports, rather than inhibits, collaboration. You might not have a 100% solution or absolute certainty in every action – but if we want real change, we need to act. We need to move, not just analyze and come up with excuses for why something can’t be done. That call for pragmatic, collective action clearly resonated throughout the workshop.
Keith Drazek of Verisign reinforced this theme, highlighting the importance of aligning regulatory frameworks with industry self-regulation to effectively combat domain abuse. He underscored that collaboration between policy and technical communities is essential for a resilient, long-term strategy, and asserted the need to balance oversight with industry-led initiatives to protect the DNS ecosystem. This sentiment was also echoed by Dennis Dayman from M3AAWG, who reiterated the long-standing value of global, cross-sector cooperation.
Bertrand de la Chapelle of the Internet & Jurisdiction Policy Network called for proportional, jointly governed spaces beyond ICANN’s DNS-only mandate, laying the groundwork for the IIF – a multi-stakeholder forum where registries, registrars, hosting providers, content platforms and others can exchange intelligence, coordinate takedowns and develop best practices.
Practical approaches that work
The workshop highlighted several promising models already yielding results. For example, Adam Eisner of CIRA shared how the .ca registry maintains relatively low abuse rates through a combination of practical policies – including Canadian residency requirements and modest but stable pricing – and strong partnerships with law enforcement. While effective, Eisner acknowledged that manual processes must evolve toward more automated detection as threats and regulations escalate.
From his angle, Kristian Ørmen of Internetstiftelsen (.SE) shared how Sweden’s ccTLD improves abuse handling by leveraging invalid WHOIS data as an enforcement trigger. Updated registrar agreements require registrars to validate or deactivate flagged domains within set deadlines, shifting the verification workload away from the registry. This approach sidesteps debates about content or intent and enables .SE to scale mitigation efforts while focusing on priority cases.
Mo Zaman and Ivan Hadzhiev from DMARC Advisor illustrated how seemingly minor DNS misconfigurations can enable massive abuse. In one case, a client’s outdated SPF record referencing shared-host IPs allowed attackers to send 2.3 million spam messages before correction. In another, forgotten CNAME records pointing to decommissioned Azure resources were exploited by criminals who re-registered the hostnames to launch large-scale phishing campaigns. Their presentation emphasized the need for rigorous DNS record decommissioning, formal change-control procedures, and strong access controls – including role-based authentication and password policies – to prevent such abuses.
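The decommissioning check that presentation calls for can be run against an organization's own zone. The sketch below is an added example, not code from the presenters or from the workshop: it flags CNAMEs that point at Azure hostnames which no longer resolve, and SPF `ip4` ranges outside the organization's address inventory. The zone contents, the `example` names, the inventory and the stubbed resolver are constructed assumptions; in production `resolves` would be a real DNS lookup.

```python
import ipaddress

# Constructed sample data: zone records, targets that still resolve, owned sender ranges.
ZONE = """\
www      CNAME  example-prod.azurewebsites.net.
promo    CNAME  example-campaign2021.azurewebsites.net.
files    CNAME  examplefiles.blob.core.windows.net.
docs     CNAME  docs.example.net.
@        TXT    "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 include:_spf.example.net -all"
"""
LIVE_TARGETS = {"example-prod.azurewebsites.net", "docs.example.net"}
OWNED_NETS = [ipaddress.ip_network("203.0.113.0/28")]
# Cloud hostname suffixes that another tenant can claim once the resource is released.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".blob.core.windows.net", ".cloudapp.azure.com")

def parse_zone(text):
    """Yield (name, rtype, value) from simple 'name TYPE value' lines."""
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            name, rtype, value = line.split(None, 2)
            yield name, rtype.upper(), value.strip()

def dangling_cnames(records, resolves):
    """CNAMEs to claimable cloud names whose target no longer resolves."""
    out = []
    for name, rtype, value in records:
        target = value.rstrip(".").lower()
        if rtype == "CNAME" and target.endswith(CLAIMABLE_SUFFIXES) and not resolves(target):
            out.append((name, target))
    return out

def stale_spf_ranges(records, owned):
    """ip4 mechanisms in SPF records that fall outside every owned network."""
    out = []
    for name, rtype, value in records:
        txt = value.strip('"')
        if rtype == "TXT" and txt.lower().startswith("v=spf1"):
            for term in txt.split()[1:]:
                mech = term.lstrip("+-~?").lower()
                if mech.startswith("ip4:"):
                    net = ipaddress.ip_network(mech[4:], strict=False)
                    if not any(net.subnet_of(o) for o in owned):
                        out.append((name, str(net)))
    return out

def audit(zone_text=ZONE, resolves=LIVE_TARGETS.__contains__, owned=OWNED_NETS):
    records = list(parse_zone(zone_text))
    return dangling_cnames(records, resolves), stale_spf_ranges(records, owned)

print(audit())
```

Each finding is a record to remove or correct under change control before the released hostname or shared address range ends up in someone else's hands.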
The IIF Framework: Four critical workstreams
Under the IIF umbrella, four coordinated workstreams have been launched to systematically address abuse across the digital ecosystem:
- Legal and Regulatory Harmonization: This track focuses on clarifying legal constraints under frameworks like NIS2, the Digital Services Act, and global privacy regimes to enable timely, risk-informed information sharing.
- Automation in Abuse Handling: Developing standardized APIs and structured notice formats to scale and streamline response workflows.
- Phishing as a Cross-Layer Case Study: Piloting interventions that span multiple layers of infrastructure to assess systemic vulnerabilities and countermeasures.
- Combating CSAM and Non-Consensual Imagery: Enhancing coordination with trusted notifiers to address high-impact, harmful content.
Across all tracks, the IIF emphasizes a shift from reactive content removals to proactive prevention, improved deterrence through post-incident data sharing, and the cultivation of systemic resilience. I acknowledged that legal caution can sometimes slow collaboration, but I stressed that a robust, harmonized legal framework – one that accommodates measured risk – is essential for enabling rapid, coordinated responses to online abuse.
Automation and standardization: The path forward
As abuse volumes grow, automation becomes increasingly critical. Rowena Schoo of the NetBeacon Institute advocated for scalable, automated tools to support abuse mitigation across operators of all sizes. Their service NetBeacon Reporter transforms unstructured reports into enriched, standardized formats and routes them via APIs and threat feeds to the appropriate registrars and hosts. Schoo highlighted the challenges smaller providers face, called for collaborative, trust-based solutions, and underscored the importance of aligning with the IIF to drive consistent, ecosystem-wide progress.
Theo Geurts of Realtime Register emphasized the need for consistent abuse indicators and standardized feedback loops to improve trust and coordination. He noted that weak enforcement, due to high costs and legal backlogs, fuels abuse, and advocated for prevention through stricter reseller vetting and mitigation via automation. This includes API-based reporting, enriched reports with threat intel, and formats like XARF (eXtended Abuse Reporting Format). Geurts highlighted emerging tools like AI-driven intake systems and multilingual reporting agents that help convert unstructured reports into actionable data, stressing the importance of global standardization for faster, more effective mitigation.
The workshop participants strongly endorsed standardization in reporting formats, with XARF emerging as a leading candidate. Rather than debating preferred channels (email vs. web form vs. API), the focus shifted to ensuring reports are easy to submit while delivering structured, actionable data. As Michael Halvorsen of iQ Global noted, AI can serve as an effective intermediary – parsing incoming emails, automatically requesting missing evidence, and forwarding fully-formed reports to backend systems.

Toward a new ecosystem of trust
Perhaps the most significant development emerging from the workshop is the concept of a two-sided marketplace of notifiers and receivers, bridged by intermediary platforms that aggregate, enrich, prioritize, and dispatch abuse notices. This ecosystem approach accommodates everyone – from solo reporters to brand-protection teams – by offloading complexity to specialized intermediaries.
We also saw broad support for a centralized abuse coordination function – a hub where stakeholders can see who has taken action on abuse reports, reducing duplication and closing communication gaps. Coupled with transparent feedback systems, such a hub would ensure that everyone is aware of actions taken, fostering accountability and trust.
Next steps: From theory to implementation
As we look ahead, three concrete imperatives emerged from our discussions:
- Adopt a shared data format (XARF or equivalent) to enable seamless communication between different actors in the ecosystem.
- Establish a neutral coordination hub to track actions and provide feedback, ensuring transparency and accountability.
- Pilot playbooks that define when and how hosting providers, registrars, and registries should be alerted about different types of abuse.
Call to action
The path forward requires commitment from all stakeholders. I invite you to the following:
- If you are interested in joining the discussion to tackle abuse, join eco’s topDNS Initiative; we can also introduce you to the IIF
- Adopt standardized reporting formats within your organization
- Share your successes and challenges to help refine our collective approach
- Participate in pilot programs to test cross-industry coordination mechanisms
Only through sustained collaboration can we hope to stay ahead of those who would exploit our digital infrastructure for harm. The silos that have defined our industry’s approach to abuse must give way to bridges – and building those bridges is a responsibility we all share.
Attorney-at-law and domain law expert Thomas Rickert is Director of the Names & Numbers Forum at eco - Association of the Internet Industry (international.eco.de). Thomas Rickert is a member of the GNSO (Generic Names Supporting Organization) Council of the Internet Corporation for Assigned Names and Numbers (icann.org). In 2022, he initiated the topDNS Initiative (topdns.eco) that unites members of the eco Association to fight DNS abuse. Furthermore, Thomas Rickert is Managing Director of the law firm Rickert Rechtsanwaltsgesellschaft mbH (rickert.law), which is specialized in legal issues of the digital economy.