At-Large Meets ICANN Contractual Compliance and NetBeacon Institute
12 May 2026
Speakers: Leticia Castillo-Sojo - Sr. Director, Contractual Compliance, ICANN; Graeme Bunton - Executive Director, NetBeacon Institute
Moderator: Claire Craig - ALAC Vice Chair
Facilitator: Jessica Benitez - Policy Operations Coordinator, ICANN
Opening Remarks and Context
Claire Craig opened the webinar by framing DNS abuse mitigation as a continuing priority for the At-Large and ALAC community. She noted that while DNS abuse cannot realistically be eliminated, it can be mitigated through collaborative and complementary actions by multiple actors across the DNS ecosystem. She explained that this webinar was the third in a series focused on DNS abuse and end-user protection.
Craig outlined the agenda, introducing Leticia Castillo-Sojo from ICANN Contractual Compliance and Graeme Bunton from the NetBeacon Institute. She emphasized that the session aimed to help the At-Large community better understand enforcement mechanisms, reporting processes, and practical mitigation efforts.
ICANN Contractual Compliance Overview
Leticia Castillo-Sojo explained that ICANN Contractual Compliance is responsible for ensuring that registrars and gTLD registry operators comply with ICANN agreements and policies in order to maintain DNS stability, security, and reliability. She described the department as a 24-person global team operating across Singapore, Los Angeles, and Istanbul.
She outlined three core operational areas:
Operations and enforcement
Audit programs
Metrics and reporting
The operational team processes complaints by category, including transfers, renewals, abuse, and UDRP-related matters, using specialized workflows and subject matter expertise. Castillo-Sojo stressed that this structure allows consistency in investigations and data collection.
She also described ICANN’s audit work, conducted with KPMG support, and the organization’s commitment to transparency through dashboards, reports, and public metrics.
Scope and Limits of ICANN Compliance Authority
Castillo-Sojo emphasized several important limitations on ICANN Compliance authority. She explained that ICANN can only enforce obligations that are explicitly contained within ICANN agreements and policies. It cannot enforce national laws, ccTLD policies, or take direct action on domains such as suspending websites or renewing registrations.
She noted that the majority of complaints ICANN receives fall outside its contractual authority. In those cases, the organization provides educational guidance to complainants about alternative avenues for resolution instead of opening formal investigations.
DNS Abuse Mitigation Requirements and Enforcement Results
Castillo-Sojo reviewed the 2024 DNS abuse mitigation amendments added to ICANN agreements after negotiations between registrars, registries, and ICANN Org. The rules defined DNS abuse for contractual purposes as:
Malware
Botnets
Phishing
Pharming
Spam used to deliver the above abuses
The amendments also required registrars and registries to:
Promptly mitigate well-evidenced DNS abuse
Maintain accessible abuse contacts
Confirm receipt of abuse reports
She then presented enforcement statistics covering April 2024 through April 2026:
Nearly 38,000 complaints received across all complaint categories
Approximately 49% related to abuse
More than 4,600 investigations opened
35 notices of breach issued
17 registrar accreditations terminated
Four additional terminations occurring immediately after the reporting period
Specific to DNS abuse mitigation requirements, ICANN launched approximately 530 investigations. Of those:
Around 66% resulted in abuse being stopped
Approximately 8% resulted in abuse being disrupted
Four formal breach notices were issued directly under DNS abuse obligations
Castillo-Sojo stressed that most enforcement activity occurs before public breach notices are issued. Much of the work involves reviewing evidence, working with registrars on remediation plans, monitoring implementation, and improving systemic processes. She described public notices as “the visible tip” of a much larger compliance effort.
Root Cause Remediation and Proactive Enforcement
A major theme of Castillo-Sojo’s presentation was the importance of addressing root causes rather than isolated abusive domains. She explained that remediation plans often involve operational changes, staff training, system upgrades, and monitoring improvements within registrars or registries.
She cited one example where remediation measures following a breach notice enabled a registry operator to identify and mitigate more than 450,000 malicious domains after an initial case involving only 92 domains.
Looking ahead, Castillo-Sojo introduced a forthcoming proactive enforcement framework intended to supplement complaint-driven investigations and audits. The initiative would identify high-risk registrars and registries using data-driven criteria, including:
Concentration of reported abuse
Speed of mitigation
Prior compliance issues
Effectiveness of previous remediation efforts
Industry reporting indicators
Each quarter, ICANN plans to review approximately five to seven contracted parties using a scoring system. The process will include data collection, information requests, remediation verification, and KPI tracking related to operational timelines, transparency, and measurable abuse reduction.
Questions on Enforcement, Transparency, and Regional Outreach
Eduardo Diaz asked whether ICANN publishes average resolution times for complaints. Castillo-Sojo responded that timelines vary widely because many cases involve extensive remediation and root-cause correction rather than simple domain takedowns. Some cases resolve within days while others require months of operational changes and verification.
Jonathan Zuck asked about de-accreditation practices and whether DNS abuse violations had resulted in registrar terminations. Castillo-Sojo confirmed that no registrar had yet been terminated specifically for DNS abuse obligations, although terminations had occurred for other contractual failures such as unpaid fees, data escrow failures, and RDAP noncompliance. She also acknowledged the longstanding community perception that de-accreditation historically occurred mainly for fee nonpayment.
Rabie asked how ICANN could better support regions such as North Africa where awareness and enforcement may be limited. Castillo-Sojo explained that ICANN coordinates across multiple organizational teams, including Global Stakeholder Engagement and Global Domains Division outreach efforts, to provide training, localized guidance, multilingual resources, and regional support.
Dr. Adebunmi Adeola Akinbo asked whether ICANN’s DNS abuse data could be shared with external organizations. Castillo-Sojo highlighted ICANN’s public dashboards, open-data initiatives, and willingness to publish additional metrics based on community requests. She emphasized that community feedback has directly influenced ICANN’s data publication practices.
ICANN Webinar on Actionable DNS Abuse Complaints
Claire Craig asked Castillo-Sojo to discuss ICANN’s upcoming webinar on actionable DNS abuse complaints. Castillo-Sojo explained that most complaints ICANN receives are not actionable because they lack sufficient evidence or fall outside contractual scope. The planned webinar would provide practical guidance, examples, and detailed explanations about how to submit complaints that ICANN Compliance can meaningfully investigate.
NetBeacon Institute Mission and Structure
Graeme Bunton introduced the NetBeacon Institute as a nonprofit initiative created by Public Interest Registry (.org operator) to address gaps in DNS abuse tooling, education, and operational coordination beyond ICANN’s direct enforcement role. He explained that PIR identified a broader ecosystem need for neutral resources and collaborative infrastructure around DNS abuse mitigation.
Bunton stressed that NetBeacon operates without commercial incentives or sales goals, allowing it to focus entirely on improving Internet safety through education, measurement, and operational support.
He outlined two principal initiatives:
NetBeacon MAP (Measurement and Analytics Platform)
NetBeacon Reporter
NetBeacon MAP and DNS Abuse Measurement
Bunton described MAP as a transparent and academically grounded effort to measure malicious domain activity across the DNS ecosystem. The project works with Professor Maciej Korczynski of the University of Grenoble to analyze reputation feeds and identify reliable abuse indicators.
MAP focuses specifically on phishing and malware because those categories have the most reliable datasets. Bunton argued that:
Botnet-related domains are now relatively uncommon
Pharming overlaps substantially with phishing and malware
Spam datasets are often too unreliable for rigorous measurement
This prompted an extended exchange with Jonathan Zuck regarding definitions of phishing and pharming. Bunton argued that pharming fundamentally involves local DNS hijacking or malware infection outside registrar control, whereas phishing directly concerns malicious domains impersonating legitimate services.
Mitigation Rates, Abuse Trends, and Registrar Performance
Bunton presented several findings from NetBeacon MAP data:
Approximately 90–95% of malicious domains observed are offline within 30 days
Most malicious domains are mitigated within 48 hours
Registrars appear to be improving mitigation speed following the 2024 ICANN amendments
However, he cautioned that mitigation attribution remains difficult because domains may go offline for multiple reasons, including registrar action, hosting provider action, or attackers voluntarily abandoning campaigns.
Bunton also discussed registrar-level reporting and transparency efforts. NetBeacon publishes rankings of highly abused and low-abuse registrars, using safeguards such as six-month consistency requirements before publicly naming registrars. He explained that this avoids unfairly penalizing registrars that temporarily experience abuse spikes but rapidly remediate problems.
He further highlighted emerging trends in coordinated abuse campaigns. In January 2026, roughly half of all malicious domains observed belonged to campaigns involving ten or more domains, including some campaigns exceeding one thousand domains. Bunton identified associated-domain detection and coordinated campaign analysis as critical future mitigation areas.
NetBeacon Reporter and Abuse Reporting Practices
Bunton then turned to NetBeacon Reporter, a public reporting platform that allows anyone to report malicious domains without needing technical knowledge of registrars or DNS operations.
The system supports reporting of:
Phishing
Malware
Botnets
Spam
Child sexual abuse material
Crypto and investment scams
Reporter automatically enriches and routes reports to registrars, registries, or hosting providers as appropriate. Bunton explained that the platform prioritizes operational disruption of abuse rather than large-scale data warehousing.
He stressed that high-quality reporting is essential. According to Bunton, the single most important factor in achieving mitigation success is providing screenshots. Concise explanations and clear identification of the targeted brand or victim also significantly improve outcomes.
He shared an example involving a phishing domain impersonating Scotiabank, where only a few sentences and a screenshot were sufficient to produce registrar action.
Questions on Reporting, Accessibility, and Community Outreach
Claire Craig asked Bunton how NetBeacon’s work could better support underrepresented regions and communities. Bunton acknowledged substantial language and regional biases in current abuse-reporting ecosystems, which remain heavily focused on North America and Western Europe. He noted that translation efforts are ongoing but admitted there are still major gaps in abuse visibility and reporting within the Global South.
Craig also asked how NetBeacon tools complement ICANN Compliance efforts. Bunton explained that NetBeacon Reporter serves as the first line of reporting to registrars, while ICANN Compliance becomes relevant when registrars fail to respond appropriately to well-supported abuse reports.
Justine Chew reinforced the distinction between registrar reporting and ICANN enforcement, emphasizing that users should first contact registrars before escalating to ICANN Compliance. She also asked whether registrars object to NetBeacon Reporter’s simplified submission format. Bunton replied that registrars generally appreciate the standardized and enriched reports, and that the system handles roughly 25,000–30,000 reports per month.
Dr. Adebunmi Adeola Akinbo asked whether At-Large Structures could help bring NetBeacon tools to grassroots communities and end users. Bunton welcomed the idea and acknowledged that while most current reports come from professional organizations such as law enforcement and brand protection firms, greater end-user participation would be valuable. He invited feedback on improving usability and accessibility.
Closing Remarks
Claire Craig concluded by thanking both speakers for their transparency and practical insights. She highlighted the value of NetBeacon’s public reporting model and ICANN Compliance’s evolving enforcement work. She noted that the webinar directly supported ALAC and At-Large capacity-building priorities and encouraged participants to attend ICANN’s upcoming webinar on actionable DNS abuse complaints.
RESOURCES
ICANN DNS Abuse Mitigation Program — central program page for ICANN’s cross-functional work on DNS abuse
ICANN Contractual Compliance Dashboard — monthly enforcement metrics, including the DNS abuse dashboard Leticia Castillo-Sojo described
ICANN Compliance 12-month Trends — rolling-series view of complaint and enforcement trends
ICANN EMEA Webinar — 27 May 2026 — follow-up session on what makes a DNS abuse complaint to ICANN actionable
NetBeacon Institute — Graeme Bunton’s organization, a PIR-funded nonprofit working on DNS abuse reporting and measurement
NetBeacon Reporter — the free abuse-reporting tool any end user can use (25,000–30,000 reports/month)
INFERMAL Project — ICANN-funded research by KOR Labs analyzing attacker preferences in malicious domain registration
Internet Watch Foundation — NetBeacon Reporter’s partner for child sexual abuse material reporting
ICANN At-Large Advisory Committee (ALAC) — the host community for this webinar series
DNS Abuse Playbook — Glenn McKnight’s e-book companion guide shared in the session chat


