Effective DNS Abuse Management: Abuse Team Training Strategies and Insights

iQ not only offers Abuse Management Software, but we also provide our clients with managed abuse services and assistance on how best to manage DNS abuse reports .

In her recent talk at the DNS Symposium in Da Nang, Vietnam, our COO, Su Wu, outlined some points that you should consider when setting up a team to manage DNS abuse cases.

The article provides a comprehensive overview of DNS abuse management, covering policies, procedures, staffing, automation, and the well-being of abuse agents

Today, we'd like to share these with the wider community.

Abuse policies and terms

Abuse policies and terms will vary depending on each organisation.

However, once you have an abuse policy, in order for your abuse team to act on abuse, you need to clearly define procedures for your abuse team.

The more you can define these procedures the easier it will be for your abuse team to manage.

These are some items that you may wish to consider:

• Who should be responsible for dealing with the report?
  For example, Registries do not deal with end users, so a Registrar may be in the best position to deal with the report. Or if you are a Registrar, a reseller may be the most appropriate. Generally speaking whoever "owns" the end user is best placed to manage the report.  
• What types of reports will you deal with?
  There may be some categories of reports that you will not take action on.  Today we are mainly talking about DNS abuse as outlined in the current Base gTLD RA and RRA Contract Obligations. But reports will also include content abuse such as CSAM, IP infringement, hate speech, etc.: Will you act on these as well?
• Define how you will act for different types of reports or reporters.
  For example, you may place high priority on evidenced-based reports. You may prioritise phishing and malware.   You may also have different processes from reporters such as Law Enforcement Agencies and trusted notifiers.
  
  You may also need to consider what you can legally do in your jurisdiction or different jurisdictions.
• How long will you wait before taking action?
  You have referred the case to the responsible party or to your end user.  How long will you wait before you take further action?  And what will this action be? In some cases, you may just close the case, in others you may put the domain on server or client hold.
  
  Cases that are doing harm may be put on hold immediately, whereas in other cases you may wait for a response for 48 hours or several days.
• Monitoring your namespace for abuse
  We recommend that you monitor your namespace for abuse, so you can identify abuse, prior to harm being experienced by users. While you can just act on inbound reports, this may have occurred after the harm has been done.
  
  To monitor your namespace you need to choose what sources you are going to use and decide how often you will check these sources.  There are many different sources of abuse information that report on different types of abuse.
• Staffing your team
  Are you going to have an abuse team managing abuse 24/7, or just business hours?  Think about the types of people who will staff your abuse team, as they may be reviewing dubious and nasty content on a day to day basis.

Overall, it is important that your processes go into as much detail as possible, so your abuse agents have clear guidelines and can handle cases consistently.  

Procedures should be regularly reviewed and improved where possible.

Abuse Management Systems

A system to manage abuse is necessary to monitor your zone and to track, manage and report on abuse activities.

Generally speaking, abuse systems take reports from a list of reputation service providers (such as APWG, Phishtank, Spamhaus), inbound reports and other reporting sources.  The system then creates abuse cases for abuse agents to investigate.

Your abuse system should be able to support the procedures that you have documented, and if possible, create a workflow for agents to follow.  Where possible, the system should be able to automate your defined procedures, so that less cases need to be dealt with by your abuse team.

Automation can include functions such as automatically closing cases when they are no longer being reported or are no longer in the zone or on hold, sending / sharing cases to the responsible party, or prioritising reports for abuse agents to deal with.

There will always be cases that need to be acted on by your abuse team.  

Cases that are clearly evidenced should be clearly acted on as per your defined processes.  This type of evidence may include screenshots of the abuse, email headers, specified URLs, or trusted notifiers who have already verified the abuse.

Where possible the handling of these cases should be automated as much as possible.

However, there will be many reports that are not well evidenced and will need investigation, and a judgement call must be made by the case agent as to whether abuse is present.

Once again, clear parameters and tools for agents can assist in making these calls.

If possible, where abuse is found on a domain name, you should see if there are other domains registered by the same user that may be being used for abuse, which should be investigated as well.

Taking care of your abuse agents

You need to consider the wellbeing of your abuse agents. Abuse management can be a demanding task, and agents are exposed to sensitive or challenging aspects of online content.  

Training and coaching is important, along with well documented procedures and systems.

You should also provide an escalation path within your abuse team.  Cases where the initial abuse agent is uncertain about, can be escalated to a more experienced team member.

Remember, it is also ok for your abuse agents to make the wrong call.  It can be hard to identify abuse, and erring on the side of caution and putting a hold on a legitimate domain is possible.  Server or client holds can be removed if an error is made.

It is also valuable for management to be an abuse agent at regular intervals.  This allows managers to understand the types of abuse and assess how the processes are working.

Key Take-Aways

1. Comprehensive DNS Abuse Management: Ensure you have a well-defined DNS abuse management strategy, including abuse policies, clear procedures, and responsible teams.
2. Diverse Types of Abuse: Abuse reports can cover various forms of abuse, such as DNS abuse, content abuse (e.g., CSAM, IP infringement, hate speech). Determine how to address each type effectively.
3. Timely Action: Define response times and actions for abuse reports. Consider immediate action for cases causing harm and setting specific timelines for responses.
4. Proactive Monitoring: Monitor your DNS namespace proactively to identify abuse before it affects users, rather than relying solely on inbound reports.
5. Team Staffing: Decide whether to have an abuse team available 24/7 or during business hours only. Consider the well-being of team members exposed to challenging online content.
6. Abuse Management Systems: Ensure you have a system to monitor, track, manage, and report on abuse activities. Use automation to streamline processes wherever possible.
7. Support for Agents: Provide clear guidelines, tools, and support to abuse agents to ensure consistent handling of cases.
8. Agent Well-Being: DNS abuse management can be demanding on staff. Training, coach, and provide an escalation path for agents. Rememebr, making the occasional error is acceptable.
9. Management Involvement: Management should periodically assume the role of abuse agents to gain insight into the types of abuse and assess the effectiveness of processes.
10. Adaptation to Specific Situations: Adapt the considerations to fit the unique circumstances of your organization.

We hope you found this article of interest and we'd love hear us some ways that your team are dealing with DNS Abuse!

‍