Key Factors in Domain Suspension

When evaluating a domain for suspension, a variety of data points are considered before action is taken.

Last updated: November 19, 2025

Introduction

Takedowns are a common part of the internet. Companies and individuals regularly seek to have harmful or unauthorized content removed, but the process is rarely straightforward. As a victim, the goal is binary: is the offending content gone or not? As practitioners, we know the answer is incredibly nuanced.

While the outcome is black-and-white, getting there requires navigating a grey area of jurisdictions, policies, and technical details. The right path depends on the specific properties of the domain in question. This article explores the major factors that practitioners, registrars, and registries weigh when considering a domain suspension—known as a clientHold when issued by a registrar or serverHold by a registry.

This article assumes that the domain reported is engaging in DNS abuse, such as phishing or distributing malware.

The Domain Name Itself

The words in a domain name often reveal its purpose. When a domain's name clearly signals malicious intent, the case for suspension becomes much stronger. Registrars and registries look for names that include:

  • Well-known trademarks, especially when combined with action words (e.g., chase-secure-login.com).
  • Generic but sensitive terms like account, bank, service, reset, or payment.
  • Common typosquatting variations of popular brands (e.g., gooogle.com or microsaft.com).
  • Incoherent strings of letters and numbers, which are often programmatically generated for short-lived phishing campaigns.

When a domain like this is reported with evidence of a login form or PII collection, its intent is substantiated. This combination of a suspicious name and malicious use makes for a straightforward takedown request.
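The naming signals listed above can be turned into a repeatable first-pass check. The following scorer is an added example and not PhishFort code: the brand list, action words, sensitive terms, weights and thresholds are constructed assumptions, and the suffix handling is simplified to single-label TLDs. It catches brand-plus-action combinations, sensitive terms, typosquats by edit distance, and labels that look programmatically generated.

```python
"""Heuristic scoring of a domain name's wording.

Added example, not PhishFort code. The brand, action-word and sensitive-term
lists, the weights and the thresholds are constructed assumptions; a real
deployment would load brand lists from the trademark holder.
"""
import re

BRANDS = {"chase", "google", "microsoft", "paypal"}  # constructed watch list
ACTION_WORDS = {"secure", "login", "signin", "verify", "update", "confirm"}
SENSITIVE_TERMS = {"account", "bank", "service", "reset", "payment"}
SEPARATORS = re.compile(r"[-_]")


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Simplification: assumes a single-label suffix (.com, not .co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as 'gooogle' or 'microsaft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_generated(token: str) -> bool:
    """Long tokens mixing several digits with letters, or almost vowel-free, read as machine-generated."""
    if len(token) < 8:
        return False
    letters = [c for c in token if c.isalpha()]
    digits = [c for c in token if c.isdigit()]
    if letters and len(digits) >= 2:
        return True
    if not letters:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def score_domain(domain: str) -> dict:
    """Return a constructed score and the reasons behind it; higher means a stronger suspension case."""
    label = registrable_label(domain)
    tokens = [t for t in SEPARATORS.split(label) if t]
    score, reasons = 0, []

    # Exact brand tokens plus brands embedded without a separator (e.g. 'paypalsecure').
    # Substring matching is deliberately aggressive and will also hit words like 'purchase'.
    brand_hits = {t for t in tokens if t in BRANDS} | {b for b in BRANDS if b in label}
    action_hits = {t for t in tokens if t in ACTION_WORDS}
    sensitive_hits = {t for t in tokens if t in SENSITIVE_TERMS}

    if brand_hits and (action_hits or sensitive_hits):
        score += 50
        reasons.append(f"brand {sorted(brand_hits)} combined with {sorted(action_hits | sensitive_hits)}")
    elif brand_hits:
        score += 20
        reasons.append(f"brand term present: {sorted(brand_hits)} (verify registrant ownership)")
    if sensitive_hits:
        score += 10 * len(sensitive_hits)
        reasons.append(f"sensitive terms: {sorted(sensitive_hits)}")

    # Near-misses of a brand (edit distance 1-2) that are not the brand itself.
    for t in tokens:
        for brand in BRANDS:
            d = levenshtein(t, brand)
            if 0 < d <= 2 and len(t) >= 5:
                score += 40
                reasons.append(f"{t!r} is within edit distance {d} of {brand!r}")

    if any(looks_generated(t) for t in tokens):
        score += 30
        reasons.append("label looks programmatically generated")
    return {"domain": domain, "score": score, "reasons": reasons}


if __name__ == "__main__":
    for d in ["chase-secure-login.com", "gooogle.com", "microsaft.com", "x7k2q9mz.top", "linuxkernel.org"]:
        print(score_domain(d))
```

The score on its own is not grounds for suspension; as the section says, it is the combination of a suspicious name with evidence of a live login form or PII collection that substantiates intent. The `reasons` list is what belongs in the abuse report.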

(This article is part of PhishFort's The Nuance of Takedowns series.)

Domain Age

Domain age is one of the most heavily weighted factors in a takedown request.

  • Newly Registered Domains: The industry generally agrees that domains used for abuse within a week or two of their creation were registered for that specific purpose. Suspending them is considered low-risk.
  • Aged Domains: Registrars are more conservative with older domains. An aged domain is more likely to be a legitimate, established asset that was compromised or hacked. Suspending it could cause significant collateral damage. For this reason, takedown requests for older domains require much stronger evidence to rule out a compromise.

This is why early detection and rapid reporting are crucial. The faster an issue is raised with solid evidence, the better the chance of a timely resolution.

Domain Context within the Zone and Other Zones

Registrars and registries don't just look at a domain in isolation; they consider its context and connections. This "guilt by association" can be a powerful indicator of abuse.

  • Bulk Registrations: A single actor registering hundreds of similar domains at once (e.g., account-reset-1.xyz, account-reset-2.xyz) is a red flag. This pattern indicates a pre-planned, potentially at-scale attack, not a collection of individual websites. Note, however, that this alone is not necessarily enough. Showing a meaningful sample of abusive domains within the batch is paramount to getting the whole batch mitigated.
  • Shared Infrastructure: If a domain shares nameservers, an IP address, or registrant information with other domains already known for malicious activity, it's more likely to be considered abusive itself.

For trademark holders, identifying and reporting these related domains as a group strengthens the case against the entire network, potentially leading to a much broader and more effective takedown.
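The age and context factors from the two sections above combine naturally into a triage step run over a set of reported domains. The following is an added example, not PhishFort tooling: all records, nameservers, IPs, registrant addresses, the 14-day "newly registered" threshold and the `KNOWN_BAD` set are constructed, and a real deployment would source creation dates from RDAP/WHOIS and infrastructure links from passive DNS. It buckets each domain by age, detects numbered bulk batches, finds infrastructure shared with an already-confirmed abusive domain, and recommends whether to report individually, as a batch, or with the extra evidence an aged domain demands.

```python
"""Triage of reported domains by age and infrastructure context.

Added example, not PhishFort tooling. Records, nameservers, IPs, registrant
e-mails and the 14-day threshold are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    created: date
    nameservers: tuple
    ip: str
    registrant_email: str


# Constructed sample: a numbered batch, a domain sharing the batch's nameserver,
# and an old, unrelated small-business site.
RECORDS = [
    DomainRecord("account-reset-1.xyz", date(2025, 11, 15), ("ns1.badhost.example",), "203.0.113.10", "throwaway@mail.example"),
    DomainRecord("account-reset-2.xyz", date(2025, 11, 15), ("ns1.badhost.example",), "203.0.113.10", "throwaway@mail.example"),
    DomainRecord("account-reset-3.xyz", date(2025, 11, 16), ("ns1.badhost.example",), "203.0.113.10", "throwaway@mail.example"),
    DomainRecord("secure-update-portal.com", date(2025, 11, 10), ("ns1.badhost.example",), "203.0.113.11", "other@mail.example"),
    DomainRecord("town-bakery.com", date(2014, 3, 2), ("ns1.legit-dns.example",), "198.51.100.5", "owner@town-bakery.com"),
]
KNOWN_BAD = {"account-reset-1.xyz"}  # constructed: already confirmed as phishing
TODAY = date(2025, 11, 19)
NEW_DAYS = 14  # "a week or two": assumed registered for the purpose of abuse
NUMBERED = re.compile(r"^(?P<stem>.+?)[-_]?\d+$")


def age_bucket(rec: DomainRecord, today: date = TODAY) -> str:
    """new: within NEW_DAYS of creation; recent: under a year; aged: older."""
    days = (today - rec.created).days
    if days <= NEW_DAYS:
        return "new"
    return "recent" if days <= 365 else "aged"


def bulk_stem(domain: str):
    """'account-reset-1.xyz' -> 'account-reset'; None when the label is not numbered."""
    m = NUMBERED.match(domain.split(".")[0])
    return m.group("stem") if m else None


def infra_index(records):
    """Map each nameserver, IP and registrant to the set of domains using it."""
    index = defaultdict(set)
    for r in records:
        for ns in r.nameservers:
            index[("ns", ns)].add(r.domain)
        index[("ip", r.ip)].add(r.domain)
        index[("registrant", r.registrant_email)].add(r.domain)
    return index


def triage(records, known_bad, today: date = TODAY) -> dict:
    """Return, per domain, its age bucket, bulk group, shared-infrastructure links and a reporting recommendation."""
    index = infra_index(records)
    stems = Counter(s for s in map(bulk_stem, (r.domain for r in records)) if s)
    report = {}
    for r in records:
        stem = bulk_stem(r.domain)
        bulk_group = stem if stem and stems[stem] >= 3 else None
        # Infrastructure keys this domain shares with an already-confirmed abusive domain.
        shared = sorted(
            key for key, members in index.items()
            if r.domain in members and (members & known_bad) - {r.domain}
        )
        bucket = age_bucket(r, today)
        if bucket == "aged" and not (bulk_group or shared):
            rec = "aged: likely a compromised legitimate site; gather strong evidence and report to the host as well as the registrar"
        elif bulk_group or shared:
            rec = "batch: report together with the linked domains, citing the confirmed abusive sample"
        elif bucket == "new":
            rec = "individual: report with evidence of the live page; a new registration is low-risk to suspend"
        else:
            rec = "individual: report with evidence of the live page"
        report[r.domain] = {"age": bucket, "bulk_group": bulk_group, "shared_with_known_bad": shared, "recommendation": rec}
    return report


if __name__ == "__main__":
    for domain, verdict in triage(RECORDS, KNOWN_BAD).items():
        print(domain, verdict)
```

The batch recommendation only fires when there is a link back to a confirmed abusive sample, which mirrors the point above that a bulk pattern alone is not enough; the aged branch raises the evidence bar rather than lowering it, because an old domain is more likely to be a compromised legitimate asset.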

The Registrar and Registry

The organizations governing a domain dictate the rules of engagement. They generally fall into two categories:

  • ICANN Accredited: These entities manage generic TLDs (gTLDs) like .com or .org. They are bound by ICANN contracts to mitigate abuse and provide a trademark dispute process (UDRP). This creates a clear, predictable path for takedowns.
  • Country or Region Serving: Many country-code TLDs (ccTLDs), like .ru (Russia) or .cn (China), are run by government-appointed entities. This may mean that the registrar and registry reside and operate exclusively inside the respective country. These are sovereign domains bound only by local laws and policies. If a country is lax on abuse or doesn't recognize international trademark claims, takedown requests may be ignored.

Things get tricky when an ICANN-accredited registrar sells a ccTLD. The registrar may be obligated to act on an abuse report, but the ccTLD's registry may not be. Understanding the policies of every entity involved is key to setting expectations.

The Domain is a Platform or Service

When abuse occurs on a platform like facebook.com, duckdns.org, or blogspot.com, the game changes. Registrars and registries will not suspend a major platform's domain due to the actions of a single user. The risk of massive commercial harm and collateral damage is too high.

In these cases, the responsibility for handling the abuse falls to the platform's internal trust and safety team. Reporting a fake bank page hosted on github.io to the domain's registrar is a waste of time; it must be reported directly to GitHub's abuse team. Going to the registrar first only delays the resolution.

Conclusion

By analyzing factors like the domain's name, age, "neighborhood," governing bodies, and its function as a website or a major platform, practitioners can determine the most effective takedown strategy. This nuance is why a one-size-fits-all approach to mitigating online abuse is rarely effective.

Navigating this complex landscape is what we do every day. If your brand is facing threats from phishing or online impersonation, contact the experts at PhishFort to learn how we can help protect you.
