Why Domain-Related Takedowns Fail
There are a lot of reasons why domain-related takedowns fail. This article explores some of the most common reasons.
Last updated: December 2, 2025

This article was made possible through the support of PhishFort.
PhishFort delivers AI-powered brand protection: detecting and eliminating phishing sites, fake apps, and impersonations across every digital channel. The world’s top brands trust PhishFort for being the gold standard in takedowns, delivering security at scale.
Introduction
Takedowns are a common part of the internet today. Companies and individuals regularly seek to have harmful or unauthorized content removed, but the process is rarely straightforward. As a victim, the goal is binary: is the offending content gone or not? As practitioners, we know the answer is incredibly nuanced.
While the outcome is black-and-white, getting there requires navigating a grey area of jurisdictions, policies, and technical details. The right path depends on the type of abuse and the entities involved.
(This article is part of PhishFort's The Nuance of Takedowns series.)
For this article, we will explore why takedowns related to domain names often fail, even when the victim feels the case is clear.
Before Starting: Keep in Mind the Obligations
Broadly speaking, registrars and registries have an obligation to act on evidenced DNS abuse. This includes provable instances of phishing, spam, malware, pharming, and botnets. If you can prove that a domain is engaging in one of these activities, the registrar or registry involved is generally obligated to remediate the abuse.
However, outside of these specific categories, the obligation to act diminishes rapidly. Understanding where the line is drawn is key to understanding why a request might be rejected.
Lack of Verifiable Evidence
The mentality of most anti-abuse teams in the domain industry is "innocent until proven guilty." While the bar for proving guilt is much lower than in a criminal court, it still exists.
A screenshot of a phishing page, combined with a brand-new domain name, is usually enough to get a suspension. The review is quick, and the outcome is swift.
However, if a team receives a complaint that lacks verifiable evidence, such as an alleged phish without a screenshot or a link to a forensic tool that doesn't clearly show the attack, they will likely reject it. Evidence must be easily understood and reproducible. The mere threat that a domain might be used against your brand is never sufficient. The analyst on the other side deals in facts, not possibilities.
This rigidity serves a specific purpose: avoiding false positives. Registrars are terrified of accidentally suspending a legitimate business—imagine the liability if they mistakenly took down a real bank's new marketing microsite because a user reported it as "suspicious." Anti-abuse teams constantly weigh the risk of leaving a phish online against the massive commercial risk of disrupting a lawful business. Without 100% clear evidence of abuse, the default answer is "no" to avoid that liability.
No Obligation to Act (The "Solely Trademark" Issue)
One of the most difficult realities we educate our clients on is that "solely trademark" issues are incredibly hard to tackle at the domain level. By this, we mean cases where a domain uses your brand name without authorization but is not engaging in technical abuse like phishing or malware distribution.
Why do these requests fail? Because registrars and registries view these as content disputes, not security threats. They are not the "internet police," and they generally refuse to adjudicate trademark rights.
For these issues, they will refer you to the UDRP process or require a court order. Some may tell you to contact the hosting provider instead, which can be a dead end if the host is hidden behind a proxy service or located in an unresponsive jurisdiction. Effectively, this leaves the client in a position where no one in the domain's ecosystem feels obligated to act, resulting in wasted time and money.
A Rushed Process
Takedowns take time. A report must be documented, evidenced, and reviewed by a human or an automated system at the registrar.
When a victim demands immediate action without allowing for proper investigation, the chance of failure increases. If the report is rushed and lacks critical details, the analyst at the registrar may reject it simply because the case isn't clear. Furthermore, aggressively pestering the registrar or registry can be counterproductive. Acting against abusive domains is a cost center for these entities; adding friction to their workload often results in them strictly adhering to policy and finding a reason to say "no" rather than going the extra mile to help.
The "Parked Page" Dilemma
Imagine you own acmeco.com. You are alerted that someone has just registered acmecompany.com. You visit the site and see a "parked page": a generic landing page full of random ad links. You are worried about what they might do next, so you ask for a takedown.
This request will almost certainly fail.
Registrars and registries do not act on potential future threats. In this scenario, there is no proof that acmecompany.com is targeting your customers. Furthermore, "domain parking" is a legitimate business model in the industry, often used by registrars themselves to monetize unused domains. Without proof that the domain is actively hosting malicious content or harvesting credentials, it is viewed as a harmless asset, regardless of how close the name is to your brand.
The Responsible Party Simply Won't Act
This is the hardest scenario to accept. Sometimes, you have a textbook case: a fake login page for a global brand on a domain registered yesterday. The evidence is perfect, and the contractual obligation to act is clear.
But the responsible party simply doesn't respond.
Perhaps their abuse reporting software is broken. Perhaps they are understaffed. Or, perhaps they are a "bulletproof" provider that implicitly ignores abuse reports to protect their revenue. Follow-ups and pleas go unanswered.
When the primary registrar refuses to do their job, your options narrow significantly. You can try escalating to the registry or filing a complaint with ICANN, but these processes are slow and often rely on the cooperation of the very entity that is ignoring you. In these cases, the takedown "fails" not because you were wrong, but because the system lacks an immediate enforcement mechanism for bad actors. When this happens, the strategy must shift from "takedown" to "mitigation," such as working with browser vendors to flag the site as dangerous to users.
Conclusion
Understanding why a takedown fails is just as important as knowing how to submit one. Whether it’s a lack of evidence, a policy gap regarding trademarks, or an unresponsive registrar, identifying the roadblock allows practitioners to pivot their strategy and find alternative ways to protect their organization.
