Domain Health
Domain Health
Domain Health is a free service to help all .UK registrars to combat cybercrime on domains managed by them and is subject to the general provisions of the .UK Registry-Registrar Agreement.
As abuse of domain names by criminals evolves and increases in sophistication, we continue to look for ways to meet these threats alongside our registrars. Domain Health has been introduced to alert .UK registrars to domains they administer which are implicated in spam, phishing, malware and botnet activity, and to provide registrars with practical advice as to what they can do to address these problems.
We hope that this service will help combat domain abuse within .UK, together with the associated registrar costs, by providing registrars with information from credible security feeds in a user friendly format.
Read our frequently asked questions
How does Domain Health work?
We collect and collate security information from a number of suppliers which highlight .UK domains implicated in abusive use, and make this available for registrars to view in Online Services. The data supplied will only be relevant to each registrar’s domains. We recommend that registrars take appropriate action as per the guidelines below based on the data provided.
| Abuse Category | Description | Recommendations for Mitigation |
|---|---|---|
| Abuse | Abuse is a used as a general term. The domain may be being used by any of the other categories. | We recommend that you investigate why this domain has been identified with abuse. Use the recommendations from the other categories in this table. |
| C&C | C&C stands for command and control. This domain is acting as a control centre for a botnet. A botnet is a collection of compromised computers running unwanted software, often to send spam or execute DDOS (Distributed Denial of Service) attacks. | It is likely that the domain was registered for the purpose of being a C&C. We advise that you investigate further as soon as possible to remedy the issue. It is possible that upon your further investigation you need to suspend the domain. |
| Compromised | This domain has been hijacked. Hijacked domains are under the full control of a malicious third party. | We recommend that you investigate the vector of the hijack and remove any unexpected content from this domain. We advise that you change all passwords and update any software on the computer. If you do not host this domain, we advise that you notify the registrant and offer the advice above. |
| DGA | This domain has been associated with a DGA (domain generating algorithm) which are often used in malware or botnets. | The domain could have been registered for the purpose of being part of a botnet or as malware. We advise that you investigate further before deciding if you should suspend the domain.
Note that security professionals sometimes register DGA domain names to conduct analysis. |
| Malware | The domain is serving malware. Malware is malicious software used to disrupt computers, gather sensitive information, or gain access to private computer systems. Viruses and Trojans are common examples. | We advise that you investigate whether this domain has been hijacked; clean up any affected files/accounts; change all passwords; and update any software on the server.
If you do not host this domain, we advise that you notify the registrant and offer the advice above. |
| Phishing | Phishing is the act of acquiring usernames, passwords, bank details etc. by masquerading as a trustworthy entity. This domain has either sent phishing emails, or been linked to by phishing emails. | We advise that you remove any unexpected content from this domain and use best practices for any bulk email marketing on this domain.
If you do not host this domain, we advise that you notify the registrant and offer the advice above. |
| Spam | This domain has either sent spam, or been linked to by spam. Spam is mass unsolicited advertising emails. | We advise that you remove any unexpected content from this domain and use best practices for any bulk email marketing on this domain.
If you do not host this domain, we advise that you notify the registrant and offer the advice above. |
The data displayed in Online Services is based on a rolling ten day period and is updated on a daily basis. There are search facilities in the display and the data can be downloaded into a csv file. An acknowledge checkbox has been added in order to help registrars track their progress.
Comparative performance
A score is given to each tag to measure and monitor the levels of domains reported to be associated with abuse. The score is marked out of 10 where 10 is a perfect score with no known abuse associated with that tag. The score is calculated using the proportion of ‘bad’ domains on a tag. Not all abuse data will be used for the score calculation; only those domains where data indicates a strong likelihood of abuse in more severe categories will be highlighted.
Tags will also be compared with other tags of a similar size and ranked according to the level of abuse. Registrars will only be able to see their own ranking and scores. Your data is private to you, and we hope that the rankings will help you understand how you are performing against your competitors and decide how and where to take action across your tags to address any systemic vulnerabilities.
Nominet are not able to verify each individual report so the scores and rankings may not always be 100% accurate in every situation, however we believe that the data will give you a strong indication of where follow up action is necessary.
Additional Features
Features include a choice of either daily emails or API integration, as well as graphical reporting.
Daily Emails
Daily Emails provide a timely alert of any domains in your tags associated with abuse such as malware and phishing, delivered via email (csv format). We strongly recommend that you populate your Domain Health email contact within Online Services to receive these. You can do this by visiting the new mailing list preferences within your Online Services account.
An API allows you to automatically pull all information regarding Domain Health into your systems. You can pull your data in a variety of ways including:
- Pull all domains associated with abuse
- Pull information regarding a single domain associated with abuse
- Pull all domains associated with abuse from a single tag
- Pull domains by abuse category
Graphical Reporting
Domain Health reporting in Online Services provides useful charts that visualise Domain Health data over time, detailing tag health, tag rank and abuse categories.
For more information or if you have any further queries please contact us on +44 (0) 330 236 9480 or via email.
Frequently asked questions
- How much does Domain Health cost?
It’s free to all Nominet .UK registrars.
- What’s in it for registrars?
We hope that by using Domain Health, registrars will be able to reduce the amount of abuse which occurs on their .UK domains, which should be an incentive in itself, but registrars should also be able to see a reduction in the amount of support time and direct abuse costs such as charge backs.
- Where does the feed data come from exactly and how do we know that it can be relied on?
The data feeds come from a range of sources, which we continually review and may change over time. We are not publishing which feeds we are using, because that could provide assistance to the criminals who seek to abuse .UK domain names. The source of the specific abuse report will however generally be displayed for transparency or in case of queries. As with all data feeds of this nature there is no guarantee that all abuse will be caught. Despite all efforts, innocent domains may occasionally be reported or a problem is rectified between the report being generated and the registrar being notified.
- How can I check if a domain contains malware?
A registrar should not check a domain has malware by visiting the website. Instead it is recommended to use a malware scanning service such as virustotal (free service at www.virustotal.com). You can input a URL to the site and it will show the results if it has been previously scanned or you can do a new scan.
- Do I have to use Domain Health?
Domain Health is an open beta service which is not mandatory. We do however encourage all .UK registrars to use the service, act upon alerts of .UK domains which are implicated in abuse, and help us continue in our efforts to keep the .UK namespace secure.
- What do you need me to do, and how do I share my feedback?
We would like all registrars to download and act upon the reports of abusive domains, to investigate and to resolve any problems that have been highlighted. You may also want to inform the relevant registrants or the web hosting provider of the abuse on their domains and of any action required or action that has been taken.
We would welcome your feedback for us to consider any additional requirements that may be useful to you and other registrars as this will help inform how we might improve the service and each benefit from Domain Health in the future.
Minerva House, Edmund Halley Road, Oxford Science Park, OX4 4DQ, United Kingdom