When Parked Domains Abuse the Domain Registration and Our Mitigation Processes Fail

In this blog I am going to talk about mitigation of DNS abuse in zero-click domains. But let me start with a caveat for those who don’t know me: I am a defender of the open, global Internet. I believe DNS abuse or any other kind of abuse mitigation should be handled with care so that it does not hamper people’s access to online services. I am not a die-hard “take down everything even at the expense of people’s rights” and I am not an advocate for purifying the web, and I even have a different approach to handling violators than the binary “good and bad” lists that remind me of Santa’s naughty-or-nice ledger.

But I work on DNS abuse mitigation and I sometimes go after abusive domains to see how the mitigation processes really work. My motivations are threefold: First, to demonstrate that we don’t need the Uniform Domain Name Dispute Resolution Policy (UDRP) in most cases to fight abusive domains—DNS abuse is not an intellectual property issue. Second, to identify and shed light on the real governance problems we face in the domain name system. And third, to push back against the narrative that DNS abuse has made the Internet unusable. It hasn’t. 

What is DNS Abuse?

By DNS abuse, I mean abuse that is “technical” in nature and does not venture into the murky territories of content abuse. According to ICANN’s contractual definition, DNS abuse encompasses phishing, malware, botnets, and spam when used for delivery. A few years ago, ICANN developed a contractual amendment to facilitate enforcing abuse mitigation. I thought this meant reporting and taking action on truly abusive domains would be easier. 

Discovering Zero-Click Redirects

In my hunt for abusive domains, I recently came across a very interesting phenomenon that I’m calling “zero-click redirect.” Infoblox has an interesting recent article on it.

Here’s how it works: The registrant registers and parks a domain that could be a mistype of a famous name. You misspell a word in your browser’s address bar. The parked domain immediately redirects you to some other website through a redirect chain—often a site that wants to download malware onto your computer. No clicking required. Just a typo.

I recently encountered YouTubee[.]com (note the extra ‘e’) which was exactly the kind of zero-click redirect on parked domains that I’ve been documenting.

The Investigation Begins

I first reported YouTubee[.]com directly to the registrar. After some back and forth, they recommended that I go to the hosting company. Then I reported them via different abuse reporting portals like NetBeacon. The registrar’s response was… illuminating. First see the video documenting the abuse.

The Registrar’s Response

“Dear Brand Protection,

We are writing in response to your recent complaint concerning the domain name in question. We understand that you find the content on the website associated with this domain name abusive, offensive or otherwise objectionable; however, neither Above.com and or its subsidiary registrar brands (collectively, ‘Above.com’) is the registrant of the domain name, nor providing hosting services for the domain name. Above.com is simply the registrar of record, providing domain registration services. As such, we are also not in a position to determine whether a particular domain name registration violates a third party’s rights.

Above.com will only take action with respect to a particular domain registration pursuant to (i) a request from the current domain name registrant; (ii) the terms of the Uniform Domain Name Dispute Resolution Policy (‘UDRP’) issued by the Internet Corporation for Assigned Names and Numbers (‘ICANN’), the international regulatory body that oversees the administration of domain names; or (iii) an order from a court or arbitral tribunal of competent jurisdiction.

If you would like to file a domain dispute against the registrant of the domain, please visit the following link for more information: https://www.icann.org/resources/pages/dispute-resolution-2012-02-25-en

Please note that under the U.S. Communications and Decency Act, an Internet Service Provider or Web host is immune from liability for the content posted on a website by a customer and therefore, neither Above.com nor its affiliates would be a party to any potential court, arbitral or regulatory proceedings.

We consider the matter closed.”

Why This Response is Problematic

First of all, this response is very offensive to me personally. I am not a “brand protectionist,” and I will never ask for content to be taken down because I don’t agree with it. I believe in freedom of expression and the human rights of even my enemies. This is not about trademark protection—it’s about technical abuse.

Aside from being offended personally, Above.com has a contractual obligation to investigate these cases. I responded to Above.com explaining all of this. I told them they need to look into this matter seriously. I am not going to file a UDRP—this isn’t an intellectual property dispute. According to ICANN’s recent contractual amendment on DNS abuse, they have an obligation to investigate. They should not give me a boilerplate answer designed for trademark disputes and consider the matter closed.

The 2024 Global Amendment to the Registrar Accreditation Agreement, effective April 5, 2024, is explicit in Section 3.18.1: registrars “shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.” Furthermore, Section 3.18.2 requires that when a registrar has “actionable evidence” that a domain is being used for DNS abuse—which the amendment defines as including malware, botnets, phishing, pharming, and spam—the registrar “must promptly take the appropriate mitigation action(s)” to stop the abuse. My report included evidence of zero-click redirects to malware distribution sites.

But as they said in their response, they believed the matter was closed. So I waited a bit, and then at some point, I reported them to ICANN.

ICANN Compliance

This is the automatic response I received from ICANN compliance:

“Thank you for submitting a complaint to ICANN Contractual Compliance.

The case number that has been assigned to your complaint is 01512939. Please take note of this number as you may need to refer to it in future communications with ICANN.

Upon completing review of your submission, ICANN Contractual Compliance will send you a confirmation that your complaint is under process or will request any additional information or evidence needed to assess your complaint.

ICANN’s authority extends to the enforcement of the requirements outlined in the agreements that it has with its contracted parties, registrars and registry operators. If the issue described in your complaint is outside the scope of these agreements, you will receive an explanation as to why it is not within ICANN’s authority to address your complaint, along with suggestions of alternative avenues which you may wish to pursue…”

I reported it on December 2, 2025. It’s been 25 days, and ICANN has not processed or even started reviewing this case. There are several process improvements for ICANN compliance to consider. One is to give a clear timeline so that the complainant does not think the complaint went to the abyss. Another is making the form more user friendly. 

Medusa Continues

I monitored the domain after reporting, thinking perhaps something had been done about YouTubee[.]com in the meantime.

For a few days, quite possibly after they had found out that somebody was reporting, the domain was redirected to some legitimate website about how to create YouTube premium domains. But I knew they would give it some time and get back to their malicious activities.

So I checked again. And as of yesterday, you can see in the screen recording how it’s taking me to a website that tries to download malware on my computer.

A Silver Lining: Browser Protection

One interesting thing I noticed was that Google Chrome gave me a warning and asked, “Do you mean YouTube?” and you could click on that and continue to YouTube. This is an excellent initiative by the browser to protect users from typosquatting. I checked Safari, and it doesn’t offer this feature yet. This could suggest that real solutions to DNS abuse might come from browser vendors and other technical actors, not from the slow-moving contractual compliance machinery.

What This Case Reveals

The YouTubee[.]com saga illustrates several critical failures in the current DNS abuse mitigation framework:

1. Some registrars misunderstand their obligations. They conflate DNS abuse with intellectual property disputes and use boilerplate responses designed for trademark conflicts, even when dealing with clear technical abuse like malware distribution.

2. The ICANN compliance process needs improvement. Twenty-five days without even beginning to process a complaint about active malware distribution is unacceptable. 

3. Reporting systems are inadequate for zero-click redirects. Neither NetBeacon nor ICANN’s reporting portal accepts video evidence, which is essential for documenting zero-click redirects. Because these parked domains redirect to multiple different websites at different times, registrars could argue—weakly—that DNS abuse is not the “sole purpose” of the domain, exploiting a technicality to avoid their mitigation obligations. The reporting infrastructure itself creates barriers to addressing this form of abuse.

It is clear that reporting mechanisms aren’t designed to handle the evidence needed for this type of abuse, and the dynamic nature of zero-click redirects makes things complicated.

4. Abusers change their approach. The temporary switch to legitimate content when under scrutiny shows that these actors monitor for complaints and adapt their tactics. They also give different content depending on what IP / device / browser / referrer you arrive from. They understand the system’s weaknesses and the loopholes that our processes have.

5. Real solutions may come from elsewhere. Chrome’s typosquatting warning is more effective than months of reporting through official channels. 
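Points 3 and 4 describe evidence that is hard to submit: a redirect chain that changes with time and with the client. The following is an added example, not part of the original post, of recording such a chain as timestamped text that fits a text-only report form; the hostnames, client profiles and the `demo_fetch` responder are constructed for illustration.

```python
import hashlib, re, urllib.error, urllib.request
from datetime import datetime, timezone
from urllib.parse import urljoin

META_REFRESH = re.compile(rb'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*?url=([^"\'>\s]+)', re.I)

class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx surfaces as HTTPError below

def http_fetch(url, headers):
    """Live fetcher: one request, no automatic redirects. Returns (status, headers, body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(_NoFollow).open(req, timeout=10) as r:
            return r.status, dict(r.headers), r.read(65536)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read(65536)

def trace(url, profile, fetch=http_fetch, max_hops=10):
    """Follow Location and meta-refresh redirects, recording every hop."""
    hops = []
    for _ in range(max_hops):
        status, headers, body = fetch(url, profile)
        nxt = {k.lower(): v for k, v in headers.items()}.get("location")
        if not nxt:
            m = META_REFRESH.search(body)
            nxt = m.group(1).decode("ascii", "replace") if m else None
        hops.append({"time": datetime.now(timezone.utc).isoformat(), "url": url, "status": status,
                     "next": nxt, "body_sha256": hashlib.sha256(body).hexdigest()})
        if not nxt:
            break
        url = urljoin(url, nxt)  # Location may be relative to the current hop
    return hops

# Constructed stand-in for a parked domain that varies its answer by client.
def demo_fetch(url, headers):
    if url == "http://typo.example/":
        mobile = "Mobile" in headers.get("User-Agent", "")
        return 302, {"Location": "http://tds.example/r" if mobile else "http://parking.example/"}, b""
    if url.startswith("http://tds.example/"):
        return 200, {}, b'<meta http-equiv="refresh" content="0;url=http://landing.example/get">'
    return 200, {}, b"<html>end of chain</html>"

# Constructed client profiles; each one gets its own recorded chain.
PROFILES = {"desktop": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
            "mobile": {"User-Agent": "Mozilla/5.0 (iPhone) Mobile", "Referer": "https://search.example/"}}

def evidence(url, fetch=http_fetch):
    """One timestamped chain per client profile, as plain data for a text report."""
    return {name: trace(url, hdrs, fetch) for name, hdrs in PROFILES.items()}
```

Redirects triggered by JavaScript are not seen by this tracer and need a headless browser; repeating the run on different days captures the time-dependent behaviour.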

Moving Forward

I will continue documenting these cases. These real-world examples are necessary to inform better policy. Perhaps these case studies are as valuable as stats and research that miss the points about governance. We need to shine a light on the governance problems in the domain name system—not to create panic about the unusability of the Internet and not to create directives and laws such as NIS2 that insist on identifying the domain name registrant, but to build more effective, rights-respecting solutions.

The YouTubee[.]com case is now documented. Case number 01512939 sits in ICANN’s queue. The domain continues to redirect users to malware. And somewhere, a registrar’s automated system has marked my complaint as “closed.”

ABOUT THE AUTHOR
Farzaneh Badii
Digital Medusa is a boutique advisory providing digital governance research and advocacy services. It is the brainchild of Farzaneh Badi[e]i. Digital Medusa’s mission is to provide objective and alternative digital governance narratives.