Context
Tackling abuse has been a core component of Nominet’s work for many years, demonstrated across the social impact initiatives we are involved in, ongoing targeted investigations, previous Protective DNS work, and our collaboration in the European TLD ISAC. We take this role very seriously – and have been working on making these initiatives more transparent and integrated.
Nominet’s role as Guardians of .UK sees us undertaking ongoing work to better establish our approach. We are committed to sharing more information on what we’re doing to tackle abuse, observations as we do so, and our views on different elements of the challenges involved with tackling abuse proportionately.
This blog is a fresh starting point: we want to hear from our members and stakeholders, understand their views and challenges with regards to abuse, and identify where we can contribute more to the community at large in combatting abuse.
Introduction
While investigating online abuse, there are three categories of malicious indicators of compromise (IOCs) typically dealt with at the domain level:
- Maliciously registered domains
- Compromised domains
- Exploitable services
The first of these is straightforward: these are domains that a threat actor registers directly, so any infrastructure associated with them can be considered of interest to an investigation. The remaining two categories are the subject of this blog and are more complicated, both to investigate and to act on in order to prevent online harm.
We hope that talking about these challenges encourages discussion of the nuances of investigating and taking proportionate action on compromised domains and domains belonging to exploitable services, as well as of how they are reported by researchers and reputational block lists (RBLs).
Compromised Domains
Compromised domains are domains registered non-maliciously by legitimate registrants, but which are hosting malicious content. In most cases the domain itself has been compromised by malicious actors and content has been added to the site without the registrant’s knowledge.
If not tackled, these IOCs can have a great impact: the site’s earned reputation as benign allows the harm to be amplified in several ways at once:
- Site visitors become victims of the malicious activity hosted after compromise.
- RBLs are less likely to categorise the site quickly as containing abuse, so harm to innocent users is not mitigated.
- In addition to the harm caused to the registrant and their business at the time it is compromised, domains once listed on RBLs may not be removed quickly despite a registrant’s intervention to address the compromise, thus further harming the registrant’s interests. This causes continued connection issues for legitimate visitors of the domain, even after the compromise has been remediated.
Due to these concerns, some may take the approach that action should weigh the severity of the malicious activity’s impact against the popularity and criticality of the legitimate services offered by the domain. Some examples are listed below to prompt thinking on how to action such cases:
- A local business domain compromised and now hosting a ransomware download
- A charity that a local council works with closely has its domain compromised, with both organisations relying heavily on emails between their respective teams
- A major news organisation is compromised, and the domain is being used to inject malware on unsuspecting site visitors
- An infrequently visited healthcare domain has been compromised and is hosting ransomware; the domain provides crucial resources to the health service
- Subdomains of government websites hosting malware because dangling DNS records were not correctly managed, alongside poor hygiene (the subject of government security guidance)
Currently, Nominet is looking at how best to help registrants and registrars handle compromised domains in a way that is timely and proportional. We’d appreciate any thoughts and feedback that may be offered in relation to these challenges.
To start the conversation on our current practice: at present (July 2025) Nominet notifies registrants and registrars of any detected abuse on a likely compromised domain so that it can be remediated. We are not looking to suspend compromised domains; instead we seek means to ensure that issues are addressed.
Exploitable Services
Exploitable services are domain names operated by lawful businesses that offer established and benign services to users, and which threat actors may abuse as part of a wider attack chain.
This makes actioning an exploitable service domain very challenging, and suspension is not something Nominet is currently looking to apply to them.
Some examples of exploitable services may include:
- URL shorteners
- File sharing services
- Website hosting providers
- Advertising services
- Dynamic DNS providers
These services are often listed in RBLs as they can be associated with a variety of attack types. URL shorteners, for example, are used by malicious actors as a method of delivering attacks, as they obscure the true destination from end users until they click the link provided, enabling a more concealed initial delivery method.
However, URL shortening is a mostly benign service that is used by many organisations, and it has multiple valid uses. As suspension cannot prevent abuse at the URL level, a suspension against a URL shortener would interrupt these benign use cases and impact business operations of the service’s users.
Alternatively, some of these services use subdomains, rather than URLs, to delineate their services or customer-specific deployments. This can often be the case with content distribution networks (CDNs) or hosting provider domains, which provide free website builders and attract many malicious actors to create free phishing sites.
Nominet maintains a custom “Extended Public Suffix List”, which is used in addition to the public suffix list to designate domains that act as parents to a large number of customer- or service-specific subdomains. These parent domains should never be actioned in either use case, due to the collateral impact on the customer-specific subdomains.
The CDNs in these cases will host resources on a subdomain provisioned to each customer or service under the CDN’s parent domain (e.g., badfreesite1[.]cdnparent[.]tld). This is an example where blocking the hostname could be a valid use case for protective DNS services and other security controls, but it is not actionable for suspension at a registry level.
Closing thoughts
It is often the case in RBLs that a compromised domain is either listed alongside phishing, malware, etc., as its own abuse type, or is not flagged differently at all. Understandably, the users of these lists have many use cases and often only need them to block access for their company users at the URL level, so the level of classification we care about for suspension consideration may not be of concern to them.
However, it should be argued that ‘Compromised’ is not an abuse type, but instead its own distinct classification that adds context to an IOC in addition to the type of abuse, such as phishing, malware, or botnets. Therefore, it is more useful for investigations to list whether a domain is “Compromised” alongside the more specific malicious activity being hosted on it, as this gives security analysts the best context for informing their investigation, and infrastructure operators the best context for taking a suitable remediation action. Similarly, it can be argued that any exploitable service used as an IOC should be flagged as such in the metadata provided.
Reporting abuse
If you observe any malicious activity on a .UK, .CYMRU, or .WALES domain, we would urge you to consider reporting it to Nominet through abuse@nominet.uk.
We would appreciate any additional evidence, context, and classification you can provide with your report so that we can ensure this is actioned proportionately to the threat presented.
Author – Dominic Rivett, Nominet Threat Analyst