Quick Answer
To report domain abuse, start with the domain's registrar (find it via WHOIS lookup) and submit a complaint to their abuse contact. For phishing, also report to Google Safe Browsing, Microsoft, and the Anti-Phishing Working Group. For persistent issues, file with ICANN Contractual Compliance. Malware domains should be reported to security organizations like abuse.ch. Include complete evidence: URLs, screenshots, headers, and timestamps. Reports are free and can result in domain suspension or takedown.
Table of Contents
Types of Domain Abuse
Before reporting, identify the type of abuse you're dealing with:
Phishing
Definition: Domains used to impersonate legitimate organizations to steal credentials, financial information, or personal data.
Examples:
- Fake login pages (bank-secure-login.com)
- Credential harvesting sites
- Brand impersonation
- CEO fraud/business email compromise
Malware Distribution
Definition: Domains hosting or distributing malicious software.
Examples:
- Drive-by download sites
- Exploit kit hosting
- Command and control (C2) servers
- Ransomware distribution
Spam Operations
Definition: Domains used to send unsolicited bulk email or host spam-related content.
Examples:
- Spam email campaigns
- Pharmaceutical spam sites
- Dating/romance scam sites
- Lottery/prize scam pages
Fraud and Scams
Definition: Domains used for fraudulent schemes to deceive and steal from victims.
Examples:
- Fake e-commerce stores
- Investment scams
- Romance scams
- Tech support scams
Trademark Abuse
Definition: Domains that infringe on trademarks for commercial benefit.
Examples:
- Counterfeit goods sales
- Brand impersonation
- Typosquatting for traffic
- Competitor sabotage
Child Safety Violations
Definition: Domains hosting illegal content involving minors.
Reporting: Contact law enforcement immediately, plus organizations like NCMEC (National Center for Missing & Exploited Children).
Finding the Right Reporting Channel
Quick Reference Table
| Abuse Type | Primary Report To | Secondary Reports |
|---|---|---|
| Phishing | Registrar + Google Safe Browsing | Anti-Phishing Working Group |
| Malware | Registrar + abuse.ch | Google Safe Browsing, VirusTotal |
| Spam | Registrar + SpamHaus | ICANN (if unresolved) |
| Fraud | Registrar + FTC | Law enforcement, IC3 |
| Trademark | Registrar + UDRP provider | ICANN (policy issues) |
| Child Safety | Law enforcement + NCMEC | FBI, Registrar |
Step-by-Step Process
- Identify the domain: Document the exact domain name and URL
- Perform WHOIS lookup: Find the registrar and abuse contact
- Gather evidence: Screenshots, headers, timestamps
- Report to registrar: Primary abuse contact
- Report to specialized organizations: Based on abuse type
- Escalate if needed: ICANN, law enforcement, or legal action
Registrar Abuse Contacts
How to Find Abuse Contacts
Step 1: WHOIS Lookup
Use a WHOIS lookup tool to find the registrar:
- ICANN Lookup: lookup.icann.org
- DomainTools: whois.domaintools.com
- Our lookup tool: domaindetails.com
Step 2: Find Abuse Email
Look for the "Registrar Abuse Contact Email" in the WHOIS record. It typically follows a pattern like:
Step 3: Use Registrar Abuse Portal
Many major registrars have dedicated abuse reporting portals:
Major Registrar Abuse Contacts
| Registrar | Abuse Email | Abuse Portal |
|---|---|---|
| GoDaddy | abuse@godaddy.com | supportcenter.godaddy.com/AbuseReport |
| Namecheap | abuse@namecheap.com | namecheap.com/support/knowledgebase/article.aspx/9196 |
| Cloudflare | abuse@cloudflare.com | cloudflare.com/abuse/form |
| Google Domains | registrar-abuse@google.com | support.google.com/domains/answer/3251241 |
| Tucows/Hover | domainabuse@tucows.com | tucows.com/report-abuse |
| Network Solutions | abuse@web.com | networksolutions.com/report-abuse |
| Name.com | abuse@name.com | name.com/abuse-policy |
| Dynadot | abuse@dynadot.com | dynadot.com/community/forums |
| Porkbun | abuse@porkbun.com | porkbun.com/support |
What to Expect from Registrars
Response Times:
- Urgent (phishing, malware): 24-48 hours
- Standard abuse: 3-5 business days
- Complex cases: May require follow-up
Possible Outcomes:
- Domain suspended
- Content removed
- Warning to registrant
- Referral to law enforcement
- No action (insufficient evidence)
ICANN Contractual Compliance
When to Report to ICANN
Report to ICANN Compliance when:
- Registrar doesn't respond to abuse reports
- Registrar refuses to take action on clear violations
- WHOIS data is demonstrably false
- Transfer or renewal policies are violated
- Registrar fails to implement UDRP decisions
ICANN Complaint Portal
URL: icann.org/compliance
Types of Complaints:
- WHOIS Inaccuracy
- Domain Name Registrar Issues
- Domain Name Registry Issues
- Transfer Problems
What ICANN Can Do
| Can Do | Cannot Do |
|---|---|
| Investigate registrar policy violations | Take down websites |
| Require registrar corrective action | Order content removal |
| Impose financial penalties | Make trademark decisions |
| Terminate registrar accreditation | Provide legal remedies |
Filing an Effective ICANN Complaint
- Demonstrate registrar contact: Show you tried the registrar first
- Identify policy violation: Reference specific ICANN requirements
- Provide evidence: Documentation of the violation
- Be specific: Clear statement of what you want resolved
Reporting Phishing Domains
Phishing is one of the most common and dangerous forms of domain abuse. Report through multiple channels:
Google Safe Browsing
URL: safebrowsing.google.com/safebrowsing/report_phish/
Effect: Adds site to Google's blocklist, warning Chrome, Firefox, and other browsers.
Response Time: Usually reviewed within 24 hours
Microsoft SmartScreen
URL: microsoft.com/en-us/wdsi/support/report-unsafe-site-guest
Effect: Adds site to SmartScreen filter in Edge, Windows, and Outlook.
Anti-Phishing Working Group (APWG)
Email: reportphishing@apwg.org
Effect: Shares data with member organizations (banks, ISPs, law enforcement).
Targeted Brand
If the phishing impersonates a specific company, report directly to them:
- Most large companies have security or phishing reporting contacts
- Banks often have dedicated phishing emails (e.g., phishing@yourbank.com)
- They may have faster takedown capabilities than general reporting
PhishTank
URL: phishtank.org
Effect: Community-verified phishing database used by security products.
Reporting Malware Domains
abuse.ch
URL: abuse.ch
Services:
- URLhaus: Report malware distribution URLs
- MalwareBazaar: Submit malware samples
- ThreatFox: IOC sharing platform
VirusTotal
URL: virustotal.com
Use: Scan URLs/files and flag as malicious. Detection alerts security vendors.
Google Safe Browsing
URL: safebrowsing.google.com/safebrowsing/report_badware/
Use: Report malware distribution sites for browser warnings.
National CERTs
Computer Emergency Response Teams by country can help with malware:
- US-CERT (cisa.gov/report)
- UK NCSC (ncsc.gov.uk)
- CERT-EU (cert.europa.eu)
Anti-Abuse Organizations
Blocklists and Reputation Services
| Organization | Focus | URL |
|---|---|---|
| Spamhaus | Spam, botnets, malware | spamhaus.org |
| SURBL | Spam URLs | surbl.org |
| abuse.ch | Malware infrastructure | abuse.ch |
| AbuseIPDB | IP reputation | abuseipdb.com |
| PhishTank | Phishing sites | phishtank.org |
Industry Working Groups
Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG)
- Industry consortium
- Best practices development
- Member companies collaborate on abuse mitigation
Anti-Phishing Working Group (APWG)
- Global coalition
- Phishing research and prevention
- Incident reporting and sharing
Internet Watch Foundation (IWF)
- UK-based
- Focuses on child safety
- URL blocking and takedown
Government Agencies
United States:
- FBI IC3 (ic3.gov) - Internet crime
- FTC (reportfraud.ftc.gov) - Consumer fraud
- CISA (cisa.gov) - Cybersecurity threats
European Union:
- Europol EC3 - Cybercrime
- National police cyber units
International:
- Interpol Cybercrime
- National cyber agencies
What to Include in Abuse Reports
Essential Information
Every abuse report should include:
| Element | Purpose | Example |
|---|---|---|
| Domain name | Identify the target | example-phish.com |
| Full URL(s) | Specific malicious pages | https://example-phish.com/login.php |
| Date/time | Establish timeline | 2025-01-15 14:30 UTC |
| Abuse type | Classification | Phishing impersonating Bank XYZ |
| Evidence | Prove the abuse | Screenshots, source code |
| Your contact | For follow-up | Email or phone |
Screenshots and Evidence
Best Practices:
- Capture full page, not just partial
- Include browser address bar showing URL
- Timestamp visible if possible
- Save original URLs, not shortened versions
- Archive pages (archive.org or archive.today)
For Phishing Reports
Additional useful information:
- Brand being impersonated
- Where you received the phishing link (email, social media)
- Email headers if applicable
- Whether you submitted any data (helps assess impact)
For Malware Reports
Additional useful information:
- Malware sample hash (SHA256)
- Malware family if known
- How you discovered it
- IP addresses involved
- Network traffic logs if available
Sample Abuse Report Template
Subject: Abuse Report - Phishing at [domain.com]
To: abuse@[registrar].com
I am reporting the following domain for phishing abuse:
Domain: fake-bank-login.com
URL: https://fake-bank-login.com/secure/login.php
Registrar: [Registrar Name]
Type of Abuse: Phishing
This site impersonates [Bank Name] to steal customer credentials.
Evidence:
- Screenshot attached showing fake login page
- Page archived at: [archive.org link]
- Discovered on: 2025-01-15 at 14:30 UTC
- Phishing link received via email (headers available upon request)
Request: Please suspend this domain immediately to prevent further fraud.
Contact: [your email]
After You Report
Expected Timelines
| Abuse Type | Typical Response | Typical Resolution |
|---|---|---|
| Active phishing | 24-48 hours | 2-7 days |
| Malware hosting | 24-48 hours | 2-7 days |
| Spam operations | 3-5 days | 1-2 weeks |
| Trademark abuse | 1-2 weeks | Varies (UDRP: 60 days) |
| ICANN compliance | 5-10 days acknowledgment | Weeks to months |
If No Action Is Taken
Escalation Path:
- Follow up with registrar (cite original report)
- Report to ICANN Compliance
- Report to registry operator
- Engage hosting provider (separate from registrar)
- Contact law enforcement for criminal matters
- Consider legal action for trademark/damages
Tracking Your Reports
Keep records of:
- Date and time of each report
- To whom you reported
- Ticket/reference numbers
- Responses received
- Outcome and timeline
Frequently Asked Questions
How long does it take to get a domain taken down?
For active phishing or malware: 24-72 hours is common with responsive registrars. Complex cases or uncooperative registrars may take weeks. UDRP trademark disputes take approximately 60 days.
Is reporting abuse free?
Reporting to registrars, ICANN, and anti-abuse organizations is free. Legal action (UDRP, lawsuits) has costs.
What if the domain is at a foreign registrar?
ICANN policies apply globally to gTLD registrars regardless of country. For ccTLDs, contact the national registry. Law enforcement cooperation varies by jurisdiction.
Can I report anonymously?
Many reporting channels allow anonymous tips, but providing contact information allows follow-up and clarification, leading to better outcomes.
What if I accidentally reported a legitimate site?
Registrars investigate before taking action. Legitimate sites with good evidence of their authenticity won't be affected. If you realize your mistake, notify the registrar to withdraw the report.
Does reporting actually work?
Yes. Major registrars take thousands of enforcement actions monthly. Success depends on:
- Quality of evidence
- Responsiveness of registrar
- Clarity of the abuse
- Proper reporting channels used
Key Takeaways
- Start with the registrar: Always report to the domain's registrar first
- Use multiple channels: Phishing should go to registrar, Safe Browsing, and APWG
- Provide complete evidence: Screenshots, URLs, timestamps, and clear descriptions
- Know when to escalate: ICANN Compliance for unresponsive registrars
- Report promptly: Active abuse harms more victims over time
- Follow up: Track your reports and escalate if no action taken
- Specialized organizations exist: Use Spamhaus, abuse.ch, etc. for technical threats
- Free to report: All primary channels accept reports at no cost
Next Steps
- Learn about phishing: Understand typosquatting protection
- Know your options: Review cybersquatting remedies
- File UDRP if needed: Learn the UDRP process
- Protect your brand: Implement domain monitoring
Reporting Resources Quick Reference
| Purpose | Primary Resource | URL |
|---|---|---|
| Find registrar | ICANN Lookup | lookup.icann.org |
| Registrar complaint | See registrar list above | - |
| ICANN policy violation | ICANN Compliance | icann.org/compliance |
| Phishing | Google Safe Browsing | safebrowsing.google.com |
| Malware | abuse.ch URLhaus | urlhaus.abuse.ch |
| Spam blocklist | Spamhaus | spamhaus.org |
| US fraud | FTC | reportfraud.ftc.gov |
| US cybercrime | FBI IC3 | ic3.gov |