General Policy and Stance on Botnet Reports
The DNS Abuse Framework identifies botnets as an actionable abuse and defines them as follows:
Botnets are collections of Internet-connected computers that have been infected with malware and commanded to perform activities under the control of a remote administrator.
The CleanDNS team will investigate evidenced reports and act against domains that are involved in a botnet. Without evidence (identified below), CleanDNS may not be able to assist.
Overview of a Well-Evidenced Botnet Report
The purpose of a well-evidenced botnet report is to ensure the reported abuse is accurately escalated to the Registrar/Registry so that it can act on the report, in the hope of minimizing the harm inflicted on users. Strong reports consist of the alleged abusive domain, the URL, evidence of the reported abuse, and a brief explanation of the suspected observed abuse. Ensure you have contacted the registrant (if they're unlikely to be a malicious actor), the hosting provider, the registrar, and the registry, and have queried the WHOIS record to determine the status of the domain. Include the evidence and the correspondence from the prior level with each escalation.
The following is intended to guide users in reporting botnets. CleanDNS is not responsible for any damages that stem from use, misuse, or misunderstanding of this guidance nor anything that stems from reporting the botnet.
Gathering Evidence
CleanDNS considers the following methods effective for gathering evidence to support a botnet report:
- A screenshot of a sandbox tool (e.g. Any.run) depicting the botnet.
- A link to a VirusTotal page, blacklist site, Any.run report, etc. that supplements your observed botnet attack.
- Any other screenshots, logs, or other details that support abuse claims against the domain.
Lastly, a brief written explanation of the observed botnet is required when submitting the abuse report.
CleanDNS recommends using a virtual machine or a sandbox tool (e.g. Any.run) to avoid harming your machine when gathering the evidence.
Submitting a Report
A report that is too technical may not be actioned because the connection is not clear enough to the individual reviewing the report. A report without enough detail is likely to be dismissed as inadequate. Once all the required information is gathered for the report, please submit it via the appropriate form or email it to the appropriate abuse email address.