Mail traffic to cancelled domain names

Frequently asked questions

Have you recently cancelled a domain name? If so, you may have had an e-mail from us, saying that it looks as if mail is still being sent to addresses linked to the cancelled domain name. When a domain name is cancelled, any e-mail addresses linked to it stop working. If we strongly suspect that mail is still being sent to a cancelled domain's addresses, we contact the former registrant. We do that because the situation may lead to accidental data leaks. This web page provides answers to frequently asked questions on this topic.

An English translation of the e-mail texts can be found here. This is a general version of the mails.

What's the problem?

As the organisation with overall control of .nl domain names, we are able to see when mail is probably still being sent to e-mail addresses linked to cancelled domain names. If we've written to you about this, it's because we strongly suspect that mail intended for you or your organisation is being sent to addresses linked to your cancelled domain or domains. When a domain is cancelled, it's placed in quarantine for forty days. After that, anyone else can re-register it. If they do, they may get access to mail that's still being sent and is meant for you, possibly including personal and/or sensitive information. That could have very undesirable consequences. NB: We can't tell which e-mail addresses are involved, nor can we see your mail or read its contents.

Frequently asked questions

If you've got a question that isn't answered here, please mail support@sidn.nl or contact your registrar.

Who is SIDN?

SIDN is the organisation that operates the .nl domain. That involves registering .nl domain names and making sure that registered domains are always reachable from anywhere in the world. Every time you type in a .nl domain name, we point you to the website you want. That involves processing more than two billion search queries every day. The .nl domain is one of the most secure and trustworthy internet domains in the world. Each registered .nl domain name is managed by a .nl registrar (service provider), who acts as your first point of contact for everything connected with the domain name.

Why has SIDN mailed me?

As the operator of the .nl domain, we think it's very important that the internet is safe for everyone to use. So we're always working to make the internet -- and .nl in particular -- more secure and trustworthy.

It's fine to cancel a domain name, but be careful how you do it

Of course, we're sorry to hear that you no longer want your .nl domain name. But, if you have no further use for it, we think it's best that the name is made available for other people to re-register and make use of. Nevertheless, we recommend taking a careful approach to cancellation.

Risk

If you cancel a domain name, but some people aren't aware (or forget) that your old mail addresses are no longer valid, they may go on using them to mail you. That can lead to personal data or commercially sensitive information getting into the wrong hands. That isn't just a theoretical risk. It's actually happened to the Dutch police and to certain care providers, for example. In those cases, domain names previously used and then cancelled by the relevant organisations were picked up and re-registered by other people. The new registrants consequently received mail intended for the former registrants. In a situation like that, it's easy for personal or sensitive information to fall into the hands of someone inappropriate.

One-off mail from SIDN

With a view to preventing problems like that, we keep an eye on cancelled domain names for a while to see whether it looks as if mail is still going to addresses linked to the domains. If we think that may be happening, we contact the cancelling registrant to draw their attention to the situation. We only contact them once, so that they can take action if they want to.

Is there any way of seeing who is sending mail to our cancelled domain name?

No. We can see and analyse only the DNS traffic for the cancelled domain name. We don't see the mail traffic, so we don't know where it comes from. See also What can SIDN see from the DNS traffic? If you really want to know who is still mailing your old addresses, you'll need to reinstate the quarantined domain name. See also What can we do now?

Is there any way of seeing how much mail is going to our cancelled domain name?

No. We can see and analyse only the DNS traffic for the cancelled domain name. We don't see the mail traffic, so we can't tell exactly how many messages are involved. In some cases, thousands of end users will use the same DNS resolver. So our response to a single DNS query can in principle enable any number of end users to mail the relevant domain.

What can we do now?

You have a number of options.

1. Inform your contacts

Tell everyone that used to mail your cancelled domain that the name is no longer in use and/or that you've got a new domain name. Your contacts need to remove your old addresses from their address books and make a note of your new ones. Otherwise they may accidentally send mail to old addresses. It also pays to check carefully whether your old contact details are given anywhere, e.g. on the Chamber of Commerce website, a partner's website or via any social networks.

2. Reinstate the quarantined domain name

When a domain name is cancelled, it initially goes into quarantine for forty days -- a sort of cooling off period. In that time, only the registrant that cancelled the domain name can reinstate (re-activate) it. The system serves to protect the registrants of domain names that get cancelled by mistake. So, if you really want to know what mail traffic is being sent to the cancelled domain name, you can get it reinstated. Then no one else will be able to register it or receive mail that's actually meant for you. Reinstating a quarantined domain name has to be done through a registrar.

After reinstating a domain name, you have a number of options. One is to restore the mail service, and configure it to forward mail addressed to the cancelled domain to your new one. That will also enable you to see who is still using old addresses, so that you can get in touch with them. Your hosting service provider or the firm that manages your domain name will be able to help with that. See also Who can reinstate a cancelled domain name for us?

If there's no mail server configured for your cancelled domain name, anyone who sends mail to an address at that domain will get an error message. So, if you leave the name without a server, you won't be able to see who's mailing old addresses, but you will have the reassurance of knowing that their mail isn't going to someone else.

3. Do nothing

If you're sure that no important mail will be going to your cancelled domain name, you have the option of doing nothing at all. Then, at the end of the forty-day quarantine period, the domain name will be available for anyone to re-register.

How can SIDN tell whether mail is still going to our cancelled domain?

As operator of the .nl domain, it's our job to make sure that all .nl domain names are reachable. Every time that someone enters a .nl domain name (e.g. sidn.nl) into their browser or sends mail to a .nl address (e.g. info@example.nl), one of our servers is invisibly contacted. That's because the user's computer needs the IP address of the example.nl website or the mail server for example.nl, and they get that address from us.

Domain Name System

Getting the IP address of a website or mail server happens in the blink of an eye. The process is enabled by something called the Domain Name System (DNS). When someone sends an e-mail to info@example.nl, the sending mail server uses the DNS to look up the recipient's mail server, in this case the server for example.nl. We operate the DNS servers for .nl, which help the sending mail server look up the server for example.nl. The messages that go back and forth between the servers when a lookup is performed are known as DNS traffic.

DNS traffic

From the DNS traffic processed by our systems, we can see whether anyone has looked up the mail servers for a given .nl domain name. That's because a lookup involves what experts call an MX query, which is normally sent on a mail server's behalf by a DNS resolver. We know that people have tried to mail your cancelled domain name because we saw their MX queries in the DNS traffic to our servers when we checked the traffic after the cancellation. Because DNS resolvers cache data (save it temporarily in case they need it again), and because it's common for numerous internet users to share a resolver, we don't know how many people have tried to reach your cancelled domain name. We just know that someone has.

What do the estimated risk categories mean?

We have defined three estimated risk categories to indicate how likely we think it is that mail is still going to a cancelled domain name. When deciding what category to put a cancelled domain name in, we look not only at the DNS traffic, but also at things such as the name itself and the type of website that was previously linked to it. If, for example, a cancelled name includes the Dutch word for 'doctor' and was used for a website that has the characteristics of a care sector website, we may well decide that the risk of continued mail flow is high.

Low

We can still see signs of mail traffic, but the number of DNS queries is quite low (fewer than five a day). We didn't detect any other risk factors.

Moderate

We are still seeing a slightly higher number of DNS queries (up to ten a day), or we detected an additional risk factor. That might be an e-mail address at the cancelled domain, given on a live .nl website. If an old address is given on a live site, that may well mean that people are using it.

High

We're still seeing quite a lot of DNS queries for the cancelled domain name, or we detected additional risk factors, such as signs that the domain name was previously used by a care provider or law firm. Domains used by organisations like that are more likely to get mail that contains privacy-sensitive information.

How is the risk of continued mail traffic calculated?

We perform a number of analyses to try to establish whether legitimate mail is still being sent to a cancelled domain name. After all, the mail sent to a domain isn't all equally important. It's common for spam and other insignificant mail to be sent to a cancelled domain name, for example. We try to identify and disregard that mail, so that you're alerted only if we think there's a real risk of legitimate mail being addressed to your cancelled domain name. We do that using special filters that we've developed. DNS queries from 'suspect' systems that send a lot of spam and advertising mail are automatically filtered out of the analysed traffic. If the filtered traffic for your domain name includes queries from 'trustworthy' systems, we're more likely to alert you.

Nature of the former registrant

Another thing we consider is whether a cancelled domain name seems to have been used by an organisation that's likely to get privacy-sensitive mail, such as a care service provider or a law firm. Cancelled domain names of the following types are automatically placed in a higher estimated risk category:

  1. Domain names that include the Dutch words for things such as 'family doctor' and 'law firm' (e.g. advocatenkantoor-jansen.nl)

  2. Domain names previously used for websites with content suggesting an organisation whose activities may well involve sensitive mail, such as a care service provider or government body

  3. Domain names used for e-mail addresses that still appear on live .nl websites

Disclaimer

We provide the service described here to the best of our ability. However, our analyses are not perfect, because we cannot see all DNS traffic and because it can be difficult to reliably filter out all DNS queries associated with non-legitimate mail (spam, advertising, etc). As a result, we cannot guarantee that legitimate mail is in fact still being sent to a cancelled domain name for which we send an alert. Nor can we guarantee that no legitimate mail is being sent to a cancelled domain name for which we don't send an alert.

What do you do about spam and advertising mail?

The system that we use to analyse DNS traffic includes filters designed to remove DNS queries that we think are probably linked to spam, advertising and other activities that we regard as unimportant. We filter out traffic like that because we want alerts to go out only for domain names that we strongly suspect important/legitimate mail is being sent to.

How do you identify spam and advertising mail?

We use various filters to remove traffic that we think is linked to unimportant mail such as spam and social media mail (e.g. Facebook notifications). The filters scan for DNS queries from 'suspect' IP addresses, which are discounted when estimating the risk associated with a cancelled domain name. The filters are based on, for example:

  1. Abuse feeds, such as APWG and Spamhaus

  2. DNS resolvers identified as suspect because they:

    1. Send a lot of DNS queries for domain names that don't have mail servers

    2. Send a lot of DNS queries for non-existent domain names

    3. Send all their DNS queries on the same day

    4. Are new

  3. Open DNS resolvers

  4. Botnet client IP addresses detected using our Sinkhole

  5. A static list of 'suspect'

    1. IP addresses

    2. Autonomous systems

    3. Countries
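The pipeline described in the sections above (the estimated risk categories, the spam and advertising filters, and the former-registrant factors), as an added worked example that is not SIDN's code: it takes a handful of constructed DNS query log lines, keeps only MX queries for the cancelled domain, discards queries from a constructed 'suspect resolver' set standing in for the abuse feeds and static lists, computes the average number of remaining queries per day over the monitoring window, and maps the result onto the Low/Moderate/High categories. The log format, the Dutch keyword list, the suspect-IP set and the exact mapping of factors onto categories (a sensitive word in the name or a sensitive-sector website raises the category to High, an address on a live site to Moderate, fewer than five queries a day is Low, up to ten Moderate, above ten High, and no remaining queries means no alert) are assumptions drawn from the descriptions above, not SIDN's actual thresholds.

```python
# Added example, not SIDN's code. Models the alerting pipeline described on
# this page with constructed data: filter DNS query logs, estimate legitimate
# MX queries per day, apply the risk factors, map to Low/Moderate/High.

# Dutch words signalling a sector likely to receive sensitive mail
# (assumed list: family doctor, lawyers, care).
SENSITIVE_NAME_KEYWORDS = ("huisarts", "advocaten", "zorg")
# Website types that the page says raise the category (assumed labels).
SENSITIVE_SITE_TYPES = {"care", "law", "government"}

# Constructed stand-in for the abuse feeds, open-resolver and static
# 'suspect' lists: queries from these sources are discounted.
SUSPECT_RESOLVERS = {"198.51.100.7", "203.0.113.9"}

# Constructed log lines: "<timestamp> <source ip> <qname> <qtype>".
# Addresses are documentation ranges; the domains are placeholders.
SAMPLE_LOG = [
    "2024-05-01T08:00:00Z 192.0.2.10 advocatenkantoor-jansen.nl MX",
    "2024-05-01T08:00:05Z 192.0.2.10 advocatenkantoor-jansen.nl A",    # web lookup, not mail
    "2024-05-01T09:30:00Z 198.51.100.7 advocatenkantoor-jansen.nl MX",  # suspect resolver
    "2024-05-02T11:00:00Z 192.0.2.20 advocatenkantoor-jansen.nl MX",
    "2024-05-02T11:00:00Z 192.0.2.20 bakkerij-de-vries.nl MX",          # another domain
    "2024-05-03T07:45:00Z 192.0.2.10 advocatenkantoor-jansen.nl MX",
    "2024-05-03T08:00:00Z 203.0.113.9 advocatenkantoor-jansen.nl MX",   # suspect resolver
]


def parse_log(lines):
    """Split each constructed log line into a record; the day is kept for stats."""
    records = []
    for line in lines:
        ts, ip, qname, qtype = line.split()
        records.append({"day": ts[:10], "ip": ip,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def legitimate_mx_queries(records, domain, suspect=SUSPECT_RESOLVERS):
    """Keep MX queries for the domain that did not come from a suspect source."""
    return [r for r in records
            if r["qtype"] == "MX" and r["qname"] == domain and r["ip"] not in suspect]


def risk_factors(domain, former_site_type=None, address_on_live_site=False):
    """Collect the additional risk factors the page describes for one domain."""
    factors = []
    if any(word in domain for word in SENSITIVE_NAME_KEYWORDS):
        factors.append("sensitive keyword in domain name")
    if former_site_type in SENSITIVE_SITE_TYPES:
        factors.append(f"former website looked like a {former_site_type} organisation")
    if address_on_live_site:
        factors.append("old address still shown on a live .nl website")
    return factors


def categorise(queries_per_day, factors):
    """Assumed mapping of the page's category descriptions onto labels."""
    sector_factors = [f for f in factors if not f.startswith("old address")]
    if queries_per_day > 10 or sector_factors:
        return "high"
    if queries_per_day >= 5 or factors:
        return "moderate"
    return "low"


def assess(lines, domain, window_days, former_site_type=None, address_on_live_site=False):
    """Run the whole pipeline for one cancelled domain over a monitoring window."""
    domain = domain.lower().rstrip(".")
    kept = legitimate_mx_queries(parse_log(lines), domain)
    per_day = len(kept) / window_days
    factors = risk_factors(domain, former_site_type, address_on_live_site)
    return {
        "domain": domain,
        "queries_kept": len(kept),
        "queries_per_day": per_day,
        "active_days": len({r["day"] for r in kept}),
        "factors": factors,
        # No legitimate-looking queries at all: nothing to alert on (assumption).
        "category": categorise(per_day, factors) if kept else "no alert",
    }


if __name__ == "__main__":
    for name in ("advocatenkantoor-jansen.nl", "bakkerij-de-vries.nl"):
        print(assess(SAMPLE_LOG, name, window_days=3))
```

Note that the law firm's domain ends up in the High category even though only one filtered MX query a day was seen: the name itself is the deciding factor, which is the situation the 'doctor' example in the text describes. The bakery is Low on the same counts unless its old address is still published on a live site.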

What about my privacy?

We have your contact details from when you registered a .nl domain name with us through a registrar. Naturally, we take great care of registrants' data. The general privacy principles we follow are set out in Article 23 of our General Terms and Conditions for .nl Registrants. We also have a privacy policy for this particular activity. The policy explains how we process the data we need to estimate the risk associated with a domain name and to alert the registrant that cancelled it. The privacy policy can be found on our website.

What can SIDN see from the DNS traffic?

Our DNS traffic analysis doesn't reveal anything about the mail itself. So, for example, we don't know the sender's name, the recipient's name, the subject, or anything about the content of the mail. What we can see is that someone has asked for the IP addresses (A or AAAA records) and mail servers (MX records) linked to a given .nl domain name. We can also see the IP address of the server that asked for the information. Such requests usually come from DNS resolvers. A resolver is a sort of intermediary, so we very rarely see the IP address of the end user who needs the information.

Because DNS resolvers cache data (save it temporarily in case they need it again), we don't see all MX record requests.
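To make concrete what an 'MX query' contains, and therefore what the sections 'DNS traffic' and 'What can SIDN see from the DNS traffic?' say can and cannot be observed, here is an added example (not SIDN's code) that encodes a DNS MX question for a placeholder domain in RFC 1035 wire format and decodes it again. The decoded fields, plus the source address taken from the UDP/TCP layer, are all an authoritative name server sees; nothing about the sender, recipient or content of the e-mail that triggered the lookup is present. The domain, transaction id and resolver address are constructed placeholders.

```python
import struct

# Added example, not SIDN's code. Builds and decodes a minimal DNS query
# (RFC 1035 header + one question) to show which fields an authoritative
# name server can observe. "example.nl" is a placeholder domain.

QTYPE_NAMES = {1: "A", 15: "MX", 28: "AAAA"}
QTYPE_MX = 15


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a DNS query: 12-byte header, then QNAME labels, QTYPE, QCLASS=IN."""
    # flags 0x0100: recursion desired, as a stub or resolver would set it;
    # QDCOUNT=1, no answer/authority/additional records in a query.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes) -> dict:
    """Decode the header id and the single question (name, type, class)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("this example handles exactly one question")
    pos, labels = 12, []
    while packet[pos] != 0:          # walk length-prefixed labels to the root
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return {"id": txid, "qname": ".".join(labels),
            "qtype": QTYPE_NAMES.get(qtype, qtype), "qclass": qclass}


def observable_fields(packet: bytes, source_ip: str) -> dict:
    """What the .nl name servers can record for one query: the question
    and the address of the system that sent it (usually a resolver; it
    comes from the transport layer, not from the DNS message itself)."""
    q = parse_query(packet)
    return {"qname": q["qname"], "qtype": q["qtype"], "source_ip": source_ip}


if __name__ == "__main__":
    # 192.0.2.53 is a documentation address standing in for a resolver.
    pkt = build_query("example.nl", QTYPE_MX)
    print(pkt.hex())
    print(observable_fields(pkt, "192.0.2.53"))
```

The decoded dictionary is the complete picture: a name, a record type and a resolver address. Because that resolver usually serves many users and caches the answer, the same three fields can stand for one sender or thousands, which is why the page says only that someone has tried to reach the domain.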

Is there a charge for reinstating a quarantined domain name?

Yes, there is usually a charge for reinstating a quarantined domain name. The exact amount payable depends on the registrar who arranges the reinstatement for you. It's often cheaper to get a domain name reinstated by the registrar that managed it prior to cancellation. The registrar in question is named in the e-mail we sent you warning about the cancellation risk.

How long have we got to reinstate our cancelled domain name?

When a domain name is cancelled, it initially goes into quarantine for forty days. The quarantine period is a sort of cooling off period, during which only the cancelling registrant is allowed to get the domain name re-activated. The system serves to protect the registrants of domain names that get cancelled by mistake. If we think that mail traffic is still being sent to your cancelled domain, we'll send you an alert thirty days after the cancellation date. So, if you've had an alert, you have a maximum of ten days before the quarantine period ends and the domain name is made available for anyone to re-register.

Who can reinstate a cancelled domain name for us?

You didn't register your domain name directly with SIDN. It was registered through a 'registrar': an intermediary who can access our systems to register and manage domain names on behalf of registrants like you. The registrar responsible for your cancelled domain name is named in the e-mail we sent to alert you to the risk. If the registration was arranged for you by a service provider, such as a website designer, we advise contacting the service provider.

How long do you keep personal data?

During the monitoring period that follows the cancellation of a domain name, we save the data that's needed for monitoring. The data is saved in a separate database, not in the .nl registration database.

At the end of the monitoring period, we anonymise the privacy-sensitive data held in this separate database (e.g. registrants' names and e-mail addresses). The remaining data is kept for up to three years. We keep it to help us improve our services and for use in scientific research.

Do you share personal data with anyone else?

No. All the data we retain is treated as strictly confidential. So, for example, we don't share it or sell it to anyone else. We may, however, publish aggregated statistics on our website or in academic publications. Such aggregated data might include things such as the total number of alerts sent or the overall average number of DNS queries detected per domain name. It won't be possible to identify individual domain names or registrants from data of that kind.

What can we do to prevent further problems in the future?

Whenever you plan to cancel a domain name, we recommend contacting everyone you deal with to tell them clearly that your e-mail addresses are changing. See also What can we do now?

If you're switching to a new domain name, we recommend keeping both domain names for a while and actively approaching people who still send mail to your old addresses.

Don't cancel the old domain name until the flow of significant mail to the old addresses has dried up.

After all, keeping a domain name registered usually costs only a few euros a year. So you might even consider keeping your old domain name indefinitely, even though it's no longer in active use. Ask your service provider about the options. See also What can we do now? Other useful reading includes Z-CERT's guide to expired domain names and an article published a while ago on Computable.

What if we've got questions that aren't answered here?

If you've got a question that isn't answered here, please mail support@sidn.nl or contact your registrar. See also Who can reinstate a cancelled domain name for us?
