How to report a domain to its registrar

Find the right abuse contact, write a takedown report registrars will act on, and escalate if they don't.

24-72 hour resolution for clear phishing

TL;DR

  • Find the registrar via RDAP; the abuse email is in the published record.
  • Use a structured report with URL, evidence (screenshots, MX records, content scrapes), observed pattern, and business impact — vague reports get ignored.
  • Resolution typically 24-72 hours for clear phishing; escalate to ICANN compliance or the hosting provider if registrar stalls past 5 business days.

What a registrar abuse report does

When you file an abuse report with a registrar, you're asking them to suspend the domain — disable its DNS so it stops resolving — based on evidence that it's being used for phishing, malware distribution, or other policy-violating activity. Most major registrars have a published abuse policy and a documented turnaround time (usually 48-72 hours for clear cases).

The report isn't a legal complaint. It's an operational request the registrar's abuse team can act on without consulting a lawyer. That makes it the fastest takedown path: it's free, fast (hours to days), and doesn't require trademark proof. Reserve UDRP and litigation for cases where you actually need the domain transferred to you, not just taken down.

Registrars vary widely in responsiveness. Cloudflare, Namecheap, and Google Domains process abuse reports quickly; some retail registrars are slow or unresponsive. When the registrar stalls, escalate to ICANN's compliance form or to the hosting provider directly.

How to file an effective abuse report

  1. Identify the registrar. RDAP lookup (or WHOIS) on the offending domain returns the sponsoring registrar plus their abuse contact email. PhishFence's WHOIS / RDAP tool surfaces both in one shot.

  2. Gather evidence first. Screenshot the phishing page with timestamp, MX records (if it's also sending mail), the cloned brand assets (your logo, your color palette, your login form copy verbatim). PhishFence's alert detail page packages this automatically.

  3. Write a structured report. Subject: "Phishing — <variant-domain> impersonating <your-brand>". Body: what you saw, when, evidence (URLs to screenshots), the business impact ("users have reported losing credentials" is stronger than "we found this on a scan"). PhishFence's pre-filled abuse-report template covers the canonical structure.

  4. Send to the registrar's published abuse email. Not their general support — abuse is a separate inbox with abuse-team escalation. CC any hosting-provider abuse contact if the site is behind a different host than the registrar.

  5. Track and follow up. Most registrars send an acknowledgement within 24 hours and a resolution within 48-72 hours. If no acknowledgement after 24 hours, follow up; if no resolution after 5 business days, escalate to ICANN compliance.
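
Step 1 as an added example (not PhishFence's code and not part of the original page): extracting the sponsoring registrar and its abuse mailbox from an RDAP domain response, using the RFC 9083 entity and jCard layout. The sample record and every name in it are constructed; a record with no abuse-role email raises an error instead of falling back to some other address.

```python
import json

# Constructed RDAP domain response (RFC 9083 layout), trimmed to the fields
# used here. Every name and address below is made up for this example.
SAMPLE_RDAP = json.loads("""
{"ldhName": "examp1e-login.example",
 "entities": [
  {"roles": ["registrant"],
   "vcardArray": ["vcard", [["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
  {"roles": ["registrar"],
   "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]],
   "entities": [
    {"roles": ["abuse"],
     "vcardArray": ["vcard", [["fn", {}, "text", "Abuse Desk"],
                              ["email", {}, "text", "abuse@registrar.example"]]]}]}
]}
""")

def vcard_values(entity, prop):
    """Return every value of one jCard property (e.g. 'fn', 'email')."""
    props = (entity.get("vcardArray") or [None, []])[1]
    return [p[3] for p in props if p[0] == prop]

def walk(entities):
    """Yield entities depth-first; the abuse contact sits under the registrar."""
    for e in entities or []:
        yield e
        yield from walk(e.get("entities"))

def abuse_contact(rdap):
    """Return (registrar_name, [abuse emails]) from an RDAP domain object."""
    registrar = next((e for e in rdap.get("entities", [])
                      if "registrar" in e.get("roles", [])), None)
    if registrar is None:
        raise LookupError("no registrar entity in RDAP record")
    name = (vcard_values(registrar, "fn") or ["(unnamed)"])[0]
    emails = [m for e in walk([registrar]) if "abuse" in e.get("roles", [])
              for m in vcard_values(e, "email")]
    if not emails:
        raise LookupError(f"{name}: no abuse-role email published")
    return name, emails

if __name__ == "__main__":
    print(abuse_contact(SAMPLE_RDAP))
```

Only entities under the registrar are searched, so a registrant or reseller address in the same record is never mistaken for the abuse mailbox.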

Common pitfalls

  • Vague reports. "This is phishing, please take it down" without evidence gets deprioritized or ignored. Lead with the evidence and let the abuse team verify in 30 seconds.

  • Wrong contact (support vs abuse). Registrar support tickets get triaged on a different queue and may sit for days. Always use the published abuse@ mailbox.

  • Filing too early. If the lookalike is just registered (no MX, no website yet), a registrar will refuse to act — there's no active abuse. Wait for the infrastructure to come up OR file with crt.sh-evidenced phishing-page screenshots.

  • Reporting only to the registrar. If the hosting provider is different (very common with Cloudflare-fronted phishing), report to both in parallel. Hosting providers can null-route the site before the registrar processes the domain.

  • Skipping ICANN compliance escalation. When a registrar ignores or refuses to act on a clear phishing report, ICANN's compliance form (icann.org/compliance/complaint) is the next step. They have authority over registrar abuse handling.