Naar hoofdinhoud springen
    How can I report malicious activity on a domain?
    Learn how to report phishing, malware, spam, and other abuse on .ga.nu domains to GA.NU’s Abuse team. This guide explains what to include, where to send it, and what to expect next.
    abusesecuritydomains

    How can I report malicious activity on a domain?

    If you encounter malicious or policy‑violating activity on a .ga.nu subdomain, please report it to GA.NU so we can investigate and take appropriate action. This article explains what to report, how to submit a report, and what happens after you do.

    What counts as malicious activity?

    Common categories include:

    • Phishing or credential theft
    • Malware distribution (downloads, drive‑by exploits)
    • Botnet command-and-control (C2) or abuse infrastructure
    • Fraud, impersonation, or brand abuse
    • Mass unsolicited spam originating from or pointing to the domain
    • Child sexual abuse material (CSAM) or exploitation content (see Special cases)
    • Content that incites or facilitates violence or terrorism (see Special cases)

    If you’re unsure whether something qualifies, report it with as much context as possible, and our team will triage it.

    Before you report: gather essential details

    Providing complete information helps us act faster:

    • The exact domain and full URL(s)
      • Example: https://secure-login.ga.nu/paypal/update?session=123 (not just the homepage)
    • Date and time you observed the activity, with timezone
    • Category of abuse (e.g., phishing, malware, spam)
    • Evidence
      • Screenshots or a short screen capture (avoid including sensitive personal data)
      • Raw email headers for spam/phishing emails
      • Network indicators (IP, file hashes, DNS records)
      • Server responses (HTTP status, redirects)
    • Reproduction steps (brief and safe)
    • Impact summary (who is affected, e.g., customers in a specific region)

    Safety tips:

    • Do not run suspicious executables. Share hashes or analysis links instead.
    • For CSAM or other illegal imagery, do NOT send the media itself. See Special cases below.

    How to submit a report

    You can report abuse via our web form or by email.

    Option A: Web form (recommended)

    • Go to: https://ga.nu/abuse
    • Complete all required fields and attach supporting evidence
    • Submit and note the ticket number shown on the confirmation screen

    Option B: Email

    • Send an email to: abuse@ga.nu
    • Subject line: “Abuse report: [category] – [domain]” (e.g., “Abuse report: Phishing – secure-login.ga.nu”)
    • Include the details listed above. You may attach screenshots, .eml files (zipped), or plaintext logs.

    You can use this template:

    To: abuse@ga.nu
    Subject: Abuse report: [CATEGORY] – [DOMAIN]
    
    Domain: [example.ga.nu]
    URLs: [list full URLs]
    First observed: [YYYY-MM-DD HH:MM TZ]
    Last observed: [YYYY-MM-DD HH:MM TZ] (if applicable)
    Category: [Phishing | Malware | Spam | Fraud | C2 | Other]
    Description: [Concise summary and reproduction steps]
    Evidence: [Screenshots, links to VT/analysis, IPs, file hashes]
    Reporter type: [Individual | Organization | Security vendor | LEA]
    Contact: [Name, email, organization]
    Impact: [Who is targeted/affected]
    Additional notes: [Any extra context]
    

    Including raw email headers (for email-based abuse)

    Attach the original message as a .eml file when possible, or paste headers:

    Return-Path: <phisher@example.com>
    Received: from mail.badhost.tld (203.0.113.25)
     by mx.example.org with ESMTPS id ABC123;
     Tue, 12 Dec 2025 15:04:05 +0000 (UTC)
    From: "PayPal" <no-reply@secure-login.ga.nu>
    To: victim@example.org
    Subject: Verify your account
    Message-ID: <...>
    DKIM-Signature: ...
    SPF: fail (example.org: domain of phisher@example.com does not designate 203.0.113.25 as permitted sender)
    ...
    

    Practical examples

    • Phishing page hosted under a .ga.nu subdomain:

      • Domain/URL: https://secure-login.ga.nu/paypal/update
      • Category: Phishing
      • Evidence: Screenshot of login prompt mimicking PayPal; HTTP 200 response; page source referencing known phishing kit
      • Report via: Web form with attached screenshot and timestamps
    • Malware download link:

      • Domain/URL: http://dl-files.ga.nu/update/setup.exe
      • Category: Malware distribution
      • Evidence: SHA256 hash of setup.exe, VirusTotal report URL, HTTP headers showing content type, server IP
    • Spam campaign pointing to a .ga.nu landing page:

      • Domain/URL: https://promo-offer.ga.nu/win
      • Category: Spam
      • Evidence: .eml samples with raw headers; multiple recipients; timestamps and mail-from IPs

    What happens after you report

    • Acknowledgment: You’ll receive an automated confirmation with a ticket ID.
    • Triage: We prioritize active phishing, malware distribution, and life-safety threats.
    • Investigation: We validate evidence, identify hosting, and coordinate with relevant providers.
    • Actions we may take (as appropriate):
      • Suspend or disable DNS for the .ga.nu subdomain
      • Lock the domain to prevent changes during investigation
      • Notify the registrant and request remediation
      • Coordinate with hosting providers, CERTs, and trusted partners
    • Updates: We provide status updates via the ticket. If we need more details, we’ll reach out.

    Typical timeframes (targets, not guarantees):

    • High-severity (active phishing/malware): initial review within 4 hours
    • Other abuse: initial review within 24 hours

    Note: GA.NU manages .ga.nu subdomains. We cannot directly remove content from third‑party hosts, but we can mitigate at the domain/DNS level when warranted.

    Special cases

    • Child Sexual Abuse Material (CSAM)

      • Do NOT forward or attach illegal images or videos.
      • Report the URLs immediately via our web form or to abuse@ga.nu with “URGENT: CSAM” in the subject.
      • In your report, include only links/URLs, timestamps, and a brief description.
      • Also report to your national hotline (e.g., via https://report.iwf.org.uk/ or https://hotline.ie/ depending on your location) or law enforcement as applicable.
    • Imminent harm or life-safety threats

      • Email abuse@ga.nu with “URGENT: Life-safety” in the subject.
      • If you are law enforcement, include your official contact details and case reference. We will prioritize and coordinate promptly.
    • Law Enforcement requests

      • Send official requests from an agency domain to legal@ga.nu, including scope, legal basis, and a reply-to contact. For time-sensitive matters, note “URGENT.”

    If the domain is not a .ga.nu subdomain

    GA.NU can only act on domains under .ga.nu. If the domain is different (e.g., example.com):

    • Identify the registrar/host using WHOIS and DNS lookups
    whois example.com
    nslookup -type=ns example.com
    
    • Report abuse to the registrar’s or host’s abuse contact shown in WHOIS.
    • If email-related, also report to the sending network’s abuse contact (from headers) and any brand being impersonated.

    Appeals and false positives

    If your .ga.nu domain was suspended and you believe this was in error:

    • Reply to the original ticket email with “Appeal” in the subject, and provide remediation details and evidence.
    • Or email abuse@ga.nu referencing your ticket ID.
    • Our team will re-review and respond with next steps. Proven remediations may allow reinstatement.

    Data protection

    • We collect only the information needed to investigate abuse reports.
    • Evidence you provide may be shared with affected parties (e.g., hosting providers, CERTs, law enforcement) strictly for abuse mitigation.
    • We retain abuse reports and related logs for a limited period consistent with legal and operational requirements.

    Need more help?

    Providing clear, complete information helps us protect users and act quickly against malicious activity on .ga.nu domains.

    How can I report malicious activity on a domain? | GA.NU