Guide
TrainingSupportCommunity

Take down fraudulent domains

Suggest Edits

You can request that ​Akamai​ take down domains that are an active spoofing and phishing threat to your organization. When you enable Zone Protection for a zone, Akamai monitors the domain for these threats. The related domains report shows all domains that pose a threat. From this report, you can submit a takedown request. For more information on zone protection and the related domains report, see Monitor and protect zones.

After you submit a request, the request enters a workflow where ​Akamai​ reviews the request and determines whether the domain should be taken down.

Workflow for takedowns

After you submit a takedown request, the request enters a workflow where Akamai reviews and processes the request.

If you provide evidence for a takedown, a takedown request transitions through these four main states:

DRAFT -> REQUESTED -> SUBMITTED -> ACCEPTED

where the states are defined as:

  • DRAFT. The request is in this state until you submit the request.
  • REQUESTED. The request enters this state after you submit the request. The Operations team reviews and processes the request. This review is usually completed in one business day.
  • SUBMITTED. The disruption network processes the takedown request.
  • ACCEPTED. The fraudulent domain is removed.

Alternate workflows

Depending on the takedown scenario, there can be alternate workflows with additional states. For example, this workflow can apply if no evidence was provided in the draft state.

DRAFT -> REQUESTED -> EVIDENCE REQUIRED -> REQUESTED -> SUBMITTED -> ACCEPTED

In this workflow, the following events occur:

  1. The account owner is drafting the takedown request, and it is in the DRAFT state.

  2. After completing the draft and submitting the request, it transitions to the REQUESTED state.

  3. The operations team reviews the request, determines that evidence files are needed, and transitions the request to the EVIDENCE REQUIRED state.

  4. The account owner uploads evidence files and resubmits the takedown request. The request transitions back to the REQUESTED state.

  5. The operations team reviews and approves the request, transitioning it to the SUBMITTED state. The disruption network begins processing.

  6. After the fraudulent domain is removed, the request transitions to the ACCEPTED state.

If the takedown request is denied or it cannot be completed, these states may apply:

  • DENIED. Indicates the request doesn't meet the criteria for takedown, or the network denies the request for removal.
  • DOWN ON ARRIVAL. Indicates the request can't be completed because the fraudulent domain is down.

If you cancel a takedown request, the workflow varies depending on the request state at the time you initiate cancelation:

  • If the request form is in the DRAFT state, it is updated to CANCELED.
  • If the request is in the REQUESTED or SUBMITTED state, it is updated to CANCEL REQUESTED.
    Later, after the takedown request is reviewed, the state is updated to either CANCELED, DENIED, or DOWN ON ARRIVAL.

For more information on takedown statuses, see Takedown statuses.

Takedown statuses

The status of your takedown request appears in the related domains report. The following table describes these statuses. To learn more about the workflow that is followed for a takedown request, see Workflow for Takedowns.

Takedown StatusDescription
DraftThe request for a takedown was started, but it was not submitted.
RequestedThe request was submitted to ​Akamai​. The operations team reviews the request.
Evidence Required​Akamai​ has reviewed the request and requires evidence of the threat before proceeding. Evidence can include copyright or trademark notices or email phishing headers.
Submitted​Akamai​ has allowed the takedown request to proceed, and it will be processed by the disruption network.
AcceptedThe fraudulent domain is removed.
Cancel requestedA cancellation of the takedown was requested by you or another administrator.
CanceledThe takedown request was canceled and is no longer in progress.
DeniedThe request doesn't meet the criteria for takedown, or the network denies the request for removal.
Down on ArrivalThe request can't be completed because the fraudulent domain is down.

Start a domain takedown

Complete this procedure to initiate a takedown request.

Before you begin:

Authorization letters are required to take down a domain. If an authorization letter is not already on file in your Control Center account, you must upload one. After you upload a letter and it’s approved, the authorization letter associated with the account is used for all subsequent takedown requests. For more information, see Authorization letter for domain takedowns.

To take down a domain:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS > Zone Protection. The Zone dashboard appears.

  2. In the Zone Threats widget, click View Report. You are directed to the related domains report.

  3. Apply filters to narrow the list of domains. You can apply a number of filters including one that shows domains with a high or critical risk level. For instructions, see Filter the related domains report.
    If you already know the domain that you want to take down, you can also enter it in the search box.

  4. For the domain that you want to take down, click Takedown. A confirmation message appears.

  5. Click Yes. The Takedown Request Form appears.

  6. Complete the Draft state of the form:

    1. If you submitted an authorization letter and it was approved, the Authorization letter toggle is enabled and this setting is grayed out. If you did not submit an authorization letter, you will need to submit one. For instructions, see Authorization letter for domain takedowns.
    2. Optional. Submit one or more evidence files. Evidence files can include copyright or trademark notices or email phishing headers.
      Evidence files may expedite the takedown request.
    3. Click Submit Takedown.

      📘

      If you click Save instead of Submit Takedown, you can return to the request at a later time. When you view the domain in the related domains report, it will have a Draft takedown status.

    4. Confirm that you want to submit the takedown request.
      After you submit the request, the Operations team reviews the request.
      The request enters the Requested state. Information about the request is shown, including the time the request was submitted, the violation type, associated tags, and more.

Next Steps:

View the status of your request. If additional evidence is required, you may need to provide evidence before ​Akamai​ can process your request. To view the status, see View takedown status. For more information about a takedown workflow, see Workflow for Takedowns.

Authorization letter for domain takedowns

A Control Center account must have a signed authorization letter on file to request a domain takedown.

For the first domain takedown, you must download an authorization letter from Control Center, sign it, and then upload it to Control Center. After you upload a signed authorization letter and it is approved by Akamai, it is then associated with the account and used for all subsequent takedown requests.

An account can only have one acceptance letter on file. If you need to replace an acceptance letter, you must delete the letter and replace it with a new one.

Download an authorization letter

Complete this procedure to download an authorization letter.

To download an authorization letter:

  1. On a Domain Takedown page, click Takedown Settings.
  2. In the Download authorization letter to sign section, click Download. An unsigned authorization letter is downloaded to your computer.

Next Steps:

  1. Sign the letter and save the file with a new name that includes your account name. You may also want to include the date. For example, you can use this filename for the file:
    MyAccount_Signed_Auth_Letter_2023-02-01
  2. Upload a signed authorization letter

Upload a signed authorization letter

Complete this procedure to upload a signed authorization letter.

To upload a signed authorization letter:

  1. On the Domain Takedown page, click Takedown Settings.
  2. If you already have a authorization letter that you want to replace, complete these steps:
    1. In the Existing signed authorization letter section, click Delete to delete the existing authorization letter. A confirmation dialog appears.
    2. Click Yes. The letter on file is deleted, and the Upload signed authorization letter section now appears on the page.
  3. In the Upload signed authorization letter section, upload the letter you signed.

View takedown status

Complete this procedure to view the takedown status of a domain.

To view a takedown status:

  1. Navigate to the related domains report page. For instructions, see View the related domains report.
  2. Go to the domain that you requested for takedown.
  3. In the Takedown column of the report, click the status for your domain and select View Status. The workflow page and information about the request appears.

Cancel a takedown request

After you submit a takedown request, you can cancel it. This operation stops the takedown in progress. Note that any action completed before the cancelation request was made may be irreversible. This means even though the takedown was canceled, the domain may have already been taken down or removed from the internet.

To cancel a takedown request:

  1. Go to the Domain Takedown page:
    1. Navigate to the related domains report page. For instructions, see View the related domains report.
    2. Go to the domain that you requested for takedown.
    3. In the Takedown column of the report, click the status for your domain and select View Status.
  2. In the top toolbar of the Domain Takedown page, click Cancel Takedown.
    A confirmation dialog opens.
  3. Click Yes. When you view takedown history or view the domain in the related domain report, the state of the takedown is updated.

Updated about 2 months ago