Important Community Update on domain being flagged by an anti-spam blocklist

February 19, 2023 Edit: Spamhaus as removed from its blocklist.

1. TL;DR

On February 15 2023, Spamhaus, an organization that publishes a Domain Block List used by some service providers, added the domain to its blocklist. The immediate impact is that the usage of on social media or emails may be flagged as spam. A further potential consequence may be that some ISPs may no longer route traffic to the domain. As a result, some users may no longer be able to directly access the dapps on the Internet Computer (IC) that use the domain. Currently, no such cases are known but to address this risk this post explains to users what they can do as a precautionary measure and how they could regain access.

As an immediate action, we recommend that all users:

  • Create a recovery phrase for your Internet Identity anchors if you have not already done so (How to create a recovery phrase). Please note that a recovery device cannot be used to access your account on the new URL, you must use a phrase.
  • Reset your Internet Identity recovery phrase if you cannot remember or have lost your existing phrase (How to reset your recovery phrase).
  • Setup your Internet Identity anchors to be usable with the newly introduced URL Please note that we are working on UX improvements that will make the process easier. UPDATE: Now that has been removed from the block list, we recommend that users wait to migrate their devices until we complete work on the migration path. In case of an emergency, make sure that you have a usable recovery phrase following the instructions listed above.

Last but not least, it is worth noting: DNS blocking is a very common industry practice. Indeed, there are many blocklists around the world with varying policies. Every ISP and/or government does some form of this for legal, security or content policy reasons. Domains which serve user-generated content / apps have a history of being at risk of DNS block lists.

2. Background

ISPs and service providers use blocklists to minimize the exposure of users to spam and malicious websites. Spamhaus is one of the organizations that maintain such blocklists. Since ICP smart contracts can host entire web apps at affordable rates, ICP has seen a few malicious actors publishing content that ISPs and other services block for their users, e.g. phishing sites. Social media and communication services, such as email providers, may additionally flag messages including links to as spam.

As explained in the recent forum post Content Filtering via Boundary Nodes, the DFINITY foundation actively scans for such content and blocks it in accordance with the Code of Conduct established with the ICP community. The smart contracts remain untouched on-chain but are no longer accessible through a regular web browser. There may also be a few false negatives that are not detected.

Spamhaus added to its blocklist. The DFINITY Foundation is actively working with Spamhaus to explain the use of and asked Spamhaus to remove from the blocklist. However, it’s uncertain whether this request will be successful.

Please note this incident is different from a “takedown request”. This is an entire domain being added to a blocklist. This is a foreseen event so there are both mitigations and plans for the community to be aware of.

3. Precautions

This section describes measures that can be taken today to minimize the impact of potentially becoming inaccessible.

Recommended For Users

We encourage all users to perform the following activities immediately:

  • Create a recovery phrase for your II anchors: The following instructions show you how to create a recovery phrase for your II anchors. Once you have created a recovery phrase, store it in a safe place. As a reminder, your recovery phrase will allow you to recover your II and NNS wallet (where you may be holding ICP) in case they are in an environment where is blocked. (How to create a recovery phrase?). If is blocked, you would use your recovery phrase to access your anchor on the new domain. (How to recover account with recovery phrase?) Please note: You will not be able to recover your account with a FIDO device, so you must create a recovery phrase if you want to ensure your account is safe.
  • Connect your II anchors to The following instructions guide you through the process of setting up your Internet Identity (II) anchors on the new II domain Once you have performed these steps, you can keep using II on the new domain even if was no longer accessible. We are working on making this process more user-friendly. Note: for this setup to be successful, must be accessible to you. UPDATE: Now that has been removed from the block list, we recommend that users wait to migrate their devices until we complete work on the migration path. In case of an emergency, make sure that you have a usable recovery phrase following the instructions listed above.

What are the risks if you don’t follow these precautionary measures?

ELI5: If you don’t have access to the domain and you haven’t performed these steps, then you cannot reach your Identity, which means you cannot access your ICP in the NNS Frontend dapp.

  • Is it guaranteed that users will lose access to No, but best be careful and take preventive measures.
  • Are there ways to regain access to domain? Yes, most notably a VPN.
  • Why are these precautions necessary? Because they mitigate the impact of “not having access to domain”. These measures remove the risk tied to

What DFINITY Foundation is doing

Short-term (Now)

  • System canisters under separate domain: DFINITY has created a proposal, that was subsequently adopted by the NNS, to add an additional domain for Internet Identity ( and the NNS Frontend dapp ( so users are able to access these URLs without being affected by any regional blocking of
  • Switch to new default domain for new canisters: Spamhaus has communicated that ICP can create an environment for “massively automated malice”. Therefore, DFINITY has set up the domain as an alternative default domain to access canisters. If you previously used the URL, you can now alternatively use
  • API calls through decoupled domain: So far, HTTP requests and API calls both used the domain. We introduced the domain for API calls and to decouple the two use cases. As a result, API calls will not be affected by reduced availability of domains used to serve HTTP. The Service Worker has been updated to automatically make the API calls to the new domain.
  • Accelerate code of conduct enforcement: We plan to further reduce the time between a malicious content being detected and it being blocked.

Mid-term (1 week)

  • II domain migration: As shown in the December 2022 II roadmap update, the II team has been working on a simple flow to migrate anchors set up under to As documented as one of the user precautionary actions above, a migration to this new domain is possible today. However, we will work on making this transition more seamless and self-explanatory.
  • Custom domains: Just a few days ago, the foundation released custom domain support for canisters. As more developers will use this new capability, the dependency on will decrease.

Long-term (months)

  • The DFINITY team is working on a new boundary node architecture. By introducing HTTP gateways that are accessible through different domains and operated by different community members, the dependency on a single domain, such as, will be significantly reduced.

4. Mitigation

Should a social media post or electronic message containing the domain be flagged as spam, you can alternatively use the domain All new canisters are accessible through the newly created domain Instead of accessing your canister through, you can alternatively use

In the event of being blocked for you, we recommend the following:

  • VPN: Use a VPN to connect to a network that is not affected by the Spamhaus blocklist.
  • Check your local settings: A local program or system configuration, e.g. a virus scanner, may block using the Spamhaus list. Check these settings and exclude from being blocked.

Worth noting that another route for users who want to retrieve their IIs, is that they can also modify the hosts file to locally map to You can see instructions on how to do this here: how to change a hosts file on your computer

5. Potential Questions

Q: What should be the main take-away for users?

A: All ICP users should (A) set up their II anchor under and (B) create recovery phrases for their internet identity anchors, if they do not already have one yet.

(C) Users can also change the hosts file to locally map to

You can see instructions on how to do this here: how to change a hosts file on your computer.

Q: I’m a developer, what do I need to do?

A: Your canisters will be available at as well as If you do nothing, your users will have the same level of access as they do today. If you start to encounter reports of your app not being available, you can configure your agent to use as an alternative or fallback host.

To ensure that your dApp continues to work properly:

  • If you are serving your own service worker, you should make sure you are serving at least version 1.5.2.
  • The Custom Domains feature is now widely available and you can use your own domain to serve your dApp.
  • We will post more updates and instructions in the coming days.

Q: What about users not paying attention when this announcement was posted? Are they out of luck? How much time do they have?

A: It would be naive to expect all users to be paying attention to announcements. Still, we hope to reach as many as possible. We also hope to rely on the community to help create awareness.

If more places add to a blocklist, sharing or accessing links may get increasingly more difficult. However, we expect that for those people immediately affected, using a VPN it will be possible to access for a while. But let’s not count on it and execute the precautionary measures now.

Q: How can I help?

A: ICP is a protocol and a community so of course all help is always appreciated. The ICP community is known for its helpful culture.There are a few ways you can help:

  • Share this post widely
  • Remind people to set up their II anchor under and to create recovery phrases
  • Review NNS proposals coming
  • Offer any help or any advice on this thread!

For context, some of the people at DFINITY working closest on this are:


Thanks for the heads up. I guess it’s a good thing everyone pushed for recovery phrases back in the day.


So say goodbye to the blockchain url? (which was hosted on a centralized domain anyways)

What’s going to happen to and the sns?

What does this mean for less technical people who have elected to “set and forget” in their NNS dapp.


Good question.

Id say the simple version is this: (I did try to make post above simple, seems I fell short of that!)

  1. will continue to work
  2. We expect most people to not have any issues
  3. If any do have any issues accessing that domain, they have two options:

a. If they had set a recovery, they can go to the new url and use the recovery

b. If they have not set a recovery, they may need to use a vpn, to create a new recovery

Does this answer your question in a helpful way?


I don’t intend to minimize this or fall into “this is good for Bitcoin” meme, but I genuinely believe these kinds of things are signs of a blockchain making real contact with the wider internet world.

It is truly fascinating to watch blockchain and web2/web1 collide into each other, negotiate, iterate, and become part of our daily lives.


Why do they have to do that? Isn’t there support for same principal auth on multiple dApps now?

This looks like an antipattern, the moment your recovery phrase is shown it might already not be in a safe place unless you generated it on a brand new device with a clean OS install, a safe place is supposed to be an airgapped device never connected to the internet, that is what FIDO/security keys are for. On a technical level I don’t understand why recovering account with a secret key is possible, but not with an hardware wallet.

1 Like

This just hit my radar (thanks @lomesh ) … @peterparker @rckprtr @kpeacock @icme … is this maybe connected to this:

and if so, I would assume the @dfinity sdk would need to be updated with a new URI for the fetch calls it makes …i.e. … they are intermiittantly timing out in the last few days and we have been grasping at “why” … this might be it and the timing fits … thoughts?

1 Like

Thanks for the heads up.

For someone paranoid like me :

(a) I have a recovery phrase (“locked”) that is stored in a distributed fashion, so not easily accessible.

(b) I was able to add the first device without recovery phrase (first option); but NOT without confusion; even with the instructions. I think a quick video explaining this process would help.

(c) The act of adding a second (and subsequent) devices to the same IIA has an exception flow; which will confuse people. However I can verify that I am able to add a second device.

(d) As noted in the instructions, the existing devices registered on ic0 WILL NOT work on You will need to re-add them.


Is there any way to add a second recovery phrase if you don’t have access to your protected recovery phrase?

Have to say it’s really unfortunate that recovery devices aren’t of any help. I thought I was pretty well prepared with a good mix of auth devices. Falling back to a single recovery phrase was not something I had planned for.


There is no way to add a second recovery phrase; I think, by design.

More than one hardware recovery key would sure be nice.

Copy. I knew we could protect one. I didn’t realize we couldn’t add more. Really sucks.

1 Like

Hi @Zane

Isn’t there support for same principal auth on multiple dApps now?

Honestly? I wrote multiple draft answers, but as I wrote them, it was clear I did not have clarity of thought. Let me ping the Internet Identity Team or Crypto team to better explain,

On a technical level I don’t understand why recovering account with a secret key is possible, but not with an hardware wallet.

I want to make sure I get your question. Are you asking why you cannot use a hardware wallet to recover an II account, but why you have to type it in manually? Is that right?

1 Like

I asked SDK team and they are not sure it is connected, but have been looking into this.

1 Like

Agreed. I know II team is working on improving the flow as well as the user-facing docs on this. Lots of low hanging fruit the team sees.


Copying some folks from Research and Internet Identity team so they see the feedback:

@frederikrothenberger @nmattia @bjoern @marydwyer @maria


Thanks @diegop for the update. IMHO these are great developments.

We’re it not for the Casino front end being blocked, work would not be as urgent for boundary node decentralization. We’re it not for this domain being censored, work would not be as urgent to address this issue.

The more we block and tackle these issues the more hardened and decentralized the system becomes. I personally think it’s really great as we are seeing decentralization unfold before our very eyes.


After this migration, I can also verify that I am able to access nns at through both of my devices.

The migration mistakenly inherits the devices from ic0. After adding the same device with a different name, I deleted the device with original name at

Hmm interesting, let me pass this along.

Sorry; my bad;

The migration inherits the devices from ic0. Adding another device also add this device to ic0. So the same device can exist with two separate names; each for different domains (ic0 and internetcomputer)

1 Like