Home / Blogs

GDPR Didn't Affect Spam? Not So Fast

John Levine

I have recently become aware of a blog post from Recorded Future that attempts to analyze the effects of the GDPR on online security. Unfortunately, it starts by asking an irrelevant question and then goes on to use irrelevant metrics to come to a meaningless answer.

The premise of Recorded Future's article — that spammers would send more spam and register more domains because GDPR came into effect — tells us nothing useful about how GDPR affects anything. It's the wrong question, it's not a question most security people are concerned with, and it ignores how spam and spammers work.

The goal of spam is to get the recipients to do something, usually to click through to a landing page containing phish or a malware. Spammers use botnets, hijacked IP space, and deceptively registered snowshoe IP addresses. More IP addresses let them evade filters and send more spam; more domains make no difference.

Spam volumes increase as spammers start campaigns, and decrease as the campaign ends, or as security researchers and law enforcement take down the networks of compromised machines used to send most spam.

Spam domains are the ones that spammers want people to end up on, the destination sites. Spammers only need to run a certain number of redirection and destination sites, and a lot of the redirectors they use are on other people's hacked sites. Sending spam doesn't need any domains at all, since the return addresses in spam are invariably fake, either addresses taken from the spam lists, or just made up.

Using more domain names gives spammers little if any advantage. If more domains were better, and if detection and takedown were easier before GDPR, spammers would have been buying ever-ballooning numbers of domains before GDPR, but they weren't.

Indeed, GDPR would mean spammers now have an easier time and need fewer domains, because less spam will be detected, more will get through to users, and landing domains will stay up longer so more of the spam will have working landing pages.

Some of the Recorded Future analysis is just puzzling and suggests a lack of familiarity with spamming techniques.

For example, it looks at the number of registrations in heavily abused TLDs, such as .men and .fun and doesn't see many new ones. But the reason those TLDs are heavily abused is that they had promotions to sell cheap bulk domains. Once the promotions are over and the price goes back up, the number of new registrations drops to the usual trickle, GDPR or no.

To understand the effect of GDPR, the relevant questions are: Is GDPR enabling damage, because it makes detection, blocking, and mitigation harder?

Criminals do use domains for spam payloads, redirectors, and landing pages. WHOIS has been a key tool not just to identify individual domains, but to find connections among domains (which tend to be registered with similar information, even if it's false) to take down a whole network of them at a time. I can't find any public numbers about takedowns, but the security researchers I know tell me that lack of WHOIS is a significant impediment to research, and the half-hearted measures that some registrars provide to reveal one domain at a time is no substitute when you're looking at clusters of thousands or tens of thousands of domains.

At this point, we do not have the data to say how GDPR is affecting the Internet's security, and we certainly do not have data to claim there is no effect.

By John Levine, Author, Consultant & Speaker
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

+1Less we forget history:Afilias and .INFO was Charles Christopher  –  Sep 05, 2018 11:07 AM PDT

+1

Less we forget history:

Afilias and .INFO was the original proof of this point. Afilias ran a free registration promotion which ENOM took full advantage of given its customers the adjacent .INFO for the other TLDs they had in their account. I am not saying the ENOM regs were responsibly for the spam, etc, just that is was easy for spammer to hide riding coat tail. If memory serves the total promotion registrations were 2.5 million. One year later 1.25 million domains were RENEWED. The promotion in fact significantly built up the registration base of .INFO. If you look at the .INFO reg history that "blip" in the graph is very obvious.

That resulted in Google "depreciating" .INFO search result as the .INFO TLD became so polluted during the first year after that promotion. I use an .INFO email and had many problems with the widespread filtering that was taking place, and continued after that ... And STILL continues ...

So there is a clear conflict of interest here. Also stated here:

http://www.seobook.com/poor-info-strategy-afilias

The nTLDs have the same desire, build reg counts to maximize profit, that is what businesses do. There is nothing wrong with that.

What still staggers me is the never ending focus on securing everything BUT email. Sorry, the argument of it being "too hard" is not compelling, its a lazy excuse. After 20 years if we really wanted a solution we'd have one, humanity is NOT that stupid. But without a solution what do we all do?

Route ALL our email through Microsoft, Google, etc, to "filter spam" .... Hmm:

http://www.circleid.com/posts/20180807_traceability/

We each are a much better "product" when our emails are easy to read by third parties ... There is no desire to eliminate spam.

See page 2 of this PDF:https://info.info/direct-download/2671 million Charles Christopher  –  Sep 05, 2018 11:36 AM PDT

See page 2 of this PDF:

https://info.info/direct-download/267

1 million to 3.5 millions registrations, 2.5 millions of which were free via the promotion mentioned above.

1.25 millions were renewed, doubling the .INFO reg count because of those free registrations.

And note well, I am not trying to pick on Afilias here. My view is they did nothing wrong. They tried to creatively build their reg count and did, which is why other TLDs follow their lead to this day. Traders have been doing this since the beginning of humanity, free product to try out.

Free domains are not the problem, but they make the registries easy fall guys for the problems not being addressed, and being made worse by the likes of GDPR.

Humanity is not stupid. Humanity is easy to deceive ....

The title of the Recorded Future post Kevin Murphy  –  Sep 05, 2018 11:39 AM PDT

The title of the Recorded Future post is "90 Days of GDPR: Minimal Impact on Spam and Domain Registration". It looks at spam volumes and domain registrations. Two things. You only address one of them here.

It may well be the case that the domain registration data is irrelevant, but the Cisco-provided data Recorded Future cites shows that spam volume has not risen since GDPR came into effect.

Is the spam volume data also irrelevant? I can imagine a couple of ways it might be, but I'd be interested to hear what you think.

yes, it's irrelevant John Levine  –  Sep 06, 2018 6:14 AM PDT

As the third and fourth paragraphs say, spam volumes vary for all sorts of reasons. Since post-GDPR measures make spam harder to filter, you'd expect more of it to be delivered, so spammers could send less to get the same results. We haven't observed that, but we haven't observed anything else relevant either.

Also, as is well-known in the operator and anti-abuse communities, spam volumes are extremely difficult to measure because nobody has more than a narrow snapshot of mail. There are large spammers that target only Gmail or only Yahoo or only Hotmail, whose volume only the recipient systems know, and they're not publicly saying. You'll also see vastly different profiles at ISPs in the US or in Europe or South America or China.

Kevin: spam volume (the number of spam Greg Aaron  –  Sep 06, 2018 6:03 AM PDT

Kevin: spam volume (the number of spam email messages sent) has nothing to do with the number of domains used.  Think of it this way: how many emails can you send from your email address, on your one domain?  Millions and more.  As many as your hardware and bandwidth (and provider) will allow.

Spam is sent via botnets, hijacked IP space, and deceptively-registered snowshoe IP addresses.  Sending spam is more about getting IP addresses, less about domain names to send from.

As Levine said, spammers are advertising destinations they want people to go to. Those destinations are the domains that spammers put in the bodies of the email addresses and are trying to get through spam filters.  You can send one spam message advertising spamdomain.com, or you can send ten million.  Then on your next run you'll switch to advertising another domain, because spamdomain.com may have been blocklisted.  The number of domains a spammer uses can be a matter of how much spam he sends in a time period.

The Recorded Future article and its premise are irrelevant to the question of GDPR.  The stats they use don't measure what they said they do.

Greg, I'm not talking about domains, I'm Kevin Murphy  –  Sep 07, 2018 4:42 AM PDT

Greg, I'm not talking about domains, I'm talking specifically about spam volume. Forget the domains. The Recorded Future article ALSO talks about spam volume, and says it has not gone up post-GDPR. It does not use the number of registered domains to make this point. It's a separate point entirely, using different data, unrelated to domains.

Unrelated to anything John Levine  –  Sep 07, 2018 5:01 AM PDT

It's not only unrelated to domains, it's unrelated to anything.
Is there perhaps some phrasing problem in the third and fourth paragraphs of the post that makes them hard to understand?

Your post is perfectly comprehensible, thanks.What it Kevin Murphy  –  Sep 07, 2018 6:07 AM PDT

Your post is perfectly comprehensible, thanks.

What it does not do at any point is directly address the source Cisco data that shows spam levels basically unchanged post-GDPR.

https://www.talosintelligence.com/reputation_center/email_rep

Are we meant to infer from your fourth para that empirical data about spam volume over time is irrelevant to the question of whether spam volumes have changed over time?

I would disagree with that.

We could question the data, of course (which is what I was trying to nudge you towards and which you seem to be doing in your comment above).

We could say, for example, that Cisco has gotten worse at detecting spam because of GDPR. That might be a reasonable thing to say — I don't know how much Whois availability plays into Cisco's spam detection methodology. Maybe Cisco cross-references Whois records in order to root out dormant spam domains before they launch campaigns? Maybe GDPR has made that harder to do?

These might be good reasons to dismiss the data. Simply dismissing it out of hand as irrelevant does not strike me as a good argument.

>It's not only unrelated to domains, it's Charles Christopher  –  Sep 07, 2018 7:49 AM PDT

>It's not only unrelated to domains, it's unrelated to anything.

https://en.wikipedia.org/wiki/Email_spam

"many contain disguised links that appear to be for familiar websites but in fact lead to phishing web sites or sites that are hosting malware."

https://en.wikipedia.org/wiki/Phishing

"Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication."

https://www.spamhaus.org/news/article/724/ongoing-abuse-problems-at-nic.at-and-denic

"At that time, we saw a massive amount of the "Rock Phish" gang's phishing domain names being registered within .at for the exclusive purpose of hosting phishing sites."

"Providing the name of the sponsoring registrar of a domain name in the whois service, including a valid and working abuse reporting address of the sponsoring domain registrar."

Perhaps I am just dense, but going back to first principles and the definition of the words being used, it seems to me domains are involved.

>or as security researchers and law enforcement take down
>the networks of compromised machines used to send most spam.

https://www.securityweek.com/what-are-criminals-doing-typos-domain-names

"Recent research shows that the exploitation of confusingly similar Internet domain names is not just a threat to brand equity and consumer trust; it’s now in use by those seeking to steal confidential corporate data."

Sorry, but I have no idea John Levine  –  Sep 07, 2018 9:54 AM PDT

what point you're trying to make. Yes, bad guys use domains maliciously, and losing access to Whois makes that harder to remediate.
But it still has nothing to do with the number of spam messages someone claims they're seeing.

Perhaps we have to agree to disagree.The Charles Christopher  –  Sep 07, 2018 10:34 AM PDT

Perhaps we have to agree to disagree.

The links I provide are consistent with my understanding, domains are used to create confusion:

>"The goal of spam is to get the recipients to do something"

They are used to bait the victim via the return address in the spam email, and then again on the website the victim clicks though to.

If domains could not be used this way, spam traffic would decrease. Thus spam house (above) trying to shame DeNic into opening their whois.

>more domains make no difference.

On that I would agree, but a point need to be teased out here as the comment is somewhat academic.

Remove the list of domains that create the confusion the spammers wish to create and successful spam decreases because people are no longer confused.

For example:

"[if one] looks at the number of registrations in heavily abused TLDs, such as .men and .fun and doesn't see many new ones. But the reason those TLDs are heavily abused is that they had promotions to sell cheap bulk domains."

Yes.

For some reason the spammers think more domains are of value to them, even if we think they are of no value to them. Even if domains are "free" there is actual work to managing them. Why bother if you don't need them?

Its not about what we think spammers value, its what spammers are doing that tells us what they value. And they clearly value more domain names when available.

It is also worth noting that spammers "steal" domain registrations from registrars. They know the domain will have value for a limited time. Thus when the registrar find the fraudulent change and deletes the domain, its value to the spammer is gone so they don't care if its deleted. Again, that takes work and risk for the spammer, why do it if its of no value?

>GDPR would mean spammers now have an easier time and need fewer domains,

Does that mean future nTLD releases that have "cheap" registrations will now be devoid of registrations intended for spam and other malicious activities?

I doubt it.

>https://www.talosintelligence.com/reputation_center/email_rep"45 billion legit emails per day">http Charles Christopher  –  Sep 07, 2018 1:19 PM PDT

>https://www.talosintelligence.com/reputation_center/email_rep

"45 billion legit emails per day"

>https://internetworldstats.com/stats.htm

"4 billion internet users"

That gives 10 emails per day per user, 365 days a year, that is far more than I get. With texting and a cell phone on me at all times, not to mention video conferencing, WhatsApp, etc, my email usage gets less and less.

>https://www.businessinsider.com/chart-of-the-day-number-of-texts-sent-2013-3

"According to Experian, U.S. smartphone owners aged 18 to 24 send 2,022 texts per month on average — 67 texts on a daily basis — and receive another 1,831.
That's nearly double their slightly older peers, smartphone users aged 25 to 34 [33 per day].

Young Americans send almost ten times as many texts as Americans over 55 [7 per day]."

67 texts per day, perhaps 1 every ten minutes. Yes, that seems reasonable to what I see in the world around me. People not even letting driving a car get in the way of their texting activity.

The “tech” parents I know generally say their kids have little clue what email is, using other forms of communication like social media and texting.

The 10 emails per day per user is tough to believe when compared against texting. The lower age bracket's lack of use of email suggests the legit email traffic is in the older age brackets. Making it what, 15 to 20 emails per day?

Tough to believe their numbers, 105 to 140 legit emails per week, 450 to 600 legit emails per month?

Tough to believe their numbers, 105 to John Levine  –  Sep 07, 2018 1:47 PM PDT

Tough to believe their numbers, 105 to 140 legit emails per week, 450 to 600 legit emails per month?

I don't believe them either. They seem very high.

I suppose I could say three or four more times that their numbers are wild guesses and the absolute number of spams, even if we knew it which we don't, tells us nothing useful, but if people didn't understand it the last three times, there doesn't seem any point.

To post comments, please login or create an account.

Related

Topics

New TLDs

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

DNS Security

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC