Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Internet

05 Sep 2018

GDPR didn't affect spam? Not so fast. Internet

I have recently become aware of a blog post from Recorded Future that attempts to analyse the effects of the GDPR on online security. Unfortunately, it starts by asking an irrelevant question, and then goes on to use irrelevant metrics to come to a meaningless answer.

The premise of Recorded Future's article -- that spammers would send more spam and register more domains because GDPR came into effect -- tells us nothing useful about how GDPR affects anything. It's the wrong question, it's not a question most security people are concerned with, and it ignores how spam and spammers work.

The goal of spam is to get the recipients to do something, usually to click through to a landing page containing phish or malware. Spammers use botnets, hijacked IP space, and deceptively registered snowshoe IP addresses. More IP addresses let them evade filters and send more spam; more domains make no difference.

Spam volumes increase as spammers start campaigns, and decrease as the campaign ends, or as security researchers and law enforcement take down the networks of compromised machines used to send most spam.

Spam domains are the ones that spammers want people to end up on, the destination sites. Spammers only need to run a certain number of redirection and destination sites, and a lot of the redirectors they use are on other people's hacked sites. Sending spam doesn't need any domains at all, since the return addresses in spam are invariably fake, either addresses taken from the spam lists, or just made up.

Using more domain names gives spammers little if any advantage. If more domains were better, and if detection and takedown were easier before GDPR, spammers would have been buying ever-ballooning numbers of domains before GDPR, but they weren't.

Indeed, GDPR would mean spammers now have an easier time and need fewer domains, because less spam will be detected, more will get through to users, and landing domains will stay up longer so more of the spam will have working landing pages.

Some of the Recorded Future analysis is just puzzling, and suggests a lack of familiarity with spamming techniques.

For example, it looks at the number of registrations in heavily abused TLDs, such as .men and .fun and doesn't see many new ones. But the reason those TLDs are heavily abused is that they had promotions to sell cheap bulk domains. Once the promotions are over and the price goes back up, the number of new registrations drops to the usual trickle, GDPR or no.

To understand the effect of GDPR, the relevant questions are: Is GDPR enabling damage, because it makes detection, blocking, and mitigation harder?

Criminals do use domains for spam payloads, redirectors, and landing pages. WHOIS has been a key tool not just to identify individual domains, but to find connections among domains (which tend to be registered with similar information, even if it's false) to take down a whole network of them at a time. I can't find any public numbers about takedowns, but the security resarchers I know tell me that lack of WHOIS is a significant impediment to research, and the half-hearted measures that some registrars provide to reveal one domain at a time is no substitute when you're looking at clusters of thousands or tens of thousands of domains.

At this point we do not have the data to say how GDPR is affecting the Internet's security, and we certainly do not have data to claim there is no effect.

posted at: 11:11 :: permanent link to this entry :: 2 comments
posted at: 11:11 :: permanent link to this entry :: 2 comments

comments...        (Jump to the end to add your own comment)

Whois redaction has absolutely impeded our ability to correlate malicious domains, and has placed increased importance of services like passive DNS for identifying common infrastructure and “bad neighborhoods”.

With respect to how it impacts spam.. newly registered domains are always going to be suspicious simply owing to the fact they have no established reputation. It makes no sense for spammers to run out and start buying massive sets of new domains because it wouldn’t help them get in anyhow.

As time goes on I expect this whole situation to get worse, as some of attackers domain infrastructure remains undetected for longer. I believe you are correct that this means they will need fewer domains in the long run.

(by Jaeson Schultz 06 Sep 2018 07:07)

Thanks for bringing sanity and clarity to a topic clouded by many loud, less-informed voices. This was really refreshing to read!

(by Scott Pinzon 08 Sep 2018 11:22)

Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

Email: you@wherever (required, for confirmation)
Title: (optional)
Show my Email address
Save my Name and Email for next time


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

It turns out you don’t need a license to hunt for spam.
83 days ago

A keen grasp of the obvious
Italian Apple Cake
641 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.