The Spamhaus Project

How has GDPR affected Spam?

by The Spamhaus Team, September 08, 2018, 7 minutes reading time

GDPR, WHOIS and Spam - how is it all panning out?

The real answer is that it is far too early to tell. Various articles currently state that "nothing has happened" as a result of GDPR or "spam has fallen slightly"; however, the true effects of GDPR providing anonymity to domain owners will take a long time to play out. The main crux of the matter isn’t the effect GDPR is having on spam levels, but how it’s hampering organizations from effectively stopping career cybercriminals from defrauding innocent people.

GDPR and WHOIS

Unless you have been marooned on a desert island with no contact with the outside world for the past year, you will be aware that Europe’s General Data Protection Regulation (GDPR) came into force on 25th May 2018. In relation to “WHOIS”, the protocol used to determine who owns a domain or IP address, the interpretation of this regulation has led to limitations on the information that registrars disclose. In some cases not only is the information relating to EU natural persons being withheld, but also that of non-EU persons and companies.

How do security researchers use WHOIS data?

Before GDPR came into effect, records such as a domain’s registered owner and registered contacts could be looked up in WHOIS databases maintained by individual registrars governed by ICANN.

WHOIS information was used by researchers in organizations such as Spamhaus to help determine a domain’s reputation. Domains that this and other factors showed to have a bad reputation could then be listed on our Domain Block List (DBL).

An example is when a WHOIS privacy service was utilized on a domain registration. To a security researcher this would indicate that an individual wished to remain anonymous, and would immediately raise suspicion as to why the owner of the domain wanted to ‘hide’.

Whilst the lack of some of this information is tiresome and makes a security researcher’s job a little more difficult, it isn’t insurmountable. Spam will be blocked. Domains will continue to be added to our DBL and email will be filtered accordingly.

Why have spam levels dropped post GDPR?

It’s true, spam rates have dropped marginally since May 2018. Spamhaus never anticipated a tsunami of spam to follow GDPR; however, current claims that spam has fallen as a result of GDPR are unconvincing.

Of course, it could be that legitimate companies, who are concerned about being GDPR compliant, have started purging email lists and are sending less ‘legit’ spam. However, one needs to remember that spam from legitimate companies accounts for a very small percentage of overall spam numbers, so any reduction in this area would have a minute impact on the figures.

Another theory could be that, due to the changes to WHOIS, fewer bad domains are being identified and therefore some anti-spam systems are flagging less email.

Nonetheless, this small reduction in spam is more than likely down to the natural ebb and flow of spam volumes, which have always been highly variable, just like botnet traffic, as illustrated here:

There are numerous non-GDPR related reasons as to why there’s been a recent drop in spam email ranging from the spambots which are currently in operation (or not in operation as the case may be) to who has been arrested recently!

Also, let’s not forget that criminal organizations, just like most businesses, are focused on return on investment (ROI) i.e. why send a billion spam ‘pillz’ emails and make a few thousand dollars when a few successful business phishes or a few thousand lucrative banking trojans can net a criminal millions of dollars? Whilst there may be lower volumes of spam, the negative impact of it can be greater.

We have seen no hard evidence proving that the current decline in spam is a direct result of GDPR. It will be interesting to see what the volumes of spam are like over Black Friday and the subsequent Christmas holidays.

Can the drop in domain name registrations be attributed to GDPR?

Likewise, this is a vacuous claim, unless it’s worth considering that snowshoe spammers don’t need as many new identities now that their current ones are withheld on WHOIS.

A more likely explanation for the drop in domain name registrations could be something as simple as top-level domains (TLDs) not having run any ‘specials’ recently (everyone loves a bargain, even a cybercriminal).

So what is the issue?

At this point, you would be excused for asking yourself “If spam hasn’t increased then what’s the issue with GDPR prohibiting personal details being visible on WHOIS?”

It’s simple. It will hamper, if not prevent, organizations from joining the dots and identifying gangs of professional cybercriminals whose mechanism of fraud is proving successful.

How?

Researchers collect all kinds of information from WHOIS. This data allows us to identify patterns in spamming activity, and build intelligence to attribute it to specific spam gangs.

Additionally, these small but critical pieces of data can become crucial to investigations later down the line, even though they may not look significant at the time. This evidence can assist law enforcement agencies in pursuing prolific gangs who are defrauding significant numbers of people of vast sums of money.
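The two uses of WHOIS described above, a privacy-service registration as a reputation signal and registrant details as pivots that link domains into one gang's infrastructure, can be shown on a handful of records. The following is an added example written for this page, not Spamhaus code or any real WHOIS client; the records, domain names and privacy-marker strings are constructed, and the redaction step simulates what post-GDPR WHOIS output looks like so the loss of linkability is visible.

```python
# Added example (not Spamhaus code): linking domains through shared WHOIS
# registrant fields, and showing what redaction does to that linkage.
from collections import defaultdict
from dataclasses import dataclass, replace

# Strings that mean "the real registrant data is withheld". Constructed list;
# real privacy/proxy services use many different placeholder strings.
PRIVACY_MARKERS = ("redacted for privacy", "privacy", "proxy", "whoisguard")

# Registrant fields treated as pivots (values that can link two domains).
PIVOT_FIELDS = ("registrant_email", "registrant_phone", "registrant_name")


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_name: str
    registrant_email: str
    registrant_phone: str
    registrar: str


# Constructed sample records (hypothetical .test domains, not real data).
SAMPLE_RECORDS = [
    WhoisRecord("pillz-offer.test", "John Doe", "jdoe@mail.test", "+1.5550100", "Registrar A"),
    WhoisRecord("cheap-meds.test", "J. Doe", "jdoe@mail.test", "+1.5550199", "Registrar B"),
    WhoisRecord("best-deals.test", "Jane Roe", "jroe@mail.test", "+1.5550100", "Registrar A"),
    WhoisRecord("bakery-shop.test", "Alice Baker", "alice@bakery.test", "+44.2079460000", "Registrar C"),
    WhoisRecord("hidden-site.test", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY",
                "REDACTED FOR PRIVACY", "Registrar A"),
]


def is_privacy_protected(rec):
    """True when the registrant fields carry a privacy/proxy placeholder."""
    fields = (rec.registrant_name, rec.registrant_email, rec.registrant_phone)
    return any(m in f.lower() for f in fields for m in PRIVACY_MARKERS)


def pivot_keys(rec):
    """Return (field, value) pairs usable to link this domain to others.
    Masked values are excluded: otherwise every privacy-protected domain
    would be 'linked' through the same placeholder string."""
    keys = set()
    for field in PIVOT_FIELDS:
        value = getattr(rec, field).strip().lower()
        if not value or any(m in value for m in PRIVACY_MARKERS):
            continue
        keys.add((field, value))
    return keys


def cluster_by_shared_pivots(records):
    """Union-find over domains: two domains join one cluster when they share
    any pivot key. Returns a sorted list of frozensets of domain names."""
    parent = {r.domain: r.domain for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # pivot key -> first domain that carried it
    for rec in records:
        for key in pivot_keys(rec):
            if key in first_seen:
                union(first_seen[key], rec.domain)
            else:
                first_seen[key] = rec.domain

    groups = defaultdict(set)
    for rec in records:
        groups[find(rec.domain)].add(rec.domain)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def redact(rec):
    """Simulate post-GDPR WHOIS output: personal fields withheld."""
    return replace(rec, registrant_name="REDACTED FOR PRIVACY",
                   registrant_email="REDACTED FOR PRIVACY",
                   registrant_phone="REDACTED FOR PRIVACY")


def reputation_signals(rec, clusters):
    """Two of the signals a researcher might feed into a reputation decision."""
    cluster = next(c for c in clusters if rec.domain in c)
    return {"privacy_protected": is_privacy_protected(rec),
            "linked_domains": len(cluster) - 1}


if __name__ == "__main__":
    before = cluster_by_shared_pivots(SAMPLE_RECORDS)
    after = cluster_by_shared_pivots([redact(r) for r in SAMPLE_RECORDS])
    print("with registrant data:", [sorted(c) for c in before])
    print("after redaction:     ", [sorted(c) for c in after])
    for rec in SAMPLE_RECORDS:
        print(rec.domain, reputation_signals(rec, before))
```

With registrant data present, the three spam-looking domains collapse into one cluster (two share an email address, two share a phone number) while the bakery and the privacy-protected domain stay alone; after redaction every domain is a singleton, which is the "join the dots" capability the post says is lost. Excluding masked values from the pivots matters in practice: a placeholder string is shared by every privacy-protected domain at a registrar, and treating it as a pivot would link unrelated domains together.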

Really? Is visibility over this WHOIS data that important?

Yes. Even fraudulent information that is used in a WHOIS record can be used against criminals. For example, the notorious spammer Alan Ralsky was finally indicted for, among other things, "using falsely registered domain names to send the spam."

Certain types of fraudulent techniques can be used by spammers to misrepresent and disguise their identity, location, or the nature of their message in order to defeat spam filtering programs e.g. by using false information to register a domain name used to send the spam.

Under 18 USC § 1037, it is unlawful for a person to send “multiple commercial electronic mail messages” if such a person uses materially false registration information for two or more domain names that are used to send the messages.

Ralsky and the other defendants employed several fraudulent means to accomplish the common goals of sending out as much unlawful spam email as possible in order to make as much money as possible, including registering domain names with false information to avoid detection.

Last but not least, we need to remember the good guys. As a result of WHOIS going dark, it's not only harder to track and bring down criminal activity but it's also harder for the good guys to prove that they are legitimate when a domain’s legitimacy is questioned.

Transparency builds trust

As more of our lives revolve around online activity, more opportunities are available to the bad guys to monetize an asset (a computer) over which they have gained control. Those guys are motivated, intelligent, and creative. Losing a tool like WHOIS, which helps to shine a little more light into the darker corners of the Internet, doesn’t do any favors to those who want to protect Internet users.
