August 28, 2018 • Allan Liska and Bruce Liska
There were many concerns that after the European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, there would be an uptick in spam. While it has only been three months since the GDPR went into effect, based on our research, not only has there not been an increase in spam, but the volume of spam and new registrations in spam-heavy generic top-level domains (gTLDs) has been on the decline.
Prior to the implementation of the GDPR, many researchers feared that an increase in spam would be an unintended consequence of the law because security researchers would no longer be able to use WHOIS information to track new domain registrations and identify potentially bad domains. As a result, spammers could run wild with no way to identify and stop them.
Cisco Talos tracks email and spam volume on a monthly basis. Their monthly report provides a broad overview of the state of spam, and the six-month trend report shows a clear drop-off in overall email volume from pre- to post-GDPR.
According to Cisco’s report, on May 1, 2018, the total volume of email was 433.9 billion messages; spam accounted for 370.04 billion messages, or 85.28 percent of all email. On August 1, 2018, the total volume of messages was 361.83 billion, with 85.14 percent, or 308.05 billion messages, identified as spam. While the total volume of email fell precipitously, most likely due to a combination of seasonal email fluctuations and newly enforced privacy standards, the percentage of spam remained roughly the same, as shown in Figure 1.
In other words, spammers are not — at least at this time — rushing to launch new campaigns because of GDPR-enforced WHOIS privacy rules. Spam is still a big problem, but it has not become a bigger problem, contrary to popular opinions among security researchers.
Of course, it is possible that spammers are biding their time, registering a number of domains anonymously and reserving them to launch spam campaigns in the future. At first glance, the data does not support that hypothesis.
Average daily new domain registrations have actually fallen slightly since May 25, 2018. For the month leading to the enactment of the GDPR, Recorded Future collected an average of more than 223,500 new domain registrations each day. From May 26 to July 2, 2018, the average number of new domain registrations was 213,300 — a slight drop off of 10,000 new domain registrations per day.
Even though the number of new domain registrations is flat, it is possible that spammers are focusing on registering new domains in top-level domains (TLDs) that have a reputation for delivering a lot of spam, but that also does not appear to be the case. Spamhaus collects statistics on the most abused TLDs and publishes that information on a regular basis, including the top 10 most abused TLDs. Focusing on just the generic top-level domains (gTLDs) — as they all fall under the auspices of ICANN and GDPR — the current list of most abused gTLDs includes .men, .fun, .review, .date, and .yokohama.
As a percentage of new domain registrations pre- and post-GDPR, each of these gTLDs fell in total number of registrations. The gTLD .men accounted for 0.98 percent of all new domains registered prior to May 25, 2018, after which that percentage fell to 0.32 percent — less than one-third. The gTLD .review went from 0.4 percent of new domain registrations to 0.22 percent in that same time frame. Similarly, .date domains accounted for 0.46 percent of all new domain registrations prior to May 25, 2018, and 0.24 percent after — almost a 50 percent drop. Both .fun and .yokohama also saw drops, but there are so few of these domains registered that they didn’t crack the top 50 of popular gTLDs.
A few other points contradict the idea that spammers are focusing on registering domains that might be used for spam later. The first and most obvious is the uptick in the percentage of .com domain registrations. Prior to May 25, 2018, the .com gTLD accounted for 50.91 percent of new domain registrations, and that has since increased to 54.97 percent post-GDPR. Even though .com domains may account for a lot of spam, the .com space is relatively spam-free, with only 4.8 percent of .com domains classified as bad by Spamhaus.
Some other interesting numbers emerge between Figures 2 and 3. The gTLD .biz dropped from 6.93 percent of all new domains registered to 0.6 percent. While .biz does make the Spamhaus top 10, roughly 42.4 percent of all .biz domains are classified as bad.
There are some anomalies in the registration data. For example, the gTLD .app, which is managed by Google and used for app developers, saw a drop from 3.63 percent to 0.59 percent of all new domain registrations. That is because the .app gTLD was introduced on May 1, 2018 to early-access registrants and opened to the public on May 8, 2018. There was a rush to register new .app domains and then a natural leveling off of new registrations.
The one exception to the rule that generally bad domains saw a drop in the number of registrations post-GDPR is the .loan gTLD. Prior to May 25, 2018, .loan domains accounted for 7.26 percent of new domains registered, while after that, the .loan gTLD accounted for 11.32 percent of all gTLDs registered — a sizable jump. According to Spamhaus, 29 percent of all .loan domains are rated bad.
However, not everyone is ready to hit the “all clear” button.
“ICANN’s response to GDPR has effectively granted default anonymity to domain registrants,” says Tim Chen, CEO of DomainTools, referring to the organization that governs WHOIS policy. “While it is heartening that, over the first 90 days, we’re not seeing a spike in spam, it is important to evaluate the full spectrum of cybercrime, cyberespionage, and generally bad behavior online before concluding this new law does not impact internet security.”
While there is, rightfully, a lot of concern about other types of malicious activity, it appears that in the very narrow category of mass spam, not only has there not been an uptick, but spam has fallen slightly. In addition, spammers are not taking advantage of the potential new anonymity afforded by GDPR to register new domains as part of new spam campaigns, at least not in the gTLD space. Obviously, this can change at any time, and Recorded Future will continue to monitor and note any changes in behavior. Watch this space for an update on this blog in 90 days.
1. This graph is a screenshot taken on August 20, 2018 from talosintelligence.com/reputation_center/email_rep.