I have recently become aware of a blog post from Recorded Future that attempts to analyze the effects of the GDPR on online security. Unfortunately, it starts by asking an irrelevant question and then goes on to use irrelevant metrics to come to a meaningless answer.
The premise of Recorded Future’s article — that spammers would send more spam and register more domains because GDPR came into effect — tells us nothing useful about how GDPR affects anything. It’s the wrong question, it’s not a question most security people are concerned with, and it ignores how spam and spammers work.
The goal of spam is to get the recipients to do something, usually to click through to a landing page containing a phish or malware. Spammers use botnets, hijacked IP space, and deceptively registered snowshoe IP addresses. More IP addresses let them evade filters and send more spam; more domains make no difference.
Spam volumes increase as spammers start campaigns, and decrease as the campaign ends, or as security researchers and law enforcement take down the networks of compromised machines used to send most spam.
Spam domains are the ones that spammers want people to end up on, the destination sites. Spammers only need to run a certain number of redirection and destination sites, and a lot of the redirectors they use are on other people’s hacked sites. Sending spam doesn’t need any domains at all, since the return addresses in spam are invariably fake, either addresses taken from the spam lists, or just made up.
Using more domain names gives spammers little if any advantage. If more domains were better, and if detection and takedown were easier before GDPR, spammers would have been buying ever-ballooning numbers of domains before GDPR, but they weren’t.
Indeed, GDPR would mean spammers now have an easier time and need fewer domains, because less spam will be detected, more will get through to users, and landing domains will stay up longer so more of the spam will have working landing pages.
Some of the Recorded Future analysis is just puzzling and suggests a lack of familiarity with spamming techniques.
For example, it looks at the number of registrations in heavily abused TLDs, such as .men and .fun, and doesn’t see many new ones. But the reason those TLDs are heavily abused is that they had promotions to sell cheap bulk domains. Once the promotions are over and the price goes back up, the number of new registrations drops to the usual trickle, GDPR or no.
To understand the effect of GDPR, the relevant question is: Is GDPR enabling damage, because it makes detection, blocking, and mitigation harder?
Criminals do use domains for spam payloads, redirectors, and landing pages. WHOIS has been a key tool not just to identify individual domains, but to find connections among domains (which tend to be registered with similar information, even if it’s false) to take down a whole network of them at a time. I can’t find any public numbers about takedowns, but the security researchers I know tell me that lack of WHOIS is a significant impediment to research, and the half-hearted measures that some registrars provide to reveal one domain at a time are no substitute when you’re looking at clusters of thousands or tens of thousands of domains.
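The clustering described above, pivoting on shared registrant details to connect domains that were registered as a batch, is simple to show in code. The example below is added here and is not from the original post; the WHOIS records, domain names and registrant values are constructed for illustration and correspond to no real registrations. It groups domains that share any registrant email, phone number or name (union-find over the pivot values), then runs the same logic over GDPR-style redacted records to show that the clusters collapse to single domains. It also shows the caveat a researcher hits in practice: a placeholder such as "REDACTED FOR PRIVACY" must be ignored as a pivot value, or every redacted domain ends up in one useless cluster.

```python
from collections import defaultdict

# Constructed WHOIS records (hypothetical .test domains, invented registrants).
# Three of them share an email or a phone number, the fourth is unrelated.
PRE_GDPR_RECORDS = [
    {"domain": "example-pills1.test", "email": "r1@mail.test",
     "phone": "+1.5550100", "name": "J Doe"},
    {"domain": "example-pills2.test", "email": "R1@mail.test",
     "phone": "+1.5550200", "name": "Jane Roe"},
    {"domain": "example-deal3.test", "email": "other@mail.test",
     "phone": "+1.5550200", "name": "X Y"},
    {"domain": "unrelated.test", "email": "z@mail.test",
     "phone": "+1.5559999", "name": "Q"},
]

PIVOT_FIELDS = ("email", "phone", "name")
# Common registrar placeholders (lower-cased); these carry no identity and must
# never link two domains together.
REDACTED_MARKERS = {"redacted for privacy", "data protected", ""}


def cluster_domains(records, pivot_fields=PIVOT_FIELDS, ignore_redacted=True):
    """Group domains that share any pivot value. Returns a sorted list of
    sorted domain lists, one per connected cluster."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (field, normalised value) -> first domain carrying it
    for r in records:
        for field in pivot_fields:
            value = r.get(field, "").strip().lower()
            if ignore_redacted and value in REDACTED_MARKERS:
                continue  # placeholder, not evidence of a shared registrant
            key = (field, value)
            if key in first_seen:
                union(first_seen[key], r["domain"])
            else:
                first_seen[key] = r["domain"]

    groups = defaultdict(list)
    for domain in parent:
        groups[find(domain)].append(domain)
    return sorted(sorted(g) for g in groups.values())


def redact(records, marker="REDACTED FOR PRIVACY"):
    """Simulate post-GDPR public WHOIS: every registrant field replaced."""
    return [{**r, **{f: marker for f in PIVOT_FIELDS}} for r in records]


if __name__ == "__main__":
    print("pre-GDPR clusters:", cluster_domains(PRE_GDPR_RECORDS))
    print("redacted clusters:", cluster_domains(redact(PRE_GDPR_RECORDS)))
    print("naive on redacted:", cluster_domains(redact(PRE_GDPR_RECORDS),
                                                ignore_redacted=False))
```

With full records the three related domains form one cluster and the unrelated domain stands alone; with redacted records every domain is its own cluster, which is the loss of signal the post is describing. The `ignore_redacted=False` run illustrates the opposite failure, one cluster containing everything, which is what happens if a pipeline treats the privacy placeholder as just another registrant value.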
At this point, we do not have the data to say how GDPR is affecting the Internet’s security, and we certainly do not have data to claim there is no effect.
Written by John Levine, Author, Consultant & Speaker