New research shows impact of GDPR on global spam levels

28 Aug 2018

iPad with Gmail app on display. Image: BigTunaOnline/Shutterstock

There was a lot of concern prior to GDPR that the regulation would cause an uptick in spam, but has it been in vain?

The enforcement of GDPR has already had an effect on cookie usage by media websites, even though it has been active just three months.

The regulation has far-reaching consequences and another that was often cited prior to the deadline was a predicted uptick in spam volumes around the world.

Is GDPR having an effect on spam?

Many people feared the increase in spam would be an unintended consequence of GDPR. Experts were concerned that security researchers might no longer be able to use Whois information to track new domain registrations. Previously, researchers used Whois to monitor new registrations and weed out bad domains. As a result of GDPR, people feared spammers would proliferate with no real way to identify them.

New research from Allan Liska and Bruce Liska of Recorded Future shows that spammers are actually in no hurry to launch new campaigns because of GDPR’s effect on the use of Whois.

The Cisco Talos report from 1 May 2018 shows the total volume of email was 433.9bn messages, with spam accounting for 85.28pc of all email (370.04bn messages). On 1 August, total message volume was 361.83bn, with 85.14pc (308.05bn) identified as spam. Total email fell, due to a combination of seasonal fluctuations and new privacy standards. Notably, spam stayed relatively static.

“Spam is still a big problem but it has not become a bigger problem, counter to popular opinions among security researchers,” the report said.

Is spam stabilising?

While it may seem like spam is in stasis, it could well be that spammers are biding their time. Some experts wager they are registering a number of domains anonymously to launch campaigns in the future.

According to Recorded Future, average daily new domain registrations have actually fallen slightly since 25 May. In the month leading up to GDPR, researchers collected an average of more than 223,500 new domain registrations each day. From 26 May to 2 July, this daily figure was at 213,500, a drop of around 10,000.

Top-level domains

Spammers may be focused on registering top-level domains (TLDs). These have a reputation for delivering a lot of spam, but the Recorded Future research shows this may not be the case.

Research cited from Spamhaus brought up some domain trends. Spamhaus collects statistics on the most abused TLDs, and the current list of global top-level domains (gTLDs) includes the domains ‘.men’, ‘.fun’ and ‘.review’. Each of these domains experienced a major dip post-GDPR.

There has been an increase in the percentage of ‘.com’ domains registered, close to 5pc more after the 25 May GDPR deadline. Spammers do not often use this domain type for their schemes.

The report said: “The ‘.com’ space is relatively spam free, with only 4.8pc of .com domains classified as bad by Spamhaus.”

Tim Chen, CEO of DomainTools, said, “ICANN’s response to GDPR has effectively granted default anonymity to domain registrants”, referring to the organisation that governs Whois policy.

Chen added: “While it is heartening that over the first 90 days we’re not seeing a spike in spam, it is important to evaluate the full spectrum of cybercrime, cyber-espionage and generally bad behaviour online before concluding this new law does not impact internet security.”

iPad with Gmail app on display. Image: BigTunaOnline/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects