Cyber Interview: SPAM Email and GDPR

While SPAM email has been flooding our inboxes for many years now, what do we really know about who’s sending them and where they come from? And how is SPAM impacted by the upcoming – and increasing – data privacy and security regulations states are implementing worldwide?

Our very own cybersecurity expert, Julien Patriarca, Professional Services Director at WALLIX, helps answer some burning questions about SPAM.

What is SPAM email?

In short, a SPAM is unsolicited email. But, if I were to send you an email now that would, in a sense, be an unsolicited email, but it would still make it safely to your inbox. It would arrive, of course, because it’s being sent from an email address that is known, verifiable, etc. So then, a SPAM email is an unsolicited email, yes, but one that is also harmful or a nuisance. That is to say, an email that is irrelevant to you, maybe is of no interest, or aims to take advantage of you.


How does SPAM arrive in email inboxes?

These days, anti-SPAM filters are very powerful, especially for corporate email inboxes. For a filter to identify a SPAM email, it must match a set of specific criteria and achieve what’s called a score. Filters block emails that reach a certain score, based on key terms, an analysis of the sender, email addresses flagged as spammers, and email servers that maintain what’s known as a Real-Time Blacklist (RBL) which identifies which domains are legitimate and blocks those that are not.

So, in fact, of the millions and millions of SPAM emails that are sent out, at least 90% are blocked by anti-SPAM filters. Those that are not blocked have managed to disguise themselves to be perceived as legitimate email. This means that in order to get even a small fraction of emails to slip through and actually make it to a person’s inbox, they need to mass-mail literal billions of emails at a time.
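An added illustration of the score-based filtering described above (example code written for this page, not WALLIX's or any vendor's filter): each rule adds to a score and the message is blocked once the total crosses a threshold. The blocklist domains, term weights, threshold and the two sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins for an RBL feed and a tuned rule set (assumptions,
# not real data): domains, term weights and the threshold are all made up.
RBL_DOMAINS = {"bulk-offers.example", "cheap-meds.example"}
KEY_TERMS = {"viagra": 3.0, "free": 1.0, "winner": 2.0,
             "click here": 1.5, "unsubscribe": 0.5}
THRESHOLD = 5.0  # messages scoring at or above this are blocked

def score_message(raw: str) -> tuple[float, list[str]]:
    """Score one RFC 5322 message; return (score, reasons that fired)."""
    msg = message_from_string(raw)
    score, reasons = 0.0, []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in RBL_DOMAINS:  # sender analysis: blocklisted domain
        score += 4.0
        reasons.append(f"rbl:{domain}")
    # Sender analysis: display name shows an address from another domain
    claimed = re.search(r"@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != domain:
        score += 2.0
        reasons.append(f"display-name-mismatch:{claimed.group(1).lower()}")
    # Key-term analysis over subject and body, each term counted once
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    for term, weight in KEY_TERMS.items():
        if term in text:
            score += weight
            reasons.append(f"term:{term}")
    if msg.get("Message-ID") is None:  # bulk mailers often omit this header
        score += 1.0
        reasons.append("missing-message-id")
    return score, reasons

def classify(raw: str) -> str:
    return "spam" if score_message(raw)[0] >= THRESHOLD else "ham"

# Constructed sample messages (not captured traffic)
SPAM_SAMPLE = ('From: "billing@bank.example" <promo@bulk-offers.example>\n'
               "Subject: You are a WINNER - free pills\n\n"
               "Click here to claim your free viagra prize.\n")
HAM_SAMPLE = ("From: Alice <alice@partner.example>\n"
              "Subject: Meeting notes\nMessage-ID: <1@partner.example>\n\n"
              "Notes attached; feel free to call if you have questions.\n")
if __name__ == "__main__":
    for sample in (SPAM_SAMPLE, HAM_SAMPLE):
        print(classify(sample), score_message(sample))
```

The reasons list is what a real filter would write to its log so an analyst can see which rule pushed a message over the line.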

What is the difference between SPAM and Phishing?

While conceptually different, phishing is, in fact, a type of SPAM, as they both use the same vector: email. SPAM emails are just mass-mailed messages which often have real people and real (albeit shady) businesses behind them. Phishing emails, however, have malicious intentions, pure and simple. Phishing generally aims to trick recipients into clicking a link by pretending to be your bank, your utility company, or other legitimate sites, in order to steal your password and login credentials or other valuable personal data.

Contrary to what people often think, clicking a link in a SPAM email and even entering your credit card details typically poses very little risk.

SPAM emails, on the other hand, are actually typically quite safe. Counterintuitive as it might be, spammers are very cautious about protecting their customer data. They often represent real businesses with real products and revenue, and unhappy clients threaten their livelihood. Take, for example, a stereotypical SPAM email selling some sort of pharmaceutical. It might be a knock-off medication, but it exists, and the company is going to take your payment and ship you a real product. Spammers will do everything possible to secure these transactions and prevent your credit card number from being stolen. As soon as a customer complains to Visa or MasterCard, their ability to process bank transactions is revoked and they’re out of business, so they are quite highly invested in providing good customer service and protecting their clients.

How do spammers find email addresses?

Ultimately, a spammer’s most valuable asset is their database of email addresses.

To build up a database, hackers scour the web every minute to scrape all the email addresses they can find. As we said, they need millions of addresses to have enough of a chance that some make it through the filters and that a minimum number of people actually open them and click. It’s actually an enormous amount of work, and highly competitive – spammers often hack each other to steal their databases.

In order to send emails at this volume, spammers use Botnets, networks of connected objects that have been hacked and exploited to send emails. That’s right, your connected refrigerator and home assistant – anything in the Internet of Things (IoT) – could be used to send SPAM without your knowledge. These Botnets, rented out by the hackers that build them, allow spammers to send billions of emails via millions of devices at all times.

SPAM and the GDPR

The General Data Protection Regulation (GDPR), which goes into effect May 25th of this year, aims to protect the privacy of EU citizens by requiring organizations to secure all personal data to certain minimum standards. If email addresses are considered personal data, they may fall under GDPR regulations.

How will the GDPR impact SPAM email?

As spammers technically operate outside of the law, government data security regulations won’t necessarily have a significant effect on their actions. That said, with regards to the GDPR, it might change a little bit. Why? Because, as we said, the key to SPAM is their databases of email addresses. If we consider email addresses to be personal, private data, and GDPR requires companies that possess this type of data to protect it well, that could have an impact on the volume of SPAM by making the source of the data harder to access. If hackers can’t acquire email addresses, they’re out of business. So yes, it’s possible that GDPR will have an impact on the volume of SPAM email in the world.

But it’s important to consider, GDPR or not, it’s always good to protect your databases, to ensure that they are not accessible, that they can’t be distributed.

How can we strengthen cybersecurity ourselves?

At the individual level, if everyone ensures their own level of security is higher, they can play a role in decreasing SPAM and other malicious cyber activity. For companies and for individuals, increasing security is simple, with even a minimum understanding of cybersecurity. If every single person chooses a password that is not easily guessed, with basic complexity criteria (mix of caps and lowercase, numbers, symbols) for their accounts and connected devices, they could increase security exponentially.

If I buy, say, a Google Home or Amazon Alexa, it’s directly connected to the internet. Well, I need to ensure that it is at least secured – that is, I change the default login credentials, using a more secure password (not just password123), etc. to prevent the IoT object from being hacked and used in a Botnet to distribute millions of SPAM emails.

Ultimately, each and every person is responsible for the volume of SPAM. If I put “password123” on my device, potentially, unbeknownst to me, I am participating every day in SPAM.


Want to learn more about password management, the IoT, and GDPR? Get in touch with a WALLIX cybersecurity expert!