Spamhaus News | Sept. 8, 2018

GDPR, WHOIS and Spam – how is it all panning out?

The real answer is that it is far too early to tell. Various articles currently state that “nothing has happened” as a result of GDPR or that “spam has fallen slightly”; however, the true effects of GDPR providing anonymity to domain owners will take a long time to play out. The crux of the matter isn’t the effect GDPR is having on spam levels, but how it’s hampering organizations’ ability to effectively stop career cybercriminals from defrauding innocent people.


Unless you have been marooned on a desert island with no contact with the outside world for the past year, you will be aware that Europe’s General Data Protection Regulation (GDPR) was implemented on 25th May 2018. In relation to “WHOIS”, the protocol used to determine who owns a domain or IP address, the interpretation of this regulation has led to limitations on the information that registrars are disclosing. In some cases, information is being withheld not only for EU natural persons, but also for non-EU persons and companies.

How do security researchers use WHOIS data?

Before GDPR came into effect, records such as a domain’s registered owner and registered contacts could be looked up in WHOIS databases maintained by individual registrars governed by ICANN.

WHOIS information was used by researchers in organizations such as Spamhaus to help determine a domain’s reputation. Domains determined from this and other factors to have a bad reputation would potentially have been listed on our Domain Block List (DBL).

Read full article by Quentin Jenkins here.

SOURCE The Spamhaus Project