Industry Committee on Nov. 7th, 2017

We do. I'm specifically looking at botnets, but I do see what's going on elsewhere. There is considerably less of what you would call “white spam”, which is somebody making a mistake and sending out stuff they shouldn't have. We're seeing the criminal side. There is more grey. More black is predominating. We are still tracking down people who are running botnets with a Canadian affiliate, and that sort of thing. We're seeing a lot of that. We're tracking back all sorts of stuff to Canadians. We're tracking all sorts of stuff to Canadian hosting, which is where the CRTC has been doing really well in being able to go to a hoster—

An example is advertising fake pills. These are being done by groups of people, many people, who when they send out their spam will have a link on it so that when someone follows that link to the illegal pill site, there's a cha-ching that gives the affiliate a penny. It's that sort of thing.

The other form is when I said hosting—

And that affiliate was Canadian.

They are. I don't know if any of them have gone all the way through yet, but they are looking at that.

The other thing they are working on, at a less than “in front of a judge” level, is dealing with Canadian hosting environments or hosting providers who provide web services to someone when, through one way or another, they take on part of a criminal spamming infrastructure, meaning that the website for pills is there, or a command and control point for malicious botnets—

It's quite good. The CRTC needs more time and experience in dealing with them.

Yes. It's a matter of experience and time and working away at it. Mr. Lau is not seeing it, but I'm seeing how the CRTC is interacting with international organizations, law enforcement, and regulatory bodies.

I'm seeing it. There's a lot more going on than we used to see.

Absolutely.

Spamhaus offers its threat intelligence data to individuals and small organizations for free. It always has. We are all believers in doing that. However, when we get into a big organization, we figure that we are saving them millions of dollars and making their customers happier. It costs us money to run our organization and to buy equipment, so they need to pay for it. All the small guys get it for free, though.

All the country-based incident response teams get our data for free so they can help secure their countries. CCIRC gets our data for free. CRTC gets some of our data for free. We are doing a lot of that. Not very many other companies do that; some do.

In terms of small companies trying to protect themselves, they can use our data as we suggest. They can go with other organizations that have similar data or with software techniques. We tend not to require the user to buy software. They are buying the information and they are using the software they already have to use it, but there are other solutions that do a much better job.

Yes. In fact—as she was referring to with the question about how small organizations do their marketing and whether they are going to worry about trying to do it themselves—there is a burgeoning market of companies that are specifically intended to run mail and marketing campaigns for small companies. Some of them are free, or virtually free. You can use their machinery, their software, and their stuff, and for very small amounts of money you can be pretty sure that you are very close to being fully in compliance with CASL.