Illicit email volumes and suspicious domain registrations provide early looks at presidential candidates market strength

Share with your network!

Update, March 5, 2020: This post has been updated to include additional data from January 1-8 in Figures 1-3 to provide a complete year-to-date summary of election-related UCE. Further updates will occur in subsquent blog posts throughout the election season.


During the 2016 United States election season, Proofpoint found a strong correlation between apparent brand strength and volumes of “Unsolicited Commercial Email” (UCE — junk mail, defined as unsolicited and often illicit email sent by actors operating for shady, if not outright illegal purposes) associated with particular presidential candidates. We know that threat actors and illicit emailers regularly leverage major events, seasonal occurrences, natural disasters, and more to improve the effectiveness of their lures, and further research over US and international election cycles confirmed a relationship between illicit email volumes and election outcomes. In 2016, such email mentioning Donald Trump dramatically outpaced illicit email with Hillary Clinton in the subject line, while in 2017, UCE mentioning Emanuel Macron topped volumes for his competitors leading up to the French national election.  

We saw similar trends in UK and German elections in 2017. To that end, we began analyzing UCE volumes associated with candidates in the 2020 US primaries, We will be updating our results regularly this year as the election season moves forward but are already finding that illicit emailers continue to update and modify subject lines to track shifting brand strength and major campaign events. 

This year for the first time we also began tracking registration of suspicious domains leveraging the names and brands of each candidate and noted similar relationships. As we explained in 2017.  

“As with most things, causation and correlation are difficult to differentiate without extensive historical data. However, UCE volumes do appear to have predictive value in high-profile elections given how carefully spammers apparently track public opinion and align themselves with strong brands. This also speaks to how candidate branding relates to success in modern elections and gives a path for us to further study potential causal relationships between spam and election outcomes. High-volume spam with well-crafted clickbait lures not only reinforce brands through familiarity but address Cialdini’s principles of influence relating to authority and social proof.” 

The results of our analysis for the first two months of 2020 are below. 

Analysis: Candidate-related UCE volumes 

As in 2016, we tracked subject lines in UCE mentioning the last names of candidates in the 2020 elections. Illicit email was identified using proprietary Proofpoint algorithms and differentiated from legitimate bulk email. This year, we began analyzing subject lines much sooner in the primary season, and present data on candidates still in the race through February 29 (including Tom Steyer, who dropped out of the race that day). As the Democratic field narrows, future analyses will continue to focus on active candidates. 

Year-to-date overall UCE volumes mentioning individual candidates suggests that Donald Trump not only has the incumbent’s advantage but also maintains the strongest brand as he did in 2016. While we did not conduct a complete sentiment analysis of subject lines, anecdotal examination suggests that subjects included a mix of both positive and negative language for all candidates. Polarizing brands simply give illicit email actors more fodder for subject lines in emails that may lead to anything from affiliate spam landing pages unrelated to the presidential campaign to attack or misinformation sites. 

As shown in Figure 1, Trump-related UCE continues to dominate, with almost three times the volume of the Democratic front-runners combined. These identified front-runners include Joe Biden, Michael Bloomberg, Pete Buttigieg, Amy Klobuchar, Bernie Sanders, and Elizabeth Warren; both Buttigieg and Klobuchar dropped out of the race after the closing date of this analysis. 


Figure 1: Relative overall candidate-related UCE volumes through February 29, 2020 

Looking at UCE volumes over time paints a more nuanced picture. While Figure 2 continues to show Trump-related illicit email appearing in high volumes throughout the study period, both Figures 2 and 3 (the latter of which removes Trump data to allow a zoomed view of other candidates) demonstrate an ebb and flow of UCE volumes roughly corresponding to shifts in polling, major events in the election season, and changes in relative market strength. For example, Bloomberg-related UCE increased dramatically in the leadup to the Nevada debate (the first featuring Bloomberg). Sanders-related volumes increased steadily after that point, as did Biden-related illicit email, though at lower volume. Note that these are four-day moving averages to allow trends to emerge without being overshadowed by daily noise and substantial intra-day variation. 


Figure 2: Daily UCE volumes for all Democratic and Republican candidates as of February 29, 2020 


Figure 3: Daily UCE volumes for all Democratic candidates as of February 29, 2020 

Analysis: Candidate-related domain registrations 

In 2020, Proofpoint also began tracking domain registrations related to the US presidential candidates. Using the official candidate websites as seeds in our proprietary digital risk monitoring tools, we identified suspicious domains registered from January 1 to February 29. Suspicious domains could include those used for fraud, those potentially violating copyright, brand infringement, and more.  

As with UCE volumes, suspicious sites with “trump” in the URL made up over half of the suspicious domains identified in our analysis. Unlike illicit email volumes, in which Sanders-related email subjects were within a few percentage points of other top Democratic candidates, Sanders-related domains made up over a quarter of new suspicious domains (Figure 4).  

Figure 4: Overall relative volumes of identified suspicious domains by candidate, January 1 through February 29 

While looking over the two-month study period at suspicious domain registrations does not reveal obvious event-related spikes as we observed with UCE volumes, Figure 5 shows a steady increase in Sanders-related domains from mid-February as the candidate emerged as a front-runner. Relative numbers of Trump-related domain registrations dropped in February as threat actors appeared to turn their attention to Sanders, and, to a lesser extent, Biden, Warren, and Klobuchar. 

Figure 5: Daily suspicious domain registrations for Democratic and Republican candidates with new registrations as of February 29, 2020 


We will continue to monitor these trends throughout the election season. Extended events like national election cycles provide insight into actor tactics, highlighting ways in which they capitalize on media coverage and brand strength to shift resources and increase the effectiveness of their campaigns. As in years past, the old trope that there is no such thing as “good” or “bad” publicity appears to hold true for election-related UCE. Using illicit email volumes as a surrogate for brand strength suggests that both positive and negative coverage garners eyeballs and clicks and bad actors know this as well or better than political pundits and pollsters.