They Spam, We Buy

As promised in my last blog post, I wanted to share one of the interesting papers from MAAWG. “Spamalytics: An Empirical Analysis of Spam Marketing Conversion” describes a study into how spammers operate and why spam volume continues to grow: profit. The study was conducted by the International Computer Science Institute and the Department of Computer Science and Engineering at the University of California, San Diego.

The study had a simple purpose: to measure the conversion rate of spam, i.e., the percentage of spam messages that actually lead to the intended action, such as a purchase or malware download. As it turns out, measuring this is quite difficult, as spammers generally don’t publicize their identity, never mind their sales figures. Instead, the paper describes how the team was able to infiltrate the STORM botnet and change the target web sites in the message payload to point to their own servers. Those web servers contained copies of the spammer’s web site with any dangerous payload or actual shopping cart processing removed.

Using this method, the team was able to effectively measure the deliverability, access patterns, and conversion rates of spam victims, providing a complete picture of the spam value proposition (the income from the sales minus the cost of sending the spam and serving malware via web sites).

Both their methodology and their results are fascinating. They “participated” in three spamming campaigns over a 26-day period: a pharmacy campaign pushing pill sales as an affiliate, and both a “postcard” and an April Fools malware delivery campaign intended to spread the STORM bot to more machines. The results are summarized in Table 3 of the paper.

After discussing these results, including spam filtering effectiveness as well as the countries most apt to receive the spam and those which responded, the paper concludes with what is at the heart of the matter: how profitable is spamming as a business? In their particular study, of the 28 purchasers, the average purchase price was $100 ($2731.88 in total). While this doesn’t sound profitable, since product and spamming costs need to be accounted for, their study only measured 1.5% of the worker bots used by STORM. An estimate of the daily sales would likely be closer to $7000 or higher as new bots were created by the “postcard” infections. Extrapolated out, that would be about $3.5 million per year in sales, of which the affiliate could make 10% or more. This bears out that spam continues to increase because it is a financially beneficial operation (until you get caught).

This entry was posted in Gregory Shapiro, Uncategorized.

One Response to They Spam, We Buy

  1. And in return it gives us a job, keeping our users from becoming one of these statistics
