With all that email that piles in for vi*gra and unlucky Nigerian princes, we assume that someone, somewhere, makes tons of money on it all. But some stealthy University of California researchers at Berkeley and San Diego concluded that spammers may be easier to thwart than we thought.
They tell the story in “Spamalytics: An Empirical Analysis of Spam Marketing Conversion,” published about one year ago. (Download the PDF here.)
To gather data, they devised trickery of their own: They infiltrated an existing spam botnet.
“By infiltrating the botnet parasitically, we convinced it to modify a subset of the spam it already sends, thereby directing any interested recipients to Web sites under our control.”
The team studied three campaigns: one selling pharmaceuticals and two propagating malware. They tracked nearly a half billion spam emails to count successful deliveries to mail servers, successful passes through anti-spam defenses, user visits to advertised sites, and sales and infections. Throughout, researchers were careful to avoid doing any harm; users responding to infiltrated bots could never actually buy drugs or download malware.
In the study’s small sample, only about a quarter of all the spam leaving their cave ever reached a mail server. Of the spam that targeted Hotmail, Gmail, Yahoo, or Barracuda, only about 16 percent reached users’ inboxes. Only about one in 12,500,000 users originally targeted ever took the bait, a 0.00001 percent conversion rate.
Researchers extrapolated from their tiny sample — roughly 1.5 percent of all traffic on this network — that the spammers might gross about $3.5 million per year, and higher if users come back for more.
But low conversion is what we’ve always assumed. What’s critical, and tricky, is estimating costs. The researchers figured that even at $80 per million, an average derived from anecdotal evidence, costs would be too great unless the spammers were vertically integrated: the vi*gra and the spam delivery all operate under one roof.
This discovery is “heartening,” says the paper.
“… profitable spam campaigns require organizations that can assemble complete ‘soup-to-nuts’ teams. Put another way, the profit margin for spam (at least for this one pharmacy campaign) may be meager enough that spammers must be sensitive to the details of how their campaigns are run and are economically susceptible to new defenses.”
Spam may be easier to beat than we thought. Anyone for a “surge”?