Spam Campaigns Work, But Don't Generate Big Profits

It's a question all computer users ask from time to time, as we delete yet another advertisement that has squeaked past our spam filters:

Does anybody really buy this stuff?

A group of California university researchers last week published a research paper that attempts to answer this very question. In a detailed study on spam conversion rates (PDF), the researchers tested the ability of the well-known Storm botnet to deliver advertisements and "convert" the recipients into paying customers.

The researchers found that, yes, there are people who buy products from spam ads, and, yes, it is possible to make money from spam campaigns. But they also found that the potential profit from a successful campaign may not be nearly as high as some pundits have speculated.

In a series of experiments, the researchers set out to determine just how much money could be made by sending spam. Their first problem was overcoming the ethical question of how to do a spam study without actually adding to the huge volume of spam on the Web -- or actually selling an illegal product.

That's why researchers decided to infiltrate Storm. "[We] convinced it to modify a subset of the spam it already sends, thereby directing any interested recipients to servers under our control, rather than those belonging to the spammer," the paper says. "In turn, our servers presented Websites mimicking those actually hosted by the spammer, but 'defanged' to remove functionality that would compromise the victim's system."

Using this approach, the researchers documented three spam campaigns comprising more than 469 million email messages. They determined how much of the spam is successfully delivered, how much is filtered by antispam tools, and how many users clicked through to the advertised site. They also set up processes for the illegal sale of pharmaceuticals and the download of malware, creating errors at the very end of the process so that no final sales could be completed and no malware was actually distributed.

Having infiltrated Storm and set up three ethical experiments, the researchers measured the results. The first test was an online pharmacy that offered several different kinds of drugs. In this test, the researchers observed the transmission of nearly 350 million spam messages. They estimate that approximately 24 percent (more than 82 million) reached the mail systems of the recipients, though they could not tell how many actually reached the destination mailbox.

Of the delivered messages, about 10,500 resulted in a user clicking over to the destination Website, the paper says. Only 28 users went through the process required to purchase a drug; all but one of the sales were for a male enhancement product. The average sale was about $100.

Extrapolating the results mathematically, the researchers estimate that a pharmaceutical spammer using the full bandwidth of the Storm botnet for a single campaign might hope to make between $7,000 and $9,500 per day, or about $3.5 million a year. If the revenue was split between the spammer and the botnet operator, the income would be significantly lower for each. "This number could be higher if spam-advertised pharmacies experience repeat business -- a bit less than the 'millions of dollars every day' [estimated by some experts], but still a healthy business," the study says.

However, the researchers also extrapolated possible costs associated with maintaining the botnet and executing the campaign, estimating that the retail cost of sending 350 million email messages would be more than $25,000. This suggests that renting a botnet may not be a very profitable pursuit, and that the operators of Storm may actually be doing much of the spamming themselves, the paper postulates.

Experiments with sending "postcard" spam and malware yielded similar results in delivery -- about 25 percent reached the target email system -- and slightly higher percentages of click-through. The postcard "attack" was sent to nearly 84 million addresses and successfully "infected" 316 recipients. The malware attack was sent to approximately 40 million addresses and infected 225.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message