Tuesday, 9 October 2012

Does spamming make people rich?

We have all been annoyed by them - advertisements, pop-ups, spam letters, 'you-won' windows and the list goes on. And many ask: why are spam emails being sent at all? The answer would seem obvious: because they are (at least somewhat) effective as a method of marketing. But is that assumption testable, and are the profits measurable? It would appear that they are - and seven computer scientists at UCLA, Los Angeles did just that.

Source: Washington Post

What is spam?

Spam - the term comes from a Monty Python sketch - is a collective term for all forms of unwanted online advertising. In its most basic form, hundreds of thousands of e-mails are sent from computers infected by malware, with the advertisers hoping that their links will have a high conversion rate - that is, the number of people buying the product divided by the total number of advertisement viewers.
Organising the distribution of these spam e-mails is once again hard work - a common method is the use of a Storm Botnet, a centralised network of infected computers, headed by the bot master and the master servers. These provide commands for the proxy bots, which act as 'leaders' of their own respective groups of infected computers. Due to the multiple layers of organisation, the culprits remain untraceable, and the entire activity falls into the so-called informal economy.

Business model

Spammers set up the bot networks and send out the e-mails, but they aren't the ones whose products need to be sold. What does the business network of the spam industry look like, then? Thanks to a former spammer (whose experiences have been referenced in the study above), we can provide a near-complete picture - even though it has to be noted that the model varies case by case.
The complete chain involves merchants, e-mail list traders, spammers, botnet managers, and the target audience.

  • Merchants are the companies and entrepreneurs who would like to sell their goods online, using spam marketing. They are the 'bad guys' - their goods, which include so-called 'male enhancement products', prescription drugs and online gambling subscriptions, are often of low quality or even worse, fake.
  • E-mail list traders are programmer specialists responsible for the creation of target lists, writing malicious software themselves which helps them collect lists of addresses, often grouped thematically. Traders sell their lists to spammers, who can utilise these with regard to the actual advertisement scenario.
  • Spammers are the 'organisers', who buy lists from traders, rent time from botnet managers and combine these resources to spread the messages of the merchants. Their profit is conversion rate-based; hence the more buyers they are able to attract, the more income they will generate.
  • Botnet managers are the technicians responsible for creating spam-delivering networks like the Storm Botnet listed above. They get their share through lending computer time to the spammers.
  • Target audience, finally, is the proportion of Internet users who are brave, naive or inattentive enough to buy products from such obscure sources. While their numbers are small, they form a devoted community (usually due to gambling or prescription drug addictions). And just how big and devoted? See the results of the paper below.

Research method

So how do we assess the profitability of the business model described above, and measure conversion rates? Due to the reasons mentioned above (the illegality of the scheme), there is a huge range of uncertainty for any empirical assessment - the best shot of anyone trying to investigate the field is to become part of the chain themselves, and that is what the researchers did.
The scientists focused solely on e-mail spam distributed by Storm bot networks. They created a set of fake e-mail addresses (with different amounts of spam filtering at service providers). The exact methodology of the process can be found here, but when they were done, they created two fake websites, one pharmaceutical and one selling postcards, which sent purchasers who tried to check out to an Error 404 page, counting each attempt in the process.


After a measurement period of 26 days and some 350 million spam e-mails, the number of resulting sales was a mere 28. The conversion rate was hence well under 0.00001%. Considering this, spamming doesn't seem like a particularly profitable business - but then we have underestimated the number of spam emails sent during campaigns. To quote the researchers:
Of these [28 purchases], all but one were for male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88—a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network — we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm’s pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). [...]
Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year.

Not so small anymore, right? Hence we have proven the profitability of spam marketing - when the costs of advertising are virtually zero for the advertiser, unscrupulous manufacturers will naturally hire spammers who will send hundreds of millions of e-mails to their victims. According to the Message Anti-Abuse Working Group, around 89% of all e-mails sent in 2011 were abusive. Welcome to the brave new world of spam.
