Spam Not So Profitable?


Professional spamming continues at record levels despite the best efforts of security researchers, Internet stakeholders and law enforcement groups to kill it off — making spam seem like a business too profitable to die.

Yet while spam groups do make money off their increasingly elaborate efforts, it’s not nearly as lucrative as you might think.

A new report by researchers at the University of California at San Diego (UCSD) and the International Computer Science Institute at Berkeley, Calif., concludes that the widespread, spam-distributing Storm botnet earns only about $3.5 million per year.

“The total daily revenue attributable to Storm’s pharmacy campaign is likely closer to $7,000 (or $9,500 during periods of campaign activity),” the researchers wrote. Nevertheless, Storm is “certainly a healthy enterprise.”

The researchers derived their finding from a rough estimate, extrapolating trends from their brief use of the botnet to send out measurable but harmless spam and phishing messages.

Their research reported 569 conversions on close to 500 million spam messages. They sent three different kinds of messages, two of which were similar to the spam the botnet uses to propagate.

A third message contained faux pharmaceutical spam similar to the kind the botnet uses to make money. The researchers sent 347,590,389 pharmaceutical spam messages, which generated 10,522 site visits and 28 sales, a conversion rate of 0.0000081 percent.

That small rate of return means that for spammers to make serious money, they have to trade in bulk. It also means that due to the high overhead of running such an operation, the pharmaceutical spammers have to own the botnet to make money from the business, the report said.

“Storm continues to distribute pharmacy spam — suggesting that it is in fact profitable,” the report said. “One explanation is that Storm’s masters are vertically integrated and the purveyors of Storm’s pharmacy spam are none other than the operators of Storm itself (i.e., that Storm does not deliver these spams for a [third-party] in exchange for a fee).”

Caveat computer user

So how does a business that’s not too profitable manage to account for 85 percent to 90 percent of worldwide e-mail?

The answer may be that users are not being as careful as they should be, according to a recent report from the Messaging Anti-Abuse Working Group (MAAWG) called “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course, I Never Reply to Spam — Except Sometimes.’”

“The finding that worries me the most is that about 80 percent don’t think they will get a bot,” MAAWG chair Michael O’Reirdan told “Given that bots are designed to be subtle pieces of code that operate under the radar, and given figures on infection rates from reputable security researchers, people are not alert enough to something that is a real problem.”

“People have to be more proactive,” he said. “They’re not as successful at protecting themselves as they think they are. Microsoft, Apple, and Canonical make it easy to patch the operating system and people should be doing that and also patching their applications.”

For Windows users, he recommended a free tool from Secunia that scans for vulnerabilities.

Asked whether managers of corporate networks can blame residential users for the level of infection of the Internet as a whole, O’Reirdan said that finger-pointing is counterproductive and that corporate networks also contain bots.

“It’s everybody’s problem,” he said. “There’s a lot the enterprise can do in terms of deploying bot detection technologies. They can examine the DNS, not just deploy [an intrusion detection system]. ISPs are certainly starting to do that.”
