« Hidden Linux : Scripted video encoding | Main | Hidden Linux : Easy GRUB editing »

Thinking of starting your own spam network like these three enterprising Kiwis? You might like to read Spamalytics: An Empirical Analysis of Spam Marketing Conversion first. It's the rather dry title of a fascinating paper on the economics of spam.

Using a parasitic infiltration of an existing botnet’s infrastructure, we analyze two spam campaigns: one designed to propagate a malware Trojan, the other marketing on-line pharmaceuticals. For nearly a half billion spam e-mails we identify the number that are successfully delivered, the number that pass through popular anti-spam filters, the number that elicit user visits to the advertised sites, and the number of ”sales„ and ”infections„ produced.

The results? Very interesting...

After 26 days, and almost 350 million e-mail messages, only 28 sales resulted — a conversion rate of well under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88—a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network — we estimate roughly 1.5 percent based on the fraction of worker bots we proxy. Thus, the total daily revenue attributable to Storm’s pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.

Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year. This number could be even higher if spam-advertised pharmacies experience repeat business. A bit less than ”millions of dollars every day„, but certainly a healthy enterprise.

But then the authors go on to examine how much of that is profit:

Anecdotal reports place the retail price of spam delivery at a bit under $80 per million. This cost is an order of magnitude less than what legitimate commercial mailers charge, but is still a significant overhead; sending 350M e-mails would cost more than $25,000. Indeed, given the net revenues we estimate, retail spam delivery would only make sense if it were 20 times cheaper still.

And don't forget to add in the maximum fine for spamming in NZ: $200,000.

And yet, Storm continues to distribute pharmacy spam — suggesting that it is in fact profitable. One explanation is that Storm’s masters are vertically integrated and the purveyors of Storm’s pharmacy spam are none other than the operators of Storm itself (i.e., that Storm does not deliver these spams for a third-part in exchange for a fee).

Like any other, spam is a business. If idiots didn't buy the stuff, it would simply go away.


Posted by Geoff Palmer on November 14, 2008 10:34 PM |

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)