Economies of Scale in the Spam Business
"Barak Obama Is on the Verge of Death!"
This header on a piece of pre-election spam had credibility problems (spelling the candidate's first name correctly might have helped), but it got people's attention. It was one of a slew of junk-mail blasts that used campaign-related topics to trick unwary readers into opening the message. This particular missive carried an image that, when clicked, jumped credulous recipients to an online pharmacy site.
Other pre-election spam promised nude pictures of a candidate's wife, blamed the death of a (perfectly healthy) public figure on President Bush, or warned that "The State is in peril." Each example (captured by antispam company Cloudmark) shows spammers trying to make their mass-mailings more enticing by fronting them with fake headlines about prominent people in the news. But who falls for this garbage?
The good news is that few people do. An infiltration of spam networks by researchers offers a rare glimpse into spam "conversion rates"--the percentage of people who respond to each displayed online ad, piece of direct mail, or spam sent. According to the study, "Spamalytics: An Empirical Analysis of Spam Marketing Conversion," only 1 in 12.5 million pieces of spam ended up snaring someone foolish enough to buy from a fake online pharmacy. But even that minuscule response rate is enough to reward spammers with a tidy profit.
A host of quiet cookie trackers and other tools help marketers gauge the conversion rate for banner ads and the like, but such numbers for spam are normally very difficult to obtain. To overcome this problem, computer science researchers at University of California campuses in Berkeley and San Diego effectively hijacked a portion of the Storm botnet, which uses a huge network of malware-infected PCs to send spam and conduct other dirty business.
A Better Mousetrap
The researchers captured some of the work orders sent across the botnet's control network and surreptitiously substituted Web links of their own into the spam content. When clicked, the modified links brought up sites that mimicked the spammer's pharmacy site, complete with a shopping-cart checkout, or downloaded and installed a harmless file in place of the bad guys' Storm malware. The computer users in question would otherwise have wasted real money (and possibly exposed their credit card numbers to further fraud), or been infected by real malware--strengthening the researchers' case that their actions were ethical and helped prevent harm, even as they gathered fascinating data.
From March 21 through April 15, 2008, the study tracked 347 million pieces of e-mail hawking pharmaceuticals and 124 million more attempting to infect computers with malware. Only a tiny fraction reached addressees' inboxes, and the researchers found that "the popular Web mail providers all [did] a very good job at filtering the campaigns we observed."
Of the people who did receive the spam, 28 attempted to buy items from the researchers' fake site (all but one of them went for "male-enhancement products"). The average take of $100 or so pulled in from those visitors might sound like a pittance, but the study's authors estimate that if the Storm botnet sent the pharmaceutical spam at the same rate throughout the year and enjoyed the same success rate, the annual revenue would add up to a tidy $3.5 million dollars. Even with operating costs such as hosting Web sites and botnet command servers (a cost the authors couldn't be sure of) subtracted, the potential profit is large.
It's disheartening that the economics of spam mean that it won't be going away any time soon. But a recent good-guy win offers an uncommon ray of hope in the fight against the black hats.
Botnet operations like the Storm worm need a place to host their command centers, which distribute orders--send spam, launch an Internet attack, and the like--to their army of bot-infected PCs. "Bullet-proof" hosting providers offer that service, and typically ignore complaints from investigators who try to get them shut down. But recently, one major hosting center proved not so bullet-proof.
The companies that provided Internet access for the McColo Corp. datacenter, a provider in San Jose, yanked that access in November after the Washington Post shined the light on the black-ops taking place there. The move had an immediate, drastic effect on spam levels. Matt Sergeant, a senior antispam technologist at MessageLabs, says that junk e-mail in his company's spam traps fell to about a third of its normal level after McColo's servers were cut off.
Sergeant and others expect the spam to return as spammers find new hosts. "But even if spam levels go back up as of tomorrow," he says, "it's absolutely a victory. Billions and billions of spam messages weren't sent."