The Economics of Spam

By Matthew Harwood

Spammers can turn a profit even when there is a minuscule probability that a sent spam e-mail will result in a sale, according to a study by researchers from the University of California at Berkeley and San Diego.

The researchers say it is possible that spammers can generate $3.5 million in revenue a year based on their "admittedly dangerous assumption" that their "measurements are representative over time."

The team led by Stefan Savage, computer scientist at UC-San Diego's Department of Science and Engineering, conducted the study by infiltrating the Storm botnet and sending almost 500 million spam e-mails, mostly advertising male enhancement, to see how many people "clicked through" to the fake e-commerce pharmacy Web site they created.

"In effect," the study says, "the best way to measure spam is to be a spammer."

The researchers, however, sidestepped any ethical or legal problems by simply redirecting spam that the botnet already sends to their fake Web site. Recipients who clicked on the URL within the spam e-mail were sent to the fake pharmacy site, and if they tried to purchase anything, the site returned an error message.

"Unlike the sites normally advertised by Storm, our sites do not infect users with malware and do not collect user credit card information," wrote the researchers. "Thus, no user should receive more spam due to our involvement, but some users will receive spam that is less dangerous than it would otherwise be."

After 26 days and approximately 350 million spam e-mails sent, the researchers only had 28 sales, a dismal conversion rate of under .00001 percent. All but one of the purchases were for male enhancement products that sold for just under $100 each. By the end of the study, the researchers would have had revenues of $2,731.88, just over $100 a day. While this seems meager, the researchers note they only redirected 1.5 percent of the Storm botnet. Using their data and extrapolating it to the entire botnet, researchers believe spammers can make at least $7000 a day or roughly $3.5 million a year.

The good news, the researchers conclude, is that profit margins are probably slim, meaning there probably isn't a retail market for spam where people pay spammers to send out their messages. The researchers hypothesize that the same people that run the Storm botnet also design and send out the spam messages distributed by it.

"Put another way," the researchers explain, "the profit margin for spam (at least for this one pharmacy campaign) may be meager enough that spammers must be sensitive to the details of how their campaigns are run and are economically susceptible to new defenses."

