Showing posts with label spamhaus. Show all posts

Friday, April 11, 2008

Post #4 on Why Spam Filters Suck "trickle blog" series



"Spamonomics": The Economics of Spamming

Spammers earn billions of dollars annually. The business is efficient, hierarchical, and organized. In much the same way that the global trade in narcotics involves every conceivable method of smuggling (from submarines to drug mules), the spam trade employs software engineers to develop increasingly sophisticated delivery technologies. Just as the drug trade will continue until the end of humanity, so too will the illegal delivery of spam.


To understand how spamming has become such an intractable problem, it helps to analyze the economics that drive it. Spammers make money if one in every 30,000 recipients makes a purchase. Given this response rate, a spammer advertising pharmaceutical products can expect to make roughly $5,000 per million email messages sent.


Finding out what it costs to send spam is not difficult: Botnet operators advertise their spamming services via online forums. One forum mentioned a price of $100 to send one million spam messages. If we assume that $100 is the cost per million spam messages, and $5,000 is the revenue, then the gross margin from spamming is approximately 98 percent.


Although some spam filters provide better accuracy than others, filter accuracy across the board is approximately 90 per cent, meaning that only one in ten spam messages reaches a recipient. If global anti-spam effectiveness could be improved from 90 to 95 per cent, earning $5,000 from spamming would require sending 2 million spam messages, rather than 1 million. This increase in volume would reduce the spammers’ profit margin from 98 per cent to 96 per cent, assuming sending costs remained constant. If global anti-spam accuracy reaches 99 per cent -- a figure that experts will tell you is nearly inconceivable given the innovative methods of spammers -- the added sending costs would reduce the spamming margin to 80 per cent. Google is one of the world’s most profitable advertising companies, with a margin of 25 per cent -- imagine 80 per cent. This is a business that won’t be going away any time soon.
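The margin arithmetic above can be written as a small model. This is an added example, not code from the original post: the class and function names are hypothetical, and it assumes, as the post does, that the response rate and the $100-per-million sending cost stay constant. It goes one step beyond the three cases in the text by solving for the filter accuracy at which the margin reaches zero.

```python
# Added example: the post's spam margin arithmetic as a model (names are hypothetical).
from dataclasses import dataclass


@dataclass(frozen=True)
class SpamEconomics:
    cost_per_million: float = 100.0      # forum price quoted in the post
    revenue_target: float = 5000.0       # revenue per 1M sent at baseline accuracy
    baseline_accuracy: float = 0.90      # filter accuracy the post assumes today

    def messages_needed(self, accuracy: float) -> float:
        """Millions of messages to send so that revenue stays at revenue_target."""
        if not 0.0 <= accuracy < 1.0:
            raise ValueError("accuracy must be in [0, 1); at 1.0 nothing is delivered")
        # Revenue tracks delivered mail, so volume scales with the ratio of
        # the baseline delivery rate to the new delivery rate.
        return (1.0 - self.baseline_accuracy) / (1.0 - accuracy)

    def margin(self, accuracy: float) -> float:
        """Gross margin (0..1) when filters catch `accuracy` of all spam."""
        cost = self.cost_per_million * self.messages_needed(accuracy)
        return (self.revenue_target - cost) / self.revenue_target

    def break_even_accuracy(self) -> float:
        """Accuracy at which sending cost equals revenue (margin == 0)."""
        # cost * (1 - b) / (1 - a) = revenue  =>  1 - a = cost * (1 - b) / revenue
        delivered = self.cost_per_million * (1.0 - self.baseline_accuracy)
        return 1.0 - delivered / self.revenue_target


def margin_table(model, accuracies):
    """Rows of (accuracy, millions of messages needed, margin in per cent)."""
    return [
        (a, round(model.messages_needed(a), 2), round(model.margin(a) * 100, 1))
        for a in accuracies
    ]


if __name__ == "__main__":
    model = SpamEconomics()
    for acc, millions, pct in margin_table(model, [0.90, 0.95, 0.99]):
        print(f"accuracy {acc:.0%}: send {millions}M messages, margin {pct}%")
    print(f"break-even filter accuracy: {model.break_even_accuracy():.1%}")
```

Under these assumptions the margin only reaches zero once filters stop 99.8 per cent of spam, which is why accuracy gains in the 90 to 99 per cent range barely change the spammer's incentive.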


Before botnets arrived, spammers could be stopped by blocking their IP addresses. DNSBLs like Spamhaus and Habeas block between 60 and 70%. With the introduction of botnets, blocking no longer provides a sufficient solution to the spam problem.


NEXT: Post #5 Why Are Botnets So Difficult To Stop?

PREVIOUS: Post #3 Final Ultimate Solution to the Spam Problem (FUSSP)

Wednesday, November 28, 2007

Google Caches Virus Popup

This evening I was looking at some of the spam found in my Gmail Spam folder. I started using Google Search to see if I could correlate some websites related to the spam. I did find some interesting things, such as that the bad English "recorded for security purpose", found on one spam-related website, is copied across several spam-related sites. I was looking for some casual correlation to hopefully find some bad IP addresses not found in one of the top RBL sites, such as Spamhaus. Alas, Spamhaus had me beat. It knew them all.

But then I found something rather interesting. I came across a website with a pop-up, trying to get me to download a Windows executable file.



In order for this to work I'd have to click on the fake dialogue button "Continue". Then a real dialogue with an option for "Save As" appears, I download it, open it, and enjoy using my new virus. Okay, so nothing new and exciting there. It's a pretty simple website trying to con me into running their malicious code.

Now I was curious how many duplicate pages out there had the same pop-up, so I did a search for the text "You need to download new version of Video ActiveX Object to play this video file.".

I clicked on the first result.



But the page was gone.



I was really looking forward to that virus pop-up. Never mind, maybe Google Cache can help me out.





Excellent! The spammer took down the webpage linking to their exploit code, but luckily Google Cache was able to save a copy of the page, which popped up the "Save As" dialogue, so I can now download it and start enjoying my new virus, as it silently rips through my machine, stealing my personal data and emailing spam around the world.

I uploaded this file to the Kaspersky Virus Scanner and it was identified as being "infected by Trojan-Downloader.Win32.Zlob.eob".

Oh no, I just realized. This exploit is not platform independent and will not run on my machine. It only runs on Windows and I'm using Ubuntu Linux. I guess I'll have to keep googling...