Is spamming more profitable than anti-spamming? Researchers cast doubt

By Ken Simpson

The BBC is reporting today on a study conducted by researchers at the Universities of California, Berkeley and San Diego, in which the researchers infiltrated the “Storm” botnet (by creating command and control proxies), routing Storm victims to the researchers’ web servers rather than the usual Storm web servers. The researchers’ web servers were configured to run lookalike spam sites such as Internet pharmacies, except that any attempted purchases were met with an error message.

The results are rather shocking: spamming is not nearly as profitable as has been reported in the media over the past few years. Indeed, of the 347,590,389 pharmacy spam messages that the botnet attempted to deliver, only 10,522 visitors actually clicked on the pharmacy URL embedded within the message. Of these visitors, only 28 attempted to make a purchase, for a conversion rate of just 0.0000081%.

The researchers also investigated the filtering accuracy of three of the major free email providers as well as one major anti-spam vendor (Barracuda Networks) by creating test accounts and watching how much spam from their botnet managed to reach each account. Of the pharmacy spam, Barracuda fared worst, with 0.131% of spam getting through. Google’s Gmail service allowed 0.00683% of the spam to get through; Yahoo permitted 0.00173%; and Hotmail completely blocked the spam. If I were to hazard a guess, I would say that Hotmail has probably figured out how to detect and block the Storm botnet using connection-layer techniques, such as those employed within MailChannels Traffic Control.

The researchers showed blacklisting to be an enormously effective way to blunt the Storm botnet.
This nifty chart shows how blacklisted zombies have a vastly lower delivery rate than zombies that are not blacklisted:

When the researchers extrapolated their results to the entire Storm botnet, they estimated that the annual net revenue of Storm is in the range of $1.75M. Depending on how many people are behind Storm, that’s not a whole lot of bottom line to write home about.

In any case, whether spamming is enormously profitable or highly marginal, the damage it does to the legitimate economy is enormous – in the billions each year, and that’s only counting the cost of anti-spam systems. If I am encouraged by anything in this paper, it is that continued efforts to create better anti-spam solutions are likely to make spamming more marginal, and defense against spam less costly.