It caught me off guard the other day when a couple spam messages slipped into my Gmail inbox. Gmail’s spam filter so rarely lets them slip by nowadays, I hadn’t recalled seeing one for months.
Via TechRadar, a study from the University of California, Berkeley, and UC San Diego (PDF link) has revealed some interesting statistics about the success rate of spam. Researchers sent out 350 million fake spam messages, linking to a fake pharmacy site. Of all those messages, only 28 sales resulted, a response rate of less than 0.00001%, or 1 in 12.5 million. However, this still results in potentially USD$100 revenue per day.
Especially interesting is how they conducted this study: they hijacked control of 75,869 zombie PCs that were already part of an active botnet under malicious control. The Storm botnet started in January 2007 through a trojan horse distributed by email spam. Despite having been targeted in Microsoft’s monthly Malicious Software Removal Tool, the botnet flourished, peaking at up to 50 million systems, and maintaining numbers in the hundreds of thousands up until October 2008, when three of the four major control servers were shut down. The botnet appears to have been run “for rent” as a black market enterprise, with the primary function of sending out spam email. Based on the study results, the researchers estimate that the controllers of the botnet are making more than USD$2M per year. Revenues are likely higher if the botnet is also being used as hosts for bank phishing scams, “pump and dump” penny stock manipulation or performing distributed denial of service attacks. Infrastructure costs are low when most of the work is done by compromised zombie Windows PCs.
TechRader’s post on this story, ironically, had four blog spam comments on it.