Spamonomics

Since last Wednesday, the torrent of junk e-mail coursing through the internet has been slowed dramatically, with 40 percent or more of it cut off at the source.

The source of all that spam? San Jose, California. That’s where a group of servers responsible for much of the world’s spam had been operating until they were severed from the internet last week.

The servers had controlled some of the world’s biggest botnets, the legions of hijacked personal computers that flood your inbox with ads for male-enhancement drugs.

The shutdown could be a major blow to spammers’ finances. Every day the botnets remain down means revenue lost. But how much revenue?

Nobody knows for sure, but a team of computer scientists at U.C. Berkeley and U.C. San Diego with an ingenious plan recently reported the first-ever hard numbers on the economics of spam.

After taking over part of an existing botnet, the Berkeley team waged its own spam campaign, sending out almost 350 million pieces of junk e-mail over 26 days. By the end of their trial, they had netted a whopping 28 sales. That’s about one response for every 12.5 million e-mails sent, a conversion rate of less than 0.00001 percent.

They estimate the yearly revenue of the botnet they had infiltrated at around $3.5 million (their full paper is available here).

To put that in perspective, spam costs U.S. companies $33 billion a year in lost productivity, according to one estimate, and $100 billion worldwide.

So it seems likely that the spam industry generates far less wealth than it destroys.

But the parasitic scam will remain with us as long as one in every 12 million or so of us buys the product they’ve been spammed for.

So what are the characteristics of the 28 good souls who decide to click on through and make a purchase?


James

The types of people who actually 'click through' on spam are the same types who get suckered into 419s and other 'Nigerian scams'.

In a way, it's digital Darwinism. If you get ripped off, perhaps you should've been aware of who you're dealing with in the first place.

Robert

I'm a small business (15 employees - we get about 100K spam attempts a day) and my reports (from GFI Mail Essentials) don't show any significant drop off in spam over the past 2 weeks. There was a drop on 11/12 but my spam is back to the normal levels for the most part.

frankenduf

i'm 1 of the 28- what i wanna know is what all the other untold minions do for enhancement

RKReed

The 28 good souls? They're probably impotent, single, and of a mind that they're just a replica watch and a good penny stock tip away from turning it all around.

Also, as an aside, the whole "spam dropped 40-50% overnight" story was totally bogus. I work for a good-sized hosted email filter service, and we saw something like a 5-10% drop in traffic that day, and then a return to normal traffic the very next day. What the articles all failed to mention was that the day in question was Veteran's Day - a holiday.

Derick

I'm really tired of Darwin comparisons excusing bad behavior. That's not how it works.

Caliphilosopher

#1 -

Darwinism? What you're describing isn't Darwinism at all. More like folk biology/sociology (at the most charitable).

Kevin H

Isn't this a good target for government involvement? Create an international cyber crime type unit, that basically just gives Russia 1 billion dollars to hunt out spammers, saving us 20 billion? Some safeguards would be needed of course to make sure the spam actually gets taken down.

Also, there is another way to cut down on costs, teach people to use anti-virus software and remove the botnet which allows these creeps to do this all nearly cost free.

Joe Smith

As governments look for ways to revive the economy and boost productivity, a crack down on the dead weight losses from spam would be one good place to start.

Robert

What really gripes me is that these spammers are obviously smart enough to create this botnet - why can't they use their smarts to make legit money?

tim

The ISP in question was not the "source" of the spam. It contained a fair number of machines used for controlling the machines that send the spam out (usually people's personal computers).

@RKReed

Whether it was a holiday or not is irrelevant. Botnets don't take days off. But I do agree with you that the percentage reported is too high. Besides - the number has returned to normal by now.

Charles

Two comments:

1) I know corporations are opposed to giving away something for nothing, but it seems to me that donating 1/1000th of your anti-spam budget to an organization that would create good, free antivirus software would help to prevent the botnet problem, ultimately reducing everyone's costs. I know a lot of people know that viruses are out there, but don't really want to pay the $50 for antivirus software (esp. younger people more likely to be on the net). This really is a collective action problem where a collective approach is more likely to result in a lower priced solution.

2) I think we will always be stuck with spam so long as it costs nothing to send spam. Introducing an email "stamp" system, where every email cost some de minimis amount would eliminate most of the problems with spam. My guess is that most ISPs would set things up so that you had 1000 or more free emails a month, beyond that it was like one cent. Legitimate businesses would still send out their emails, because sales would likely outweigh costs. But spam operators could not survive. Based on the extremely low rate of return, you could probably make it 100 emails per cent and still dissuade most spammers (but not hamper nonprofits, political campaigns, etc.).

PaulK

You all are missing the real headline number: "One in 10 people clicking through to receive the malware is a pretty sobering number," - that is, 10% of the people getting email with links to download malware (making their machine into a bot) clicked the link! This would be the "see naked pictures of x", "click here to restore your paypal account", and "to stop us canceling your Visa card, click here" type emails. This is how these bot-nets get so big and why shutting down a few servers really does little good. Even shutting those down does not help since many of the infected machines have multiple malware instances installed and/or have more than one lookup location to get new instructions.

Aaron

The business model for most spammers doesn't rely on the sale of enhancement products anymore. These are pretty much all phishing scams now so look at it as 28 accounts they now have access to instead of just 28 sales.

Bobby G

Note to self: don't open up any emails from "frankenduf" (#3)...

JimJ

Free anti-virus: AVG free by grisoft is free for home use. They don't always make it easy to find (since they would rather sell the commercial version), but ... it is a way to avoid the costs.

Statler

I was wondering why the amount of spam I receive had dropped off recently.

G

My GF fell for some MSN spam. "Her friend" sent her a message about some "cool service". I guess her friend has a virus on her computer that sends out these messages... Anyway, my GF who's not native in the language of the message proceeded to sign up for some SMS service. It cost her something like $4 dollars and the messages keep on coming.

Jonathan

The whole 'donate to make free antivirus available' is the classic prisoner's dilemma.
If everyone ELSE puts in YOU are better off NOT to put in. So the business that doesn't put in wins, and those that don't lose. Nobody will be for first in (first loser) and everyone will be the first out.
This is a clear example where a free market doesn't work, and some sort of regulation would be required.

RKReed

From a technology perspective, the government could end spam permanently, inexpensively, and in a matter of days if it were motivated to do so. The big question becomes whether spam (not phishing, viruses, etc, just spam) is a crime or a costly annoyance. And if you argue the former, how do you then differentiate between electronic advertising and physical advertising? There's a potential for an ugly, slippery legislative slope.

@tim

Holidays definitely matter, as do the days of the week as far as spam traffic goes. Even as botnet traffic grows, the patterns are clear and distinct. Weekday holidays will generally bring ~10% less traffic. Sunday mornings you see about 30% of normal traffic. Tuesday around lunchtime EST traffic tends to peak around 125% normal. Of course we see anomalies, but the trend lines are pretty stable.

Mo

I remember in college about 6 years ago hearing a woman from MSFT discuss some ideas to reduce spam that they were working on. The one I specifically remember matches with my economic intuition:

Each email sent to someone not on your "friends" list would cost a small amount. This could be a fraction of a cent OR a delay of 5 seconds to send it. The point is that it would change the incentives for the spammers but only mildly cost the average guy/company.

In fact, by reducing all the spam, it should net benefit everyone (except the spammers). It seems like the best solution to an out of control negative externality.

That lecture though was the last I ever heard of it.