A tiny response means spammers still cash in (PA)
Spammers are turning a profit despite only getting one response for every 12.5m e-mails they send, finds a study.
By hijacking a working spam network, US researchers have uncovered some of the economics of being a junk mailer.
The analysis suggests that such a tiny response rate means a big spam operation can turn over millions of pounds in profit every year.
It also suggests that spammers may be susceptible to attacks that make it more costly to send junk mail.
The spam study was carried out in early 2008 by computer scientists from University of California, Berkeley and UC, San Diego (UCSD).
For their month-long study the seven-strong team of computer scientists infiltrated the Storm network that uses hijacked home computers as relays for junk mail.
At its height Storm was believed to have more than one million machines under its control.
The team, led by Assistant Professor Stefan Savage from UCSD, took over a chunk of the Storm network to make it easier to run their study.
"The best way to measure spam is to be a spammer," wrote the researchers in a paper describing their work.
They created several so-called "proxy bots" that acted as conduits of information between the command and control system for Storm and the hijacked home PCs that actually send out junk mail.
The team used these machines to control a total of 75,869 hijacked machines and routed their own fake spam campaigns through them.
The research team created a legitimate looking pharmacy site.
Two types of fake spam campaign were run through these machines. One mimicked the way Storm spreads using viruses and the other tried to tempt people to visit a fake pharmacy site and buy a herbal remedy to boost their libido.
The fake pharmacy site was made to resemble those run by Storm's real owners but always returned an error message when potential buyers clicked a button to submit their credit card details.
While running their spam campaigns the researchers sent about 469 million junk e-mail messages. The vast majority of these were for the fake pharmacy campaign.
"After 26 days, and almost 350 million e-mail messages, only 28 sales resulted," wrote the researchers.
The response rate for this campaign was less than 0.00001%. This is far below the average of 2.15% reported by legitimate direct mail organisations.
"Taken together, these conversions would have resulted in revenues of $2,731.88—a bit over $100 a day for the measurement period," said the researchers.
Scaling this up to the full Storm network the researchers estimate that the controllers of the vast system are netting about $7,000 (£4,430) a day or more than $2m (£1.28m) per year.
While this was a good return, said the researchers, it did suggest that spammers were not making the vast sums of money that some people have predicted in the past.
They suggest that the tight costs might also open up new avenues of attack on spammers.
The researchers concluded: "The profit margin for spam may be meagre enough that spammers must be sensitive to the details of how their campaigns are run and are economically susceptible to new defences."