Your Spammer May Be a Victim, Too

By Larry Seltzer  |  Posted 2007-12-19 Print this article Print

Opinion: No, I don't feel sorry for them, but it could be that the people selling items through spam don't make a living at it. It's the botnet owners who make money on this business.

Security vendors like to report spam numbers, including the overall percentage of e-mail that is spam. The consensus on this number is north of 90 percent now. You'll see some lower numbers, including about 60 percent from Symantec, but that number discounts certain classes of spam. Essentially, the percentage of e-mail that is spam is approaching 100. Recent history tells us that it will continue to approach 100 asymptotically, as the raw growth of spam exceeds the raw growth of ham, the techie term for legitimate e-mail.

At the same time—and I have no hard data on this—I have to think that the success rate for spammers, meaning the number of actual sales they make per message they send out, is going down, and from am already very low number. In other words, it's asymptotically approaching 0. There's no way to know the actual success numbers; in fact, I doubt anyone does or can know the numbers. Is this a winning formula?

The massive Storm worm botnet is being segmented into smaller, more nimble networks of zombie PCs through the use of 40-byte encryption. Click here to read more.

You often hear people presume that spamming must be profitable and that someone must be buying the things being sold because they keep sending out more spam. I don't think this conclusion necessarily follows from the facts. First, we need to separate two classes of people involved in spamming you.

First there are the actual people—let's call them merchants—pushing penny stocks, selling "body enhancement" pills, fake Rolexes and business leads. They aren't the ones who do the actual spamming; the spammers are a direct marketing service agency to them. Second there are botherders, the people who "0wn" the botnets and do the actual mechanics of sending the e-mail.

There is no doubt in my mind that the people in the second group are making money, at least some of them. The more resourceful of them construct large networks of other people's computers out of nothing but their own effort (combined with an absence of morals, of course). This gives them a platform they can sell to the first class of spammers, those with the actual phony products, and also to identity thieves and other nefarious types.

The merchants get no feedback on how many of their messages get through to end users and especially into the inbox. Certainly none of them publicly report how successful a campaign is; after all, they are often selling products that are illegal or embarrassing to talk about. And it's in the botherders' interest to sell at the highest price they can get. I have no trouble believing that few, if any, of the merchants make money, and certainly not good money.

I spoke to Adam O'Donnell, director of Emerging Technologies at Cloudmark, which lives in the world of spam every day, about these issues and trends they are observing in the world of spam. He feels that the merchants are doing well, but we're both basically guessing. Neither of us has good information on this issue, nor does anyone else.

O'Donnell pointed out the strong position of the botherders. To the extent they have time on their hands in 2008, he expects them to spend it reinforcing their networks, making them more defensible against security vendors and other botherders out to poach bots from their networks.

On the merchant side, O'Donnell expects a wave of spam pushing schemes related to refinancing and foreclosures to take advantage of problems in the mortgage markets. We've already seen some of this, but he's right. Spammers would do better with this than penny-stock scams.

Of course, it's largely an academic question, since the problem remains and the spam numbers continue to go up. It's a shame we don't know more about the actual economics of businesses that rely on spam—it could provide some useful information.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. More from Larry Seltzer Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog, Cheap Hack.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel