Your Spammer May Be a Victim, Too

Opinion: No, I don't feel sorry for them, but it could be that the people selling items through spam don't make a living at it. It's the botnet owners who make money on this business.

Security vendors like to report spam numbers, including the overall percentage of e-mail that is spam. The consensus on this number is north of 90 percent now. You'll see some lower numbers, including about 60 percent from Symantec, but that number discounts certain classes of spam.

Essentially, the percentage of e-mail that is spam is approaching 100. Recent history tells us that it will continue to approach 100 asymptotically, as the raw growth of spam exceeds the raw growth of ham, the techie term for legitimate e-mail.

At the same time—and I have no hard data on this—I have to think that the success rate for spammers, meaning the number of actual sales they make per message they send out, is going down, and from an already very low number. In other words, it's asymptotically approaching 0. There's no way to know the actual success numbers; in fact, I doubt anyone does or can know the numbers. Is this a winning formula?


You often hear people presume that spamming must be profitable and that someone must be buying the things being sold because they keep sending out more spam. I don't think this conclusion necessarily follows from the facts. First, we need to separate two classes of people involved in spamming you.

First there are the actual people—let's call them merchants—pushing penny stocks, selling "body enhancement" pills, fake Rolexes and business leads. They aren't the ones who do the actual spamming; the spammers are a direct marketing service agency to them. Second there are botherders, the people who "0wn" the botnets and do the actual mechanics of sending the e-mail.


There is no doubt in my mind that the people in the second group are making money, at least some of them. The more resourceful of them construct large networks of other people's computers out of nothing but their own effort (combined with an absence of morals, of course). This gives them a platform they can sell to the first class of spammers, those with the actual phony products, and also to identity thieves and other nefarious types.

The merchants get no feedback on how many of their messages get through to end users and especially into the inbox. Certainly none of them publicly report how successful a campaign is; after all, they are often selling products that are illegal or embarrassing to talk about. And it's in the botherders' interest to sell at the highest price they can get. I have no trouble believing that few, if any, of the merchants make money, and certainly not good money.

I spoke to Adam O'Donnell, director of Emerging Technologies at Cloudmark, a company that lives in the world of spam every day, about these issues and the trends it is observing. He feels that the merchants are doing well, but we're both basically guessing. Neither of us has good information on this issue, nor does anyone else.

O'Donnell pointed out the strong position of the botherders. To the extent they have time on their hands in 2008, he expects them to spend it reinforcing their networks, making them more defensible against security vendors and other botherders out to poach bots from their networks.

On the merchant side, O'Donnell expects a wave of spam pushing schemes related to refinancing and foreclosures to take advantage of problems in the mortgage markets. We've already seen some of this, but he's right. Spammers would do better with this than penny-stock scams.

Of course, it's largely an academic question, since the problem remains and the spam numbers continue to go up. It's a shame we don't know more about the actual economics of businesses that rely on spam—it could provide some useful information.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
