Researchers recreate spam campaign to estimate spam revenue

Posted on November 12, 2008 - 00:01 by Wolfgang Gruener

San Francisco (CA) – Spam is without doubt one of the most annoying and dangerous sides of the Internet. However, if you begin looking into spam, the people behind it, the mechanisms, the technology and the economics, it is also a fascinating component of a cat-and-mouse game we play in our email inboxes every day. Researchers from UC Berkeley dug deeper into the background of spammers and published the most comprehensive paper on the likely profit we are aware of. We admit that the result surprised us and we are sure you will be surprised as well.

The paper “Spamalytics: An Empirical Analysis of Spam Marketing Conversion”, released by seven researchers from UC Berkeley and UC San Diego, describes three carefully crafted spam campaigns hitting users around the world on all the major email hosting services. The campaigns were carried out over the Storm botnet and included about 470 million messages – 350 million advertising a pharmaceutical product, 84 million in a postcard campaign and 40 million in an April Fools campaign.

It does not take much to figure out that many of those emails were caught by spam filters and that most users would delete the emails anyway if they do not know the sender and see a subject line that looks suspicious. But then we also know that spam is a business, and one generally believed to be very profitable. But how profitable? And how many recipients open those emails, react to them and actually purchase a product?

In short, possibly very few. The researchers found that those 350 million emails promoting a pharmaceutical product resulted in 10,522 users (bots excluded) clicking through to the advertised website. 28 of them tried to purchase the product (which did not exist; the attempt resulted in an error message). Those 10,522 came from all over the planet and there was no hint of people in certain geographies being more receptive to spam than others. The conversion rates in the other two campaigns were much higher – the postcard campaign brought 3827 click-throughs and 316 conversions, while the April Fools campaign delivered 2721 click-throughs and 225 direct conversions.

The theoretical revenue in the pharmaceutical campaign was $2731.88, which is not really impressive for 350 million emails. But that is really only half the story. In the end, there were only 350 million emails, which is very low by any standard – even traditional email harvester applications are currently able to detect about 5000 to 10,000 emails per minute. Imagine what a network of computers is capable of. And we know that about 120 billion spam messages are being sent each day. With that in mind, the researchers estimated that a similar campaign run across the Storm network should generate about $7000 - $9500 of revenue per day. Storm-generated pharmaceutical spam therefore could produce roughly $3.5 million of revenue in a year.

That may sound like a lot, but it ignores the fact that even spammers have to pay to send spam. There are substantial expenses and it is generally assumed that it costs about $80 to send 1 million spam messages. If that is true, then a campaign as laid out by the researchers would not even be close to turning a profit. Just to break even, the described campaign would need to be ten times cheaper – or about $7.80 per million – and we are not even talking about product cost and profit margins.

There is not much we know about the profit margins of spam, but common sense suggests that spam is profitable one way or the other. And if that is the case, the UC Berkeley/UCSD study may provide technical background, but remains in the dark when it comes to actual conversion rates and profitability of this business.

Author’s opinion

About five years ago, when Spamhaus was at the height of waging a big war against mastermind spammers Alan Ralsky and Scott Richter (complete list here), the German weekly Der Spiegel asked me to do some research and find out how far the influence of the world’s most significant spammers may reach. Back then, the world of spam was very different – spammers were just transitioning to collaborate with malware distributors and there were no botnets. However, as far as I could tell, spam back then was a massively profitable business – much more profitable than I would have imagined.

I was able to interview Ralsky, who was considered the world’s most influential spammer at the time, twice. Back then, he told me that he employed somewhere between 30 and 100 people, many of them software engineers who were looking for jobs after the dotcom bubble was gone. The servers were located in China and were capable of sending 70 million messages a day – or 2.1 billion per month. There was quite a bit of marketing involved, which hinted at much higher conversion rates – about 7000 to 15,000 purchases per campaign – and Ralsky took a share of 40% of every sale that was made. We leave it up to you to estimate how much revenue those campaigns yielded – but they were apparently high enough to pay for up to 100 skilled employees and they were certainly high enough to enable spammers to pay multi-million dollar fines without hurting.

A source told me at the time that the ten largest spammers employed more than 400 people back in 2004 and were in a monthly cut-throat competition for revenue. While actual revenues were kept under wraps from the public, I was told that those ten spamming organizations made more than $50 million in sales – each month. Not surprisingly, Ralsky declined to discuss his sales during the interview, but it was clear that there was more money in this business than the $120,000 of income he reported for himself in the 2003 tax year. And it was an open secret that island nations in the Caribbean such as St. Kitts and Nevis were a favorite among spammers to hide their profits.

The times may be different today and users may be much more careful opening emails and buying products advertised via spam. But spammers employ much more sophisticated technologies and approaches today – and send a greater volume of spam that may compensate for the changed user behavior. The gap between profitability then and what the UC Berkeley/UCSD study found is too big in my opinion – and even the researchers say that there is unknown information that makes spam profitable. And as long as it is profitable, we will see email inboxes – or at least spam filters – that are flooded with spam.

You can read the 2004 article on Alan Ralsky here (PDF here, translated version here, courtesy of Google. Note: The translation is very rough). In January of 2008, Ralsky and ten others – including his son-in-law – were indicted (nine were arrested) on accusations of manipulating stock prices in China, which allegedly brought Ralsky about $3 million in net profit. Ralsky is currently in jail and awaiting trial.     
