Introduction

The "conversion rate" of spam — the probability that an unsolicited e-mail will ultimately elicit a "sale" — underlies the entire spam value proposition. However, our understanding of this critical behavior is quite limited, and the literature lacks any quantitative study concerning its true value. In the CCIED Spamalytics project, we introduced a methodology for measuring the conversion rate of spam. Using a parasitic infiltration of an existing botnet's infrastructure, we analyzed three spam campaigns: two designed to propagate a malware Trojan, the other marketing on-line pharmaceuticals. For nearly half a billion spam emails we identified the number that are successfully delivered, the number that pass through popular anti-spam filters, the number that elicit user visits to the advertised sites, and the number of "sales" and "infections" produced.

Key Results

The Storm botnet partitions its infected machines into worker and proxy bots. In essence, worker bots are responsible for instantiating and sending spam, while proxy bots serve as conduits for the command-and-control traffic. Please refer to our our Campaign Trail paper for detailed explanation of Storm's spamming mechanics.

We built an infiltration setup for the Storm botnet which allowed us to rewrite the botnet's command-and-control traffic at the proxy bot level, so that the rewritten spam templates and dictionaries caused worker bots to produce spam that contained links pointing to websites under our control, instead of the spammer's sites. Our sites operated real-looking but suitably disarmed pharmacy and infection setups that allowed us to measure the whole pipeline of spam delivery from the initial stage consisting of spam the botnet attempts to send, to the final stage consisting of the user activity that would have lead to a pharmacy purchase or a malware infection. The following diagram illustrates the stages of this pipeline:

Over the course of our experiment, we rewrote the content of nearly 470 million spams — 347 million pharmaceutical, 83 million greeting card, and 40 million April Fools' Day spams. This lead to 28 "purchases" and 541 "infections," shown here geographically and red and yellow, respectively:

This translates into the following conversion rates:

• 1 in 12,500,000 pharmacy spams lead to a purchase.
• 1 in 265,000 greeting card spams lead to an infected machine.
• 1 in 178,000 April Fool's Day spams lead to an infected machine.
• 1 in 10 people visiting an infection website downloaded the executable and ran it.

We caution the reader to generalize these numbers into other contexts. Our measurements represent individual data points, and different campaigns, tactics, or products may certainly yield different conversion rates.

For detailed discussion of our infiltration effort and a wide range of measurement results please refer to the CCS paper.

Links

• Schott's Vocab on "Spamalytics", New York Times, 25 May 2011.

Press

• Researchers Hijack Storm Worm to Track Profits, Washington Post, 7 Nov 2008.
• Spammen im Dienste der Wissenschaft, heise.de, 8 Nov 2008.
• Study shows how spammers cash in, BBC News, 10 Nov 2008.
• Researchers hijack botnet for spam study, The Register, 10 Nov 2008.
• Study: Viagra spam is profitable, but margins are tight, Network World, 11 Nov 2008.
• Jede 12,5-millionste Spam-Mail ist erfolgreich, Spiegel Online, 11 Nov 2008.
• The Economics of Spam, Bruce Schneier, 12 Nov 2008.
• Economies of Scale in the Spam Business, Erik Larkin, PC World, 12 Dec 2008.
• Spam grows up, Berkeley Science Review, 1 May 2009.
• Equation: How Much Money Do Spammers Rake In?, Wired Magazine, March 2011.
• Slashdot, Digg, Reddit, F-Secure, Circle ID, Ars Technica.

Related Publications

• Click Trajectories: End-to-End Analysis of the Spam Value Chain pdf bib

  K. Levchenko, A. Pitsillidis, N. Chachra, B. Enright, M. Felegyhazi, C. Grier, T. Halvorson, C. Kanich, C. Kreibich, H. Liu, D. McCoy, N. Weaver, V. Paxson, G. M. Voelker, and Stefan Savage. IEEE Symposium on Security and Privacy, 2011, Oakland, USA.

• Spamalytics: An Empirical Analysis of Spam Marketing Conversion pdf html bib

  C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. 15th ACM Conference on Computer and Communications Security (CCS), 27-31 October 2008, Alexandria, VA.

• Spamalytics: An Empirical Analysis of Spam Marketing Conversion (invited article) pdf bib

  C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. Communications of the ACM, 52(9), pp. 99-107, September 2009.

• Spamcraft: An Inside Look At Spam Campaign Orchestration pdf bib

  C. Kreibich, C. Kanich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. Second USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '09), 2009, Boston, USA.

• On the Spam Campaign Trail pdf html bib

  C. Kreibich, C. Kanich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08), 2008, San Francisco, USA.