country. Further, India, France, and the United States dominate responses. In terms of response rates, however, India,
Pakistan, and Bulgaria have higher response rates than
any other country (furthest from the diagonal). The
United States, although a dominant target and responder,
has the lowest resulting response rate of any country, followed by Japan and Taiwan.
However, the countries with predominant response rates
do not appear to reflect a heightened interest in users from
those countries in the specific spam offerings. Figure 10
plots the rates for the most prominent countries responding
to self-propagation vs. pharmacy spam. The median ratio
between these two rates is 0.38 (diagonal line). We see that
India and Pakistan in fact exhibit almost exactly this ratio
(upper-right corner), and Bulgaria is not far from it. Indeed,
only a few TLDs exhibit significantly different ratios, including the United States and France, the two countries other
than India with a high number of responders; users in the
United States respond to the self-propagation spam substantially more than to the pharmaceutical spam, and the reverse
holds for users in France. These results suggest that, for the
most part, per-country differences in response rate are due
to structural causes (quality of spam filtering, user education) rather than differing degrees of cultural or national
interest in the particular promises or products conveyed by
the spam.
8. CONCLUSION
This paper describes what we believe is the first large-scale
quantitative study of spam conversion. We developed a methodology that uses botnet infiltration to indirectly instrument spam emails such that user clicks on these messages
are taken to replica Web sites under our control. Using this
methodology we instrumented almost 500 million spam messages, comprising three major campaigns, and quantitatively characterized both the delivery process and the conversion rate.
[Figure 10. Response rates (stage D in the pipeline) by TLD for executable download (x-axis) vs. pharmacy visits (y-axis). Scatter plot; x-axis: "Response rate for self-prop email", y-axis: "Response rate for pharmacy e-mail", points labelled by three-letter country code.]
106 Communications of the ACM | September 2009 | Vol. 52 | No. 9
We would be the first to admit that these results represent a single data point and are not necessarily representative of spam as a whole. Different campaigns, using different
tactics and marketing different products will undoubtedly
produce different outcomes. Indeed, we caution strongly
against researchers using the conversion rates we have measured for these Storm-based campaigns to justify assumptions in any other context. At the same time, it is tempting
to speculate on what the numbers we have measured might
mean. We succumb to this temptation below, with the understanding that few of our speculations can be empirically validated at this time.
After 26 days, and almost 350 million email messages,
only 28 sales resulted—a conversion rate of well under
0.00001%. Of these, all but one were for male-enhancement
products and the average purchase price was close to $100.
Taken together, these conversions would have resulted in
revenues of $2,731.88—a bit over $100 a day for the measurement period or $140 per day for periods when the campaign
was active. However, our study interposed on only a small
fraction of the overall Storm network—we estimate roughly
1.5% based on the fraction of worker bots we proxy. Thus,
the total daily revenue attributable to Storm’s pharmacy
campaign is likely closer to $7000 (or $9500 during periods
of campaign activity). By the same logic, we estimate that
Storm self-propagation campaigns can produce between
3500 and 8500 new bots per day.
Under the assumption that our measurements are representative over time (an admittedly dangerous assumption
when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly
3.5 million dollars of revenue in a year. This number could
be even higher if spam-advertised pharmacies experience
repeat business, a bit less than “millions of dollars every
day,” but certainly a healthy enterprise.
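The revenue extrapolation in the preceding paragraphs, carried through as an added Python example (not code from the paper): it reproduces the per-day, botnet-wide and annual figures from the quoted sales, revenue, duration and 1.5% proxied share, and adds a sensitivity check on that proxied-share estimate. The number of active days is not stated in the text and is assumed here to be the value implied by the quoted $140 per active day.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class CampaignSample:
    """Figures observed through the proxied slice of the botnet."""
    sales: int               # purchases completed at the replica sites
    revenue_usd: float       # gross revenue of those purchases
    messages: float          # spam messages instrumented
    days_measured: float     # calendar length of the measurement
    days_active: float       # days on which the campaign actually sent
    proxied_fraction: float  # estimated share of worker bots proxied

def conversion_rate(s: CampaignSample) -> float:
    """Sales per message sent; the paper quotes 'well under 0.00001%'."""
    return s.sales / s.messages

def observed_daily_revenue(s: CampaignSample, active_only: bool = False) -> float:
    """Revenue per day as seen by the proxies, per calendar or active day."""
    days = s.days_active if active_only else s.days_measured
    return s.revenue_usd / days

def botnet_wide_daily_revenue(s: CampaignSample, active_only: bool = False) -> float:
    """Scale the observed rate up by the inverse of the proxied fraction."""
    return observed_daily_revenue(s, active_only) / s.proxied_fraction

def annual_revenue(s: CampaignSample) -> float:
    """Assume continuous sending at the active-period rate for a year."""
    return botnet_wide_daily_revenue(s, active_only=True) * 365

def proxied_fraction_sensitivity(s: CampaignSample, fractions) -> dict:
    """Annual estimate under alternative guesses of the proxied share,
    showing how much the headline number rides on that one estimate."""
    return {f: annual_revenue(replace(s, proxied_fraction=f)) for f in fractions}

# Constructed from the figures quoted in the conclusion. days_active is
# an assumption: it is back-derived from the quoted $140/day active rate.
STORM_PHARMACY = CampaignSample(
    sales=28, revenue_usd=2731.88, messages=350e6, days_measured=26,
    days_active=2731.88 / 140, proxied_fraction=0.015,
)

if __name__ == "__main__":
    s = STORM_PHARMACY
    print(f"conversion rate: {conversion_rate(s):.2e}")
    print(f"observed per calendar day: ${observed_daily_revenue(s):,.0f}")
    print(f"botnet-wide per day: ${botnet_wide_daily_revenue(s):,.0f}")
    print(f"botnet-wide per active day: ${botnet_wide_daily_revenue(s, True):,.0f}")
    print(f"annual extrapolation: ${annual_revenue(s):,.0f}")
    for f, usd in proxied_fraction_sensitivity(s, (0.01, 0.015, 0.02)).items():
        print(f"  if proxied fraction were {f:.1%}: ${usd:,.0f}/year")
```

Halving or doubling the assumed proxied share moves the annual figure by the same factor, which is why the text calls the representativeness assumption dangerous.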
The next obvious question is, “How much of this revenue
is profit?” Here things are even murkier. First, we must consider how much of the gross revenue is actually recovered
on a sale. Assuming the pharmacy campaign drives traffic
to an affiliate program (and there are very strong anecdotal
reasons to believe this is so) then the gross revenue is likely
split between the affiliate and the program (an annual net
revenue of $1.75 million using our previous estimate). Next,
we must subtract business costs. These include a number of
incidental expenses (domain registration, bullet-proof hosting fees, etc.) that are basically fixed sunk costs, and the cost
to distribute the spam itself.
Anecdotal reports place the retail price of spam delivery
at a bit under $80 per million [14]. In an examination we conducted of some spam-for-hire service advertisements, we
found prices ranging from $70 to over $100 per million for
delivery to US addresses, with substantial discounts available for large volumes. This cost is an order of magnitude
less than what legitimate commercial mailers charge, but
is still a significant overhead; sending 350M emails would
cost more than $25,000. Indeed, given the net revenues we