Thursday, November 13, 2008

Economics of Spam

The paper "Spamalytics: An Empirical Analysis of Spam Marketing Conversion" details how researchers hacked into a spam network to measure its effectiveness. I was interviewed about it ("Spammers making a profit") on ABC Radio for the PM program. The researchers suggest that Spam is not as profitable as previously thought. My main concern with the research was over the ethics and legality of the research technique.

Ever wondered how the companies that send out junk emails make any money, when most people delete the emails without reading them? Well, a group of computer scientists in California has found that spammers are turning a profit, despite only getting one response for every 12.5-million emails they send.

From: Spammers making a profit, PM, ABC Radio, Wednesday, 5:10pm on Radio National and 6:10pm on ABC Local Radio, 12 November, 2008 (audio also available)

The researchers hacked into the "Storm" botnet network and monitored how many messages were sent. They then set up two fake e-commerce web sites to see how many people would click through the spam ads to buy the products. They found only one in 12.5 million clicked through. Based on this they suggested Spam is not very profitable. It seems a reasonable conclusion and I suggested in the radio interview that the people doing this could probably earn more from the effort involved via legitimate e-commerce.

There are numerous research papers on the economics of Spam. The Wall Street Journal covered this in 2002: For Bulk E-Mailer, Pestering Millions Offers Path to Profit. That Spam may not be as profitable as previously thought is interesting, but does not necessarily lessen its appeal to criminals.

However, my main concern was the methodology of the research. It is ethically and legally questionable for the researchers to hack into a spam network. When a researcher finds someone doing something illegal, they have the same responsibility as any citizen to report it to the appropriate authorities so it can be investigated and those involved prosecuted. In this case the researchers do not appear to have done that and instead monitored the network and even set up their own e-commerce store to exploit it.

The researchers are from Dept. of Computer Science and Engineering, Berkeley and University of California, San Diego. Those institutions have ethical guidelines for research which the researchers should have consulted before proceeding.

In the ethics section of the paper, the authors state: "First, our instrumented proxy bots do not create any new harm" and "Second, our proxies are passive actors and do not themselves engage in any behaviour that is intrinsically objectionable; they do not send spam e-mail, they do not compromise hosts, nor do they even contact worker bots asynchronously." and "Finally, where we do modify C&C messages in transit, these actions themselves strictly reduce harm. Users who click on spam altered by these changes will be directed to one of our innocuous doppelganger Web sites."

However, the authors do not address the issue of whether they were taking part in a criminal activity or whether they should have reported the criminal activities to the appropriate authorities. It seems a flawed argument for the researchers to say their activities were no more harmful than those being observed.

The “conversion rate” of spam — the probability that an unsolicited e-mail will ultimately elicit a “sale” — underlies the entire spam value proposition. However, our understanding of this critical behavior is quite limited, and the literature lacks any quantitative study concerning its true value. In this paper we present a methodology for measuring the conversion rate of spam. Using a parasitic infiltration of an existing botnet’s infrastructure, we analyze two spam campaigns: one designed to propagate a malware Trojan, the other marketing on-line pharmaceuticals. For nearly a half billion spam e-mails we identify the number that are successfully delivered, the number that pass through popular anti-spam filters, the number that elicit user visits to the advertised sites, and the number of “sales” and “infections” produced.

Categories and Subject Descriptors: K.4.1 [Public Policy Issues]: ABUSE AND CRIME INVOLVING COMPUTERS
General Terms: Measurement, Security, Economics

From: Spamalytics: An Empirical Analysis of Spam Marketing Conversion, Chris Kanich, Christian Kreibich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, Vern Paxson, Stefan Savage, CCS'08 Conference, ACM, October 2008

Jim Birch said...

The link to the report should be

Tom Worthington said...

jim said November 13, 2008 10:26 AM:

"The link to the report should be

Apologies, I have fixed the link.