An empirical analysis of spam marketing conversion
The "conversion rate" of spam — the probability that an
unsolicited e-mail will ultimately elicit a "sale" — underlies
the entire spam value proposition. However, our understanding of this
critical behavior is quite limited, and the literature lacks any
quantitative study concerning its true value. In the
CCIED Spamalytics project, we
introduced a methodology for measuring the conversion rate of spam.
Using a parasitic infiltration of an existing botnet's infrastructure,
we analyzed three spam campaigns: two designed to propagate a malware
Trojan, the other marketing on-line pharmaceuticals. For nearly half
a billion spam emails we identified the number that are successfully
delivered, the number that pass through popular anti-spam filters, the
number that elicit user visits to the advertised sites, and the number
of "sales" and "infections" produced.
The Storm botnet partitions its infected machines into worker
and proxy bots. In essence, worker bots are responsible for
instantiating and sending spam, while proxy bots serve as conduits for
the command-and-control traffic.
Please refer to our our Campaign Trail paper for
detailed explanation of Storm's spamming mechanics.
We built an infiltration setup for the Storm botnet which allowed us
to rewrite the botnet's
command-and-control traffic at the proxy bot level, so that the
rewritten spam templates and dictionaries caused worker bots to
produce spam that contained links pointing to websites under our
control, instead of the spammer's sites. Our sites operated
real-looking but suitably disarmed pharmacy and infection setups that
allowed us to measure the whole pipeline of spam delivery
from the initial stage consisting of spam the botnet attempts to send,
to the final stage consisting of the user activity that would have
lead to a pharmacy purchase or a malware infection. The following
diagram illustrates the stages of this pipeline:
Over the course of our experiment, we rewrote the content of nearly
470 million spams — 347 million pharmaceutical, 83 million
greeting card, and 40 million April Fools' Day spams. This lead to 28
"purchases" and 541 "infections," shown here geographically and red
and yellow, respectively:
This translates into the following conversion rates:
- 1 in 12,500,000 pharmacy spams lead to a purchase.
- 1 in 265,000 greeting card spams lead to an infected machine.
- 1 in 178,000 April Fool's Day spams lead to an infected machine.
- 1 in 10 people visiting an infection website downloaded the executable and ran it.
We caution the reader to generalize these numbers into other
contexts. Our measurements represent individual data points, and
different campaigns, tactics, or products may certainly yield
different conversion rates.
For detailed discussion of our infiltration effort and
a wide range of measurement results please refer to the
- Researchers Hijack Storm Worm to Track Profits, Washington Post, 7 Nov 2008.
- Spammen im Dienste der Wissenschaft, heise.de, 8 Nov 2008.
- Study shows how spammers cash in, BBC News, 10 Nov 2008.
- Researchers hijack botnet for spam study, The Register, 10 Nov 2008.
- Study: Viagra spam is profitable, but margins are tight, Network World, 11 Nov 2008.
- Jede 12,5-millionste Spam-Mail ist erfolgreich, Spiegel Online, 11 Nov 2008.
- The Economics of Spam, Bruce Schneier, 12 Nov 2008.
- Economies of Scale in the Spam Business, Erik Larkin, PC World, 12 Dec 2008.
- Spam grows up, Berkeley Science Review, 1 May 2009.
- Equation: How Much Money Do Spammers Rake In?, Wired Magazine, March 2011.
Click Trajectories: End-to-End Analysis of the Spam Value Chain
K. Levchenko, A. Pitsillidis, N. Chachra, B. Enright, M. Felegyhazi, C. Grier, T. Halvorson, C. Kanich, C. Kreibich, H. Liu, D. McCoy, N. Weaver, V. Paxson, G. M. Voelker, and Stefan Savage. IEEE Symposium on Security and Privacy, 2011, Oakland, USA.
Spamalytics: An Empirical Analysis of Spam Marketing Conversion
C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. 15th ACM Conference on Computer and Communications Security (CCS), 27-31 October 2008, Alexandria, VA.
Spamalytics: An Empirical Analysis of Spam Marketing Conversion (invited article)
C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage.
Communications of the ACM, 52(9), pp. 99-107, September 2009.
Spamcraft: An Inside Look At Spam Campaign Orchestration
C. Kreibich, C. Kanich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. Second USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '09), 2009, Boston, USA.
On the Spam Campaign Trail
C. Kreibich, C. Kanich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08), 2008, San Francisco, USA.