Christian Kreibich
Spamalytics
An empirical analysis of spam marketing conversion

Introduction

The "conversion rate" of spam — the probability that an unsolicited e-mail will ultimately elicit a "sale" — underlies the entire spam value proposition. However, our understanding of this critical behavior is quite limited, and the literature lacks any quantitative study concerning its true value. In the CCIED Spamalytics project, we introduced a methodology for measuring the conversion rate of spam. Using a parasitic infiltration of an existing botnet's infrastructure, we analyzed three spam campaigns: two designed to propagate a malware Trojan, the other marketing on-line pharmaceuticals. For nearly half a billion spam emails we identified the number that are successfully delivered, the number that pass through popular anti-spam filters, the number that elicit user visits to the advertised sites, and the number of "sales" and "infections" produced.

Key Results

The Storm botnet partitions its infected machines into worker and proxy bots. In essence, worker bots are responsible for instantiating and sending spam, while proxy bots serve as conduits for the command-and-control traffic. Please refer to our Campaign Trail paper for a detailed explanation of Storm's spamming mechanics.

We built an infiltration setup for the Storm botnet that allowed us to rewrite the botnet's command-and-control traffic at the proxy bot level. The rewritten spam templates and dictionaries caused worker bots to produce spam containing links to websites under our control instead of the spammer's sites. Our sites operated real-looking but suitably disarmed pharmacy and infection setups, which allowed us to measure the whole pipeline of spam delivery, from the initial stage (the spam the botnet attempts to send) to the final stage (the user activity that would have led to a pharmacy purchase or a malware infection). The following diagram illustrates the stages of this pipeline:

[Figure: pipeline of spam conversion losses]

Over the course of our experiment, we rewrote the content of nearly 470 million spams — 347 million pharmaceutical, 83 million greeting card, and 40 million April Fools' Day spams. This led to 28 "purchases" and 541 "infections," shown here geographically in red and yellow, respectively:

[Figure: map of conversions]

This translates into the following conversion rates:

  • 1 in 12,500,000 pharmacy spams led to a purchase.
  • 1 in 265,000 greeting card spams led to an infected machine.
  • 1 in 178,000 April Fools' Day spams led to an infected machine.
  • 1 in 10 people visiting an infection website downloaded the executable and ran it.

We caution the reader against generalizing these numbers to other contexts. Our measurements represent individual data points, and different campaigns, tactics, or products may certainly yield different conversion rates.

For a detailed discussion of our infiltration effort and a wide range of measurement results, please refer to the CCS paper.

updated on 10 June 13 | yummy spam, yesss... built with TT | (cc) Christian Kreibich