Over the past few weeks, more spam has been slipping through to my Gmail inbox. Consider: The oddly named Jule Cuc enthusiastically offers college Dip1omas [sic]: “At your own pace! No examination! No study! No classes!” Kieth l. Black is cautiously optimistic with his pitch: “Please your spouse more often than not,” while Marianne Daniels is mysteriously quaint: “Uplift your darling couch adventures”. Ironically, Bishop appears to be selling Viagra, though his email contains an esoteric reference to the diary of Samuel Pepys, in which he suggests that “meer sauce, or a pickle” are reasonable antidotes for souring Venison. A certain Elden Tyrimoh is miffed that I “again misplaced his number”.

What is all this nonsense? Who is sending all this email and can it really be profitable? Are things getting better or worse? What is Conficker, the so-called Paris Hilton of Botnets? And what exactly is Samuel Pepys doing in an ad for Canadian pharmaceuticals?

I’m going to try to answer all these questions. But it’s too much writing for one night so this will be the first part of a spam mini-series. Samuel Pepys (pronounced like “peeps”, I’m told) will make repeated appearances, I hope.

The story starts with botnets. What is a botnet? It’s a network of bots. What is a bot? It’s a computer, connected at least periodically to the Internet, that has been infected with the latest incarnation of computer virus. What makes a network of bots such an important innovation? Each infected computer broadcasts its availability so that a centralized server can distribute tasks—like sending email spam—all over the world.

Finally, "botnet" searches outnumber searches for "Samuel Pepys"

A botnet is a hugely parallel supercomputer. If they so desired, botnet operators could use this processing power to, say, simulate exquisite climate models, or defeat Deep Blue (which defeated Garry Kasparov) in chess. But the botnet’s most valuable attribute is its distributed bandwidth. This is how to send a billion emails in a day or coordinate a denial of service attack to take down a website—“the digital equivalent of filling a fishtank with a firehose”.

Take the Storm botnet as an example. Some say it controls over a million computers. Some security experts suspect that Storm is run by the Russian Business Network, a group of renegade Russian (surprise!) computer scientists also blamed for the denial of service attacks that crashed Georgian President Mikhail Saakashvili’s website along with the National Bank of Georgia just before the 2008 South Ossetia War. Storm is also responsible for a considerable fraction of the world’s email spam.

How much money is in spam? IBM Security Systems expert Joshua Corman is widely quoted as claiming that spam sent by Storm is generating “millions and millions of dollars every day”. And does Storm send its own spam, or does it rent its bandwidth to specialized spammers? The latter is a disconcerting possibility, suggesting a maturing underground economy.

A team of researchers in Berkeley and San Diego set out to investigate. First they figured out how Storm works. It’s complicated but here’s the gist: infected computers are classified as either workers or proxies based in part on whether they have a firewall installed. Workers do the actual spamming, receiving instructions from proxies that coordinate the jobs. Proxies take orders from a master server.

The researchers set up eight proxies, simply by installing the software (they didn’t have to go looking; it was in their email). This way, workers contacted them, requesting tasks. But just as the instructions were shipping out, they modified the text of the spam messages, replacing the link with their own—a mock pharmaceutical website complete with Viagra, “Viagra professional”, a shopping cart, etc. (though they never collected any money or personal information about their customers).

An imitation pharmacy website. Why get Viagra when you can go Professional?

In this way, they tracked half a billion spam messages—a Viagra campaign and a botnet expansion campaign with fake greeting cards (complete with dancing banana)—over 26 days. Here is the big result: 350 million emails resulted in 28 purchases. Average purchase size was $100. Estimating they tracked 1.5% of the full network and assuming continuous active spamming, this gives about $3.5 million in Viagra-inspired revenue per year. Much less than millions in a day, but not too shabby either.

Is this good or bad? Well, it’s annoying. If nobody ever bought anything as a result of email spam, it would stop. And 28 in 350 million—1 in 12.5 million—is awfully close to nobody. It’s good in the sense that at $3.5 million per year, it’s unlikely that Storm is running an affiliate program—renting its services to third-party spammers—since profit margins are so slim.

Red flags mark pharmacy purchases; yellow flags mark new infections

The bad news is two-fold. First, the greeting card expansion campaign was considerably more successful. One in ten people that visited the greeting card page downloaded and installed the software (no purchase necessary). If people are gullible enough to install Storm themselves, it’s very hard to imagine how to slow down the botnets. Second, so much mystery remains. Perhaps this particular spam campaign was just a side-project, an experiment much less fruitful than the botnet’s ordinary activities.

Further analysis shows national differences. While the U.S. received over 10 times more spam than Japan (the 2nd most spammed country), it is the least efficient of targets: the U.S. response rate was lowest, while India, Pakistan, and Bulgaria showed the highest response rates. The researchers believe these differences are due more to spam-filtering technology and anti-spam awareness than to varied interest in Viagra.

Ok. A few statistics to close out this installment. Spam doubled in 2007 to 120 billion messages sent daily. The rate seems to have doubled again in 2008. Microsoft recently estimated that over 97% of all email sent is spam, and that nearly 1% of all computers are infected by some botnet. Bill Gates, it is said, receives around 10000 spam emails every day.