In last month's issue of Wired, the magazine published a tidy little infographic detailing a study conducted by a team of researchers at UC San Diego, which attempted to explain the economics behind email spam:
The team's methods were bold, but harmless. They hacked into an existing spam ring, hijacked its traffic, and redirected victims to a fake payment processing page. The resulting data confirmed what most people already thought they knew about spam networks: their success depends overwhelmingly on scale and high margins, not on a high purchase rate.
A widely cited conclusion of the study was that, scaled to the full size of the spam network the researchers infiltrated, revenues could be as high as $7,000 a day, or $2m a year. Pretty good! But a later passage in the study, which was conducted a few years ago, didn't get quite as much attention:
Anecdotal reports place the retail price of spam delivery at a bit under $80 per million. This cost is an order of magnitude less than what legitimate commercial mailers charge, but is still a significant overhead; sending 350M e-mails would cost more than $25,000. Indeed, given the net revenues we estimate, retail spam delivery would only make sense if it were 20 times cheaper still.
And yet, Storm continues to distribute pharmacy spam — suggesting that it is in fact profitable.
This was a bit outside of the scope of the team's study, so they were left to speculate: "One explanation is that Storm's masters are vertically integrated and the purveyors of Storm's pharmacy spam are none other than the operators of Storm itself (i.e., that Storm does not deliver these spams for a third-party in exchange for a fee)." It's a reasonable explanation, but it leaves open the question of just how profitable spamming is. The assumption that these networks are wildly successful, in other words, might not be correct.
I followed up with one of the contributors to the study, Chris Kanich, to see if he and his colleagues had been able to shed any more light on the overall economics of running a spam enterprise. He will soon be presenting a follow-up study at the IEEE Symposium on Security and Privacy in May, called Click Trajectories: End-to-End Analysis of the Spam Value Chain. He wasn't able to talk about the paper pre-publication, but confirmed that "the current structure of the market is very much affiliate program oriented," pointing me to a paper published by security firm Sophos.
The paper's conclusion, in short, is that what enables all types of spam to be profitable are tightly knit affiliate programs, in which spammers can pull commissions as large as 40% on sales resulting from their independent promotion. (In Russia, where the most prominent affiliate networks have been able to thrive, these programs are known as "partnerka.") This tight integration is enough to ensure that larger partners make a good deal of money; by taking hefty commissions from sales with huge margins--generic or fake pharmaceuticals, pirated software, etc.--spammers can recoup their costs.
But even with this relatively (albeit synthetically) vertical business plan, email spammers don't fare nearly as well as those who use more modern spamming techniques, such as search engine manipulation:
[E]mail spam has become less popular amongst affiliates due to the high risk and steep entry barrier. This has been acknowledged by the affiliates themselves on SEO-related forums. But given that we see no shortage in the supply of 'Canadian Pharmacy' or 'fake Rolex' spam, it's not going to go away any time soon. It's just being carried out by a smaller 'elite' group of affiliates.
Effective spam filters and savvier users have driven the success rate of email spam to rock-bottom levels, so that in order to profit from it, spammers must be able to operate with unusually low overhead. In something as straightforward as email spam, "unusually low overhead" usually translates directly as "massive scale," which means that new and small players are often pushed out--of email spamming, not all spamming.
Web-based spam, propagated with shady SEO methods and browser-hijacking trojans, offers an attractive alternative to new or small partners. For one, it takes almost no investment. Web hosting is extremely cheap, the e-commerce systems used in affiliate programs are free and easy to copy to a new site, and fewer measures need to be taken to avoid prosecution under anti-spam laws, which were written first and foremost to combat email spam. Best of all, if a customer has found his way to your shady pharmaceuticals website via search, chances are better that he's actually in the market for your off-brand Viagra, as opposed to someone who received an unsolicited email.
With that in mind, the answer to the question of how email spammers make their money is this: outside of a lucky few established players, they might not be. Not to worry, though. They'll be fine.