Researchers from the University of California, Berkeley and UC San Diego have published a report detailing how they hacked into a criminal network to collect data on the economics of spam.
The team managed to get into the Storm botnet and configured the command and control infrastructure so that results were sent back to them for analysis. The team followed three spam campaigns involving 469 million pieces of spam.
"Spam-based marketing is a curious beast. We all receive the advertisements but few of us have encountered a person who admits to following through on this offer and making a purchase," said the Spamalytics report (PDF).
"And yet the relentlessness with which such spam continually clogs inboxes, despite years of energetic deployment of anti-spam technology, provides undeniable testament that spammers find their campaigns profitable. Someone is clearly buying. But how many, how often and how much?"
The researchers found that a campaign for pharmaceuticals achieved a 0.00001 per cent conversion rate from spam to sale, and that all but one of the sales were for 'male enhancement' products.
Nevertheless, the low cost of sending out vast amounts of email, which the researchers estimate at £51 per million, means that the spammers could earn £1.75m a year from spam, although how much of that is profit is unknown.
The research also revealed some interesting data on the effectiveness of anti-spam filters, which typically cut out about a quarter of all spam. They are a serious concern to spammers, but not deployed widely enough to cut traffic significantly.
The effectiveness of blacklisting was also called into question, since lists had to be updated every half hour and were frequently ineffective.
Why does Facebook store "my entire call history with my partner's mum", asks developer who requested his Facebook data
Facebook database included text-message metadata - despite not using Facebook Messenger for SMS
Before Ocado could start selling the technology it had developed to other retailers, it had to tear down and rebuild its own monolithic architecture
Successful attack could result in harm to patients and financial loss, warns NHS governing body
Guccifer 2.0 claimed to be a lone Romanian hacker - until a schoolboy error gave him, her or them away