Open Source Security
October 2009

The September 2009 edition of the Communications of the ACM had a very fascinating article called Spamalytics: An Empirical Analysis of Spam Marketing Conversion. Aside from the catchy title, this article is well worth a read. You will definitely understand more about spam after doing so. Given how much fun the authors must have had doing the background research for this article, it seems a shame to quibble with it, but there were a couple of things that set my teeth on edge, so I'll do so anyway. Besides, it gives me a reason to point out this article, which really is a fun read. With that said, here are the things about the article that affected me like nails on a chalkboard.

The article starts off with chest-beating about how revolutionary the article is, since there is a lack of information on the efficacy of spam. But in their background section they mention the previous work on pump-and-dump spam, which is relatively easy to study. Wikipedia links to 3 studies that show that pump-and-dump spamming drove up prices of the touted stocks by 6% between 2005 and 2006. This is a pedantic point, but it undercuts the strength of their argument right away.

The deconstruction of Corman's remarks is just outright weird. There is no telling why they didn't just ask him what he meant and what numbers he was adding up. My guess is that instead of profit, he may have said or meant millions of dollars in damages, but I haven't asked him either. The site that they link to doesn't quote him; rather, it attributes a paraphrased statement to him. This paraphrased statement is then put into quotes in the article, but the text in quotes doesn't actually show up on the linked-to site. (Note: although we both work for the same company, I have never met nor talked to Corman.)

Gathering statistics by parasitic infiltration is ethically questionable. Counterattack is becoming more acceptable from a cyber war perspective, but it is not a generally accepted security practice. I definitely do not consider it an ethical research practice. The paper extensively discusses the ethics of this practice and decides that since no one is left worse off than before, it must be ethically correct to allow it. I think this is disingenuous and disregards all of the arguments about why it is not an ethically sound security practice, primarily the argument that you might get it wrong and inadvertently damage an innocent bystander.

The Spamalytics system alters the entity that they are studying, and thus their statistics, although interesting, become questionable. The backend fulfilment or trojan delivery server is often quickly shut down in a real attack. They address this point in Figure 6, but they neither discount their conversion rate in any way to account for it nor cite statistics about how quickly fulfilment servers are shut down to justify not discounting it.

They wound up with 28 conversions for the pharmacy spam, but they didn't allow the site to accept personal information. How many of the 28 users would actually have completed the transaction? How many of them were themselves part of the scammers' operation? Regardless, their conversion rate is amazingly low; as they state, it is too low to sustain profitability for the spamming operation.

The researchers performed analysis on only one type of spammer – the ones motivated by money. The quality of the average spam clearly indicates that not every spammer is in it for the money. Some are griefers, just like the griefers in online games who show up to "spoil it for the rest of us". It would be worth running a similar research project on non-email spammers who are motivated by money to see if they are more profitable. Wired had an article about Craigslist in a recent issue, and it included a paragraph on the problems that they have with spam. They manually remove spam from their listings. CAPTCHAs didn't work because the spammers hired cheap labor to solve them. You can see this on Amazon's Mechanical Turk, where spammers offer users $0.01 to perform a spam-like activity.

Because of these quibbles, I would not bet the house that spammers are unprofitable (or barely profitable) based on these results alone. Despite these quibbles, I really enjoyed the time that I put into reading this article, and so I recommend that you go take a look too. Enjoy!