For the lazy:
"After 26 days, and almost 350 million e-mail messages, only 28 sales resulted — a conversion rate of well under 0.00001%. Of these, all but one were for male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88—a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active. However, our study interposed on only a small fraction of the overall Storm network — we estimate
roughly 1.5 percent based on the fraction of worker bots we
proxy. Thus, the total daily revenue attributable to Storm’s pharmacy campaign is likely closer to $7000 (or $9500 during periods of campaign activity). By the same logic, we estimate that Storm self-propagation campaigns can produce between 3500 and 8500 new bots per day.
The next obvious question is, “How much of this revenue is
profit”? Here things are even murkier. First, we must consider how much of the gross revenue is actually recovered on a sale. Assuming the pharmacy campaign drives traffic to an affiliate program (and there are very strong anecdotal reasons to believe this is so) then the gross revenue is likely split between the affiliate and the program (a annual net revenue of $1.75M using our previous estimate). Next, we must subtract business costs. These include a number of incidental expenses (domain registration, bullet-proof hosting fees, etc) that are basically fixed sunk costs, and the cost to distribute the spam itself."
Yes. That's about right but I am afraid that the lazy's are gonna miss out on the intricate command & control hierarchy of a botnet and how the researchers injected their machines within the command & control channel to effectively control a portion of the botnet. I am quite surprised about the level of sophistication these botnets are - well ... I guess that programmers in Russia are smarter than their U.S counterparts.
The only thing that we should be weary of (or some of us happy about) is the fact that with this paper, somebody could go ahead and employ the botnet to do their evil bidding instead of the botnet's owner's original evil bidding. Talk about what comes around goes around!
Russian programmers are not smarter, they're just willing to do things like this without feeling like they're the scum-of-the-earth like most Americans would.
In Russia they don't believe in black/white, right/wrong like we do here in America, there's about an 80% gray area in between which means things like SPAM, Botnets and taking money from suckers is acceptable (notice I didn't say right or wrong)
Actually, they believe strongly in black/white and right/wrong in Russia, but within a tighter social circle. This difference between Russia and the West is of degree, not of kind. Most Americans care little about how their actions affect people in the third world, for example.
- Hotmail didn't let any spam through
- one campaign had 347,590,389 emails, 10,522 visits and 28 conversions (paper: "However, a very low conversion rate does not necessary imply low revenue or profitability.")
Penis enlargement products are ideal for spam because they are embarrassing to buy elsewhere, they are very cheap to manufacture (e.g. sugar pill) and they don't work. The last part is important, if they did work there would be a non-spam market for them.
For this reason, I believe that we do not see hair loss products marketed extensively through spam. There are good hair loss products (minoxidil and propecia) that have clinically shown effects.
The next obvious question is, “How much of this revenue is profit”? Here things are even murkier. First, we must consider how much of the gross revenue is actually recovered on a sale. Assuming the pharmacy campaign drives traffic to an affiliate program (and there are very strong anecdotal reasons to believe this is so) then the gross revenue is likely split between the affiliate and the program (a annual net revenue of $1.75M using our previous estimate). Next, we must subtract business costs. These include a number of incidental expenses (domain registration, bullet-proof hosting fees, etc) that are basically fixed sunk costs, and the cost to distribute the spam itself."