Researchers at UCSD have determined the return on investment for spam generated by the Storm botnet. While the per-message response rate is astonishingly low, it is sufficient for a spammer to generate a profit. At this year's ACM Conference on Computer and Communication Security, Stefan Savage, Vern Paxson and crew presented a paper that measures the conversion rate, or the rate at which an advertising impression results in a product sale, for spam. The team used somewhat aggressive tactics to collect their data; namely, they hijacked a portion of the Storm botnet to inject spam that contained links to domains and storefronts they controlled.
The team's data and analysis has shown that that generating 28 sales, averaging around $100 each, of various "male-enhancement" products required 350 million separate spams. This provides a yearly revenue rate of the Storm botnet for the sale of pharmaceuticals of around $3.5 million dollars.
What I feel to be the most interesting result from the paper is the direct measurement of the quality of anti-spam technology broken down by geographic location. The countries with the spam lowest response rate include the UNited States and Japan. Both nations have some of the highest capital investment in anti-spam technologies. As of early 2008, the countries with the worst anti-spam technology appear to be India, Pakistan, and Bulgaria.
The researchers do state that the profit margins of the spammers appear to be sensitive to anti-spam techniques. I am left to wonder what would be the profitability of spam if everyone in the world used effective anti-spam software.