How many users access spam emails, click on the links found within, and open attachments intentionally? Why are they doing it, and who are they holding responsible for the spread of malware and spam in general, in between conveniently excluding themselves?
A newly released survey from the Messaging Anti-Abuse Working Group (MAAWG), summarizing the results of the group's second year survey of email security practices, offers an interesting insight into the various interactions end users tend to have with spam emails.
Key findings of the survey:
- Nearly half of those who have accessed spam (46%) have done so intentionally – to unsubscribe, out of curiosity, or out of interest in the products or services being offered
- Four in ten (43%) say that they have opened an email that they suspected was spam
- Among those who have opened a suspicious email, over half (57%) say they have done so because they weren’t sure it was spam and one third (33%) say they have done so by accident
- Canadian users are those most likely to avoid posting their email address online (46%). Those in the U.S., Canada and Germany are most likely to set up separate email addresses in order to avoid receiving spam
- Many users do not typically flag or report spam or fraudulent email
- When it comes to stopping the spread of viruses, fraudulent email, spyware and spam, email users are most likely to hold ISPs and ESPs (65%) and anti-virus software companies (54%) responsible
- Less than half of users (48%) hold themselves personally responsible for stopping these threats
It's interesting to see the paradox of end users blaming ISPs and antivirus vendors, whereas 43% of the surveyed users said that they have accessed spam emails, and that they do not typically flag or report these emails.
What the majority of the survey participants appear to be unaware of, is that, despite the fact that since early days of spam, spammers have been attempting to verify the validity of the emails using DIY tools, on their way to unsubscribe themselves, the users are actually confirming that their email is valid.
In short, it means even more spam.
- Go through related posts: From Russia with (objective) spam stats; Spamming vendor launches managed spamming service; Phishing experiment sneaks through all anti-spam filters; Inside an affiliate spam program for pharmaceuticals; Inside a DIY Image Spam Generating Traffic Management Kit
Moreover, the survey indicates that a common misunderstanding among end users, is still dominating their perspective of spam in general. Nowadays, spam is no longer a mass marketing channel for counterfeit goods/pharmaceuticals only.
Spam is both, an infection and propagation vector for malware campaigns in general, with an interesting twist - the most aggressive Zeus crimeware serving campaigns for Q1, 2010, were optimizing the traffic they were getting through the spam campaigns, by embedding client-side exploits on the pages, next to actual malware left for the end user to manually download and execute.
The most extensive study of end user's interaction with spam emails, was conducted in 2008 (Spamalytics: An Empirical Analysis of Spam Marketing Conversion), showing that users not only click on spam links, but that they're actually buying dangerous counterfeit pharmaceuticals:
- After 26 days, and almost 350 million email messages, only 28 sales resulted -- a conversion rate of well under 0.00001%. Of these, all but one were male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2.731.88 -- a bit over $100 a day for the measurement period or $140 per day periods when the campaign is active. Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year.
What do you think? Why are users still interacting with spam emails, which could easily lead them to drive-by exploits serving web site? Are ISPs or vendors to blame, or the end user's lack of awareness on the risks involved when interacting with spam emails these days? Do you think that spam is fought in the wrong way, in the sense that before it reaches your Inbox, it has to go out from the network of a socially-irresponsible ISP first?