Survey: Millions of users open spam emails, click on links

Summary: A newly released report from the Messaging Anti-Abuse Working Group (MAAWG), summarizing the results of the group's second year survey of email security practices, offers an interesting insight into the various interactions end users tend to have with spam emails.


How many users open spam emails, click the links inside them, or open the attachments, and how many do so intentionally? Why do they do it, and whom do they hold responsible for the spread of malware and spam in general, while conveniently excluding themselves?

Key findings of the survey:

  • Nearly half of those who have accessed spam (46%) have done so intentionally – to unsubscribe, out of curiosity, or out of interest in the products or services being offered
  • Four in ten (43%) say that they have opened an email that they suspected was spam
  • Among those who have opened a suspicious email, over half (57%) say they have done so because they weren't sure it was spam and one third (33%) say they have done so by accident
  • Canadian users are those most likely to avoid posting their email address online (46%). Those in the U.S., Canada and Germany are most likely to set up separate email addresses in order to avoid receiving spam
  • Many users do not typically flag or report spam or fraudulent email
  • When it comes to stopping the spread of viruses, fraudulent email, spyware and spam, email users are most likely to hold ISPs and ESPs (65%) and anti-virus software companies (54%) responsible
  • Less than half of users (48%) hold themselves personally responsible for stopping these threats

It is an interesting paradox: end users blame ISPs and antivirus vendors, yet 43% of those surveyed admit to opening emails they suspected were spam, and most of them do not typically flag or report those emails.

What most survey participants appear not to realise is that clicking an unsubscribe link in a spam message does the spammer's work for them. Since the early days of spam, spammers have used DIY tools to verify which addresses on a list are live; a recipient who follows the unsubscribe link confirms, with a single click, that the address is valid and in use.

In short, it means even more spam.
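To make that mechanism concrete, here is an added example (not from the original post, and not any real spam tool) of how a mailer ties an unsubscribe link to one specific recipient: every address gets its own token, the sender keeps the token-to-address map, and any HTTP hit on the link, whether or not the "unsubscribe" completes, marks that address as confirmed live. The campaign secret, host name and recipient addresses below are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed for the example: a campaign-wide secret and a throwaway host.
# Neither is a real key or a real site.
CAMPAIGN_SECRET = b"example-campaign-secret"
UNSUB_BASE = "http://unsubscribe.example.invalid/u"


def make_token(address):
    """Derive a short per-recipient token from the address.

    Keying on a secret stops third parties from computing tokens for
    addresses they guess; the sender only needs the reverse map below.
    """
    mac = hmac.new(CAMPAIGN_SECRET, address.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def build_campaign(recipients):
    """Return the per-recipient links and the token -> address index that
    the sender keeps server side. Every link is unique to one mailbox."""
    index = {}
    links = {}
    for addr in recipients:
        tok = make_token(addr)
        index[tok] = addr
        links[addr] = UNSUB_BASE + "?" + urlencode({"t": tok})
    return links, index


def record_hit(index, requested_url, confirmed):
    """Server side of the link: resolve the token back to the address and
    mark it as confirmed live. No unsubscribe form needs to be completed;
    the request itself is the confirmation."""
    params = parse_qs(urlparse(requested_url).query)
    tok = params.get("t", [None])[0]
    addr = index.get(tok)
    if addr is not None:
        confirmed.add(addr)
    return addr


def simulate(recipients, clickers):
    """Mail every recipient, let `clickers` follow their unsubscribe link,
    and report which addresses the sender can now treat as verified."""
    links, index = build_campaign(recipients)
    confirmed = set()
    for addr in clickers:
        record_hit(index, links[addr], confirmed)
    unknown = [a for a in recipients if a not in confirmed]
    return sorted(confirmed), unknown


if __name__ == "__main__":
    # Constructed list: three mailboxes, one of which follows the unsubscribe link.
    targets = ["alice@example.invalid", "bob@example.invalid", "carol@example.invalid"]
    live, unknown = simulate(targets, clickers=["bob@example.invalid"])
    print("confirmed live:", live)    # bob's address is now on the verified list
    print("still unknown:", unknown)
```

Before the click, the sender has no idea which of the three addresses is deliverable or read; afterwards one of them is worth more to resell and more spam follows. Mail clients that load remote images give the same confirmation without any click, which is why most clients block remote content by default. The harmless alternative is the one the survey says few users take: report the message through the mail provider's junk or report button, which feeds the filter without ever contacting the sender.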

Moreover, the survey indicates that a common misunderstanding still dominates end users' view of spam: nowadays spam is no longer only a mass-marketing channel for counterfeit goods and pharmaceuticals.

Spam is both an infection and a propagation vector for malware campaigns in general, with an interesting twist: the most aggressive Zeus crimeware-serving campaigns of Q1 2010 squeezed the most out of the traffic their spam generated by embedding client-side exploits on the landing pages, next to a malware binary left for the end user to download and execute manually. A visitor with an unpatched browser or plugin was infected on arrival; everyone else was offered the executable.

The most extensive study of end users' interaction with spam emails was conducted in 2008 (Spamalytics: An Empirical Analysis of Spam Marketing Conversion), showing that users not only click on spam links but actually buy dangerous counterfeit pharmaceuticals:

  • After 26 days, and almost 350 million email messages, only 28 sales resulted -- a conversion rate of well under 0.00001%. Of these, all but one were male-enhancement products and the average purchase price was close to $100. Taken together, these conversions would have resulted in revenues of $2,731.88 -- a bit over $100 a day for the measurement period or $140 per day for periods when the campaign is active. Under the assumption that our measurements are representative over time (an admittedly dangerous assumption when dealing with such small samples), we can extrapolate that, were it sent continuously at the same rate, Storm-generated pharmaceutical spam would produce roughly 3.5 million dollars of revenue in a year.

What do you think? Why are users still interacting with spam emails, which can easily lead them to websites serving drive-by exploits? Are ISPs or vendors to blame, or the end user's lack of awareness of the risks involved in interacting with spam these days? Is spam fought in the wrong way, in the sense that before it reaches your inbox, it has to leave the network of a socially-irresponsible ISP first?


Topics: Security, Collaboration

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



Discussion
  • More talk. No solutions.

    How can we put an end to spam?


    Everyone wants maximum protection of their on-line data which can be stored in a fully-encrypted manner. That would satisfy a whole bunch of cloud issues, including the Fourth Amendment as it applies to the Cloud, which is really not framed out.

    The larger issue I see is that ALL EMAIL flows over the Internet in 'Clear Text' (readable) form.

    We take the precaution as a matter of privacy to be sure to enclose our paper mail in an envelope do we not?

    Why shouldn't the same convention and assumption of a right to Privacy apply to mail sent on the Internet? Not just its 'storage'.

    That's where OpenPGP comes in. But you can't make it happen unless there is a Federal mandate in place and a Global set of Treaties could unify the supposed: 'Email Postal Encryption Act'.

    Making a Mandate should be accompanied by Government Funding to facilitate defraying the cost of bringing Email software applications into compliance over a period of time to the extent that such applications would incorporate PGP and self-signed certificates for encrypted email and make the process of sending a PGP email from an application usability standpoint sufficiently easy for any person to use with a minimum computer literacy level being assumed.

    So, why do we get upset about information stored on the Internet when we send clear text emails around the world each and every day?

    One side-effect and added 'benefit' of such a change coming into effect is that because of how signed-certificates work, the sender's email address would effectively become 'protected' so no 'bot' could send your email (from your machine if compromised).

    ISPs could then rely on making the assumption that if an email isn't enclosed with a signed-certificate and encrypted, then it is in non-compliance and Mandated handling procedures could be applied to handling of such mails and shunt them off line.

    The result: few or NO SPAM emails.

    Dietrich T. Schmitz
    GNU/Linux Advocate
    • DIY duck hunt beats your idea

      Quicker and cleaner baby. Look below for the bushy eyed details.
      • Interesting approach, could get messy though.

        GPG signed certs on emails locks down the sender id field in SMTP MIME format.[1]

        Under a mandated change, ISPs can safely make the assumption, test and simply shunt non-compliant (no signed GPG certificate) email off-line.

        Simple. Buh Bye Spam.

        [1] A spam bot CANNOT sign a GPG cert. Only a human can perform the task.
        Dietrich T. Schmitz GNU/Linux Advocate
        • Messy true... but think of the fun ;)

          Quicker - check. Cleaner - er... *sigh*

          We may have to give your plan of attack more thought. :(
      • Until your computer is the one infected and sending out spam.

        • You can count on that NOT happening

          Beyond that given, you also missed the main point altogether. I'm talking about going after the HEAD(s) of the dragon (der spammers), not the TAIL(s) (das victims). Once the instigators are laid asunder, their botnet networks will dry up like spent leaves in autumn.

          • Works good.. until your computer becomes a C&C server without you knowing.

    • Right solution, for the wrong problem. HashCash is the solution to spam.

      That or CAPTCHAs that actually work. But they've already been tried and failed for a pretty long time now.

      The reason your solution is pointless against spam is that if the spammer has taken over your computer, he can use whatever keys are on it, or log whatever passwords you enter, and if he hasn't (if he's sending it from his own computer), just block his IP.
      • Windows BOT Networks

        Windows is the PROBLEM period.
        • Dude

          Go away. Come back when you learn a few things about what we are talking about. Both Linux and Mac have their own botnets, so no Windows isn't the only problem here.
          The one and only, Cylon Centurion
      • Out of band authentication would work with GPG signed certs

        The technology is quite prevalent in Europe.
        Dietrich T. Schmitz, Linux Advocate
        • That's just fancy terminology for "use a second computer".

          • Actually it is becoming mandatory but simple to implement

            Check out:

            The perl script is easy to implement/integrate with any App, not just email.
            Dietrich T. Schmitz, Linux Advocate
          • As long as your smartphone isn't compromised too.

            And as long as you have one.
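Since the thread above names Hashcash as "the solution to spam", here is an added example (not from any commenter, and not the reference hashcash implementation) of what the scheme actually asks of a sender: a stamp in the Hashcash v1 format whose SHA-1 hash has a required number of leading zero bits, minted by a brute-force counter search and checked by the receiver for difficulty, recipient, freshness and reuse. The recipient address, date and difficulty used in the demo are constructed; real deployments use 20 bits, the 12 used in the demo only keeps it fast.

```python
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(resource, bits=20, date=None, rand=None):
    """Brute-force a Hashcash v1 stamp '1:bits:date:resource:ext:rand:counter'
    whose SHA-1 has at least `bits` leading zero bits. Expected cost for the
    sender is 2**bits hashes; the receiver checks it with one hash."""
    date = date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(8)).decode()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, resource, seen, min_bits=20, now=None, max_age_days=2):
    """Receiver side. Returns (accepted, reason). `seen` holds stamps already
    accepted, so one unit of work cannot pay for many messages."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False, "malformed"
    try:
        claimed = int(parts[1])
        stamp_date = datetime.strptime(parts[2], "%y%m%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed"
    if claimed < min_bits:
        return False, "difficulty too low"
    if parts[3] != resource:
        return False, "wrong recipient"
    now = now or datetime.now(timezone.utc)
    if not (now - timedelta(days=max_age_days) <= stamp_date <= now + timedelta(days=1)):
        return False, "stale or future date"
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
        return False, "hash does not meet claimed difficulty"
    if stamp in seen:
        return False, "double spend"
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    me = "inbox@example.invalid"          # constructed recipient
    seen = set()
    on = datetime(2010, 4, 1, tzinfo=timezone.utc)
    s = mint(me, bits=12, date="100401")  # 12 bits keeps the demo quick
    print(s)
    print(verify(s, me, seen, min_bits=12, now=on))   # accepted
    print(verify(s, me, seen, min_bits=12, now=on))   # rejected: double spend
    print(verify(s, "other@example.invalid", set(), min_bits=12, now=on))  # wrong recipient
```

The stamp is bound to one recipient and one day, so a sender must do the work once per message and cannot reuse it; the receiver's cost is a single hash plus a lookup in the `seen` set. That is also the scheme's limit, and the reason the thread is not wrong to be sceptical: the work is paid in CPU time, and a botnet of compromised machines has plenty of that to spend.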
  • My thoughts

    I do not understand why users are still falling for this stuff. Unless they are newer users who are unaware of the landscape around them, there just should be no real reason why users are still falling for these schemes.

    Honestly, I think the blame can be shared. ISPs do have the means to block malicious websites... It's not too hard to do that. The only thing being most users do not flag the spam they receive. Still, it's not hard to track it and stop it in its tracks.

    Second and most important, the end user. ISPs and anti-virus technology can't be your only defense. YOU need to be the one aware of what's going on with your e-mail. YOU are the first line of defense in the fight against malware. If you suspect it might be spam, why the heck are you clicking on it? That isn't the fault of anyone else but you, the end user. Do yourself and everyone else a favor and just delete it at first sight. Otherwise, you deserve the malware infection or theft of your credit card information.
    The one and only, Cylon Centurion
    • Until the next social engineering trick comes along.

      That isn't a solution.

      The solution is to 'lock down' the sender id field in SMTP MIME.

      A 'spam bot' spewing emails by the millions from a compromised Windows PC is putting any forged email address in that field 'with impunity' and sending off the email over the net as 'clear text'.

      Applying the idea of an enforceable mandate for GPG signed certificates with encryption, makes it 'impossible' for a bot to send a signed certificate attachment. Only a human can sign his/her GPG certificate at the point an email is being sent.

      Which effectively keeps your email private and protects the sender id from being forged at the same time.

      When/If ever the powers that be finally 'get it', a Mandate which would enforce this policy if implemented would allow software vendors sufficient time and financial offsets for the cost of bringing email client software into compliance.

      At the point of phase-in, ISPs can then safely assume that any email received through their MTAs need only check for the presence of a valid GPG signed certificate and if present, forward on the encrypted email to its recipient. Otherwise, the ISP can simply shunt the non-compliant email off-line.

      Hence, the level of SPAM will go to zero.

      Dietrich T. Schmitz
      GNU/Linux Advocate
      • Unless the human can do AES/RSA in his head quickly..

        ..he's just going to enter a password into his
        computer (or not even that, it could just be
        using a key stored permanently on it), which any
        nasty spam bot(s) on his computer can intercept.
        • Out of band authentication would work.

          Used extensively in Europe.
          Dietrich T. Schmitz, Linux Advocate
    • Because it might actually be a valid e-mail?

      • Chances are

        If you suspect it, it isn't.
        The one and only, Cylon Centurion