[LINK] Economics of Spam

Tom Worthington Tom.Worthington at tomw.net.au
Thu Nov 13 09:09:57 AEDT 2008 

The paper "Spamalytics: An Empirical Analysis of Spam Marketing 
Conversion", details how researchers hacked into a spam network to 
measure its effectiveness 
<http://www.blogger.com/www.icsi.berkeley.edu/pubs/networking/2008-ccs-spamalytics.pdf>. 
I was interviewed about it on ABC Radio yesterday "Spammers making a 
profit": "<http://www.abc.net.au/pm/content/2008/s2418104.htm>. The 
researchers suggest that Spam is not as profitable as previously 
thought. My main concern was over the ethics and legality of the 
research technique.

The researchers hacked into the "Storm" botnet network and monitored 
how many messages were sent. They then set up two fake e-commerce web 
sites to see how many people would click through the spam ads to buy 
the products. They found only one in 12.5 million clicked through. 
Based on this they suggested Spam is not very profitable. It seems a 
reasonable conclusion and I suggested in the radio interview that the 
people doing this could probably earn more from the effort involved 
via legitimate e-commerce.

There are numerous research papers on the economics of Spam 
<http://scholar.google.com.au/scholar?q=spam%20economics>. That spam 
may not be as profitable as previously thought is interesting, but 
does not necessarily lessen its appeal to criminals.

However, my main concern was the methodology of the research. It is 
ethically and legally questionable for the researchers to hack into a 
spam network. Like any citizen, when a researcher finds someone doing 
something illegal, they have a responsibility to report that to the 
appropriate authorities so it can be investigated and those involved 
prosecuted. In this case the researchers do not appear to have done 
that and instead monitored the network and even set up their own 
e-commerce store to exploit it.

The researchers are from Dept. of Computer Science and Engineering, 
Berkeley and University of California, San Diego. Those institutions 
have ethical guidelines for research which the researchers should 
have consulted before proceeding.

In the ethics section of the paper, the authors state: " First, our 
instrumented proxy bots do not create any new harm" and "Second, our 
proxies are passive actors and do not themselves engage in any 
behaviour that is intrinsically objectionable; they do not send spam 
e-mail, they do not compromise hosts, nor do they even contact worker 
bots asynchronously. " and "Finally, where we do modify C&C messages 
in transit, these actions themselves strictly reduce harm. Users who 
click on spam altered by these changes will be directed to one of our 
innocuous doppelganger Web sites.".

However, the authors do not address the issue of if they were taking 
part in a criminal activity or if they should have reported the 
criminal activities to the appropriate authorities. It seems a flawed 
argument for the researchers to say  their activities were no more 
harmful than those being observed.

More in my blog: <http://www.tomw.net.au/blog/2008/11/economics-of-spam.html>.



Tom Worthington FACS HLM tom.worthington at tomw.net.au Ph: 0419 496150
Director, Tomw Communications Pty Ltd            ABN: 17 088 714 309
PO Box 13, Belconnen ACT 2617                      http://www.tomw.net.au/
Adjunct Senior Lecturer, Australian National University

More information about the Link mailing list