Monday, August 13, 2012

The Economics of Spam

Did you know that there are about 100 billion spam e-mails sent every day? Did you know that the overwhelming majority of this spam is screened out by your e-mail provider and never even ends up in your "junk mail" folder. That when one big spammer was taken down in 2009, global e-mail traffic fell by one-third? That American firms and consumers experience costs of about $20 billion per year because of e-mail spam? All this and more is discussed by Justin M. Rao and David H. Reiley in "The Economics of Spam," which appears in the Summer 2012 issue of my own Journal of Economic Perspectives. Like all JEP articles from the current issue back to 1994, it is freely available on-line courtesy of the American Economic Association. 

I found especially interesting what the authors describe as a cat-and-mouse game between spammers and anti-spam software. For example, when many people label a message as "spam," then it helps the anti-spam software to look for those words or URLs repeated in other messages, so that those messages can be filtered out. But then spammer responded with creative misspellings (like "VIagrA") to trick the anti-spam filter, and used many different URLs that would all take the unwary to the same sales page. 

In addition, the spammers use software to mark messages as "not spam," thus trying to offset those who label them as spam. Rao and Reiley write: "In four months of 2009 Yahoo! Mail data, our Yahoo! colleagues found that (suspiciously) 63 percent of all “not spam” votes were cast by users who never cast a single “spam” vote."

Anti-spam software can try to identify the computer that is sending spam, and shut it down. But spammers have responded with "botnets," which are a network of computers infected by malware that will send out spam e-mails. In addition, "a zombie could be programmed to sign up for hundreds
of thousands of free email accounts at Gmail, and then send spam email through these accounts. ... In 2011, Yahoo! Mail experienced an average of 2.5 million sign-ups for new accounts each day. The anti-spam team deactivated 25 percent of these immediately, because of clearly suspicious patterns in account creation (such as sequentially signing up account names JohnExample1, JohnExample2, . . .) and deactivated another 25 percent of these accounts within a week of activation due to
suspicious outbound email activity."


The volume of e-mail sent by botnets can be enormous: "The largest botnet on record, known as Rustock, infected over a million computers and had the capacity to send 30 billion spam emails per day before it was taken down in March 2011. Microsoft, Pfifi zer, FireEye network security, and security experts at the University of Washington collaborated to reverse engineer the Rustock software to determine the location of the command servers. They then obtained orders from federal
courts in the United States and the Netherlands allowing them to seize Rustock’s command-and-control computers in a number of different geographic locations. ... The takedown of this
single botnet coincided with a one-third reduction in global email spam— and hence a one-quarter reduction in global email traffic." 


Various websites began to use what is called a "CAPTCHA, which is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart” to prevent spam and other automated software. As a first response, "Spammers turned to visual-recognition software to break
CAPTCHAs, and in response email providers have created progressively more difficult CAPTCHAS, to the point where many legitimate human users struggle to solve them." But then spammers figured out how to get humans to solve the CAPTCHAs for them. "[A] spammer would set up a pornography site, offering to display a free photo to any user who could successfully type in the text characters
in a CAPTCHA image. In the background, their software had applied for a mail account at a site like Hotmail, received a CAPTCHA image, and relayed it to the porn site; they would obtain text from a user interested in free porn and relay this back to the Hotmail site ..." And now one can hire faraway workers to break CAPTCHAs, perfectly legally: "The market wage advertised for CAPTCHA-breaking laborers declined from nearly $10 per thousand CAPTCHAs in 2007 to $1 per thousand in
2009. These labor markets started with Eastern European labor and then moved to locations with lower wages: India, China, and Southeast Asia."


Several teams of researchers have managed to take over botnets and other spam-related software, which allowed them to see how many messages were going out, how many were blocked by anti-spam software, and how many responses were being received.  In one such study: "In total, the group modified 345 million pharmaceutical emails sent from botnet zombies. Three-quarters of these were blocked through blacklisting, and the remaining 82 million emails led to a scant 28 conversions, or about 1 in 3,000,000."  Thus, e-mail spam is a profitable if illegal business if it receives one attempt to purchase a good out of every three million spam e-mails sent!

Given the ability of spammers to react to anti-spam efforts, what might be done about e-mail spam? Rao and Reiley are lukewarm about proposals that would seek to impose a small charge on senders of messages, which would go to recipients of e-mails as compensation. If a recipient desired, they could identify any e-mail senders who would not have to pay them when sending an e-mail. Rao and Reilley note that there is currently no mechanism for linking the sending of e-mails to payments. And if sending an e-mail automatically generated a payment, then spammers would have an incentive to hijack accounts and send thousands of messages--so that the senders could collect. Instead, they suggest approaches like going after the relatively few financial institutions around the world that process transactions for sales that result from spam e-mail, or even setting up a task force that would seek to "spam the spammers," thus raising the costs of spam operators and perhaps making their operation unprofitable.