An A-list spammer likely controls his own botnet using a server called a command-and-control center. If a spammer doesn't control a botnet, he will have to rent one to fire off his emails.
"Botnets are the ultimate tools of trade in the cyber-crime ecosystem and are capitalized in many ways, but what's common is the fact that the botmasters always get the lion's share," Catalin Cosoi, chief security researcher at BitDefender, said in an email interview.
The same botnet may simultaneously be launching another spam attack or, if the botmaster permits it, distributing malware. Spammers who are willing to tolerate the increased risk of arrest that dealing in malware brings may load malware programs or links to infectious websites into the same email they are sending with an advertisement.
Researchers don't often get to peek into spammers' diffuse and well-hidden operations. A few instances in which they managed to do so suggest that for every 10 million spam emails sent out, more than 7.5 million are rejected at the ISP level. At least 2.45 million are blocked by email systems' spam filters. (All of the major filters enjoy success rates higher than 98 percent.) Just 50,000 emails reach a user. At best, half of those are opened. Roughly 300 people click on a link, and just 55 buy something. A spammer would make more than US$2,000 from those clicks, though. A phenomenal success would consist of getting two percent of the email's recipients to click on a link.
Volume is so key for commercial email spam that the technique is called "spray and pray," said Chester Wisniewski, a senior security advisor at Sophos.
Malware gets more attention than commercial spam because it ostensibly causes more damage. But it makes up just 3 percent of all email and largely plays a supporting role to commercial spam. By bringing more computers into the botnet, it provides the firepower to send all those commercial emails.
When Microsoft destroyed Rustock, spammers lost control of a huge network of unknown size (estimates ranged from about 850,000 to more than 2 million infected computers). In the months following the take-down, the percentage of spam emails carrying malware, not including messages that pushed users to links that would deliver it, rose significantly, according to Eric Park, an abuse analyst at Symantec. The trend suggested that spammers were endeavoring to regain the firepower they'd lost.
Because malware plays the vital role of "botting" more machines, the spammers devote their craftiest messages to it. Significant innovation has occurred in this area, possibly as a result of increased pressure on the command-and-control centers from law enforcement and companies, including Microsoft, filing civil actions.
Gone are the days of misspellings and amateur graphics. The emails are timely, often alluding to current events. They also cleverly play on human psychology to ensure a click-through to the website that downloads the malware. One email purporting to come from the U.S. Postal Service notifies you of a package sent using a label charged to your credit card. The recipient will want to track down the payment and obtain a refund, but the link simply promises to provide more information.
Spammers are also increasingly using social networks like Facebook and Twitter to drive users to their advertisements. Paul Judge, Barracuda's chief research officer, said the reason was simply "more eyeballs."
Say a spammer has the maximum of 5,000 friends on Facebook. If he uploads a photo and tags it with the maximum of 50 people, Judge said, he can reach 250,000 people with a single photo and accompanying link -- five times more views than result from 10 million email messages.