Computer scientists from the University of California, Berkeley and UC, San Diego (UCSD) conducted a 1-month study on how spammers make their money in early 2008.

How the researchers did it:

(1) they hijacked part of Storm, a huge existing, operational spam network that controlled up to 1 million home PCs as email relays for sending spam. They did this by creating and utilising several proxy bots that got in the way of the actual Storm control system and the “zombified” home PCs. These bots managed to take over control of 75,869 home PCs from Storm.

(2) The researchers then created 2 spam campaigns, albeit fake ones:
- one: mimicking how Storm spreads via viruses.
- two: tries to tempt people to visit a (fake) pharmacy website, which then tries to sell them a “libido boosting herbal remedy”. The site was deliberately designed to look like that run by Storm’s owners; the difference was that it did not keep credit card details keyed in by potential customers.

(3) Run the spam campaign i.e. send millions of junk emails. By the end of the study, the researchers had sent out about 469 million emails, most of them for the fake pharmacy campaign.

Result:

After 26 days and 350 million emails sent, 28 sales had resulted, which would have resulted in a revenue of USD2,731.88.

Not bad at all!

That meant a response rate of less than 0.00001%. In comparison, legit direct mail campaigns on average returns 2.15%.

Scaled up to the full size of the Storm network, it’s estimated that the spammers are netting USD7,000 per day i.e. USD210,000 per month, or more than USD2 million per year!

In other words, even if only 1 email out of 12.5 million result in a sale, a “big spammer” would still turn over profits in MILLIONS of US DOLLARS every year.

Source
“Spamalytics: An Empirical Analysis of Spam Marketing Conversion” by C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson and S. Savage
The BBC, 10th Nov 2008