eScholarship
Open Access Publications from the University of California

UC San Diego Electronic Theses and Dissertations

Characterizing internet scams through underground infrastructure infiltration

Abstract

Modern unsolicited bulk email, or spam, is ultimately driven by product sales: goods purchased by customers online. While this model is easy to state in the abstract, our understanding of the concrete business environment---how many orders, of what kind, from which customers, for how much---is poor at best. This situation is unsurprising, since such sellers typically operate on questionable legal footing and ground-truth data are rarely available to the public. However, absent quantifiable empirical data, "guesstimates" operate unchecked and can distort both policy making and our choice of technical interventions. This dissertation presents new methodologies for, and results from, experiments that characterize and quantify the economics of email-based scams. The methodology relies on infrastructure infiltration to gain a view of the mechanisms and revenues of these operations from the point of view of the perpetrators themselves. Across multiple research efforts, we capitalize on weaknesses in the perpetrators' own security to collect information that reveals how these scams work. The first effort investigates the proportion of spam recipients who act on the spam messages they receive: the "conversion rate" of spam. Using a parasitic infiltration of an existing botnet's infrastructure, we analyze two spam campaigns comprising nearly half a billion email messages: one campaign designed to propagate a malware Trojan, the other marketing online pharmaceuticals. We identify the number of messages that are successfully delivered, the number that pass through popular anti-spam filters, the number that elicit user visits to the advertised sites, and the number of "sales" and "infections" produced. The second effort uses two inference techniques to peer inside the business operations of spam-advertised enterprises: purchase-pair inference and basket inference.
Using these methodologies, I provide informed estimates of order volumes, product sales distribution, customer makeup and total revenues for a range of spam-advertised businesses. The results from these studies demonstrate that infiltration of Internet criminal infrastructure allows collection of useful information that improves our understanding of the operations and economics of adversaries on the Internet. This information informs both technical and policy-based defenses so that they can take into account the business realities of economically motivated Internet adversaries.
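The abstract names purchase-pair inference but does not describe it. The following is an added illustration, not code from the dissertation, and it rests on an assumption not stated on this page: that the technique works by making two or more test purchases from the same storefront, reading the order number each one is issued, and treating those numbers as draws from a single sequential counter, so that the difference in order numbers divided by the elapsed time estimates the store's order rate. The observation list, the function names and the timestamps below are all constructed for the example.

```python
from datetime import datetime

# Constructed observations: (time of our test purchase, order number shown on
# the confirmation page). Every value here is invented for illustration.
OBSERVATIONS = [
    (datetime(2023, 1, 1, 0, 0), 104000),
    (datetime(2023, 1, 2, 0, 0), 104420),
    (datetime(2023, 1, 4, 12, 0), 105480),
    (datetime(2023, 1, 8, 0, 0), 106950),
]

SECONDS_PER_DAY = 86400.0


def _check_monotonic(observations):
    """Reject data that violates the single-sequential-counter assumption.

    A non-increasing order number means the site either does not use a
    global counter, resets or randomises it, or our purchases were not
    attributed to the same counter; any rate derived from it is meaningless.
    """
    if len(observations) < 2:
        raise ValueError("need at least two purchases to form a pair")
    for (t1, n1), (t2, n2) in zip(observations, observations[1:]):
        if t2 <= t1:
            raise ValueError("purchases must be ordered by time")
        if n2 <= n1:
            raise ValueError("order numbers did not increase; counter assumption fails")


def pair_rates(observations):
    """Orders per day implied by each consecutive pair of purchases."""
    _check_monotonic(observations)
    rates = []
    for (t1, n1), (t2, n2) in zip(observations, observations[1:]):
        days = (t2 - t1).total_seconds() / SECONDS_PER_DAY
        rates.append((n2 - n1) / days)
    return rates


def fit_rate(observations):
    """Least-squares slope of order number against time, in orders per day.

    Pooling all purchases into one fit damps the noise of any single pair
    (for example a burst of orders right after a spam campaign starts).
    """
    _check_monotonic(observations)
    t0 = observations[0][0]
    xs = [(t - t0).total_seconds() / SECONDS_PER_DAY for t, _ in observations]
    ys = [float(n) for _, n in observations]
    k = len(xs)
    mx, my = sum(xs) / k, sum(ys) / k
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def estimate_orders(observations, window_days):
    """Extrapolate the fitted daily rate to an order count over a window."""
    return fit_rate(observations) * window_days


if __name__ == "__main__":
    print("per-pair rates (orders/day):", pair_rates(OBSERVATIONS))
    print("fitted rate (orders/day): %.1f" % fit_rate(OBSERVATIONS))
    print("estimated orders in 30 days: %.0f" % estimate_orders(OBSERVATIONS, 30))
```

The monotonicity check matters more than the arithmetic: the estimate is only as good as the assumption that the storefront hands out order numbers from one global counter, and the cheapest way to test that assumption is to make the purchases and look.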
