I was checking out a blog post by Dancho Danchev on ZDnet, he has some interesting statistics on Russian spam. In it, he describes how much spam is Russian and how much money they are making. Rather than summarize his views, I thought I would repost some excerpts because I can’t state it any better than he does:
- Spammers make more money, than they are fined with - According to RAEC’s study based on publicly obtainable data of fines against EU based spammers, in 2009 the fines (€2.85 million) represented slightly more than 1% of their profits (€218 million). The same situation is often seen in different markets, where the companies engaging in illegal activities are in fact making so much money, that they can afford to pay the fines imposed on them. However, despite the obvious need of higher fines for spammers, from my perspective, imposing those fines on a participant within an affiliate network, in situations where you cannot get to the masterminds of it, undermines its effectiveness.
- Russian cybercriminals are ahead of the legal framework - With anti-spam legislation in Russia virtually non-existent, it’s no surprise that so many people are operating in the open, without any feeling of prosecution. However, another paradox we talked about, was the fact that some Russian spammers and cybercriminals in general, operate their campaigns outside Russian, in countries with developed anti-spam and anti-cybercrime laws. Yet, they are still at large.
- The world’s top spammers are Russian citizens, relying on U.S based infrastructure for their operations - Whether it’s the systematic abuse of legitimate email providers (Gmail, Yahoo and Hotmail systematically abused by spammers), or compromised web sites, numerous independent studies continue emphasizing on this fact. For instance, the recent PhishTank’s stats for February, 2010, and MarkMonitor’s Brandjacking Index for 2009, both, point out that the U.S is hosting the majority of phishing sites. What does this mean? It means that from a pragmatic perspective, given the active legal framework, resources and technical capabilities, spam and phishing shouldn’t be the kind of problem it currently is. That’s, of course, in a perfect world.
- Spam and cybercrime in general are not a country-specific problem, but an international one - Although this is a fact and we both agreed on, another fact cannot be disputed - Eastern European based cybercriminals going after financial data, make Chinese cybercriminals look like cartoon heroes on their way to steal your virtual goods.
- Go after the people, not the ISPs, as a form of public statement - The fact that there are people known as “spam kings” or “spam czars” means that they’ve been in operation for years. Moreover, based on the scale of their spam operations, and the money they make, a logical move on their behalf would be to keep a very low profile, and take basic operational security measures in place. That’s not the case, making it easier to go after them.
- Try to get to the top of the affiliate network chain, instead of prosecuting/fining a participant in the affiliate network - Who’s getting prosecuted for spamming at the end of the day? It’s usually not the one who should be. The next time you hear that a spammer has been arrested, is being sued, and possibly even fined, ask yourself the following - is this guy the one running an affiliate network with hundreds of thousands of spammers participating in it, the supplier of the counterfeit pharmaceuticals, or is he basically one of the thousands of participants in the network?
Pretty good analysis, I think.