NEWS FROM THE LAB - Wednesday, November 12, 2008

Researchers Hack Storm Botnet for Economics Study

Posted by Response @ 02:03 GMT

There's an interesting study on the economics of spamming, reported today at BBC and The Register.

Spamalytics: An Empirical Analysis of Spam Marketing Conversion was authored by researchers from the University of California, Berkeley, and UC San Diego.

Summary: the Storm botnet sends out spam leading interested parties to two sites, a malware-infected site designed to expand the botnet itself and a pharmacy site promoting "male enhancement drugs". It has been assumed that even a few people buying such products would be enough for spammers to make a huge profit, but few studies have been performed to investigate.

In this study, the researchers hacked into the Storm botnet's command and control system to modify a subset of spam already being sent out. The change redirected "any interested recipients to servers under [the researcher's] control, rather than those belonging to the spammer", where the researchers could track sales attempts. They could then use the data to figure out how many actual sales the entire spam operation would be likely to generate.

Interesting points from the analysis: even with a tiny conversion rate of "0.00001 per cent" from spam to sale, spammers can still net a fair bit of profit, but not as much as suggested. Because the conversion rate is so minuscule, however, spammers can be put under real pressure by countermeasures that affect it, like anti-spam filters, blacklists and so on.

The study also clearly documented the reasoning the researchers used to handle the legal and ethical issues they faced, the key points being that: 1) they did not actively send out the spam itself, or create new spam; 2) none of the actions performed based on the methodology were "intrinsically objectionable"; and 3) where there was potential for harm, they worked to "strictly reduce" it.

Interesting stuff.