Email spam is a lucrative business for everyone involved - usually the spammer, the email harvester that provides the list of email addresses to target, and the botmaster that rents out his botnet to send out the spam.
Previous research efforts have concentrated on studying how email addresses are harvested, the structure of botnets, the creation of spam templates, and the financial conversion of spam. These researchers instead wanted to discover the operational relations and the interactions among the different parties in the spam ecosystem.
To that end, they performed an experiment that allowed them to track how email addresses are harvested, and which botnets are sending what type of spam to the harvested addresses.
What they discovered is that spammers usually purchase their email lists from professional email harvesters and rent a single botnet to send the spam. Some of them also set up their own mail transfer agents (MTAs) to spread it.
And, contrary to what we may believe, spammers do not consider a list of target email addresses "spent" after a few runs - they continue to use the same list over and over again, sometimes for years.
The research also gave some insight into the distribution of the bots in several spam-sending botnets, as well as that of the mail transfer agents (Postfix and Sendmail) used to send spam.
Interestingly, none of the spam campaigns detected advertised pharmaceutical products. "While this might arguably be an artifact in our dataset, it might also suggest that spammers are moving on to exploring other ways of generating revenue, such as blackhat Search Engine Optimization (SEO)," they noted.
"It could (also) be that large pharmaceutical affiliate programs harvest their own email addresses, and that they directly provide them to their affiliates, who do not have to look for email lists on the black market," they added.
Another interesting thing is that spammers are loyal to their email harvesters and botmasters.
Both of these discoveries can be leveraged by security researchers for detection, as explained in the researchers' paper, which they are set to present at the 9th ACM Symposium on Information, Computer and Communication Security, currently in progress in Kyoto, Japan.