The New Yorker article excerpted below gives some interesting statistics on spam. There's obviously real money to be made from spam, or else it wouldn't be such a well-developed industry. About 90% of all email traffic is spam, hundreds of billions of messages per day. The response rate is around 1 per hundred thousand, and you can imagine that the bad guys could easily average $1 of profit per response. Taking those assumptions, we can conclude that spam generates at least $1 billion per year for the bad guys. That pays for a lot of ingenuity in crafting and distributing malware! (The IT industry may spend as much as $10 billion per year just fighting spam.)
Both the malware and spam problems are a kind of tax on the overall internet population caused by the least sophisticated users (I won't reference IQ here, but there is certainly a correlation). It's the least sophisticated users who tend to get their machines infected (providing cheap botnet spam distribution -- any PC with a broadband connection can send out millions of messages per day), and it's the least sophisticated among us who reply to spam messages, generating profits for the spammers. I suspect that removing the 20% least sophisticated users from the ecosystem would make life 10 times harder for the bad guys. It's actually hard for people in the security industry to understand this sometimes -- security engineers tend to focus on very complex, technologically advanced solutions, without realizing that the key problem is to protect the most clueless users from themselves.
New Yorker: ... Few companies could function without attempting to stop spam from invading their employees’ in-boxes. The costs are not always easy to assess, but several studies have found that in the United States more than ten billion dollars is spent each year trying to contain spam. The success rate of such anti-spam efforts usually exceeds ninety-five per cent, but spam behaves on the Internet in much the same way that viruses do when they infect humans: it might take a million of them to attack an immune system before one gets through, but one is enough. The same is true of e-mail. The more spam that is blocked, the greater the volume spammers will need to send in order to make money. “If you used to have to send fifty thousand pieces of spam to get a response, now you have to send a million,” John Scarrow, the general manager of anti-spam technologies at Microsoft, told me. (Spammers usually need to send a million e-mails to get fifteen positive responses; for the average direct-mail campaign, the response rate is three thousand per million.) “Spammers just shrug it off and send a million.” That amount of e-mail can overwhelm servers and waste time, particularly for those who check their mail several times a day. (It takes at least five seconds to recognize and delete an e-mail. If a billion spam messages elude detection every day—which means that ninety-nine per cent do not—that adds up to a hundred and fifty-nine years of collective time lost hitting the delete button every day.) Scarrow told me that of the four billion e-mails processed by Hotmail every day, they deliver only six hundred million. The rest are spam.
...Matt Sergeant, of MessageLabs, told me. “In 2003, spammers started paying people to write viruses to take control of home computers. The easy days were over.” Viruses are actually tiny software programs that exploit weaknesses in networks or computer operating systems like Windows. They find a way to burrow into a computer’s hard drive. That summer, a virus called Sobig infected millions of computers throughout the world. In a single day, MessageLabs intercepted a million copies and AOL stopped more than twenty-five million.
Sobig was the first commercial virus created by spammers designed specifically to infect machines, embed its code, and then turn those machines into networks that could send millions of e-mails. Because the e-mails were sent by innocent people who never knew that their computers were infected, the criminals were almost impossible to trace. Suddenly, spam had created an industry: a netherworld of hijacked PCs (called zombies or slaves), linked together in rogue robot networks (or botnets) controlled by underground bot herders, who operate from anywhere in the world. These networks can unleash millions of pieces of mail in a few minutes; when the botnets disband, the herders regroup and seize tens of thousands of other computers. Even the cheapest machines now have enough processing power to churn randomly through millions of address combinations until they stumble on a few that are correct.
The increase in spam levels—nearly tenfold in the past three years—is almost solely a result of botnets. Messages routinely carried viruses, many of which were designed to evade traditional filters. It’s not hard to do: Many people use common, easily guessed passwords to protect their wireless networks—and a surprising number don’t use passwords at all. Clicking on the wrong link at a Web address can also permit malicious software to install itself on a computer and force it to manufacture spam. This is called a “drive-by download.” Once a computer virus invades, it will seek out any address book, sending copies of itself to every e-mail address it can find. Spammers today almost never use their own computers or Internet connections. It is rarely necessary, since they can seize control remotely from computers all around the world. “By the end of last year, spammers had taken over enough PCs that they could really do whatever they wanted with them,” Sergeant said. “Half of the time, they are doing it on your computer and you wouldn’t even have a clue.”