Spammers also often purchase lists of would-be recipients' email addresses. Cybercriminals gather these addresses using key logging software on infected computers or by scraping them out of a compromised database on another website. They may download PDFs that contain addresses and pay lackeys to enter them into a database. A tried and true technique involves crawling the Web in search of email addresses. The least sophisticated technique is simply to guess: A common name at any domain will probably work, for example.
An A-list spammer likely controls his own botnet using a server called a command-and-control center. If a spammer doesn't control a botnet, he will have to rent one to fire off his emails.
"Botnets are the ultimate tools of trade in the cyber-crime ecosystem and are capitalized in many ways, but what's common is the fact that the botmasters always get the lion's share," Catalin Cosoi, chief security researcher at BitDefender, said in an email interview.
The same botnet may simultaneously be launching another spam attack or, if the botmaster permits it, distributing malware. Spammers who are willing to tolerate the increased risk of arrest that dealing in malware brings, may load malware programs or links to infectious websites into the same email they are sending with an advertisement.
Researchers don't often get to peek into spammers' diffuse and well-hidden operations. A few instances in which they managed to do so suggest that for every 10 million spam emails sent out, more than 7.5 million are rejected at the ISP level. At least 2.45 million are blocked by email systems' spam filters. (All of the major filters enjoy success rates higher than 98 percent.) Just 50,000 emails reach a user. At best half of those are opened. Roughly 300 people click on a link, and just 55 buy something. A spammer would make more than US$2,000 from those clicks, though. A phenomenal success would consist of getting two percent of the email's recipients to click on a link.
Volume is so key for commercial email spam that the technique is called "spray and pray," said Chester Wisniewski, a senior security advisor at Sophos.
Malware gets more attention than commercial spam because it ostensibly causes more damage. But it makes up just 3 percent of all email and largely plays a supporting role to commercial spam. By bringing more computers into the botnet, it provides the firepower to send all those commercial emails.