Spam, unwanted commercial e-mail, costs businesses billions each year in lost productivity and actual IT time spent defending against it.

Spam is also a wonderful source of malware infections and, if you care about having happy, satisfied employees, it is a personal disaster for those who fall prey to things such as 3-Card Monte games, the appeal of the shiny bells and whistles on slot machines, scratch-off lottery games, and Viagra ads. Employees who fall prey to spam feel (and are) cheated, and they aren’t happy workers.

Spam is definitely a security threat on several levels, even if you defend against it perfectly. Just look at the anti-SPAM resources being wasted, time and money that could improve your overall network security or reliability. But while many people are actively working to block spam, most of them have little idea of the nature of the beast, and “know thy enemy” is a vital piece of wisdom, one often ignored in the modern world and to our peril.

We have some blatant examples of this today and we should learn from them. We can keep patching up filters and take other steps, but if we are ever to truly defeat spam we must go into the attack armed with a real knowledge of the threat. We hear anecdotally and know from common sense that if spam didn’t make money for somebody it wouldn’t exist but, as with the war on drugs (or other ill-conceived ventures), if you don’t understand the scope of the problem you won’t be ready to launch a meaningful attack. SPAM that generates a $10,000,000 profit per year is a very different enemy from one that generates $10,000.

You probably think you know the biggest source of spam, but I bet you’re wrong. See what some experts found when they looked at hard data.
Most of us hate SPAM and it costs companies a lot of money to deal with it, but a recent study at Oxford shows some solid evidence of just why it will be with us a long time – it makes money!

The November/December issue of MIT’s Technology Review carries a brief note on the topic, which led me to the original study, in which Oxford Internet Institute professors Friedler and Zittrain published the results of a study on pump-and-dump stock schemes where people buy penny stocks and later send out SPAM touting them as a great investment, hoping to sell them as quickly as possible.

The researchers estimate that about 15% of the 730 million weekly spam messages are stock touts. Unlike schemes where people are asked to send money directly to some fly-by-night company/Web site and it is difficult or impossible to trace just how successful the SPAM is, stock touts simply want people to buy their stock picks through regular investment channels and the purchases are perfectly legitimate – they are just terrible investments.

Evidence from the study shows that people who fell for the spam stock touts and bought the stocks lost an average of 8 percent of their investment over the following two days but that those who already held the stock were able to sell it with returns as high as 6 percent the next day and averaged a profit of 4.9 percent.

I’ve personally seen a flood of stock spam over the past six months and have reliably used it as a guide to penny stocks NOT to purchase, although I mostly stick to uranium mining stocks these days and most of those just keep going up. However, if one of them showed up in spam touting schemes I would definitely steer clear of it, knowing the price was about to pop artificially for a very brief time.

But as any educated investor knows, one problem with making money on penny stocks is that the trading volume is often very small and if you try to sell out at a profit the price can drop precipitously simply because you are trying to sell more shares than the market can absorb in a short period of time.
In addition to raising the price temporarily, spam touts cause volume to surge, making it easy for spammers to unload a lot of stock at the higher price.

Obviously a lot of people aren’t particularly savvy and actually buy stock touted by complete strangers in e-mails, thereby pushing up the stock value and (vitally) liquidity for a very brief period – just long enough for the spammers to dump it at a significant profit.
Of course 5-6% doesn’t sound like much of a profit after commissions, but do it every few days for a year and it really adds up.

The study demonstrated empirically what was obvious to those in the security field – spam makes money or people wouldn’t continue using it, but it also puts some solid numbers behind that common sense belief and may provide a way to track down some spammers simply by tracking who made large purchases and sales of penny stocks just before and just after tout e-mails were sent.

Unlike e-mail accounts, it is difficult to get an anonymous stock brokerage account. Of course if this is mostly taking place due to large criminal organizations they will cover their tracks well, but even with spam touts the trading volume for these stocks is probably not large enough to interest big East European criminal organizations.
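The tracking idea above, correlating brokerage records with tout dates, can be sketched as follows. This is an added example, not code from the study or from any brokerage system; the record layout, account names, tickers, dates, window lengths and share threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records: (account, ticker, side, shares, trade_date)
TRADES = [
    ("acct-A", "XYZQ", "buy", 50000, date(2006, 11, 6)),
    ("acct-A", "XYZQ", "sell", 50000, date(2006, 11, 9)),
    ("acct-A", "QRST", "buy", 80000, date(2006, 11, 20)),
    ("acct-A", "QRST", "sell", 80000, date(2006, 11, 22)),
    ("acct-B", "XYZQ", "buy", 2000, date(2006, 11, 8)),    # bought on the tout
    ("acct-C", "XYZQ", "buy", 40000, date(2006, 9, 1)),    # long-term holder
    ("acct-C", "XYZQ", "sell", 40000, date(2006, 11, 9)),
    ("acct-D", "ABCD", "buy", 30000, date(2006, 11, 6)),   # ticker never touted
    ("acct-D", "ABCD", "sell", 30000, date(2006, 11, 9)),
]
# Constructed tout campaigns: ticker -> date the spam run was first seen
TOUTS = {"XYZQ": date(2006, 11, 8), "QRST": date(2006, 11, 21)}

def flag_round_trips(trades, touts, before_days=5, after_days=3, min_shares=10000):
    """Return {account: [tickers]} for accounts that bought at least min_shares
    in the before_days leading up to a tout and sold at least min_shares on the
    tout date or within after_days after it."""
    bought = defaultdict(int)
    sold = defaultdict(int)
    for account, ticker, side, shares, day in trades:
        tout = touts.get(ticker)
        if tout is None:
            continue  # no spam campaign recorded for this ticker
        if side == "buy" and tout - timedelta(days=before_days) <= day < tout:
            bought[(account, ticker)] += shares
        elif side == "sell" and tout <= day <= tout + timedelta(days=after_days):
            sold[(account, ticker)] += shares
    flagged = defaultdict(list)
    for (account, ticker), qty in bought.items():
        if qty >= min_shares and sold[(account, ticker)] >= min_shares:
            flagged[account].append(ticker)
    return {acct: sorted(tickers) for acct, tickers in flagged.items()}

def repeat_accounts(flagged, min_campaigns=2):
    """Accounts that match several campaigns are the strongest leads."""
    return sorted(a for a, t in flagged.items() if len(t) >= min_campaigns)

if __name__ == "__main__":
    hits = flag_round_trips(TRADES, TOUTS)
    print(hits, repeat_accounts(hits))
```

The buy window matters: widening `before_days` far enough starts to sweep in ordinary long-term holders who simply sold into the price spike, so a single match is weak evidence and repeated matches across campaigns carry the weight.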

Obviously education is the only practical way to reduce spam volume and it should begin at work where you can educate employees about the scams and how their participation in any way, even just by opening spam e-mails, leads to increased spam volume because it keeps spam profitable.

The hard numbers provided in this study should go a long way in helping educate employees and showing management why it is important to conduct wide-ranging security training.

The Junk-o-Meter site offers some good statistical data on junk mail volume. As of December, the percentage of emails on the net that are SPAM has reached 83%, up from nearly zero in January 2001.

In addition to spam volume over a range of time periods, including hourly, the site also provides a breakdown by country and type of spam. It may surprise you to learn that most spam originates in the U.S., although that may be due to zombie computers.

Another surprise to many is that most spam is NOT related to the sex trade. In fact, that is a small and shrinking percentage of the total spam traffic, most of which is health-related. is another source of spam statistics.