How much is your unprotected PC worth to spammers?

I’ve written often about the need to keep your PC patched and your virus scanner up-to-date so that your PC doesn’t become infected with a Trojan or virus that turns it into a zombie for use in sending spam email or launching DDOS attacks. I’ve mentioned how virus writers don’t want to destroy your data anymore because our PC is worth more to them in an operational state so they can then charge spammers money to distribute junk email, but there’s never been a dollar amount indicating just how much the hackers are making off of their illicit use of your PC and internet connection. This article at USA Today finally gives us a hint.

One indication of the going rate for zombie PCs comes from a June 11 posting on, an electronic forum for spammers. The asking price for use of a network of 20,000 zombie PCs: $2,000 to $3,000. Such networks typically are used to broadcast spam and phishing scams and to spread e-mail viruses designed mainly to create yet more zombies.

Zombie networks can be sophisticated. Last fall, a small Internet service provider asked cybersleuth Don Bowman to find out which of its 70,000 subscribers were broadcasting spam. Its network was generating so much spam, other ISPs threatened to blacklist it.

Bowman discovered that e-mail would blast from 20 PCs for a brief period. After a pause, another fire-hydrant-like surge gushed from a different group of 20 PCs. On average, each machine disgorged 630 pieces of e-mail an hour. “It wasn’t natural,” says Bowman, chief software architect for security firm Sandvine. “No one can type that fast.”

His conclusion: An intruder was deploying squads of zombies in rotating waves. Why? Probably so the unwitting zombie owner would tolerate performance slowdowns that came and went — and investigate no further.

No wonder there’s such a drive by the blackhats out there to commandeer your machine. A little time spent coding and you can be making a couple of grand per customer as a spam relay. Doesn’t get much easier than that. Gathering valid email addresses is profitable as well. The article makes mention of Jason Smathers formerly of AOL who is charged with stealing 92 million email addresses from his former employer and selling them to a spammer for $100,000.

I suppose now is a good time to mention that EE automatically uses JavaScript to encode your email address when you put it into the comment form (or register an account) so it won’t be harvested by bots scanning the site. If you look at the page source on a page with comments you’ll notice that there’s quite a few bursts of JS code wherever an email address is likely to be listed.

8 thoughts on “How much is your unprotected PC worth to spammers?

  1. Just to be devil’s advocate; doesn’t obfuscating addresses like this make them more valuable to spammers? Isn’t it a matter of (little) time before obfuscated addresses are scraped by bots also?

    Stick with me on this.
    A) People start to trust obfuscation.
    B) They’re more likely to use a “real” email address.
    C) Real addresses are more valuable, so worthy of more effort to harvest.
    D) Obfuscation is just a simple Javascript that any browser runs transparent.
    E) Any hacker with a bit of time could write a bot that runs any javascript with doc-writes prior to scraping the result for email addresses.
    3) Profit.

    Personally, I don’t go anywhere without my SpamGourmet.

    Just pondering…

  2. As some have noticed, i post my email addy all the time in my posts on a whole slew of systems.  Sure, i get spam.  But, honestly, most of it is filtered out from my inbox.  On average, i tag 1-2 emails a day as spam-worthy.

    I think this is a matter of better and better filtering, and (like the terrorism question) there is and shall never be no macro-level solution.

  3. well f*ck it then – my computer is probably making some geek a few grand as we speak. If you can’t beat ‘em, join ‘em. Or is it if you can’t beat ‘em, kill ‘em.

    I want software that not only protects me from the scam artists, but also makes their lives miserable. wink

  4. It wasn’t explicitly stated, but apparently the answer to the articles question is: 10 cents.

    I use spambob. .net and .org are great, although .net can’t be changed, only deleted. .com is really, really slow. Not really good for email confirmation. More than once, my confirmations failed because they only work if you respond within half an hour. I’m going to check out those ones that you guys have suggested.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.