"Based on circumventing 120 million malware-propagating messages, that it might be possible to infect between 3,500 to 8,000 drones a year, the researchers say."

Having been logged into over a dozen botnets numbering in over 50k+ each, i would say 3,500 per day not per year.. And that is based on propagating with reserve.

As new infects come in they get scanned for readable files and email addresses are taken from these files and added to multiple organised databases. The average user only has some 50 or so emails on their pc but companies can have from 2000 - 500,000. On average we are looking at 10million fresh emails per 2,500 infects meaning that there is always a fresh batch to solicit for sales or infects to replenish stocks. The pro bot herders only use their bots to re-infect and harvest at intervals so as not to use too many resources, hosting a large botnet is a full time job in itself, as such, letting it grow too much may cut you off completely for a time.

Storm is probably the least professional i have seen in action of the bigger nets. They got lazy, over used their net and stopped caring how they promoted their product. Almost as if they lost members and control was gained by the lower ranks.

The sales ratio per spam and infect rate sounds about correct for the storm net however this is due to the decline in the quality of the messages they send.

They sent spam, you cannot go around claiming that it would just happen anyhow.

The cost of spam is the waste in time of dealing with it, if they want to research something they have to setup a controlled environment for it, and pay for the pleasure, not just ride rough shod over crack some systems and fire out their idea of innocuous spam.

It is tantamount to saying, it is ok to wander off to a war zone, and then just go round shooting people in the leg with stolen ammo from one side, sure the ammo may have got fired and killed someone, much better to be maimed then killed and in research is going, but I still think they have the issue of theft, and the maiming to deal with.

I have been waiting for this bit of news for a day so :)

The real problem is if they get off, they have opened a loophole in the law, what is to stop people spamming, having the spam intercepted by a 'research party' redirected to an 'innocuous' website, that then subsequently gets cracked and redirects to another target.

WHY DIDN'T THEY TAKE STEPS TO SHUT IT DOWN!.

Simple that would require them to make changes to people computer. You have no idea how screwed up those computers are. I believe altering the files on a computer with out permission is crime. You would also have some jack ass saying you messed his computer up.

"At first sight it might appear that the researchers were sending spam to study spam. But the set-up is more complicated than that and above board, according to security experts we asked to comment of the ethical implications of the exercise."

Then you need to stop talking to those "experts". They are either liars or idiots (or both). Whether the "researchers" sent the spam themselves or not is irrelevant. They created a spam message. They took control of (part of) a botnet and used it to send their spam message 350 million times. Hence, they are just as guilty of sending spam as the other botnet controllers are. Or are we now saying that it's the individual PC owners who are sending the messages and should be punished, and not the ones doing the actual controlling? I'm sure Robert Alan Soloway and Scott Richter would love that.

And how, exactly, did they "subvert" part of the Storm botnet? Whatever method they used is virtually guaranteed to be illegal (at least in the US and UK where unauthorized access to a computer is a crime). Even if it was by hacking into the "bad" guy's command and control system, it's still unauthorized access, and so is still illegal.

In short, there's no way in hell this was "above board".

>It is tantamount to saying, it is ok to wander off to a war zone, and then just go round shooting people in the leg with stolen ammo from one side

No. It is like intercepting a bullet that has already been fired and replacing it with a sponge one. Neither more nor less spam was sent, just the message was altered.

> They sent spam

No they didn't. Please read the paper. They intercepted messages between the compromised PCs that send the spam and their controllers to redirect them to send different messages. If they hadn't been there, the spams would have been more dangerous. If they had tried to break the flow of messages rather than changing it, the compromised machines would simply "heal" their connection to the servers by using a different route to it. So their actions did not make any more work for those (like you and me) who spend our time dealing with it, and they have given us a valuable insight into how the economics of spam work.

The source of spam if free email.

ISP contracts should include limits on email emmission. Low count of like 10 per day is free, after that you get a fixed fee of 1 cent per mail. If you are a business, you can negotiate different rates.

Clueless users will get a clue when they see a $200 mail tax tagged to their monthly contract. Then they will find out what security means right quick.

Okay, the ISP can also send out alerts to warn people, and have a trial period for a few months where they indicate how much the email tax would actually amount to.

If this means the end of spam, I will willingly pay a cent for every mail I send starting from the first.