A study in which researchers infiltrated an infamous pharmaceutical spam botnet revealed that, while the response rate to spam is very low, it’s still enough to generate millions of dollars per year.
Computer scientists at the University of California at Berkeley and San Diego infiltrated the Storm botnet, a collection of compromised computers running spam software, and modified its command-and-control system so that spam messages carried the researchers’ own links to a Web site they had created. The Web site would report a sale to the researchers while returning an error code to anyone who attempted a purchase.
Several spam campaigns containing the researchers’ code sent 69 million e-mails each. Of the 350 million e-mail recipients, 10,522 visited the researchers’ site, but only 28 tried to buy anything. Although a response rate of 0.0000081 percent is extremely low, the average purchase price was $100.
Based on an estimate of how much spam Storm sends each day, the researchers figured it could generate revenue of $7,000 per day or $3.5 million annually. However, because that amount is less than the cost of sending out that much spam, the researchers surmised that the spammers must also be operating the Web sites, or getting a percentage of the profits. The finding also suggests that spammers and Storm network operators may operate on tight profit margins, meaning, in turn, that their campaigns are “economically susceptible to new defenses,” the researchers said.