I was listening to Patrick Gray's Risky Business podcast last week, and I was struck by a statement he made, so I scribbled the following in my notebook:
As security professionals, we're used to technical incompetence and wilful ignorance, yet we say "Spam must work, otherwise spammers wouldn't keep doing it." That is, we believe that they must be making money off their spam offerings, else they wouldn't continue filling our inboxes with offers of Canadian drugs and methods to make our various body parts so large our partners would reasonably be frightened seeing us naked. In a world of botched marketing campaigns and incompetent management and co-workers, why do we assume that spammers necessarily have better business sense than people who fall for Ponzi schemes, or give low-percentage mortgages on homes people could never realistically afford?
In short, why do we assume that spammers are perfectly competent, when ample evidence surrounds us that "normal" business people can be somewhat less than such? Do we know enough about those sending spam to know that their business model actually works, or are there a certain number of spammers pumping good money after bad in trying to reach people who will buy product sight unseen online?
This isn't an attack on Patrick, who has an excellent podcast. It's not just him saying this, and I've been... guilty? of doing the same thing. But why this assumption?