Rogue affiliate

I've always thought that affiliate programs - where a company offers incentives for a third party to advertise their products or website - were a questionable idea. The idea of cheap advertising seems appealing. The downside is that it puts your reputation in the hands of an army of strangers who have no reason to care about your 'good name', and every incentive to want to get their particular affiliate ID seen as widely as possible. Abuse follows as inevitably as night follows day.

It's hard to tell how much spam originates from affiliate abuse, because identifying links that are associated with affiliate programs often involves quite a lot of digging and a certain amount of guesswork. The issue is further blurred by the fact that some companies will go so far as to set up fake "affiliate programs" - or deliberately encourage the use of spam by affiliates - so that when they're called on their abusive activities they can blame it all on third parties. This is a trick that doesn't work indefinitely, but it does make it hard to put a number on the scale of affiliate abuse.

It's unclear, for example, how much of the spam sent by the bandwidthnoc spam network is affiliate spam. Pretty much all of it now seems to redirect via Hydra Networks' lynxtracker.com domain, but the association between Hydra Networks, the obviously-abusive bandwidthnoc, and the mixture of dubious and mainstream operations advertised by the spams is not clear. There's a fairly tangled web to be unravelled there, but if bandwidthnoc is nothing more than a support network for affiliate program abuse, then it must be one of the largest and most systematic cases ever seen.

Some cases are more clear-cut. A couple of recent spams that I received contained web-bugged URLs that led indirectly to the web sites of two mainstream companies: Cingular in one case, and Apple in the other. The URLs referenced domains registered in Belgium - 'feklok.be' and 'gedesee.be' - and contained a long encoded string that presumably identifies both the recipient's email address and the final 'target' URL (including the affiliate ID).

The "Belgian" sites, registered at Belgian reseller Stone Internet Services bvba and hosted by IN-Telecom in Russia (with name service from 'ebaitous.com'), act as first-stage redirectors. If the recipient email address is encoded in the URL - which seems likely - it will be logged by the spammer at this point, making it a target for more spam in future. The site then sends a 302 Redirect message to the browser, sending the user on to 'click.linksynergy.com', a site managed by LinkShare, who specialize in affiliate marketing. 'linksynergy.com' issues another redirect, and the user's browser finally displays the target page at the Apple Store or Cingular's online sales site. The URLs passed to 'linksynergy.com' and then to the final target contain the spammer's affiliate ID so that the spammer can be credited for any resulting sales.
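The chain described above can be picked apart from a recorded set of responses. This is an added example, not code from the original post: the URL paths, the encoded token, the merchant host and the `id`/`affid` parameter names are constructed assumptions, and only 'feklok.be' and 'click.linksynergy.com' come from the text.

```python
from urllib.parse import urlsplit, parse_qsl, urljoin

AFFILIATE_NETWORK_HOSTS = {"click.linksynergy.com"}  # host named in the post
ID_PARAMS = {"id", "affid"}  # assumed parameter names, not a documented format
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: (requested URL, HTTP status, Location header) per hop.
SAMPLE_CHAIN = [
    ("http://feklok.be/c/Q09OU1RSVUNURUQ", 302,
     "http://click.linksynergy.com/click?id=EXAMPLE-AFF-ID&offer=0"),
    ("http://click.linksynergy.com/click?id=EXAMPLE-AFF-ID&offer=0", 302,
     "http://store.merchant.example/?affid=EXAMPLE-AFF-ID"),
    ("http://store.merchant.example/?affid=EXAMPLE-AFF-ID", 200, None),
]

def analyze_chain(chain):
    """Split a recorded redirect chain into the parts an abuse report needs."""
    report = {"redirectors": [], "network_hop": None,
              "affiliate_ids": set(), "landing": None, "broken": False}
    expected = None
    for url, status, location in chain:
        if expected is not None and url != expected:
            report["broken"] = True  # recorded hops do not follow each other
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Collect candidate affiliate IDs from every hop's query string.
        for key, value in parse_qsl(parts.query):
            if key.lower() in ID_PARAMS and value:
                report["affiliate_ids"].add(value)
        if status in REDIRECT_CODES and location:
            expected = urljoin(url, location)  # Location may be relative
            if host in AFFILIATE_NETWORK_HOSTS:
                report["network_hop"] = host
            elif report["network_hop"] is None:
                # Hops before the affiliate network are the sender's own
                # first-stage redirectors, where the click gets logged.
                report["redirectors"].append(host)
        else:
            report["landing"] = url
            break
    return report

if __name__ == "__main__":
    for field, value in analyze_chain(SAMPLE_CHAIN).items():
        print(f"{field}: {value}")
```

The `redirectors` list and the `affiliate_ids` set are the two items worth quoting when reporting the abuse to the affiliate network.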

So who are the winners and losers here? On the face of it, companies like Apple and Cingular lose out because the promotion of their products by spam hurts their reputation. Experience has shown that many users don't have a very sophisticated understanding of who is responsible for the spam they receive: if their mailbox fills up with spam advertising Apple products, they're going to conclude that Apple is spamming them. That ultimately hurts Apple.

LinkShare could also lose, because if a company has a bad experience with affiliate marketing, they'll stop using LinkShare's services. In theory, LinkShare thus also has an interest in trying to stamp out abuse by affiliates.

The spammer, on the other hand, wins if someone follows their link to the Apple Store and buys a Mac Pro. According to Apple's web pages, affiliates can earn up to 2% or 3% (different pages give different figures) on hardware sales, which could translate to $50 or more on high-end hardware. The spammer loses if Apple or LinkShare notice that they're sending spam (which is in violation of the affiliate agreement) and cancel their account.

But the spammer's losses are limited. The spammer doesn't lose their own money if they get caught: they only lose the money that they would have earned in commission. Their out-of-pocket expenses are limited to the cost of sending the spam (which is small) and the cost of setting up and hosting their redirector sites (which is not much larger). Their potential revenue comes from commissions generated by undetected spam, plus anything they can get from reselling logged email addresses. The fact that this kind of spam occurs at all suggests that the spammer thinks he can cover his costs.

He may have good reason to be confident. The odds that his account will be pulled don't seem to be very large. Each company involved publishes terms of service that prohibit advertising an affiliate ID by spam, but none of them provides any obvious mechanism for reporting abuse. (I've forwarded the spammer's affiliate ID to LinkShare through their Affiliate Support contact form, as they don't have a form for abuse reporting: we'll see if anything comes of that). Companies like Apple or LinkShare presumably feel that they have better things to do than play whack-a-mole with spammers.

The problem is that failing to take action to curb affiliate abuse is a tacit acceptance of such abuses and an invitation to further abuse. This comes back to what I said at the start: affiliate programs are inherently questionable. Any company that sets up an affiliate program has to recognize that they have given their affiliates an incentive to behave badly, and that enforcing their terms of service will not be easy or effort-free. Unfortunately, all the evidence suggests that these companies don't see affiliate abuse as a particularly pressing problem: LinkShare's FAQs don't even mention the topic and there's no description of any measures that they take to identify and prevent abuse.

Affiliate programs are a gift to spammers. The spammer doesn't need to provide a service or deliver a product. They just devise a simple process for registering affiliate IDs and sending out spam to promote them and at the end of the day a big company sends them a check. It's a convenient way to get paid to spam with none of the inconvenience of having to hunt up customers for themselves. But these programs are also a gift to marketing departments. The company gets a banner ad on someone's website and they pay nothing unless the ad results in a sale. There are no contracts, no negotiations, no up-front payments. And if one of their affiliates takes it into his head to bend the rules slightly and dump an unwanted ad into a million mailboxes, well, they have plausible deniability. The company can always just shrug off the blame: "It wasn't us, it was our affiliate."

Spammers are parasites, but affiliate marketing programs sometimes look more like a case of symbiosis.

Update: [21.08.2006] LinkShare have referred this affiliate to their legal department for investigation. We'll see what happens.
