Wrapping Up The S.P.A.M. Experiment
By Dave Marcus, Director, Security Research and Communications, McAfee® Avert® Labs
We never cease to be amazed at the sheer volume, variety and persistence of spam. After all, the first spam message was sent 30 years ago, and we are still working hard every day to stem the flow. (See: Spam Is Still Alive and Kicking in this edition of Security Insights.)
As we first mentioned last month, our curiosity about spam got us thinking about the real effect of unsolicited commercial email on Internet users who actually read spam messages and not just begrudgingly sort through them in their inboxes. We usually look at spam from a technical perspective, but this time we wanted to look at it from a behavioral perspective. This led us to what we now call the great S.P.A.M. Experiment, in which 50 participants in 10 countries responded to email from unknown sources for 30 days. They blogged about their experiences at www.mcafeespamexperiment.com. (S.P.A.M., in this case, stands for Spammed Persistently All Month.)
We set our spam recipients up with new, uninfected laptops and newly created email accounts with no spam filtering features, just antivirus protection. They were then instructed to surf the Internet for an hour a day, interact with spam and see what happened.
We were amazed at what we received in just a few days. Almost immediately, we began to see local language spam arriving in the inboxes of our participants in France. And in all the countries, we saw emails hitting on the hot topics of the day, whether it was Free Tibet, the Beijing Olympics or the U.S. government’s tax refund. But mostly, we saw huge jumps in volume as the participants began responding to unsolicited emails.
By the end of the first week we had collectively received 8,000 pieces of spam. At the end of four weeks, we were drowned in 125,000 spam emails. To the surprise of some, our U.S. participants did not receive the most spam. The most-spammed region was EMEA, which received a total of 56,349 pieces of unsolicited mail versus 27,025 pieces for the U.S.
Also surprising was the amount of spam that asked for recipients’ mobile and SMS (short message service) numbers. To get this information, the spammers would offer a free ringtone if the recipient texted them. One of our participants soon found out, however, that it was the second ringtone that was free—the first they had to pay $12 to $16 for plus $4 in messaging fees (each way), in some cases.
Many of these emails bring with them great stories, as recounted by our participants in their various blogs. For example, U.S. blogger Karen tried to get one of the many work-from-home jobs offered online, even though the advertisements listed how much money she could make but not what the job was ("Earn $1,000,000 a month!"). She quickly realized that there was a catch—the job information required a "small fee."
"Isn’t it presumed that I need to earn money, not pay it out?" Karen writes.
Some participants, like Ian in the U.K., took advantage of the opportunity to give the spammers a taste of their own medicine. When one spammer repeatedly tried to get Ian's address, he kept writing back in the stilted English of the spammer, "Timothy Martins," finishing with this reply: "You say you need my dress but I as man wear trousers and shirt…You wear dress Mr. Timothy Martins?"
But all joking aside, what the S.P.A.M. Experiment really taught us is that there are some really dangerous scams out there that can and do harm a lot of people. Fortunately, we can minimize some of the risk by changing our behavior.
As Karen summed it up on Day 30, "There is no such thing as 'free.' If it sounds too good to be true, it really is." Finally, she writes, "Never, ever, ever give out your personal information to an unsolicited site (and be very careful when dealing with sites that you solicited)."
As we continue to tabulate the final results of this experiment, we hope that you will heed these words of caution. Here at McAfee we are working hard to protect users from a technical perspective, but security technology is only half the battle; what we need is more education. After all, technology won’t protect users from being duped.
Look for the final results of the S.P.A.M. Experiment in upcoming issues of Security Insights.