More tales from the online Wild West

Everything old is new again. It's been years since I got any spam trying to sell me legal herbal smoking mixtures, but here they come again. But, this time, there's a lot more to the scam than meets the eye.

"Legal weed" concoctions seldom have any more actual effect than does snorting a fat line of baking powder. They invariably, however, have names that make them sound as if just opening the bag and taking a sniff would blow Bob Marley's head clean off.

This time, the spam's trying to sell "Big Buddha Bud".

Or, as I discovered when I searched for that string, perhaps it isn't!

It would appear that the Big Buddha Bud spams were, a week or three ago, promoting That server had a protean IP address, shifting from one address that resolved to a home broadband provider to another, minute by minute if not second by second.

That could only mean that the site was being served by a botnet.

And that, in turn, probably meant that the site's only purpose was to harvest credit card numbers.

If, after all, you've got an online shopping site that can only be traced to countless virus-infected home PCs, why on earth should you bother actually sending anybody anything they've bought from you? is gone now, but is alive and well. And its shifting IP address remains.

When I looked at it it a few minutes ago it was at, an address in Verizon Wireless's allocation. Then it changed to, which is a Road Runner address. Then it was; that belongs to ChoiceOne, a bank! And less than a minute later, it resolved to, an Earthlink address. And then, which is AT&T. I doubt any US ISP will be left out, if I keep on checking.

(If you manually point a Web browser at any of the botnet IP addresses, by the way, you get an interesting little page that says "Coming Soon! Please check us back later... Ddos Protection by the leet boys ;)". This is an interesting thread to tug on, if you're after more information on this particular botnet.)

I had no idea it existed until this moment, but it turns out that this "botnet hosting" is a known phenomenon. It's a brilliant idea, too! Why use your army of zombified home PCs only to send spam, when you can also use it to host the super-dodgy sites you're promoting?

Botnet hosting seems to have taken great strides, as well. Sites like this are supposed to be flaky, but looks rock solid (not to mention professionally designed!) to me. This botnet seems to be delivering the kind of super-distributed redundancy that major Internet companies dream about.

8 Responses to “More tales from the online Wild West”

  1. will.dutt Says:

    interesting, this is so going to stop the DMCA take down notices from working ;)

  2. Dan Gordon Says:

    How is it that they can get their domain resolving to all those different IP's at such a fast rate? Doesn't it normally take a day or so for a change of IP to propagate through all the DNS servers?

  3. Daniel Rutter Says:

    When you ask DNS for, your request is routed to the nameserver(s) specified in that domain's registration information. For a botnet-hosted site, the nameservers simply keep track of the infected machines at their disposal, and serve up those machines' IP addresses, one at a time.

    At the moment, the nameservers for are and, which are as I write this at (another AT&T address - a allocation block) and (an SBC Global address), respectively. This means the nameservers are almost certainly also infected PCs.

    The nameservers have to remain relatively static. As you say, it takes time for DNS changes to propagate, and that's what would have to be done for to be moved to another machine. But as long as the nameservers are up, the botnet can keep hosting sites.

    I presume the machines chosen to be nameservers are the more reliable members of the botnet - not your average home PC that's only on for a few hours a day. They may still only need to be on a pissy home DSL connection, though; I don't think nameserver traffic for the average spamvertised site is likely to be very high.

  4. Daniel Rutter Says:

    (I also feel obliged to direct my readers' attention to the perfectly fascinating Google ads which this post is attracting.)

  5. Geraint Says:

    I'm not sure this really makes the site any less subject to being shut down (either legitimately or via DDOS, depending on whether it's being shut down by the good guys or by rivals); it would just be shut down at the nameservers instead of the webserver, but the net effect would be the same.

  6. Daniel Rutter Says:

    True, but in practice it doesn't seem to be easy. I imagine the nameservers churn about as fast as possible - is still where it was when I posted the above comment, but has already moved to (a Comcast address).

    Since a domain can have as many as four nameservers, stamping on all of them at once would probably be close to impossible. By the time the home broadband provider responsible for one of them disconnects the customer (which many ISPs have little interest in doing over mere botnet complaints), that box probably won't even be a nameserver any more.

    You could direct your complaint to the domain registrar instead, but for that's, who I have a sneaking suspicion don't even bother to read abuse mail.

  7. tjscott Says:

    It would appear that the aforementioned search query now returns this very entry as the top hit!

  8. » Damn my impoverishing ethics! Damn them to hell! How to Spot a Psychopath Says:

    [...] me a thousand dollars a day, then since he's not actually selling fake antivirus software or botnet infectors or something (as far as we know...), I'd run the ad, take the money, kick half of it back [...]

Leave a Reply