How To Spot A Psychopath

May 1, 2008

If you can’t get better, at least get revenge

Filed under: Spam, Scams

I just received, complained about and deleted an unsolicited commercial e-mail promoting “The Highland Hypnotist, Scott Burke”.

I needn’t post it here, because you can read the whole thing for yourself on prlog.org, one of those sites where people can upload press releases about whatever they like.

It’s pretty standard woo-woo claptrap. Mysterious Scottish wizard Has The Power to Cure What Ails Ye, et cetera. Except for the headline.

Which is, just in case you’ve not yet read the prlog.org page: “Highland Hypnotist Uses His Powers To Avenge Bad Health….or Your Money Back!”

Avenge bad health?

So, what, he finds the guy who made you sick and beats the hell out of him?

I suppose that could account for the money-back guarantee - “OK, you’ve still got diabetes, but you didn’t see the part when I totally avenged the dickens out of it!”.

(Actually, money-back guarantees like this are de rigueur for quacks of all colours. Some of them just never return anybody’s money, of course, but most rely on the low number of warranty claims that’re likely to turn up when your audience is self-selected for gullibility and you’re treating variable illnesses with indistinct end-points.)

April 23, 2008

One more reason to love spammers

Filed under: Spam

[Image: backscatter graph]

A spammer has just used my e-mail address as the return address for a good-sized run of spam. Gee, it’s fun when that happens.

In case this is all new to you: There is nothing verified about the From: or Reply-To: lines in an e-mail. A sender can put whatever they like in there. Spammers do this as a matter of course, generally picking some address out of the same list to which they’re sending the spam, or picking something relevant-sounding like admin@viagra.com or bigmoney@amazingsupercasino.biz.

It seems, at least, that Internet users are now savvy enough that they don’t send outraged messages to these bogus reply addresses any more. Or maybe the people who’re prone to do that are all now just behind good enough spam filters that they never get to see that “I” sent them 300 porn spams today. So that’s a relief.

But I’ve still ended up with the thick end of three thousand “backscatter” bounce messages from moronic mail servers that don’t check to see whether, perchance, incoming obvious spam might just possibly not have a genuine reply address. Nope, they (a) accept the mail, even though they could tell instantly that it’s for an address that doesn’t exist, and (b) then cheerfully send an error e-mail. And they send that error e-mail to the Reply-To address, because how could the Reply-To for “Hot replica watches from 2008” or “ivagra ciails” possibly not be real!?

What mail servers should do in this situation is check the recipient before they accept the message, and reject message delivery if the recipient does not exist. Then an error gets sent directly to the sending mail server.

Backscatter will still exist even if every mail server got this right, but it’d be restricted to far rarer things like “I’m out of the office” messages, and other kinds of autoresponder systems.
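Here, as an added illustration that is not from the original post, is a small Python simulation of the two policies: a hypothetical in-memory mail server that either rejects an unknown recipient at RCPT time or accepts it and bounces later, fed a constructed spam delivery whose envelope sender is forged to dan@dansdata.com. The bounce in the simulation goes to the envelope sender (the MAIL FROM address), which a spammer sets just as freely as the From: and Reply-To: headers.

```python
"""Two SMTP recipient policies: reject unknown users at RCPT time (correct) versus
accept-then-bounce (the backscatter generator). Simulation only: the server is a
hypothetical in-memory state machine and the session is a constructed spam run."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Bounce:
    to: str       # address the bounce is mailed to
    reason: str


@dataclass
class MailServer:
    domain: str
    mailboxes: set
    reject_at_rcpt: bool            # True = check the recipient before accepting
    bounces_sent: List[Bounce] = field(default_factory=list)
    _env_from: Optional[str] = None
    _recipients: list = field(default_factory=list)
    _unknown: list = field(default_factory=list)
    _in_data: bool = False

    def handle(self, line):
        """Process one client line and return the server's reply (None for body lines)."""
        if self._in_data:
            if line != ".":
                return None
            self._in_data = False
            return self._end_of_data()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 %s" % self.domain
        if verb == "MAIL":
            # Envelope sender: this is where bounces go, and the spammer sets it freely.
            self._env_from = arg.split(":", 1)[1].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            local, _, dom = rcpt.partition("@")
            if dom == self.domain and local in self.mailboxes:
                self._recipients.append(rcpt)
                return "250 OK"
            if self.reject_at_rcpt:
                # The error goes back over the open connection to whoever is really sending.
                return "550 5.1.1 <%s>: no such user here" % rcpt
            # Broken policy: accept now, discover the problem later, bounce to the forgery.
            self._unknown.append(rcpt)
            return "250 OK"
        if verb == "DATA":
            if not self._recipients and not self._unknown:
                return "503 No valid recipients"
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"

    def _end_of_data(self):
        for rcpt in self._unknown:
            # One delivery status notification per unknown recipient, mailed to the
            # envelope sender, which in the spam case is the forged victim address.
            self.bounces_sent.append(Bounce(to=self._env_from, reason="unknown user " + rcpt))
        self._env_from, self._recipients, self._unknown = None, [], []
        return "250 Queued"


def deliver(server, envelope_from, rcpt, message_lines):
    """Minimal sending client: stops at the first 5xx reply, as a real MTA would."""
    transcript = []
    commands = ["EHLO zombie.example", "MAIL FROM:<%s>" % envelope_from,
                "RCPT TO:<%s>" % rcpt, "DATA"] + message_lines + [".", "QUIT"]
    for cmd in commands:
        reply = server.handle(cmd)
        if reply is None:
            continue
        transcript.append(reply)
        if reply.startswith("5"):
            transcript.append("(delivery aborted, error returned to the sending host)")
            break
    return transcript


# Constructed spam: both header addresses and the envelope sender are forged.
SPAM_BODY = [
    "From: Hot Watches <dan@dansdata.com>",
    "Reply-To: dan@dansdata.com",
    "Subject: Hot replica watches from 2008",
    "",
    "Buy now!",
]


def simulate(reject_at_rcpt):
    """Deliver the constructed spam to a nonexistent mailbox; return (transcript, bounces)."""
    server = MailServer(domain="victim.example", mailboxes={"postmaster", "alice"},
                        reject_at_rcpt=reject_at_rcpt)
    transcript = deliver(server, "dan@dansdata.com", "nosuchuser@victim.example", SPAM_BODY)
    return transcript, server.bounces_sent
```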

The backscatter bounce flow seems to have slacked off a bit, now; it’s down to about five bounces a minute. And it’s not terribly onerous for me to MailWash all of those bounces out of existence. Actually filtering backscatter bounces is a bit tricky - in essence, you probably do want to receive bounces from messages you actually sent, and backscatter bounces look very much the same - but manually deleting them with some sort of header-preview tool like MailWasher is no big deal.

Mixed in among the thousands of bounces, though, were a few other things, one of which I’d never seen before.

For every few hundred nonexistent-address errors, you see, there are a few “please confirm your subscription” messages. Those are from mailing list servers that treat anything sent to subscribe@dumblist.example.org as a subscribe request, even if it’s an ad for porn or watches or pharmaceuticals.

This does no real harm - it’s just another darn message in among the bounces - unless the list is one of the old-style ones that don’t require a subscribe confirmation.

Here’s a new one, though. This spammer successfully UNSUBSCRIBED me from a mailing list!

I’m a subscriber to Jakob Nielsen’s Alertbox list, which is administered by Sparklist. It’s normal for mailing list unsubscribe requests to not require a confirmation, and clearly Sparklist don’t spam-filter unsubscribe messages. So when the spammer sent some piece of crap or other to leave-alertbox@laser.sparklist.com, “from” dan@dansdata.com, it cheerfully unsubscribed me.

My actual Alertbox e-mails have a different unsubscribe address, leave-alertbox-[seven-digit-number]Y@laser.sparklist.com, which probably isn’t in any spammer’s database, and would be unlikely to be generated randomly either (yes, spammers send spam to aaaa@example.org, aaab@example.org, aaac@example.org…). But I just tried unsubscribing by e-mailing plain old leave-alertbox@laser.sparklist.com, and it worked just fine. So I reckon that’s the button the spammer pressed.

I just subscribed to Alertbox again, so there’s no real harm done there, either. But it was a pure fluke that I noticed the lone “Alertbox unsubscribe confirmation” message in the middle of the thousands of bounces and other messages. It didn’t even come from the same address as the subscribe confirmation messages, so whitelisting that address wouldn’t have helped me. If this had been some mailing list that was essential for my job, or something, I could have missed a few issues before I noticed.
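What a list server can do about this is never act on a bare command from an unverified From: address, for leaving as well as joining. The Python below is an added example, not Sparklist’s code: a hypothetical list server that answers any bare subscribe or leave command with a challenge mailed to the claimed address, and only changes the subscription when a message arrives at a per-address HMAC-derived confirmation address. Domain, list name and key are constructed.

```python
"""Mailing-list command handling that never acts on a bare, unauthenticated From:.
Hypothetical list server with constructed messages; an HMAC-derived token turns both
subscribe and leave into challenge/response."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message:
    sender: str                         # the From: header, which nobody has verified
    to: str
    subject: str = ""
    confirm_addr: Optional[str] = None  # set on challenges the server sends out


@dataclass
class ListServer:
    domain: str
    secret: bytes       # server-side key; tokens cannot be computed without it
    subscribers: dict   # list name -> set of lower-cased addresses
    outbox: list = field(default_factory=list)

    def _token(self, action, listname, addr):
        material = "%s:%s:%s" % (action, listname, addr)
        return hmac.new(self.secret, material.encode(), hashlib.sha256).hexdigest()[:16]

    def handle(self, msg):
        """Process an incoming message and return a short status string."""
        local, _, dom = msg.to.lower().partition("@")
        if dom != self.domain:
            return "ignored"
        parts = local.split("-")
        # Accepted forms: <action>-<list>  and  <action>-<list>-<token>
        if len(parts) not in (2, 3) or parts[0] not in ("subscribe", "leave"):
            return "ignored"
        action, listname = parts[0], parts[1]
        if listname not in self.subscribers:
            return "ignored"
        addr = msg.sender.lower()
        if len(parts) == 2:
            # Bare command: the real owner of addr gets a challenge; nothing changes yet.
            confirm = "%s-%s-%s@%s" % (action, listname,
                                       self._token(action, listname, addr), self.domain)
            self.outbox.append(Message(sender="listserv@" + self.domain, to=addr,
                                       subject="Confirm %s for %s" % (action, listname),
                                       confirm_addr=confirm))
            return "challenge-sent"
        if not hmac.compare_digest(parts[2], self._token(action, listname, addr)):
            return "bad-token"
        if action == "subscribe":
            self.subscribers[listname].add(addr)
        else:
            self.subscribers[listname].discard(addr)
        return action + "-done"


def scenario():
    """Spam hits the bare leave address, a guessed token is tried, then the real
    subscriber answers the challenge. Returns each status and the membership state."""
    srv = ListServer(domain="laser.sparklist.com", secret=b"constructed-example-key",
                     subscribers={"alertbox": {"dan@dansdata.com"}})
    # 1. Spam with a forged From:, sent to the list's bare unsubscribe address.
    spam = Message(sender="dan@dansdata.com", to="leave-alertbox@laser.sparklist.com",
                   subject="ivagra ciails")
    s1 = srv.handle(spam)
    still_after_spam = "dan@dansdata.com" in srv.subscribers["alertbox"]
    # 2. A guessed token, again with a forged From:, is rejected.
    guess = Message(sender="dan@dansdata.com",
                    to="leave-alertbox-0123456789abcdef@laser.sparklist.com")
    s2 = srv.handle(guess)
    # 3. Only the mailbox owner sees the challenge; mailing its address unsubscribes.
    challenge = srv.outbox[-1]
    reply = Message(sender="dan@dansdata.com", to=challenge.confirm_addr)
    s3 = srv.handle(reply)
    still_after_confirm = "dan@dansdata.com" in srv.subscribers["alertbox"]
    return s1, still_after_spam, s2, s3, still_after_confirm
```

The price is the same “please confirm” noise the post describes for subscriptions, but a forged message alone can no longer remove anyone.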

Thanks again, spammers! You’re doing a heck of a job!

February 18, 2008

On spam

Filed under: Spam, Scams

I know what you’re wondering. You’re wondering how many penis-pill spams I get per hour.

Well, gentle reader, it varies, depending on the time of day, from about six to about fifteen.

Luvverly spam, wonderful spam...

Per hour.

For some weeks now, the most popular ones have had subject lines that always contain a name, a word vaguely denoting bigness, and a word vaguely denoting a dickish object, in various arrangements.

Some of the words for “big” are particularly entertaining. Actual subject lines I’ve seen include HoracioObviousFuckstick, BouffantPenisRosetta, and ClarkOverlargeBodypart (overlarge?).

(The penis I’ve been promised has also been described as “spacious”. I’m sure “massive” has been in there, too - though “sturdy” and “fearsome”, sadly, remain unused.)

The body of these messages always includes another of the three-word portmanteaux, followed by the URL of a Web site. There are many such sites - calormontes.com, grayskues.com, janeoplane.com, jeroneus.com, junioeres.com, planesjanes.com, razkoesu.com and slopitues.com were all promoted in one day - all registered with nonsense details to Some Dude In China.

All of them currently give you the same site (on, I think, the same physical server), promoting a product allegedly called “VPXL” from a company allegedly called “Express Herbals”.

The VPXL/Express Herbals guys are the source of the vast bulk of my dick-pill spam, and I bet they’re the source of most of yours, too, if you’re not using an airtight spam filter.

(I’ve got three active e-mail addresses at the moment. The filtering on my iiNet account lets through zero spam but no doubt bounces a few valid messages; I only use it for a few mailing lists and occasional personal messages, though, so that’s fine. I’ve also got an old Optus account I hardly ever use for anything, which is almost as well filtered; only a few spams a day get through there. And then there’s dan@dansdata.com, messages to which get an “X-Spam-Tests-Failed:” header tacked on by m’verygoodfriends at SecureWebs who host Dan’s Data, but are very minimally filtered by them, if they’re filtered at all. Hence: Spamvalanche!)

Like the previous fake marijuana spams, the VPXL ones come to you courtesy of a botnet - a huge collection of virus-infected home computers on ordinary Internet accounts, identifiable because the sending IP addresses for the spam vary widely but always belong to some ISP or other that serves the home-user market.

The botnet this time is called Mega-D, and it has the interesting quality that its infected machines almost all seem to be in non-English-speaking countries. (The previous Storm-botnet spam overwhelmingly came from the USA.)

The VPXL dudes now seem to be shifting away from the three-word spams. In one 155-minute period earlier today I received:

One VPXL spam directly promoting http://polierin.com/; it came from a codetel.net.do IP address (Dominican Republic).

One VPXL spam with an “I’m Feeling Lucky” Google link (http://google.com/pagead/iclk?sa=l&ai=acetate&num=137336094&adurl=http://clinrie.com?446) that takes you to the spammers’ site, in this case clinrie.com. The spam came from 58.19.232.188, a China Network Communications Group Corporation IP address.

One for jilafen.com from 80.146.114.212, a Deutsche Telekom address.

One for nidegnero.com from 201.19.74.24, a probably-Brazilian IP address.

And another variant, whose body text said “Pls Go ‘ www.redmehs ‘ dot com”; redmehs.com is VPXL yet again, registered to Chinese nonsense yet again. This one came from 68.118.233.112, though, which is an IP address belonging to Charter Communications in the USA.

There was exactly one spam that actually mentioned VPXL in the text of the spam - but it was malformed, with no actual link to anywhere you could buy the product. It came from 92.112.20.89, belonging to Ukrtelecom in the Ukraine.

And then there were a couple of the classic three-worders, one from Peru and one from Chile, both promoting zhbvdiaeg.com.

And then there was yet another variant, from a Colombian IP address and promoting http://geocities.com/kathydowns889/, which is a redirector page that sends you to neverwaitons.com, another facade for the Express Herbals server.

The runners-up in the dick-pill spam-flow are the “Canadian Pharmacy” type (the sites are usually subtitled “#1 internet online drugstore”). The most prominent products on these sites are, of course, always erectile dysfunction drugs. Which you almost certainly will not actually receive if you place an order.

In my 155-minute period I got one promoting marquitamontemurrodd.blogspot.com, which redirects to a Canadian Pharmacy site at putwish.com, which is registered to a pile of Chinese nonsense that closely resembles the standard VPXL-domain registration nonsense, leading me to suspect they’re related. The spam came from 220.128.197.130, some Taiwanese mail server.

And then there was one that directly promoted canocaw.com, “Target Pharmacy”, registered to more Chinese nonsense and also billed as “#1 Online Pharmacy Store”, and looking much the same as the “Canadian” version. The sender was 84.108.33.6, belonging to Bezeq International in Israel.

Another one promoted tamilacyg.blogspot.com, which redirected to another “Canadian Pharmacy” at pha-cana.com, an unusually comprehensible domain name for these guys. More Chinese rego details; spam sent from 82.54.82.43, Telecom Italia.

And one promoting ruoedi.kiltyale.com, which is “World Pharmacy”, which looks a bit different from the Canadian and Target varieties. Kiltyale.com is registered to marginally more real-looking Chinese details than the other pharma-sites, but the spam came from 190.156.83.182 in Colombia, which suggests the Mega-D net again.

And then there was one promoting the entirely genuine-sounding URL http://gbcdelmafhjk.filmplenick.com/?iafhjkxowptygzchcmbcdelm, which is a “Viagra + Cialis” site calling itself “VIP Pharmacy”. Filmplenick.com is registered to a US address, so even though this was another spam from a South American IP address, I suspect it’s not the same people as “Canadian” and “Target”.

And then there was one for www.onthebob.com, a site that’s regrettably down right now - one of only two pharma-spams whose promoted sites didn’t work - and which is registered to pointless details in Brazil rather than China, suggesting that the culprit is different again. The spam came from 60.242.181.54, which is a TPG Internet IP address right here in Australia.

The other complete failure had the subject “Hydrocodone, Vicodin, Phentermin, we are 100% reliable pharmacy retailer cufqev21ph”, and advertised gop.uhthclrenewed.com, which is down (so not quite 100%, I guess). Actually, the uhthclrenewed.com domain isn’t even registered as I write this, so spamming about it would appear to be slightly premature. This spam originated from 66.228.248.134, belonging to the gloriously titled “Park Region Mutual Telephone Co. and Otter Tail Telcom” in the USA.

On top of these, I got one ad for pohfrensei.com, selling the entirely non-icky product “WonderCum”. This is the VPXL people again; that domain is registered to more Chinese nonsense, and WonderCum and VPXL are often sold - or complained about - on the same sites. This spam came from a BT Total Broadband IP address in the UK, though.

(The VPXL people have also been responsible for “Elite Herbal”, “Manster”, “ManXL” and the delightfully understated “Megadik”.)

There was also one quit-smoking spam advertising something called LiveFree at www.celarpo.com/f/. That’s probably unrelated to the dick-pills people; the domain is registered to someone allegedly in the USA, and the spam came from 201.226.17.2, somewhere in South America.

I also got one sad little “RE: February 88% OFF” (the number varies - in one mail check a while ago I got eight different “discounts”…), allegedly from “admin@viagra.com”, with a link to a broken redirector. Presumably that’s the remnant of an older botnet, still spamming sporadically away with out-of-date info.

Along with all of the above, and not counting the spams not in English that I couldn’t figure out, my 155-minute period netted me nine casino spams (including four copies of “RE ORDER Casino”), six offers of business loans, two counterfeit-watch spams, five counterfeit-other-things spams (four were in Asian character sets, but “Gucci” and “Tiffany” stood out in the headers…), two “offshore printing service” spams (I’ve been getting those for a while), one fake-lottery spam, two eBay phishes, and exactly one of those magical messages that’s nothing but the bare minimum headers needed to get it to you, with no subject, To: line or body.

Yes, I have thought about just redirecting all of my mail through Gmail or something so that I won’t smell this constant tide of manure any more - even if all it can do is slap up against my MailWasher deletion queue. I doubt Gmail filtering would be any worse than what I’m doing now - I may be manually scanning over the headers of my mail, but I’m sure I’ve failed to notice valid mail and deleted it anyway.

But there’s a sick fascination to doing it this way.

It’s interesting to see the sheer quantity of repeato-spam. You don’t get to appreciate the magnitude of the problem - sucking up Internet bandwidth, server power and the money you pay for Internet access - if you hide behind a filter.

The current repeato-spam onslaught is, I think, created by the distributed botnet senders. Botnets are a great way to spam, but they have no way to coordinate their sending lists.

Spammers never prune their mailing lists anyway, and I do know that one should never underestimate the stupidity of spammers, but I think even the dumbest modern mass-mailing software ought to be able to avoid sending the same spam to the same recipient twelve times in one run. If you’ve got thousands of zombie PCs sending your spam independently, though, it becomes much harder to prevent the same recipient getting (essentially) the same message over and over and over in a short period of time, because none of the individual bots know which other bot has sent which message to which recipient.

This is probably why I got three copies in quick succession of “AGF has an exellent opportunity for you! Australia”, plus one “AGF is a smarter way to money! Australia”, three “New part time job - good salary in Australia”, one “Work with us today - earn money today!”, one “AGF company helping individuals in business online” and one “it is your new job possible!”. All in the course of, I don’t know, maybe three hours.

I suppose someone’s dotty email-forwarding great-aunt might think this just meant these people were really really eager to find new employees. But super-repeato-spam like this, and like the three-word dick-pill tirade, ought to have some negative effect on the message’s credibility to even the most cretinous of other recipients.

Another attraction of paying (at least a little) attention to incoming crap is that you get to see how much of it, as in this case, resolves to just a very few senders.

If someone found, and dealt with, in one way or another, just the VPXL spammers, the total volume of spam in the world might well drop by a double-digit percentage. It’s not often that crime prevention has such a definite monetary payoff; since spam costs the world tens of billions of dollars a year, you could easily save a sum equal to the Gross Domestic Product of an African nation by shutting down just one major spam-group, as long as another didn’t rise up to take their place.

And that might well not happen, if we establish just a little deterrent value. First World nations need to crack down on spam more effectively, and Third World nations need to realise that spammers are (a) rich and (b) probably all pudgy and easy to rob, ‘cos they spend a lot of time sitting in front of a computer.

Legal prosecution would be good. But I’d settle for standover men.

“I bet that stuff you sell’s given you a really big dick. Would you like to keep it?”

February 4, 2008

I bet my aunt called in the hit

Filed under: Spam, Scams, Strange Tales

From a Hungarian mail server whose security is presumably not all it might be:

Date: Sun, 3 Feb 2008 17:41:17 +0100 (CET)
Subject: BE MORE CAREFUL
From: “BE MORE CAREFUL” <restinpeac@yahoo.com>
To: undisclosed-recipients:;

I am very sorry for you, is a pity that this is how your life is going to
end as soon as you don’t comply. As you can see there is no need of
introducing myself to you because I don’t have any business with you, my
duty as I am mailing you now is just to KILL you and I have to do it as I
have already been paid for that.

Someone you call a friend wants you Dead by all means, and the person have
spent a lot of money on this, the person also came to us and told me that
he want you dead and he provided us with your name ,picture and other
necessary information’s we needed about you. So I sent my boys to track
you down and they have carried out the necessary investigation needed for
the operation on you, and they have done that but I told them not to kill
you that I will like to contact you and see if your life is Important to
you or not since their findings shows that you are innocent.

I called my client back and ask him of you email address which I didn’t
tell him what I wanted to do with it and he gave it to me and I am using
it to contact you now. As I am writing to you now my men are monitoring
you and they are telling me everything about you.

Now do you want to LIVE OR DIE? As someone has paid us to kill you. Get
back to me now if you are ready to pay some fees to spare your life,
$30,000 is all you need to spend You will first of all pay $15,000 then I
will send the tape to you and when the tape get to you, you will pay the
remaining $15,000. If you are not ready for my help, then I will carry on
with my job straight-up.

WARNING: DO NOT THINK OF CONTACTING THE POLICE OR EVEN TELL ANYONE BECAUSE
I WILL KNOW.REMEMBER, SOMEONE WHO KNOWS YOU VERY WELL WANT YOU DEAD! I
WILL EXTEND IT TO YOUR FAMILY, INCASE I NOTICE SOMETHING FUNNY.

DO NOT COME OUT ONCE IT IS 7:PM UNTIL I MAKE OUT TIME TO SEE YOU AND GIVE
YOU THE TAPE OF MY DISCUSSION WITH THE PERSON WHO WANT YOU DEAD THEN YOU
CAN USE IT TO TAKE ANY LEGAL ACTION. GOOD LUCK AS I AWAIT YOUR REPLY TO
THIS E-MAIL CONTACT

Name:william Agent
E-mail: william1111@live.com

These messages have been around for a while, but I don’t think I’ve ever received one before. Plenty of ordinary Nigerian scams, but not the death-threat type.

Quick advice for those receiving mysterious messages promising wealth or making menaces: Search for a string out of the message, to see if lots of other people have received the exact same thing.

Are those people all now rich, or dead, or whatever else the message promises?

(Hint: They won’t be.)

You may forego the above steps if you yourself have received 28 copies of whatever the message is, all nominally from completely different people but all strangely similar otherwise.

December 6, 2007

Rivalrous and commercioganic for Christ Ma’x!

Filed under: Spam, Language, Humour

I get a lot of commercial spam from Chinese manufacturers who’re under the impression that I’m a “reseller” of just about anything I’ve ever reviewed. And then some.

These e-mails are usually not very literate, but sometimes they break through into unintentional poetry.

I just got two copies of this one:

From: “RISING TRADING CO”
Date: Thu, 6 Dec 2007 12:45:22 -0800
To: <cs@110220volts.com> [I presume my address was way down in the BCCs somewhere]
Subject: Christ Ma’x Promotion MP4

Dear Friend,

How are you doing? I hope that everything is good!
Are you searching the rivalrous and commercioganic products? Please have a look our this new model mp4 player, it has some rivalrous features in market:
1 : 1.8″ TFT display + card reader function .
2 : Built in outside speaker
3 : Built in RF function(optional).
4 : With the good handle housing which use the flash metal facture.
Its picture and details information is as below,please reference:

[A picture of a Keepin’ It Real Fake version of an iPod Nano was meant to be included here - but I had to dig the file out of my embedded directory and rename it to be able to see what the heck it was. It was originally called “ui=1&attid=0.1&disp=emb&view=att&th=1168aff0f2e8de23”.]

Main Function and features:

* Exquisite & fashionable flash metal and thin design;
* 1.8″ TFT screen, 260K TRUE color display;
* Built-in FM radio & With FM recording function (optional) ;
* RF(Radio Frequency) transmit function ,the sigBnal can be accepted by your car FM, etc.(optional)
* Built-in outside speaker (optional);
* Support card reader function;
* Support DRM(digital right management)(optional).
* Built-in lithium battery .
* Capacity supported: 128MB to 4GB;
* Supports MP3, MP4, WMA, WAV, etc;
* Supports TXT electronic text reading ;
* Supports WAV recorder format;
* 7 EQ modes: moral , rock, pop, classic, soft, jazz, bass;
* Supports ID3 synchronous lyrics display;
* Support Multi-languages.(more than 20 kinds).

It went on, but that’s the end of the funny stuff.

What do you imagine “moral” EQ does? I wasn’t aware that you could make NWA sound like Perry Como just by changing a frequency response curve.

December 4, 2007

A link request from Spider-Man

Filed under: Spam, Scams

Date: Tue, 4 Dec 2007 05:28:52 -0500 (EST)
Subject: Link Exchange Request
From: webmaster@creditreportkey.com
To: [my domain registration contact address]

Hello buddy ,

Quality sites need to link together.. don’t you agree? I can give you a
high quality content page link from my site
(http://www.creditreportkey.com). In addition both our sites are
vertically related. I am sure you are aware of content page link plays a
major role in SEO.

Kindly add my link in your content pages other than the links page.your
site is a quality site hence I need a content link from your website.

If you said yes, then I need your link text and URL to get this started.If
no,I am really sorry to have been a disturbance.I promise,this will not
repeat.

We also offer free download of xp icons in our website. I hope this will
also be useful to you.

Link Title : Credit Report Key
Link Url : http://www.creditreportkey.com/

Awaiting for your word,
Peter parker

Wow - “free download of xp icons” from a site that also offers you the never-to-be-repeated opportunity to pay money for free credit reports and bogus credit repair services?

Why would anybody in the world ever need to visit any OTHER site?!

I’ll link to nobody else, from now on!

(And don’t worry, Peter - your super-secret’s safe with me!)

And what’s the deal with the “vertically related” part, anyway? The business-jargon usage of “vertical” is supposed to mean every stage of a business from production to distribution, hence the concept of vertical integration; “vertically related” businesses would be, say, a flour factory and a bakery. The word seems to have turned into cant, though; now it just means “stuff that’s related to other stuff”. So you get ad agencies spouting things like “high bidded content in your vertical”, as if their purpose were not to actually communicate an idea but just to win a game of Scrabble.

The above missive arrived right next to this other magnificent creation:

From: Stephen <hotescortreviews@gmail.com>
To: dan@dansdata.com
Subject: I would like to exchange links with your site
Date: Tue, 4 Dec 2007 0:38:42 -0800

Dansdata, [I do love that personal touch!]

I visited your site today, and I enjoy the information your provide. I
run an adult site similar to yours, and I was wondering if you would
like to trade links with me? You can see my site at
“http://www.hotescortreviews.com”. I ask for this link exchange because
I feel our sites are closely related in topic, and a link exchange
would benefit us both. My website also has a page rank of 2.

If you exchange links with me, I will list you on my site. I can put
your banner/link on my directory page
here:http://www.hotescortreviews.com/HERDirectory.html, and I can put
you in a category which is related to your site. Our site is gaining
more visitors by the week, and getting your link on my site guarantees
you future traffic and customers, which increases your bottom line.

Please let me know if you have any questions or comments. If you wish
to add my link, you can add the HTML code below to your site:

[link code redacted]

If you would prefer to exchange banners, you can find my banner on this
page:http://www.hotescortreviews.com/Links.html. You can just right
click on it and download.

Best regards,

Stephen

November 17, 2007

Fake marijuana botnettery continues

Filed under: Hacks, Spam, Scams, Strange Tales

It would appear that the previously mentioned “herbal marijuana” business (which, as I explain in that earlier post, is probably actually just a scam to harvest credit card numbers) is burgeoning.

From: “Bud Shop” <dancitep_yzpsoy@gte.net>
Date: Fri, 16 Nov 2007 14:05:42 -0700
To: “dan” <dan@dansdata.com>
Subject: Smoke up the bud

Do You Smoke Big Buddha Bud Or Any Other Legal Bud To Go Crazy ?

http://shabaaloo.com

My buddy Mark stopped hanging out with me because he now works at the post
office and has to do a piss test every other week. Just last week though, i
see him sparking up. I’m like “Dude are you smoking bud again??” and he is
all “Yeah! i bought ONE POUND of Legal Bud at cheapestbuds.com and i dont
need to worry, this shit doesnt come up in piss tests and its some potent
shit!” cheapestbuds.com is too good to be kept a secret.

One warning though, Dont drive with this potent bud.
My friend blasted up before going on his mailing route and he ended up
crashing the postal truck LOL.
Oh and he still smokes up the Legal Bud!

http://www2.shabaaloo.com

OR

http://3I.shabaaloo.com

The shabaaloo.com site being promoted here looks exactly the same as the previous thebudshop.net. Note also the mention of “cheapestbuds.com”, which was perhaps an earlier URL for the same scammers. That’s dead now, but all of the other ones are still up. The “www2” and “3I” subdomains spread the botnet hosting out even further.

Once again, these sites are all shuffling from one home broadband IP address to another, a technique I now know is called “fast-flux”, which was apparently originally used to hide spam mail servers. Their nameservers occasionally seem to be pointing more than one domain at the same IP address - both shabaaloo.com and thebudshop.net were at 69.141.166.10 (someone’s virus-infected PC on a Comcast address) when I first checked. Mere moments later shabaaloo had moved to 75.22.25.116 (another zombie, this time connected via AT&T) and thebudshop had moved to 63.131.13.17 (Choice One Communications). Then shabaaloo was 82.10.184.121 (NTL Internet, a UK ISP) and thebudshop was 70.92.159.113 (Road Runner). The subdomains all have their own separate changing addresses, too.

Thebudshop’s nameservers are still ns1.b4cf5f189.com and ns2.b4cf5f189.com; those are currently at 68.16.9.22 (AT&T) and 75.66.195.228 (Comcast), respectively. NS1 has stayed the same since I first checked four and a half days ago, but NS2 has changed at least twice since then.

The DNS entry for shabaaloo.com lists no fewer than five nameservers - four is the usual limit. It’s got NS1 through NS5.b4cf5f189.com. As I said in the comments for the previous post, that probably makes it virtually invincible, at least by spam-site-hosting standards.
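The pattern above, repeated lookups of the same name landing on unrelated networks minute by minute, is easy to spot mechanically. The Python below is an added example, not from the post: it takes a log of lookups and flags names whose answers churn across several distinct /16 networks within a short window, and lists addresses that fronted more than one name. The shabaaloo.com and thebudshop.net addresses are the ones quoted above; the timestamps and the stable control domain are constructed, and /16 is a crude stand-in for “different ISP” since the example runs without whois.

```python
"""Flagging fast-flux behaviour from repeated DNS lookups. Added illustration: the
shabaaloo.com and thebudshop.net addresses are the ones quoted in the post, the
timestamps and the stable control domain are constructed."""
import ipaddress
from collections import defaultdict

OBSERVATIONS = [
    # (seconds since first lookup, name, A record returned)
    (0,   "shabaaloo.com",  "69.141.166.10"),
    (0,   "thebudshop.net", "69.141.166.10"),   # both names on one zombie at first check
    (60,  "shabaaloo.com",  "75.22.25.116"),
    (60,  "thebudshop.net", "63.131.13.17"),
    (180, "shabaaloo.com",  "82.10.184.121"),
    (180, "thebudshop.net", "70.92.159.113"),
    (0,   "stable.example", "192.0.2.10"),      # constructed control: never moves
    (60,  "stable.example", "192.0.2.10"),
    (180, "stable.example", "192.0.2.10"),
]


def flux_stats(observations, window=600, min_ips=3, min_nets=3):
    """Per-name churn statistics plus a simple verdict.

    A name is marked 'flux' when some `window`-second stretch of lookups returned at
    least `min_ips` distinct addresses and, overall, those addresses fall in at least
    `min_nets` distinct /16 networks (crude proxy for 'different ISPs').
    """
    per_name = defaultdict(list)
    for t, name, ip in observations:
        per_name[name].append((t, ipaddress.ip_address(ip)))
    stats = {}
    for name, seen in per_name.items():
        seen.sort()
        ips = [ip for _, ip in seen]
        nets = {ipaddress.ip_interface("%s/16" % ip).network for ip in ips}
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        # Most distinct addresses seen within any single window.
        max_in_window = 0
        for i, (t0, _) in enumerate(seen):
            in_win = {ip for t, ip in seen[i:] if t - t0 <= window}
            max_in_window = max(max_in_window, len(in_win))
        stats[name] = {
            "distinct_ips": len(set(ips)),
            "distinct_nets": len(nets),
            "changes": changes,
            "max_ips_in_window": max_in_window,
            "flux": max_in_window >= min_ips and len(nets) >= min_nets,
        }
    return stats


def shared_hosts(observations):
    """Addresses that served more than one name: one zombie fronting several domains."""
    by_ip = defaultdict(set)
    for _, name, ip in observations:
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    for name, s in flux_stats(OBSERVATIONS).items():
        print(name, s)
    print("shared:", shared_hosts(OBSERVATIONS))
```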

When botnets first hit the news, many people (me included) had some difficulty figuring out what they were for, exactly. Yes, you could use them to send spam, or to launch denial-of-service attacks, or as your own personal massively parallel supercomputer for cracking encryption or something. But none of those features sounded hugely marketable.

Bulletproof hosting for any site you want is different, though. There are plenty of people who already pay big bucks for that.

I think we’ll be seeing a lot of spam-scam sites shifting to botnet hosting soon. Perhaps that’ll be what it takes to get the major ISPs to start actually disconnecting people whose computers are part of a botnet. Thus far they’ve resisted taking such action, despite being urged to do so by such minor entities as the US Government for going on three years.

One might cynically surmise that the lack of action is because there’s no money to be made in disconnecting zombies. Actually, there’s money to be lost; even if all you do is direct all of the customer’s Web requests to a “you’ve been quarantined” page with information about antivirus software, you’re still going to get irate support calls that’ll rapidly eat up every penny the customer’s paying you. If you cut ’em off altogether, they’ll probably tell all of their friends that you’re a terrible ISP, and may file complaints with their credit card company. It’s a nightmare.

And botnet members don’t generally actually use a whole lot of the ISP’s precious bandwidth, either. J. Random Hacker with his squeaky-clean computer that’s downloading TV all day is the user an ISP really wants to cut off.

And if every ISP doesn’t adopt a no-zombies policy, at least some disgruntled customers are not going to actually put their house in order - they’ll just switch to an ISP that’ll let their lurching zombie of a PC onto the Internet.

Here’s a good article about the current sad state of affairs. Busting the people who set up the botnets seems to be the most promising course of action. That strategy hasn’t exactly stamped out spam so far, though.

November 12, 2007

More tales from the online Wild West

Filed under: Hacks, Spam, Scams, Strange Tales

Everything old is new again. It’s been years since I got any spam trying to sell me legal herbal smoking mixtures, but here they come again. But, this time, there’s a lot more to the scam than meets the eye.

“Legal weed” concoctions seldom have any more actual effect than does snorting a fat line of baking powder. They invariably, however, have names that make them sound as if just opening the bag and taking a sniff would blow Bob Marley’s head clean off.

This time, the spam’s trying to sell “Big Buddha Bud”.

Or, as I discovered when I searched for that string, perhaps it isn’t!

It would appear that the Big Buddha Bud spams were, a week or three ago, promoting thebudshop.hk. That server had a protean IP address, shifting from one address that resolved to a home broadband provider to another, minute by minute if not second by second.

That could only mean that the site was being served by a botnet: the domain's DNS record was being pointed, in rapid rotation, at compromised home PCs acting as front-ends for the real server, a technique now generally known as fast-flux hosting.

And that, in turn, probably meant that the site’s only purpose was to harvest credit card numbers.

If, after all, you’ve got an online shopping site that can only be traced to countless virus-infected home PCs, why on earth should you bother actually sending anybody anything they’ve bought from you?

Thebudshop.hk is gone now, but thebudshop.net is alive and well. And its shifting IP address remains.

When I looked at it a few minutes ago it was at 75.208.93.134, an address in Verizon Wireless’s allocation. Then it changed to 76.188.169.229, which is a Road Runner address. Then it was 63.131.13.17; that belongs to ChoiceOne, a bank! And less than a minute later, it resolved to 76.15.25.162, an Earthlink address. And then 76.247.75.67, which is AT&T. I doubt any US ISP will be left out, if I keep on checking.

(If you manually point a Web browser at any of the botnet IP addresses, by the way, you get an interesting little page that says “Coming Soon! Please check us back later… Ddos Protection by the leet boys ;)”. This is an interesting thread to tug on, if you’re after more information on this particular botnet.)

I had no idea it existed until this moment, but it turns out that this “botnet hosting” is a known phenomenon. It’s a brilliant idea, too! Why use your army of zombified home PCs only to send spam, when you can also use it to host the super-dodgy sites you’re promoting?

Botnet hosting seems to have taken great strides, as well. Sites like this are supposed to be flaky, but thebudshop.net looks rock solid (not to mention professionally designed!) to me. This botnet seems to be delivering the kind of super-distributed redundancy that major Internet companies dream about.
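If you want to check a suspect hostname for this kind of behaviour yourself, the following script is an added example (it is not code from the blog, and it uses only the Python standard library). It resolves a hostname repeatedly and then scores the answers: how many distinct addresses turned up, how many unrelated /16 networks they fell into, and how often the answer changed. The sample observations reuse the five addresses quoted above for thebudshop.net; the timestamps, the "stable control" host, and the flagging thresholds are my own assumptions, not measurements from the post.

```python
"""Spot fast-flux style hosting from repeated DNS lookups.

Added example for this post, not the blog's own code. Standard library only.
"""
import socket
import time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

Observation = Tuple[float, str]  # (unix timestamp, IPv4 address)

# Constructed sample: the addresses the post saw for thebudshop.net,
# pretending they were observed roughly a minute apart (timestamps invented).
FLUX_SAMPLE: List[Observation] = [
    (0.0, "75.208.93.134"),
    (55.0, "76.188.169.229"),
    (110.0, "63.131.13.17"),
    (160.0, "76.15.25.162"),
    (220.0, "76.247.75.67"),
]

# Constructed control: a host that answers from one address every time
# (192.0.2.0/24 is the documentation range, so this never hits a real box).
STABLE_SAMPLE: List[Observation] = [(t * 60.0, "192.0.2.10") for t in range(5)]


def resolve_repeatedly(hostname: str, samples: int = 5,
                       interval: float = 60.0) -> List[Observation]:
    """Live collector: resolve `hostname` `samples` times, `interval` seconds apart.

    gethostbyname() returns the first A record only, which is roughly what a
    browser would use, so it tracks the address a victim would connect to.
    """
    seen: List[Observation] = []
    for i in range(samples):
        try:
            seen.append((time.time(), socket.gethostbyname(hostname)))
        except socket.gaierror:
            pass  # transient lookup failure: skip this sample, keep going
        if i < samples - 1:
            time.sleep(interval)
    return seen


def flux_summary(observations: List[Observation]) -> Dict[str, object]:
    """Summarise how much a hostname's address moved across the observations.

    Heuristic (assumed thresholds): a real server or CDN answers from one or a
    few networks, while fast-flux front-ends are scattered across unrelated
    consumer ISPs, so the set of distinct /16 prefixes grows with every lookup.
    """
    if not observations:
        return {"distinct_addresses": 0, "distinct_networks": 0,
                "changes": 0, "changes_per_hour": 0.0, "fast_flux": False}
    addrs = [a for _, a in observations]
    distinct = sorted(set(addrs), key=ip_address)
    networks = {ip_network(f"{a}/16", strict=False) for a in distinct}
    changes = sum(1 for a, b in zip(addrs, addrs[1:]) if a != b)
    span = observations[-1][0] - observations[0][0]
    changes_per_hour = changes * 3600.0 / span if span > 0 else 0.0
    # Flag when answers span at least three unrelated /16s and the address
    # changed on at least half of the consecutive lookups.
    pairs = max(len(addrs) - 1, 1)
    fast_flux = len(networks) >= 3 and changes * 2 >= pairs
    return {
        "distinct_addresses": len(distinct),
        "distinct_networks": len(networks),
        "changes": changes,
        "changes_per_hour": round(changes_per_hour, 1),
        "fast_flux": fast_flux,
    }


if __name__ == "__main__":
    for label, sample in (("thebudshop.net (constructed)", FLUX_SAMPLE),
                          ("stable control", STABLE_SAMPLE)):
        print(label, flux_summary(sample))
    # For a live check: print(flux_summary(resolve_repeatedly("example.com")))
```

The other tell-tale of fast-flux, which gethostbyname() can't show you, is the record's TTL: `dig +noall +answer thebudshop.net` prints it in the second column, and a domain that hands out a fresh residential address every minute has to set a TTL of minutes or less to make that work. A CDN can also answer with several addresses, so treat the flag as a reason to look closer (whois on the addresses, as the post does), not as proof.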

Another glimpse of the Dark Side

Filed under: Spam, Language, Scams

My spam had two high points today.

One of them was not the terrible news that the invaluable link directory at teksavers.com was REMOVING MY LINK OMG from their site because I had failed to respond to their repeated unsolicited requests for a link from this ancient motherboard review to http://www.teksavers.com/, with the title “Buy Sell Refurbished Cisco”.

I simply cannot figure out why I haven’t done that. Too late now!

Spam high point one was brought to me by the new wave of random-subject-lined replica watch ads, which seem to be sourcing their random words from a much more awesome dictionary than most.

My favourite so far is today’s masterpiece, “Rainbow Kaleidoscope Ice-cream Egg Magnet”.

I opened that message, hopeful to be given the opportunity to purchase this wonderful-sounding product. But all it contained was the usual link to an odd-named and inaccessible server where, I fear, no Rainbow Kaleidoscope Ice-cream Egg Magnet would be on sale anyway.

(The next one to arrive had the subject “Solid Prison Post-office Necklace Fan”, which sounds much less appealing.)

Later in the day, I received this pearler:

Date: Sat, 10 Nov 2007 19:04:47 +0200
From: “Igal K.” <igalkr@013.net>
Subject: Article contribution proposal to www.dansdata.com
To: dan@dansdata.com

I’ve stumbled across your site - www.dansdata.com and
I want to make you an offer regarding contributing uniquely
written Insomnia & Sleep Problem related articles to your site.

As you know - Creating unique content for your site is the only
way to get high rankings in Google and other Search Engines.
Copying Articles from Article Directories became obsolete
now that Google is penalizing sites with Duplicate content.

This is where we can help each other in a win-win partnership - I
have a staff of skilled writers creating articles about subjects
such as ( Just to name a few ) :

      Insomnia Treatment Tips
      What Are Sleep Disorders
      Chronic Insomnia Treatment
      Sleep Aid Guides
      Sleep Disorders
      Sleeping Pills Help

The articles that I’m offering will be unique and were never
published on any articles directory or website, therefore you will
have the full benefits of a unique content that is published only on
your website - in Addition you have full rights to edit and tailor those
articles to your own liking and your website needs.

The only thing I want in return are 2 links pointing back to my
Insomnia Related site at the bottom of each published article.

So if you’re interested in my unique win-win proposal please let
me know so we can start helping each other get Higher Rankings
in Google.

Igal K.

You know how sometimes you click on a result for some obscure search or other, and then find yourself on a site with a buggerload of Google ads and some real actual readable text… but that text doesn’t contain any valuable information at all?

In fact, the text looks as if it could be customised, with a quick search and replace, to apply to any subject?

I’m betting that this is the sort of “content” that Igal’s “staff of skilled writers” are offering my poor little site, which with its miserable thousand or so articles and laser-like focus on sleep disorders is clearly in need of Igal’s assistance.

(Amazingly enough, I don’t think dansdata.com contains even a passing reference to insomnia at the moment. Usually, subject-specific spam like this comes to me because someone found the word “sauna” on my site somewhere and decided that I therefore must be interested in ordering a few container-loads of Chinese pre-formed hot tubs. Heaven knows how Igal came up with the insomnia connection, in the absence of such an obvious link.)

I suppose it’s possible that Igal really does have writers on staff. If that’s the case, I imagine they’re the inexpensive and quirky kind.

Igal’s a wily one, too; he doesn’t mention the URL of his special insomnia site in his spam.

But I’ll betcha any of you unfortunate enough to be searching for information on sleep disorders will be seeing Igal’s site soon. At least until Google catches on, yet again.

November 8, 2007

The cause and the cure

Filed under: Spam, Scams

Another outstanding piece of mystifying spam:

Join the Thousands of Americans GETTING OUT OF DEBT!

Be DEBT FREE in as little as 12 MONTHS.

Please visit the link below and get a free debt consultation today. NO OBLIGATION!

http://eurocasinobj.com/indexd.html

Euro. Casino. BJ?!

Why, that’s exactly the sort of URL at which I’d expect to find sensible debt reduction advice!

If you go to the root of http://eurocasinobj.com/, you find exactly what you’d expect to find - a casino site offering you a no doubt completely kosher $555 Welcome Bonus as long as you run the SetupCasino.exe file they want you to download.

http://eurocasinobj.com/indexd.html, on the other hand, redirects to the similarly mystifying URL http://heroesthai.com/, which is a generic Web-2.0-looking “Goodbye Debt” site.

And which, of course, is probably also a big fat scam.
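Following a spam link hop by hop, rather than letting the browser do it, is how you see a domain switch like this one. The script below is an added example, not the blog's own code; it uses only the Python standard library. It makes urllib hand 3xx responses back instead of following them, records every hop, stops on loops, and reports the hostnames the chain crossed. The fetch function is injectable, so the chain logic is shown here against a constructed table that mimics the redirect the post describes; `live_fetch` does real requests. The post doesn't say whether the redirect was an HTTP redirect or a meta refresh, so a 200 at the first hop means "read the body", not "no redirect".

```python
"""Trace an HTTP redirect chain hop by hop without auto-following it.

Added example for this post, not the blog's own code. Standard library only.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

Response = Tuple[int, Optional[str]]  # (HTTP status, Location header or None)
Hop = Tuple[str, int]                 # (url requested, status; -1 marks a loop)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib raises HTTPError for 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url: str, timeout: float = 10.0) -> Response:
    """One real request; the body is never read, only status and Location."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-tracer/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def table_fetch(table: Dict[str, Response]) -> Callable[[str], Response]:
    """Offline stand-in for live_fetch backed by a constructed response table."""
    def fetch(url: str) -> Response:
        return table.get(url, (404, None))
    return fetch


def trace_redirects(url: str, fetch: Callable[[str], Response] = live_fetch,
                    max_hops: int = 10) -> List[Hop]:
    """Return every hop until a non-3xx answer, a loop, or max_hops is reached."""
    chain: List[Hop] = []
    seen: Set[str] = set()
    current = url
    while len(chain) < max_hops:
        if current in seen:
            chain.append((current, -1))  # redirect loop: stop here
            break
        seen.add(current)
        status, location = fetch(current)
        chain.append((current, status))
        if 300 <= status < 400 and location:
            current = urljoin(current, location)  # Location may be relative
        else:
            break
    return chain


def hosts_crossed(chain: List[Hop]) -> List[str]:
    """Distinct hostnames in the order the chain visited them."""
    hosts: List[str] = []
    for url, _ in chain:
        host = urlsplit(url).hostname
        if host and (not hosts or hosts[-1] != host):
            hosts.append(host)
    return hosts


# Constructed table reproducing the redirect the post describes.
SPAM_CHAIN: Dict[str, Response] = {
    "http://eurocasinobj.com/indexd.html": (302, "http://heroesthai.com/"),
    "http://heroesthai.com/": (200, None),
}

# Constructed table with a two-step loop, to show the loop guard.
LOOP_CHAIN: Dict[str, Response] = {
    "http://a.example/": (301, "/b"),
    "http://a.example/b": (302, "/"),
}


if __name__ == "__main__":
    chain = trace_redirects("http://eurocasinobj.com/indexd.html", table_fetch(SPAM_CHAIN))
    for url, status in chain:
        print(status, url)
    print("hosts crossed:", hosts_crossed(chain))
    # Live use: trace_redirects("http://some.suspect.link/")
```

A chain that hops from a casino domain to an unrelated "debt relief" domain is exactly the kind of thing you want to see before, not after, a browser has rendered the landing page; the tracer never fetches a body, and it certainly never runs SetupCasino.exe.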

It’s an example of the peculiar rule of thumb which states that people with little money are easier to scam out of that money than rich people. Actually, “debt elimination” scams take it even further - they screw money out of people who have less than no money to start with!

A search of the Federal Trade Commission’s site for “unsecured debt” is enlightening.

Sometimes the scammers claim that they’ll negotiate with creditors in some special magical way that a normal customer couldn’t, accept payment for doing so, and then just don’t do anything. Genius!

The more creative scammers come up with a line of bull akin to that spouted by “tax protesters”. There are a bunch of peculiar arguments in this category. Generally, they all assert that widely-held assumptions - like, for instance, the notion that it is legal to lend money at interest, or that when a person borrows money he personally now owes it to the lender, or that civilian courts are not military courts - are not true.

These arguments also have in common the fact that not a one of them holds more water than a tea bag.

The FTC’s actual advice to people who’re knee deep in debt is also useful. They advise debtors to seek out cheap-to-free credit counselling, and specifically avoid one-size-fits-all expensive “debt reduction” outfits.

Especially the ones with weird URLs.
