
Strange Bedfellows - IP Bunkmating

Posted by Jonathan Cohen on March 3, 2006 05:15 PM

(Thanks go to our tech team for spearheading this inquiry.)

Look around the SiteAdvisor team, and there’s always someone with a furrowed brow. We’re constantly discovering new scams and surreptitious online behavior. Today we'll explore a hosting practice we call “IP bunkmating.” (Others call it “host multiplexing” or “IP sharing.”)

Web sites are all stored on servers, and each server has an IP address. When more than one site is located at the same IP address, it could mean one of two things:
1) The hosting company decided not to allocate a unique address to each of their clients. (This isn’t a bad idea for many sites, and it’s required by some IP registries’ rules.)
2) One organization is running multiple sites on the same server. This is easier for them – fewer physical servers mean less to set up and less to maintain.

In the first case, there’s generally no relationship between the sites that happen to share a server. If you care to learn more about Web sites sharing IP addresses, you can read spyware researcher Ben Edelman’s related article. But in the second case, there’s an increased likelihood that sites will be similar. After all, a company with one “red” site might well have other bad business practices too, possibly extending into unrelated ventures. Below are some examples of sites we found based on their similarities with sites we already rated as red.

The IBIS Umbrella

IBIS is a known provider of what many people would consider adware, spyware or other unwanted programs. According to spywareguide.com, the IBIS Toolbar logs URLs of webpages, shows ads, changes browser home pages, and overwrites affiliate tracking. Many, but not all, of the sites hosted on the IP address 146.82.109.220 are registered to or have business partnerships with IBIS. Some of these sites are: (links go to respective SiteAdvisor site details pages)

IBIS Bunkmates

404-errorpage.com
bestjobsguide.com
bestphonesguide.com
bigromantic.com
financeadvisor.com
fitnessandhealth.com
guideforyou.com
internetandcomputers.com
mp3radio.com
seekerbar.com
spywarelinkcentral.com
travelandyou.com
ways2business.com
websearch.com
websecurityguard.com

Though the labels of Web destinations like financeadvisor.org, fitnessandhealth.us, and bigromantic.com imply a specific site focus, all these sites act as poorly executed placeholders for an IBIS-operated search engine, websearch.com. This certainly isn't illegal, but it is misleading. You won't see Google redirecting to its search engine from "timetoeatthedonuts.com".

The designers at Websearch.com seem to be big fans of Yahoo!’s layout. Is it possible that websearch.com is mimicking Yahoo!’s familiar front page design in order to trick users into feeling confident about interacting with their site? Archived front-page images for Websearch.com indicate this is a recent design change.

Websearch.com and Yahoo! feature similar layouts. Red, Blue, Green, & Purple Rectangles are superimposed to highlight similar regions.

Seekerbar.com, another IBIS site, features an identical front page to Websearch.com. We've examined this phenomenon before: it's cheap to register new domain names, and even new IP addresses. Redesigning complete Web sites is much more expensive. So profit-minded toolbar and adware distributors tend to re-use design, text, and programming code to save time and money.

Websearch.com may look like Yahoo! on the surface, but don't try to compare the reputations of the two sites in terms of safety. According to Websearch.com, they have "seized distribution" (from their Toolbar page, we think they meant ceased) of the IBIS-developed Websearch toolbar, which received an 8 out of 10 nuisance score from SpywareGuide.com because it "Logs activity, uses stealth installation and removal is difficult." Beyond the ruthless Websearch toolbar, two other IBIS products (Huntbar and IBIS Toolbar) received 6 out of 10 nuisance scores from SpywareGuide.com for showing ads, stealth tactics, and logging Web page URLs.

Currently, websearch.com and seekerbar.com are redirecting all toolbar queries and top-navigation bar links to a toolbar from Crawler, which is also developed by IBIS. Crawler.com is currently rated red by SiteAdvisor because of its relationship to IBIS, but it will likely earn a yellow rating in the future barring software or EULA policy changes. (Our tests of the Crawler toolbar indicate a yellow rating would apply because the toolbar automatically opts users in to a homepage switch during the install sequence.)

Linda Tripp Has Something In Common With SheMales

There are plenty of instances where Web sites share an IP address even though they actually have no business relationship and nothing in common. For example, FamilyCareGiversOnline.com is bunked with smut and adware hawker Portale93.com. We see no sign of any relationship between these two sites; rather, they’re both just renting server space from Lunarpages.com.

Some of our history teacher readers may have come across the helpful resource HistoryTeacher.net. This site shares an IP address with sexybabesx.com, which is loaded with videos that conceal adware. There’s no apparent connection between these two sites beyond their host and IP address.

Speaking of an obscured motive, recall Linda Tripp, who uncovered the Lewinsky/Clinton affair in 1998. Her Web host paired LindaTripp.com with beautyshemale.com on the same IP address (67.15.35.182) together with another site that is too outrageous for us to reference. We assume this is all an unfortunate coincidence.

Unexpected consequences can result from a Web site sharing its IP address with sketchy neighbors. For example, when major mail providers detect spammers, the spammer’s IP address is frequently added to a “block list” that prevents delivery of future e-mail originating from the same IP address. Sounds great – until you consider multiple servers all sharing an IP. IP-based blocking can then block legitimate e-mail sent from an unaffiliated entity that merely happens to share that same IP address.

For example, HistoryTeacher.net is an excellent educational resource that shouldn’t be grouped together with pornographic content by spam filters that check for IP addresses. Furthermore, we assume Linda Tripp would like to have her e-mails delivered. (She probably sends thank you e-mails to everyone that sends “legal fund donations” via her site’s online form.) For the highest level of reliability, a Web site will want to ensure it has its own IP address.
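To see why the block follows the address rather than the site, here is an added example (not SiteAdvisor's code) of how a DNS-based block list is queried: the lookup name is built from the IP alone, so every site at that IP gets the same answer. The zone `dnsbl.example`, the site names and the addresses are constructed placeholders.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Build the block-list lookup name: reversed IPv4 octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, lookup=socket.gethostbyname):
    """True if the zone answers with an address in 127.0.0.0/8 for this IP.
    A failed lookup (NXDOMAIN) means the address is not listed."""
    try:
        answer = lookup(dnsbl_query_name(ip, zone))
    except OSError:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

def mail_impact(site_ips, zone, lookup=socket.gethostbyname):
    """Given {site: ip}, return every site whose IP is on the block list."""
    return sorted(s for s, ip in site_ips.items() if is_listed(ip, zone, lookup))

# Constructed sample data: hypothetical zone, made-up sites, documentation IPs.
ZONE = "dnsbl.example"
SITES = {
    "history-class.example": "198.51.100.7",  # legitimate site on a shared IP
    "spam-sender.example": "198.51.100.7",    # the neighbor that got the IP listed
    "own-ip.example": "203.0.113.5",          # site with a dedicated IP
}
LISTED = {"7.100.51.198.dnsbl.example": "127.0.0.2"}

def fake_lookup(name):
    """Offline stand-in for DNS: answers only for names in LISTED."""
    if name in LISTED:
        return LISTED[name]
    raise socket.gaierror("NXDOMAIN (constructed)")

def demo_blocklist():
    return mail_impact(SITES, ZONE, fake_lookup)

if __name__ == "__main__":
    print(demo_blocklist())
```

Calling `is_listed` without the `lookup` argument performs a real DNS query, which lets a site owner check the address their own mail leaves from.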

The moral of this tale is twofold:
• IP address mapping can help uncover groups of related sites that are trying to mask their affiliation. This is one of SiteAdvisor’s many research tools for hunting down related "red" and "yellow" sites.
• If you’re sharing an IP address, get to know your neighbors. Having a legitimate site located on the same server as a crass or dishonest Web venture can be embarrassing and might restrict your ability to reach the widest possible audience.
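A sketch of the IP mapping described in the first point, as an added example rather than SiteAdvisor's actual tooling: resolve a list of domains, group them by address, and surface unrated domains that sit alongside several already-red ones. The `min_red` threshold, the sample domains and the addresses are assumptions made for illustration; requiring more than one red site per IP is one way to separate a single operator's server from an ordinary shared host.

```python
import socket
from collections import defaultdict

def resolve(domain):
    """Return the set of IPv4 addresses a domain resolves to (empty on failure)."""
    try:
        return set(socket.gethostbyname_ex(domain)[2])
    except OSError:
        return set()

def group_by_ip(domains, resolver=resolve):
    """Map each IP address to the sorted list of domains hosted on it."""
    groups = defaultdict(set)
    for domain in domains:
        for ip in resolver(domain):
            groups[ip].add(domain.lower())
    return {ip: sorted(names) for ip, names in groups.items()}

def unrated_bunkmates(groups, red, min_red=2):
    """For IPs hosting at least `min_red` already-red domains, list the other
    domains there as candidates for manual review (not as verdicts)."""
    candidates = {}
    for ip, names in groups.items():
        known = [n for n in names if n in red]
        others = [n for n in names if n not in red]
        if len(known) >= min_red and others:
            candidates[ip] = others
    return candidates

# Constructed sample data: made-up domains on documentation-range IPs.
SAMPLE_DNS = {
    "toolbar-a.example": {"192.0.2.10"},
    "toolbar-b.example": {"192.0.2.10"},
    "finance-guide.example": {"192.0.2.10"},
    "history-class.example": {"198.51.100.7"},
    "adult-videos.example": {"198.51.100.7"},
}
SAMPLE_RED = {"toolbar-a.example", "toolbar-b.example", "adult-videos.example"}

def demo_bunkmates():
    """Run the grouping offline against the constructed DNS table."""
    groups = group_by_ip(SAMPLE_DNS, resolver=lambda d: SAMPLE_DNS.get(d, set()))
    return unrated_bunkmates(groups, SAMPLE_RED)

if __name__ == "__main__":
    print(demo_bunkmates())
```

The second sample IP is left out of the result because only one red site lives there, which matches the shared-hosting case where neighbors have no relationship.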

Make Us Laugh, Get A SiteAdvisor T-Shirt

We’d love to hear your own discoveries about ‘strange bedfellows’ sharing the same IP address. We'll send a SiteAdvisor t-shirt to anyone who submits an entry that makes us laugh out loud.


Comments

Hello. Yes, nowadays thousands of sites can share IP addresses and I'm curious to see who we might find bunking together, so to speak. I found an interesting association graphic yesterday: Stanford.edu. Stanford is listed as a green site (I should hope so!) but I don't think I can vouch for its (I really shouldn't put the domain names here) the associated sites. Not sure how to handle this.


This site was started by MIT folks right? :-)

Okay, going for the cotton...
209.249.114.13 hosts an amusing pair: detroitredwings.com and erectile-difficulties.com. No offense intended here, just an observation.

Oh no - I have to make you LAUGH! by finding incongruous domains hosted on a single IP (bunking together) to get a T-shirt.

The bar is set awfully high considering the grim business of internet safety and security you're in.

I picture the Site Advisor team as trim, steely-eyed, serious individuals, dressed either in "geek squad"/men-in-black business suits or low drag desert camouflage. Blackberries holstered in quickdraw snap cases, with logic testers and RJ45 test sets on utility belts. SANS and CERT reports scroll constantly on 72' plasma screens mounted on the walls above the "Operation Center". Well, I've got an imagination. In any case ... I picture folks not prone to light hearted laughter.

  • I'll give it a try. How about IP= 209.133.245.2, which is operated by Setup Site, Inc. in North Brunswick NJ.
  • I was tracking the commercial Keylogger software sold from http://www.IamBigBrother.com. Big Brother, secret spying, password prying, sneaky site reports, all of which sets a sort of grim, hi-tech, 1984-ish mood.
  • But to chase that cold chill away, maybe we'll take a tour in the bunkmate site of http://www.oilsandcandles.com. A little aroma therapy to ward off the wobblies?
  • But we also find solace at the comforting, warm and toasty http://www.georgesbakery.com, supplying all of New England.
  • If we overeat at Georges, we can get diet aids at http://www.diyet.com
  • Keeping that country home, all-American theme, we also find the home-n-hearth site, http://www.kiwanisclub.org, for the Florence Kiwanis Club, oddly elbow-to-elbow with BigBrother?
  • And if the dichotomy is too great to stand, we'll schedule a counseling visit at http://www.disasterpsych.org -- but oops, ... the Disaster Psych site seems to have had a mental meltdown as well. I get an error, an "unhandled exception" error. Apparently too much information for MySql? But maybe they've been hacked!
  • They can always get recovery help for the Psychs at http://www.findingstrength.com ....
  • But let's be extra safe, we'll ask the guys at Big Brother to check in on their IP bunkmates. Please just email us a report at someplace http://www.downrightamazing.com

All these sites share the same server. It must get crowded in there, since there are 149 total.
** Also at 209.133.245.2: **
  • www.asparagusharvester.com -- an unusual business
  • www.astroscratchingpad.com - Your Cats Will Love Our Extra Wide Scratching Pads!!
  • www.blacktiellamas.com -- llamas?? Oh my.
  • www.blue-frog.biz -- Expertise Areas: Space Transportation Operations
  • www.cowboysmcalester.com -- cowboys to ride the horses
  • www.lightstarhorsetransportation.com -- horse hauling in the 21st century
  • The Pine Bush Piranhas (aka the Pine Bush Aquatic Club) -- http://www.pbpiranhas.org/
  • www.highsierrawaterskiing.com -- a day away
  • www.icleanall.com -- for the day after ...
  • www.midwestfieldturf.com -- The grass
  • www.midwesttennisandtrack.com -- The games
  • www.theparkmotel.com - take a nap here
  • http://www.thepotterboys.com -- forget Big Brother, they tell it all, here.
  • www.recycled-into-art.com -- in the end, aren't we all this?
  • www.romanticoccasions.com -- oh nice!
  • www.turkmd.com -- very mysterious, this turk MD
  • www.warehouseloan.com -- finance it all, HERE ...
  • www.federated-mortgage.com -- here, ...
  • www.federatedmortgages.com -- and HERE!

Very good reading. Peace until next time.
WaltDe
