Everything folks have mentioned was my functional assumption. It seems unlikely that they'd have that much IP space under their direct control, and if they did, it would be easier to block using WHOIS info, origination details, etc. Now, as mentioned, there are some botnets out there that are somewhat above board in that the controlled endpoints are voluntarily doing the stuff they're hired to do. They may even get paid a little. It's doubtful that the owner of the endpoint really understands the ramifications of their participation, but at least they're otherwise consenting and an economic beneficiary. Of course, as we all know, many or most botnets are made up primarily or essentially entirely of compromised endpoints. Now we're in "just flat out illegal" territory. Lovely. It took far less shady action than this to get (albeit very weak and not particularly timely) US federal legislation on email SPAM. I'm not holding my breath for this to get addressed any time soon, though.