Those of you reading this blog for any length of time, or specializing in the documentation of malicious domains, will no doubt already be aware of RapidSwitch's history, but here's a little refresher for you;
242 reasons to avoid 126.96.36.199 (RapidSwitch - AS29131)
RapidSwitch customers still involved in SMS Fraud ......
Adobe9.0-PDF.com + Computer Solutions Group + 208.118.54.* + Xtreme Software Ltd + Saudi Arabia = Phishing and fraud network
Zlkon.lv disconnected - but apparently not completely gone
Fake malwarebytes site
Legitimate Software Typosquatted in SMS Micro-Payment Scam
RapidSwitch: UK webhosts in champagne throwing cat fight
LC Escrow & Consulting Fraud
Take your time, I'll wait.
Caught up? Good, lets begin shall we? We'll start by looking at what was there, as documented September last year. How many of these are still present? How many have moved? Well, the following contains the hpObserver validation results for those listed in hpHosts as residing on 78.129.*, which were done around an hour or so ago;
I believe the results speak for themselves - the majority are still present, and still involved in malicious activities.
Now, lets look at what's appeared over there in the last few months shall we? And I should point out, this only contains those recorded in my personal database (this database is not published online for varying reasons) and as such, is only a small example.
Here we see everything from RFI's, to fake AV's (these are the most common sighting within the RapidSwitch networks) and a spot of Koobface (e.g. svn.altervista.org/477, which as of a check a couple seconds ago, appears to have been cleaned up), with exploits such as those at pinomusik.altervista.org (see Wepawet results for details), thrown in for good measure.
I'm afraid, given this behaviour is continuing, and is in some measures, getting worse on the RS network, I believe it's safe to say RapidSwitch quite simply don't care. They ARE aware of the malicious traffic within their networks. How do I know? Well for starters, I'm not the only one to try and report it to them, and actually have them do something (I tried back in 2008, which was a complete waste of time, and have reported malicious content to them since then, with absolutely no reply (though given they blocked e-mail from me getting through to them (or so they claimed), I'm not really surprised)).
I do wonder however, how exactly they're explaining themselves to the legit customers they do actually have, and to their shareholders and whatnot (though given shareholders typically only care about profit, I doubt they care either). I suspect it's along the lines of "we're a large ISP and can't possible know about everything, and don't have access to customers servers, and ..... and ..... ", aka: excuses.
For those interested, you'll also find malicious content within the RapidSwitch networks, documented at;
Until such time as RapidSwitch die a horrible death, or boot all of their current management/staff and hire people that actually care about more than profit, I'm personally continuing to blackhole their entire ranges, and strongly urge everyone else do the same (to those legit customers unfortunate enough to be hosted with RapidSwitch - MOVE ELSEWHERE!!!).