It was a difficult choice deciding who should be in the firing line next, as far as being cybercrime friendly, as there's a multitude of choices, those I've not yet covered include VPLSNET (VPLS Inc. d/b/a Krypt Technologies), Masterhost, China (I'd be here all year with this one), Aruba (and if you're reading this Aruba - FIX YOUR DAMN ABUSE ADDRESS!), Peterhost, to name a few.
I thought I'd focus on yet another ISP that's continuing to provide connectivity to a 100% malicious ISP (root eSolutions incase you're wondering). This left me with three choices, COGENT /PSI, RUNNET or Hurricane Electric (all three have legit clients, aswell as malicious ones), I decided to opt for COGENT /PSI (AS174).
COGENT have a plethora of legit clients, amongst them, my ISP (Plusnet PLC), and to be fair, there's very little malicious activity on their own network (though there's likely alot more, I've only recorded 231 cases since July 2009), but they're continuing to provide connectivity to malicious ISP's such as Netelligent and root eSolutions et al, regardless of the fact there's been a flood of reports published on them. One has to wonder why this is, my guess is money (but I'm a skeptic).
It gets worse however, as COGENT are also one of two ISP's that are providing connectivity to the much despised Phorm (AS48214). A company that's been in the news on more than one occasion for specializing in illegal (Ref: 1, 2, 3 etc) and malicious (namely, spyware via DPI (Deep Packet Inspection) and connection hijacking) behaviour.
It is this, and this alone, that has earnt them the title of crimeware friendly. Had they not put up with this, and de-peered these "ISPs" (and I use the term ISP loosely as far as they're concerned) as soon as this started, which is what they should have done (there's certainly plenty of evidence against their clients available), I'd have went with RUNNET instead (RUNNET are also providing connectivity not only to root eSolutions, but to two other 100% malicious ISP ranges - KABELFOON (aka WorldStream)* and CARAVAN, and not forgetting of course, MASTERHOST, I'll be covering these in a later article), but alas nope.
* Just to clarify, Hurricane Electric are also providing connectivity to KABELFOON/WorldStream
To make matters worse, they've also not given Lunarpages a swift kick in the behind yet (remember them?). A kick that was deserved a very long time ago, and in my opinion, is still something they deserve (sorry guys, but your grip on security is about as good as Mr Beans, and you're about as quick at taking action on abuse/hacked sites reports, is about as quick as Google).
Something I am a little curious about however, is why COGENT /PSIs *clients* haven't forced them to take action. You'd have thought legit ISP's would want to ensure there were no connections to malicious activity, I suppose this is a question that will be left unanswered.
/update 10-02-2010 - Corrected typo