I was investigating hiskyhost.net (AS43355), due to the fact that I've now got 48 domains going through them that are associated with malware. More interestingly, they all resolve to housing.hiskyhost.net - a hostname that does not itself actually resolve to an IP;
During the course of the investigation, I decided to do a WhoIs query, and prior to my trying today, EstDomains have never allowed WhoIs queries, instead opting to either refuse access to their WhoIs server, or as is the case with whois.internet.bs, return complete rubbish (i.e. when querying whois.internet.bs, their WhoIs server will return "D D"). In October 2007, I noticed their server consistently returning the following, irrespective of the domain being queried;
Having done a WhoIs query via the EstDomains website, I decided to try modifying the hpHosts site to do the query directly against their WhoIs server - and what did it return? Surprisingly, it returned the same data as their web interface - something it had never done before;
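The direct query described above is a plain TCP exchange on port 43: send the domain name followed by CRLF, read until the server closes the connection. The following is an added example (my own code, not part of the original post or of hpHosts) that performs that raw query and then classifies the reply, so that a degenerate answer like the "D D" rubbish mentioned for whois.internet.bs is flagged instead of being treated as a record. The sample responses are constructed strings for offline testing, not captured output from EstDomains or any other server.

```python
import socket

# Constructed sample replies modelling the behaviours described in the post:
# a junk reply, an empty reply, a "no match" reply and a normal record.
# Illustrative only; not captured from any real WHOIS server.
SAMPLE_RESPONSES = {
    "junk": "D D\r\n",
    "empty": "",
    "no_match": "No match for \"EXAMPLE.COM\".\r\n",
    "record": (
        "Domain Name: EXAMPLE.COM\r\n"
        "Registrar: Example Registrar, Inc.\r\n"
        "Creation Date: 2007-10-01\r\n"
        "Name Server: NS1.EXAMPLE.COM\r\n"
    ),
}


def whois_query(domain: str, server: str, port: int = 43, timeout: float = 10.0) -> str:
    """Send a raw WHOIS query to a specific server (RFC 3912 style) and return the reply text.

    The server is chosen by the caller, so a registrar's own WHOIS host can be
    queried directly rather than going through a web front end.
    """
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closes the connection when the reply is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def classify_whois_response(text: str) -> str:
    """Classify a WHOIS reply as 'record', 'no_match', 'empty' or 'junk'.

    'junk' covers replies that are neither a registration record nor an
    explicit not-found message, e.g. a server that answers with "D D".
    """
    stripped = text.strip()
    if not stripped:
        return "empty"
    lowered = stripped.lower()
    if lowered.startswith("no match") or "not found" in lowered:
        return "no_match"
    # A usable record carries "Key: value" lines; anything without them is noise.
    kv_lines = [
        line for line in stripped.splitlines()
        if ":" in line and line.split(":", 1)[1].strip()
    ]
    return "record" if kv_lines else "junk"


def parse_whois_fields(text: str) -> dict:
    """Collect "Key: value" lines into a dict (keys lower-cased, first occurrence kept)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key and value and key not in fields:
            fields[key] = value
    return fields


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for name, reply in SAMPLE_RESPONSES.items():
        print(f"{name:9s} -> {classify_whois_response(reply)}")
    # Live use (assumed server name, not from the post):
    #   reply = whois_query("example.com", "whois.example-registrar.test")
    #   print(classify_whois_response(reply), parse_whois_fields(reply))
```

When checking a batch of suspicious domains, record the classification alongside the registrar data: a run of "junk" or "empty" replies from one registrar's server is itself worth noting, since it tells you the registrar's WHOIS is not giving usable answers and the data has to come from another source.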
What I am rather interested in however, is their possible connection to hiskyhost.net, 2checkout.com and internet.bs.
As a side note, I've also noticed some of those that previously resolved to housing.hiskyhost.net (e.g. mcdirecting.com), though still going through EstDomains, now resolving to the VDHost Ltd/Ultranet (AS35057) netblock;
This also, of course, begs the question of whether there is any relation between these and EstDomains as well, or whether it's just me being overly suspicious. Either way, EstDomains, if they are serious about taking malicious domains offline (and I doubt they are - more likely they're just doing it until they're out of the headlines, so to speak), then they need to take both those on VDHost/Ultranet and those on HiskyHost offline - as shown by the following, someone's already disabled some of them;
In the meantime, hopefully they'll continue to allow access to their WhoIs server, and not "accidentally" disable it??? Time will tell.