Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 4 October 2009

Crimeware friendly ISP's: NetDirekt

Because there are a slew of ISP's providing homes to criminals, seemingly without giving a hoot about the victims being affected by their customers, I thought I'd try a name and shame approach, and to start it off, I thought we'd name and shame German ISP, NetDirekt.

Now, you'll have to bear with me here as I've not got this blog pre-written or prepared, I'm sort of, writing it as I go.

NetDirekt have a well known and well publicized reputation as far as criminal activities go, due to their long standing housing of the well known Internet Service Team (commonly referred to as the IST).

The IST, amongst others, are just some of the folks behind the Google, Bing and Yahoo etc etc, blackhat SEO campaigns, that lead unsuspecting folks to fake malware and more recently, the likes of the Koobface exploit.

Now, given the amount of activity there is within NetDirekt's network, on behalf of the IST, and the amount of publicity their network has received over the years, because of such activity, leads to the obvious question of - why? Why are they allowing this? Why are they not taking steps to boot the IST off of their network?

The answer to this is of course, money, but, and I have no proof at present, I suspect there may be more to this than just money and will continue looking into this until it's proven either way. In the meantime, I'd like to extend an invitation to NetDirekt to explain themselves to YOU, the internet users and more importantly, the victims of their complete lack of action.

NetDirekt, we'd like to hear from you, we'd like you to explain why you've allowed the IST (amongst others) to mis-use your network for so long, and to explain what you plan on doing (if anything) to stop this? I hope, your first step is going to be booting the IST and the other criminals, off of your network and reporting them, given your networks logs are the best source of intel on them, to the relevant authorities, but if not, why not?

In the meantime, and this may seem excessive, I'd like to call for a global blackholing of their ranges until such time as they bother to take action. I can already hear the internet version of the Daily Mail readers with their "but blackholing their network isn't fair on the legit sites within their ranges", and yes, I agree - but we've tried everything else to get NetDirekt to take action. We've tried publicity, we've tried abuse reports, and quite frankly, I feel this is the last option we have to force their hand.


Google poisoning, IST, rogues and 250+ reasons to avoid 209.44.* ......

IST (Internet Service Team - * in blackhat SEO campaign - again

Robtex: AS43391 - NetDirekt


netdirekt said...

My name is Wiethold Wagner, CEO of netdirekt, Germany

First of all: We have nothing to do with AS43391, they do have same name but
we are not related with them or have any contact. netdirekt has taken legal steps on the missuse of our name.

What is is a domain we have registered and it is used for name and
RDNS servers we setup. This is done to offer our customers a white label platform with no relation to our name.

By today we have >65K DNS entries for this domain starting with IP with dashed and the

Who is netdirekt, Germany?

netdirekt was established 1996 and offers mostly dedicated servers to worldwide customers.
Today we run close to 8.000 dedicated servers.

What is netdirekt doing against crime?

In the past year the abuse department was restructed in terms of structure and man power.
We have introduced a new ticketsystem which is able to handle request much easier and faster.
netdirekt has changed his policies regarding abuse by reducing the timeline for reaction to a minimum.
By today we are in close contacts with many sites running abuse information like blacklists, abuse departments, CERTs and many others. Data received from there
are taken additionally beside those received from abuse @
We have invested a large amount into this change including new software to detect other abuses and block these from the start.

What does this all mean?

You can imagine that a server farm with dedicated servers make it easy for scammer to run any script they want.
This does not automaticly implement that our business model is bad. Almost all of our customers running regular content like radio streams you have maybe be listening to.
This large amount of Ips and server automaticly will be followed by a good amount of abuses in sum.
Counting this in percentage (Abuse/IPs) will lead you to a other value probably much lower than other ISPs related to the amount of servers/IPs.

What do we ask for?

We ask you to send us any information regarding abuse in our network. This information will be taken very seriously.

What is our goal?

If you look at statistics you can see that the amount of Spam from our network droped dramaticly. This is a result of our work in the past.
In the next few months we will fully activate the new tool to detect more precise abuses activity and act immediatly.
All of this takes a great amount of time and effort.
We will be unable to stop any abuse related activity from our network but we will further reduce it to a minimum.

MysteryFCM said...

Thanks for the response. Any particular reason you've never responded to any of the abuse reports I've sent over the years? And didn't feel it necessary to respond to the other blog reports on your network?

I find it interesting that you claim is "just a domain name", but has been a domain that has been and continues to be, one of the most active involving malware.

"We ask you to send us any information regarding abuse in our network. This information will be taken very seriously. "

I'll be happy to - give me an e-mail address that will result in my actually receiving a response? (I've tried abuse@ for years without so much as an auto-response).

netdirekt said...

We will be happy to discuss the particular abuse reports personally. Please drop us a email to info @ Please also tell us your "from" email adress used to send abuse emails to us to follow up on your abuse emails.
Maybe you can also point out on how AS43391 was attached to us.

Take this post as a reset ind communication.
If the community will give us specific information on Malware we will work on each abuse report and fix the issue. This will help us clean the network.

MysteryFCM said...

Thanks for the response.

AS43391 was found to be associated with your company due to information in the Netblock pointing to NetDirekt. As you've mentioned this is not actually yours, I'm happy to take this particular issue as resolved and will leave it to your legal team to deal with those misusing your name.

As far as the abuse reports, they were all sent from services @

I'll also get the cases unresolved, collated from both of my databases, and sent to the address you've specified.

MysteryFCM said...

Not so much as an auto-response so far .....

Unknown said...

We have checked our database and cannot find any abuses email from @
Could it be that you mix up AS28743 and the other turkish AS43391?
Which email adress you are using to send abuese emails to?

MysteryFCM said...

After the comment above, I sent the abuse reports to "info @", as I was asked to do by the above commenter.

I've got more to send later today, to NetDirekt (mainly hacked websites), and a plethora to send to NetDirect (definately NOT hacked sites). If you can drop me an e-mail (services @, I can get them sent directly to yourself.

MysteryFCM said...

As an aside btw, you'll also find I'm not the only one that's publicing your ISPs/company involvement - your company (with the C, not with the K), has also gotten listed in HostExploit's "Top 50 bad hosts".