And in today's firing line, competing with the rest for the title of world's most crimeware-friendly ISP, we have AS8206, the Latvian-based ISP Junik-Riga-LV.
Junik is being listed for 2 very specific reasons. They're providing connectivity for:
AS29106 VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
AS49314 NEVAL PE Nevedomskiy Alexey Alexeevich
Oh dear, this isn't going to end well, is it?
Neval has been home to a plethora of malicious content over the years, and like a few others, I've not yet seen a single legit domain hosted over there. Criminals they DO, however, host include the miscreants responsible for the YES exploit pack, who are housed at say-yes.biz (18.104.22.168).
Not exactly hiding what they're offering, are they? (Hat tip to SysAdMini for the heads up.)
Then, of course, there's the usual selection of rogues such as mcafee-malware.com, which is housed at 22.214.171.124. Or this piece of malicious goodness (sadly, only one vendor is detecting it at the time of writing), housed at dowmowvid.ru, which was living on 126.96.36.199 and has now moved to another criminal network, 188.8.131.52 (AS24826 KHARKOV-TERMINALS-AS PE Viktor Nastechenko, see here).
Indeed, I'll tell you what, just pick ANY domain within the Neval network, and you'll find it's involved in malicious activity of one description or another.
And then we get to VolgaHost, yet another network whose connectivity is provided by Junik, and one that doesn't contain a single legit domain. Every single one is involved in either exploits or malware of one description or another (ZeuS and Fragus exploits primarily). For example:
One can't help wondering why Junik are allowing this to continue, especially given neither VolgaHost nor Neval are exactly trying to hide it. Well, Junik, care to explain yourselves?
Until they do bother to boot these criminals, I'd personally recommend everyone blackhole their ranges. Sadly, this seems to be the only way these ISPs are going to learn.