Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 15 July 2010

HostExploit presents the Q2 2010 Top 50 Bad Internet Hosts & Networks Cybercrime Report

At rank #1 of the ‘Top 50 Bad Hosts’, Demand Media/eNom (USA) earns the label of ‘worst host’ from security analysts HostExploit taking over the top spot from Ecatel (Netherlands). A detailed analysis shows high levels of Internet ‘badness’ and cybercriminal activity hosted by Demand Media/eNom in their role as an Internet Service Provider (ISP). HostExploit is pleased to present the Q2 2010 report on the ‘Top 50 Bad Hosts and Networks’. Using data, supplied by, together with Open Source Security data partners, HostExploit has released an updated HE Index of the worst internet hosting operators around the world.

Compiled by actuarial analysis on data provided from all 34,748 public ASes (Autonomous Systems), exchanging routing information with each other over the public Internet, the HE Index is presented as an easy to understand ‘badness’ rating, published in chart form as the ‘Top 50 Bad Hosts and Networks’. With a focus on the worst aspects of cybercriminal activity, the HE Index also takes into account factors such as size of network and potential for the hosting of botnets and the distribution of malware, exploits, rogues and spam.

HostExploit’s unique quantitative study using data across a range of respected data sources produces a more comprehensive analysis on the ‘where’ of Internet hosting ‘badness’ and cybercriminal activity than other current methodologies.

Key findings from the ‘Top 50 Bad Hosts and Networks’ report include:

• The United States has 38% (19 out of the Top 50) of providers hosting Internet badness.
• 6 out of the Top 50 or 12% are based in Russia, 4 or 8% are based in The Netherlands.
• At rank #1 is Demand Media / eNom (US) with an HE Index of 307.5. A detailed analysis shows high levels of botnet command & control servers, badware, malicious URLs, and high levels of abuse via eNom registered, parked and hosted domains.
• The vast majority of the world’s commercial Internet hosts, ISPs and servers operate effective abuse procedures with a low tolerance for hosting badness. 94.2% of the 34,748 ASes compared had an HE Index of 25.0 or lower, indicating low levels of abuses.
• ‘Bad’ hosts are concentrated into 5.8% of all providers.
• Disclosure in the ‘Q1 Top 50 Bad Hosts’ report has been helpful to a number of hosts. Some in contact with us have made good progress in resolving badness and abuse issues, with decreases by as much as up to 90%.

HostExploit’s spokesperson and security analyst, Jart Armin had this to say, ‘We whole-heartedly support the vast majority of hosting providers who do a good job in the prevention of cybercriminal activities. For this reason we also highlight the ‘Top 10 Good Hosts’ to emphasize that when proper abuse controls are in place organized criminal gangs are prevented from sheltering under the protection of legitimate businesses.

The security and wider internet community can play an active role in calling for more stringent enforcement of abuse policies. The power of community action should not be underestimated, as illustrated in the recent exposure and demise of the malware serving hosts such as Troyak, and others. ‘The ‘Top 50 Bad Hosts’ report explores the implications of criminal involvement in terms of global security. It should be seen as a benchmark for law enforcement agencies, Internet crime monitoring bodies and the Internet community as a whole.

The free report can be downloaded in PDF form at The quantitative analysis of each of the 34,748 ASes now with daily updates can be viewed on

About is an informative community based website dedicated to exposing world-wide internet malpractice, backed by Nominet Trust. A foremost source of information on rogue and malicious networks, HostExploit is widely respected for its research reports, daily news feeds, as well as community reports exposing, RBN (Russian Business Network), Atrivo, McColo, Real Host, and others.


SiteVet is a tool aimed at the security research and web development community, providing historical and current data on Domains, IPs, ASNs and Cnets across a wide range of blacklists. This one-stop research tool provides information that will aid internet marketers, security researchers, web developers/masters, and general internet users, in choice of hosting, selection of domains and the security of servers and DNS systems.

You can find the Q2 report at;

1 comment:

greylogic said...

Just read the new report. Outstanding work, as usual. Congratulations to everyone involved.