
Friday, 19 April 2013

OVH WTF

If you work in the anti-spam or anti-malware business then you've probably come across OVH. It's a company with a shockingly bad reputation in these fields, tolerating malware and spammers to an extent that no other major host does. It even has a special tag in this blog to keep track of all the crap it hosts.

One particularly bad part of the network is the "MMuskatov" block 5.135.67.128/25 (5.135.67.128 to 5.135.67.255). I covered this back in February, but the situation has become even worse since then. This entire /25 hosts apparently zero legitimate sites and one of the highest concentrations of malware sites that I have seen for some time.

Out of 456 sites that I have identified in this block, 84 (18%) have been flagged as being dangerous by Google. 106 (23%) have a WOT trustworthiness score of 10 or less, and only 2 (0.4%) manage more than 40%... and that's probably by accident.

A full list of the sites I can find and their ratings can be found here. And this isn't the only large scale black hat customer that OVH host, because there is Sidharth Shah as well. One can only speculate about the type of financial arrangements that these customers have in order to keep going.

I would recommend blocking the entire 5.135.67.128/25 range and implementing a zero-tolerance approach for OVH blocks that might appear on your radar for spamming and malware.
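A retrospective check to pair with the block recommended above, as an added example that is not from the original post: it scans outbound connection logs for destinations inside 5.135.67.128/25 so you can see which internal clients have already contacted the range. The log format, client addresses and hostnames are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The range the post recommends blocking.
BLOCKED_NET = ipaddress.ip_network("5.135.67.128/25")

# Constructed sample log: "<time> <client> -> <dest>:<port> host=<name>".
SAMPLE_LOG = """\
2013-04-19T09:12:01 10.0.0.21 -> 5.135.67.130:80 host=placeholder-a.example
2013-04-19T09:12:07 10.0.0.21 -> 5.135.67.127:80 host=placeholder-b.example
2013-04-19T09:13:44 10.0.0.35 -> 5.135.67.255:443 host=placeholder-c.example
2013-04-19T09:14:02 10.0.0.35 -> 203.0.113.10:80 host=placeholder-d.example
2013-04-19T09:15:10 10.0.0.40 -> 5.135.67.999:80 host=placeholder-e.example
line that does not match the expected format
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> ([0-9.]+):(\d+) host=(\S+)$")


def find_hits(log_text, network=BLOCKED_NET):
    """Return (hits, skipped): hits maps client IP to a list of
    (timestamp, destination, host) tuples inside `network`; skipped
    counts lines that could not be parsed."""
    hits = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            skipped += 1
            continue
        ts, client, dest, _port, host = match.groups()
        try:
            dest_ip = ipaddress.ip_address(dest)
        except ValueError:  # e.g. an octet above 255
            skipped += 1
            continue
        if dest_ip in network:
            hits[client].append((ts, str(dest_ip), host))
    return dict(hits), skipped


if __name__ == "__main__":
    hits, skipped = find_hits(SAMPLE_LOG)
    print(f"{BLOCKED_NET}: {BLOCKED_NET[0]} to {BLOCKED_NET[-1]}")
    for client, rows in sorted(hits.items()):
        for ts, dest, host in rows:
            print(f"{client} contacted {dest} ({host}) at {ts}")
    print(f"unparsed lines: {skipped}")
```

Note that 5.135.67.127 sits one address below the /25 and is correctly left out, while 5.135.67.255, the last address of the range, is included.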

The following sites are flagged by Google as being malicious:


These sites are flagged by WOT as being untrustworthy (less than 20):

4 comments:

Skye said...

OVH is terrible, my forums are under constant attack from their hosted servers. Here are my current OVH blocks, adding more all the time:

Deny from 5.135.0.0/16
Deny from 46.105.0.0/16
Deny from 91.121.0.0/18
Deny from 94.23.0.0/16
Deny from 142.4.192.0/19
Deny from 176.31.128.0/17
Deny from 176.31.180.0/22
Deny from 178.32.0.0/15
Deny from 188.165.0.0/16
Deny from 192.95.0.0/18
Deny from 198.245.48.0/20

Birdy said...

Thanks for the post! A site, Kootation.com, hosted with OVH is abusing my blog by hotlinking each and every image from my blog. Contacted their abuse department, but it was of no use. Any help or suggestion would be highly appreciated.

oyvinds said...

lol I found this blog by searching for a complete list of OVH IP ranges. Sadly I can't find one. :-/ Guess why I'd want one?

Conrad Longmore said...

@Birdy: I heard a rumour that there are some legitimate sites in OVH's ranges too ;)