I've covered Sagade
before, which appears to be a completely black hat web host with no legitimate domains at all. Sagade appear to have a new IP range in the 46.252.130.0 - 46.252.131.255 range which are completely full of toxic sites that should be blocked.
This IP range forms AS52055, of which
Google says:
Safe Browsing
Diagnostic page for AS52055 (RELIKT)
What happened when Google visited sites hosted on this network?
Of the 159 site(s) we tested on this network over the past 90 days, 9 site(s), including, for example, opanaw.com/, videospartyh.info/, galleryhotf.info/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2011-02-23, and the last time suspicious content was found was on 2011-02-23.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 16 site(s) on this network, including, for example, welcometotheglobalisnet.com/, 46.252.129.0/, welcometotheglobaliscom.com/, that appeared to function as intermediaries for the infection of 507 other site(s) including, for example, ctwatchdog.com/, deewanapan.com/, thedailyherald.com/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 55 site(s), including, for example, 46.252.129.0/, sontollones.co.cc/, toney.co.cc/, that infected 2312 other site(s), including, for example, cmsocial.com/, mediafire.com/, aotsargentina.org.ar/.
SiteVet oddly shows the AS as
being offline, but the accompanying "badness" chart shows a big leap in evilness since the beginning of the year, so perhaps the block was reallocated.
As well as .com domains and the like, the block hosts several hard-to-spot .cz.cc and .vv.cc domains which host malware, much of which is being distributed through an apparently bogus ad network at
traff4you.info.
So far, I can see see the following domains in the block (a list with IP addresses and MyWOT ratings can be downloaded
from here):
ertmovs.com
lkjsnfs.com
antivirussystem2011get.com
bbuydelivery.com
berrydush.net
brewtonconsult.net
collach.com
ddk2200.com
enter-way.net
euro2012corp.com
facebook-surprise-njwo.tk
facebook-surprise-njww.tk
fire6495ksd.com
fotoshare-2dknc.com
gigomark.com
grapndet.com
htss.su
hyipl.info
ibifit.com
lokia.info
lost-pass.ru
lostpass.ru
mailx.su
mittmax.com
nanosearchpro.net
novasystemutils2011.com
sentex10zx.in
shabgdr.com
softstoreinc.com
spy4.net
stylus2641fm.com
trabniyd.com
turb-o-search.com
x-pass.ru
xaker.me
nalmeron.cz.cc
agamaris.vv.cc
dalalore.vv.cc
thetakus.vv.cc
maribandis.vv.cc
mogrinn.vv.cc
Registration details for this block are:
inetnum: 46.252.130.0 - 46.252.131.255
netname: Sagade
descr: users
country: LV
admin-c: AK6804-RIPE
tech-c: AK6804-RIPE
status: ASSIGNED PA
mnt-by: andrejskaminskis-mnt
source: RIPE # Filtered
person: Andrejs Kaminskis
address: Latgales 32/34, Rezekne, Latvia
phone: +37127580487
e-mail: reliktbvk@gmail.com
nic-hdl: AK6804-RIPE
mnt-by: andrejskaminskis-mnt
source: RIPE # Filtered
route: 46.252.130.0/23
descr: users
origin: AS52055
mnt-by: andrejskaminskis-mnt
source: RIPE # Filtered
As I said, traffic seems to be fed through
traff4you.info, registered on 10th Decemeber 2010 with anonymous registration details and currently hosted on a dedicated server at
206.161.200.11, but until recently it was on a shared server on 69.65.48.218. This is probably a good domain to block, and I can't see much harm in blocking access to 206.161.200.0/24 and 69.95.48.0/24 while you're at it too.