Introduction
One major element of many brand-protection programmes is the use of an algorithm to sort the findings identified through monitoring, according to their relevance or level of potential threat. This prioritisation process offers a number of benefits, including the identification of priority targets for further analysis, content tracking, or enforcement[1,2].
In many cases, prioritisation or 'threat-scoring' metrics of this nature will make use of a number of characteristics of the identified websites in question, each of which independently can provide insights into the potential level of threat. These insights are usually based on research into how frequently the relevant characteristics have previously been associated with content found to be fraudulent, malicious or infringing. Familiar examples of such characteristics might include the TLD (top-level domain, or domain extension) - with some TLDs found to be disproportionately popular with infringers, based on factors such as domain cost and registration requirements, or the nature of any IP protection programmes offered by the registries[3] - or the domain registrar, with infringement rates typically found to be dependent on factors such as compliance with enforcement requests, as per (for example) the registrar 'bad reputation' league table published by Spamhaus[4].
In this article, I consider the hosting characteristics of websites as an indicator of potential threat level, following on from a previous study[5] looking at the set of (IPv4) IP addresses blacklisted in response to identified use for specific infringing purposes (such as spamming and malware distribution), in a database provided by Myip.ms[6] (as of January 2025). This previous study explored the creation of a threat-scoring algorithm based on (among other factors) the proximity of the host IP address of a website of interest to other blacklisted IP addresses. Specifically, an IP address was deemed to be of higher risk if it sat in a netblock together with a higher number of blacklisted addresses.
A by-product of this previous analysis was the construction of a table showing those hosting providers which were most frequently found to be associated with blacklisted IP addresses (a list topped by Amazon Technologies Inc. (14,030 blacklisted addresses, out of the full dataset of 169,023), ChinaNet Jiangsu Province Network (7,285), and Cloudflare (3,317)). However, this list does not provide the full picture, as it may simply be the case that the hosting providers associated with the highest number of blacklisted addresses are just the most popular hosting providers generally (in which case, the numbers of blacklisted addresses would not be disproportionate, implying that the hosting provider's reputation should not be considered to be adversely affected). In this follow-up, therefore, I consider the 'rates' of blacklisted IP addresses per hosting provider, by expressing the raw numbers as proportions of the total numbers of IP addresses (actually, an estimate, based on a sampling exercise) with which the providers are associated.
Methodology and analysis
In order to obtain an estimate of the total extent of online presence of each hosting provider, it would ideally be necessary to carry out a host look-up for every IP address in IP-space (from 0.0.0.0 to 255.255.255.255 - i.e. 256^4 (4.3 billion) in total). However, in order to limit the number of look-ups required, a sampling approach was instead used, in which the analysis considered only four equally-spaced IP addresses within each second-level netblock (i.e. 0.0.0.0, 0.0.64.0, 0.0.128.0, 0.0.192.0, 0.1.0.0, 0.1.64.0, etc.). The idea is that this approach should provide a representative sampling of IP-space, and furthermore is reasonable (to some extent) by virtue of the fact that many hosting providers (particularly the major players) will operate large, continuous blocks of IP addresses (such that the sampling exercise will provide a reasonable overview of the activity breakdown).
By way of additional notes:
- Of the 262,144 IP addresses considered, the automated look-ups were unsuccessful in 97,114 cases (37% of the total), comprising a mix of cases where the IP addresses themselves are invalid and other instances where the look-up timed out or failed. Note that this issue may skew the statistics, if certain regions or hosting providers tend to be disproportionately associated with failed look-ups.
- In the latter stage of analysis, the name of the hosting provider (as given by the look-up) was - as in the previous study - 'cleaned' by truncating at the first instance of a comma (so that, for example, 'China Mobile Communications Corporation, Mobile Communications Network Operator in China, Internet Service Provider in China' is converted to 'China Mobile Communications Corporation'), which will in many cases produce a more reasonable aggregated dataset, but will also generate some 'false positives' (such as hosting providers listed just as (say) 'Headquarters' or 'ZA'), or instances where distinct entities are erroneously aggregated together, such that the final datasets may require some ‘sanity-checking’ and further cleansing. This approach may also generate cases where distinct instances of the 'same' entity are treated separately (e.g. 'Amazon.com' and 'Amazon Technologies Inc.').
From the initial stage of analysis, the hosting providers appearing most commonly in the sampled dataset (i.e. by total numbers) are as shown in Table 1.

| Hosting provider | No. IP addresses |
| --- | --- |
| DoD Network Information Center | 13,551 |
| AT&T Enterprises, LLC | 6,384 |
| Verizon Business | 5,563 |
| Amazon.com, Inc. | 5,197 |
| Amazon Technologies Inc. | 4,714 |
| Comcast Cable Communications, LLC | 4,279 |
| Headquarters, USAISC | 3,334 |
| Microsoft Corporation | 2,802 |
| Korea Telecom | 2,691 |
| Charter Communications Inc | 2,257 |

Table 1: Top ten hosting providers ('uncleaned' names) associated with the sampled set of addresses across IP-space
For the main stage of analysis, a 'bad reputation' or 'threat' score was calculated for each of the hosting providers, by dividing the total number of blacklisted IP addresses under their control (from the previous study) by the total number of (sampled) IP addresses under their control (according to the approach outlined in this study), to give a 'blacklist rate' score. From this approach, the top ten highest-threat hosting providers are given in Table 2 (with the full list of all hosting providers assigned a blacklist rate score of 10.00 or greater shown in Appendix A).

| Hosting provider | Blacklist rate |
| --- | --- |
| Huawei HongKong Clouds | 512.67 |
| Ahrefs Pte Ltd | 462.00 |
| Yandex enterprise network | 382.00 |
| Huawei-Cloud-SG | 280.67 |
| Bangladesh Telegraph & Telephone Board | 280.00 |
| Netprotect | 270.00 |
| Strong Technology | 189.00 |
| geofeed (GitHub: Simonadascalu/Freedomtech-Geofeed) | 116.00 |
| LogicWeb Inc. | 112.00 |
| Huawei Cloud Singapore POP | 95.00 |

Table 2: Top ten 'highest threat' hosting providers, by 'blacklist rate' score
These results exhibit some parallels with other similar analyses; for example, three of the top ten also appear in Scamalytics' list of top 'high-risk ISPs' which achieve risk scores of greater than 52 (out of 100)[7] (namely: geofeed, score = 62; Strong Technology, score = 60; LogicWeb Inc., score = 56).
It is also noteworthy that some other fairly well-known providers do achieve relatively high blacklist rate scores in this new analysis, including Namecheap (rate = 52.00), Cloudflare (rate = 30.43) and OVH SAS (rate = 20.00). Furthermore, of the top 50 most commonly-appearing (i.e. most popular) hosting providers overall amongst the full sampled set of IP addresses, two (ChinaNet Jiangsu Province Network, rate = 10.95; Amazon Technologies Inc., rate = 2.98) have blacklist rate scores greater than 1.
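The methodology above (sampling grid, comma-truncation of provider names, and the blacklist-rate division) can be reproduced as follows. This is an added example, not code from the original study: the function names and the `min_sample` parameter are hypothetical, and the inputs are counts quoted in this article, assembled here for illustration.

```python
import ipaddress
from collections import Counter

def sample_points(first_octets=range(256)):
    """Yield the sample: x.y.0.0, x.y.64.0, x.y.128.0, x.y.192.0 for every x.y."""
    for a in first_octets:
        for b in range(256):
            for c in (0, 64, 128, 192):
                yield ipaddress.IPv4Address((a << 24) | (b << 16) | (c << 8))

def clean_provider(raw):
    """Truncate the look-up's provider string at the first comma."""
    return raw.split(",", 1)[0].strip()

def aggregate(raw_counts):
    """Sum (raw_name, count) pairs per cleaned provider name."""
    totals = Counter()
    for raw, n in raw_counts:
        totals[clean_provider(raw)] += n
    return totals

def blacklist_rates(blacklisted, sampled, min_sample=1):
    """Return (provider, n_blacklisted, n_sampled, rate) rows, highest rate first.

    The numerator counts individual blacklisted addresses while the denominator
    counts sample points (each standing for 16,384 addresses), so rates above 1
    are expected. min_sample is an added parameter, not part of the article:
    it drops providers whose rate rests on fewer sample hits than that.
    """
    floor = max(min_sample, 1)            # zero sample hits would divide by zero
    rows = [(p, n_bl, sampled[p], round(n_bl / sampled[p], 2))
            for p, n_bl in blacklisted.items() if sampled.get(p, 0) >= floor]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Counts quoted in the article; assembling them as inputs here is constructed.
SAMPLED = aggregate([
    ("Amazon Technologies Inc.", 4714), ("Amazon.com, Inc.", 5197),
    ("Headquarters, USAISC", 3334), ("Cloudflare", 109),
    ("Huawei HongKong Clouds", 3), ("Ahrefs Pte Ltd", 1),
])
BLACKLISTED = aggregate([
    ("Amazon Technologies Inc.", 14030), ("Cloudflare", 3317),
    ("Huawei HongKong Clouds", 1538), ("Ahrefs Pte Ltd", 462),
])

if __name__ == "__main__":
    print(sum(1 for _ in sample_points()), "sample points")
    for row in blacklist_rates(BLACKLISTED, SAMPLED):
        print(row)
    print(blacklist_rates(BLACKLISTED, SAMPLED, min_sample=100))
```

Raising `min_sample` shows how much of the ranking depends on providers seen only a handful of times in the sample, which is worth checking before feeding the rate into a wider threat score.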
Conclusion
The analysis reveals the identities of those hosting providers which are disproportionately most frequently associated with blacklisted IP addresses - and, by extension, those which may be most popular with bad actors for hosting infringing or malicious content. Accordingly, the determination that any of these highest-threat hosting providers is associated with an identified website provides some indication that - all other factors being equal - the website might be more likely to pose a threat, and thereby be worthy of closer attention.
On this basis, the 'blacklist rate' scores for the hosting providers (or some variant of them) could serve as a useful component of an overall threat score for ranking websites. This concept may be useful in the prioritisation of findings identified through brand-monitoring services.
Going forward, more robust augmentations to this approach could utilise a more intensive analysis (i.e. a less 'coarse' sampling) of the full set of addresses in IP address space, additional blacklist or threat information, or could be applied to alternative characteristics, such as geographical hosting location (i.e. countries or cities, using geolocation data).
Appendix A: Highest-threat hosting providers by 'blacklist rate' score
| Hosting provider | No. blacklisted IP addresses | No. IP addresses in sample of total | Blacklist rate |
| --- | --- | --- | --- |
| Huawei HongKong Clouds | 1,538 | 3 | 512.67 |
| Ahrefs Pte Ltd | 462 | 1 | 462.00 |
| Yandex enterprise network | 382 | 1 | 382.00 |
| Huawei-Cloud-SG | 2,526 | 9 | 280.67 |
| Bangladesh Telegraph & Telephone Board | 280 | 1 | 280.00 |
| Netprotect | 540 | 2 | 270.00 |
| Strong Technology | 567 | 3 | 189.00 |
| geofeed https://raw.githubusercontent.com/Simonadascalu/Freedomtech-Geofeed/refs/heads/main/Freedomtech%20solutions%20-%20ALL | 116 | 1 | 116.00 |
| LogicWeb Inc. | 112 | 1 | 112.00 |
| Huawei Cloud Singapore POP | 95 | 1 | 95.00 |
| Braveway LLC | 187 | 2 | 93.50 |
| Telekom Srbija | 217 | 3 | 72.33 |
| TOT Mobile Co LTD | 245 | 4 | 61.25 |
| FranTech Solutions | 349 | 6 | 58.17 |
| 1222 Dial-up Free Internet Service | 55 | 1 | 55.00 |
| Network Engineering (Mobile) - Reginal APN IP Lagos | 53 | 1 | 53.00 |
| Namecheap | 156 | 3 | 52.00 |
| Huawei Cloud SG POP | 47 | 1 | 47.00 |
| PT iForte Global Internet | 45 | 1 | 45.00 |
| Beijing Xiaoju Technology Co. | 355 | 8 | 44.38 |
| EZECOM CO. | 171 | 4 | 42.75 |
| BigTip | 80 | 2 | 40.00 |
| Biznet Networks | 271 | 7 | 38.71 |
| Cogetel Ltd | 73 | 2 | 36.50 |
| Castle Global Inc. | 36 | 1 | 36.00 |
| Performive LLC | 232 | 7 | 33.14 |
| SINET | 65 | 2 | 32.50 |
| Single Digits | 32 | 1 | 32.00 |
| HostPapa | 2,157 | 68 | 31.72 |
| CHINANET-ZJ Lishui node network | 601 | 19 | 31.63 |
| Ishan Netsol Pvt Ltd | 31 | 1 | 31.00 |
| MEGA-II IDC | 31 | 1 | 31.00 |
| Cloudflare | 3,317 | 109 | 30.43 |
| Cyber Internet Services Pakistan | 60 | 2 | 30.00 |
| Multinet Pakistan Pvt. Ltd. | 30 | 1 | 30.00 |
| Shinjiru Technology Sdn Bhd | 30 | 1 | 30.00 |
| Amanah Tech Inc. | 29 | 1 | 29.00 |
| VIETTEL (CAMBODIA) PTE | 29 | 1 | 29.00 |
| ASSIGNED-FOR-IMS-IMPLEMENTATION | 28 | 1 | 28.00 |
| B2 Net Solutions Inc. | 278 | 10 | 27.80 |
| Contabo Inc. | 55 | 2 | 27.50 |
| OCULUS NETWORKS INC | 81 | 3 | 27.00 |
| Interserver | 54 | 2 | 27.00 |
| Emerald Onion | 27 | 1 | 27.00 |
| CHINANET-ZJ Quzhou node network | 480 | 18 | 26.67 |
| Latitude.sh | 26 | 1 | 26.00 |
| Secure Internet LLC | 175 | 7 | 25.00 |
| ENTERPRISE | 25 | 1 | 25.00 |
| MekongNet | 49 | 2 | 24.50 |
| PT Jala Lintas Media | 24 | 1 | 24.00 |
| Contabo GmbH | 94 | 4 | 23.50 |
| BDCOM Online Limited | 23 | 1 | 23.00 |
| velia.net | 23 | 1 | 23.00 |
| DhakaCom Limited | 45 | 2 | 22.50 |
| Web2Objects LLC | 197 | 9 | 21.89 |
| Palestine Telecommunications Company (PALTEL) | 65 | 3 | 21.67 |
| Telenor Pakistan (Pvt) Ltd | 21 | 1 | 21.00 |
| GTPL Broadband Pvt. Ltd. | 81 | 4 | 20.25 |
| OVH SAS | 40 | 2 | 20.00 |
| LayerHost | 20 | 1 | 20.00 |
| Dynamic allocation for Broadband Subscribers | 39 | 2 | 19.50 |
| YOU Telecom India Pvt Ltd | 155 | 8 | 19.38 |
| Contabo Asia Private Limited | 19 | 1 | 19.00 |
| Earth Telecommunication(Pvt.)Ltd. | 19 | 1 | 19.00 |
| Indusind Media And Communication Ltd. | 19 | 1 | 19.00 |
| Mailgun Technologies Inc. | 19 | 1 | 19.00 |
| TekTonic | 19 | 1 | 19.00 |
| CTG Server Ltd. | 111 | 6 | 18.50 |
| PT. Mora Telematika Indonesia | 37 | 2 | 18.50 |
| UNICOM ZheJiang Province Network | 576 | 32 | 18.00 |
| GRAMEEN CYBERNET | 18 | 1 | 18.00 |
| PT ARTHA TELEKOMINDO | 18 | 1 | 18.00 |
| Trans World Enterprise Services (Private) Limited | 18 | 1 | 18.00 |
| World Phone Internet Services Pvt Ltd | 18 | 1 | 18.00 |
| YISU CLOUD LTD | 18 | 1 | 18.00 |
| USF DSLAM Central | 69 | 4 | 17.25 |
| eSited Solutions | 187 | 11 | 17.00 |
| J2 Global Ventures | 34 | 2 | 17.00 |
| ZHENGZHOU guangdian COPR | 34 | 2 | 17.00 |
| ACT Hyderabad | 17 | 1 | 17.00 |
| Magnite | 17 | 1 | 17.00 |
| MTNN-OJOTA-REGION-PREFIXES | 17 | 1 | 17.00 |
| Scloud Pte Ltd t/a Scloud Pte Ltd | 17 | 1 | 17.00 |
| ServerPoint.com | 17 | 1 | 17.00 |
| Shiodome Sumitomo Blog 1-9-2 TOKYO | 17 | 1 | 17.00 |
| SwiftMail Communications Limited | 17 | 1 | 17.00 |
| Ucom CJSC | 17 | 1 | 17.00 |
| Ultra Internet Communications LLC | 17 | 1 | 17.00 |
| TOT Public Company Limited | 473 | 28 | 16.89 |
| Digital Energy Technologies Limited | 33 | 2 | 16.50 |
| PT. Media Antar Nusa | 33 | 2 | 16.50 |
| China Unicom HuNan province network | 258 | 16 | 16.13 |
| Colocation America Corporation | 224 | 14 | 16.00 |
| PT Indonesia Comnets Plus | 48 | 3 | 16.00 |
| US Net Incorporated | 32 | 2 | 16.00 |
| Access Telecom (BD) Ltd | 16 | 1 | 16.00 |
| Armour Cloud | 16 | 1 | 16.00 |
| HostRoyale LLC | 16 | 1 | 16.00 |
| N R DATA SERVICE PVT LTD | 16 | 1 | 16.00 |
| Nanping MAN | 16 | 1 | 16.00 |
| PT Mora Telematika Indonesia | 16 | 1 | 16.00 |
| RAHA Ltd | 16 | 1 | 16.00 |
| WIRELESS INDONESIA | 16 | 1 | 16.00 |
| ADSL - DYNAMIC POOL | 110 | 7 | 15.71 |
| Future Tech Distribution | 47 | 3 | 15.67 |
| CMPak Limited | 46 | 3 | 15.33 |
| CHINANET-ZJ Zhongxin node network | 873 | 57 | 15.32 |
| Intelligence Network | 60 | 4 | 15.00 |
| Fiber Grid Inc | 15 | 1 | 15.00 |
| PT Hutchison 3 Indonesia | 15 | 1 | 15.00 |
| PT. Cemerlang Multimedia | 15 | 1 | 15.00 |
| PT. LINKNET | 15 | 1 | 15.00 |
| Westendstrabe 28 | 15 | 1 | 15.00 |
| PT. MNC Kabel Mediacom | 29 | 2 | 14.50 |
| DigitalOcean | 2,329 | 164 | 14.20 |
| America-NET Ltda. | 28 | 2 | 14.00 |
| Dynamic allocation for LTE customers | 28 | 2 | 14.00 |
| HOSTKEY | 14 | 1 | 14.00 |
| Leaseweb Asia Pacific Pte. Ltd. | 14 | 1 | 14.00 |
| rain | 139 | 10 | 13.90 |
| Chandigarh | 122 | 9 | 13.56 |
| Static IP Addresses for Internet Services | 27 | 2 | 13.50 |
| Centrilogic | 53 | 4 | 13.25 |
| NEWTREND | 53 | 4 | 13.25 |
| PT. Eka Mas Republik | 26 | 2 | 13.00 |
| Sneaker Server | 26 | 2 | 13.00 |
| Gigantic Infotel Pvt Ltd | 13 | 1 | 13.00 |
| PT Net2Cyber Indonesia | 13 | 1 | 13.00 |
| VIETTEL (CAMBODIA) PTE. | 63 | 5 | 12.60 |
| WebNX | 75 | 6 | 12.50 |
| Sharktech | 87 | 7 | 12.43 |
| BNG_MED1_orange | 24 | 2 | 12.00 |
| Wowrack.com | 24 | 2 | 12.00 |
| InterCloud ltd | 12 | 1 | 12.00 |
| Leaseweb Deutschland GmbH | 12 | 1 | 12.00 |
| Maxis Broadband Sdn.Bhd | 12 | 1 | 12.00 |
| Reserved-for-Enterprise-Internet-WAN | 12 | 1 | 12.00 |
| Sipbound Corporation | 12 | 1 | 12.00 |
| Krypt Technologies | 235 | 20 | 11.75 |
| PT Telkom Indonesias customer. | 23 | 2 | 11.50 |
| 10 Fl. 72. CAT TELECOM TOWER Bangrak Bangkok Thailand | 137 | 12 | 11.42 |
| Alibaba Cloud LLC | 1,971 | 173 | 11.39 |
| CHINANET FUJIAN NETWORK | 136 | 12 | 11.33 |
| GMO Internet Group | 102 | 9 | 11.33 |
| UNE EPM TELECOMUNICACIONES S.A. | 99 | 9 | 11.00 |
| LINKdotNET Telecom Limited | 22 | 2 | 11.00 |
| Pakistan Mobile Communications Limited | 22 | 2 | 11.00 |
| CABONNET INTERNET LTDA | 11 | 1 | 11.00 |
| Mammoth Media Pty Ltd | 11 | 1 | 11.00 |
| Myanma Post and Telecommunication | 11 | 1 | 11.00 |
| POOL27 CONTEXT ORANGE BAS4 | 11 | 1 | 11.00 |
| SONATEL Societe Nationale Des Telecommunications Du Senegal | 11 | 1 | 11.00 |
| Telekom Slovenije d.d. | 11 | 1 | 11.00 |
| VPSONLINE Ltd | 11 | 1 | 11.00 |
| CHINANET jiangsu province network | 7,285 | 665 | 10.95 |
| SendGrid | 97 | 9 | 10.78 |
| DataWagon LLC | 21 | 2 | 10.50 |
| PT Remala Abadi | 52 | 5 | 10.40 |
| Emeigh Investments LLC | 61 | 6 | 10.17 |
| IONOS Inc. | 81 | 8 | 10.13 |
| FLAT 301 | 20 | 2 | 10.00 |
| TYO_VULTR_CUST | 20 | 2 | 10.00 |
| Automattic | 10 | 1 | 10.00 |
| National Telecom Public Company Limited 7 Fl. 72. CAT TELECOM TOWER Bangrak Bangkok Thailand | 10 | 1 | 10.00 |
| Neuviz (PT. Piranti Prestasi Informasi) | 10 | 1 | 10.00 |
| Pacific Connect Private Limited | 10 | 1 | 10.00 |
| PT Jembatan Citra Nusantara | 10 | 1 | 10.00 |
| PT Telkom Satelit Indonesia | 10 | 1 | 10.00 |
| PT. Comtronics Systems | 10 | 1 | 10.00 |
| PT. KINEZ CREATIVE SOLUTIONS | 10 | 1 | 10.00 |
| VIZAG BROADCASTING COMPANY PVT. LTD | 10 | 1 | 10.00 |

References
[1] 'Patterns in Brand Monitoring' (D.N. Barnett, Business Expert Press, 2025), Chapter 5: 'Prioritisation criteria for specific types of content'
[2] 'Towards a generalised threat-scoring framework for prioritising results from brand monitoring programmes', [link TBC]
[3] https://circleid.com/posts/20230117-the-highest-threat-tlds-part-2
[4] https://www.spamhaus.org/reputation-statistics/registrars/domains/
[5] '"Notorious IP Addresses" and initial steps towards the formulation of an overall threat score for websites', Stobbs e-book [link TBC]
[6] https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time
[7] https://scamalytics.com/ip/isp
This article was first published on 3 April 2025 at:
https://circleid.com/posts/notorious-hosting-providers-an-overview-of-the-highest-threat-hosts-from-ip-address-blacklist-analysis