jobbais

false positive?

I have to inform you that the whole range is blocked by Malwarebytes, which is strange: this is a rather new ISP which doesn't host that many sites/servers.

So can you please look into this.

gr.


This is neither strange, nor an F/P. This particular host (A2B Internet B.V.) has been blacklisted due to their offering "bulletproof hosting" to criminals. After a recent conversation with them, they advised they wouldn't take action against one of their customers (the customer was offering potential clients "bulletproof hosting", advising he/she had an "agreement" with A2B Internet B.V., and even advising they'd allow customers to host botnets as long as they were "web based").

A2B Internet B.V. were warned the blacklisting would occur, were sent screenshots of their customer's posts, and did nothing. Due to an on-going investigation, I can't say any more than that at present.


Let me react on this.

Dutch law doesn't allow to terminate a contract with customers if there wasn't any form of abuse. That was also what we answered on the requested ntd.

A forum post on a forum, stating that you can host any kind of content, is not a reasonable reason for termination that would hold in a court.

Lucky for you, the particular 'reseller' of our customer didn't behave, and when we received 2 separate abuse messages within 24 hrs we blackholed all their provided IP addresses and told our customer to terminate their contract. As I also explained in our conversation, this is how we operate; we are very clear on that.

Having blackholed the entire IP space, while the RIPE DB clearly stated that our customer only has a /24, because you didn't do your homework or provide any proof of abuse, is not correct imho.

Regards,

Erik Bais


The block has already been removed, due to their booting the client in question.


Thanks guys. Rather strange that you guys block the whole range instead; this will then also block normal people like myself, for example.


Again you guys are blocking the whole range a2b-internet.

Please get it off the block, guys; this is getting rather annoying. Either block the IP in question that does, or in your opinion might, contain malware, but simply blocking whole ranges is not the way to protect people from malicious code, in my opinion.

I can't enter my site, can't enter the a2b portal for statistics, because everything is again blocked.

Hope you sort this out a.s.a.p.

gr.


I thought I'd made an exception for this one, I'll get it corrected for the next update (may want to inform them however, that housing criminals, disguised or otherwise, isn't exactly helping them - or you (do you really want to be associated with an ISP that actively allows the likes of fuckjagex.com, r00t-access.com for example?))


Steve,

I'm the CEO of A2B Internet.

Both domains are NOT direct customers of A2B Internet. They are hosted by a reseller who is purchasing dedicated servers from our customer.

Our customer with their IP range is registered in the RIPE DB. They have 1 /24. If you want to put that /24 on a block, that is your decision, however putting a complete /21 in a blocklist is just crazy.

Either do your homework as explained earlier and provide insight via abuse@ that these particular domains are hosting malware or illegal content or that the specific IP addresses are participating in scanning / DoS attacks or other things.

I have received NO complaints or abuse messages about the particular IPs or the domains that they are hosting something illegal and, as stated to you before, Dutch law doesn't allow me to kick domains / websites or servers without reason or cause.

We are running a VERY active abuse policy: we disconnect first and ask questions later, however AFTER we have received a valid complaint. Not before.

Besides the above, there is such a thing as freedom of speech, people are on that part also subject to the Dutch law and unless there is a compelling reason, there is little I can do at this moment as they haven't done anything yet.

Regards,

Erik Bais

A2B Internet


I'll look into why the abuse reports didn't make it through to you, but as far as "doing my homework", I did - it's your IP range, and as such, your responsibility.

You told me last time that you'd booted the customer involved - but all you seemed to have done is boot one of his domains (fuckjagex.com for example, is owned by the same person).


Steve,

Do us both a favor and block the IP address involved or limit the block to the assigned IP range in the RIPE DB.

An ISP (LIR), as we are, has an ALLOCATION from RIPE, from which we ASSIGN IP addresses / ranges to our customers. Limit the block to (178.249.154.101) and we are both happy.

And if you have specific reasons or proof that is good enough for us to boot the reseller of our customer, do send it via abuse@ and we will take action on it.

Hosting a forum by itself is not illegal.

Regards,

Erik Bais
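
The scoping requested in the post above (list the offending address or the range assigned in the RIPE DB, not the whole allocation), as an added example that is not part of the thread. The inetnum objects are constructed: the netnames are hypothetical and the ranges are only the aligned /21 and /24 around the IP quoted in the post.

```python
import ipaddress

# Constructed inetnum objects in RIPE DB style. Netnames are hypothetical;
# the ranges are simply the aligned /21 and /24 around the IP in the thread.
SAMPLE_RPSL = """\
inetnum:        178.249.152.0 - 178.249.159.255
netname:        EXAMPLE-LIR-ALLOCATION
status:         ALLOCATED PA

inetnum:        178.249.154.0 - 178.249.154.255
netname:        EXAMPLE-CUSTOMER-ASSIGNMENT
status:         ASSIGNED PA
"""

def parse_inetnums(text):
    """Parse blank-line-separated RPSL objects into dicts."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        first, last = (ipaddress.ip_address(p.strip())
                       for p in attrs["inetnum"].split("-"))
        objects.append({"first": first, "last": last,
                        "status": attrs.get("status", "")})
    return objects

def block_scope(ip, objects):
    """Networks to list for one offending IP.

    Uses the smallest ASSIGNED range covering the IP; if only an
    allocation covers it, falls back to the single host instead of
    widening to the whole allocation.
    """
    addr = ipaddress.ip_address(ip)
    assigned = [o for o in objects
                if o["first"] <= addr <= o["last"]
                and o["status"].startswith("ASSIGNED")]
    if not assigned:
        return [ipaddress.ip_network(ip)]
    best = min(assigned, key=lambda o: int(o["last"]) - int(o["first"]))
    return list(ipaddress.summarize_address_range(best["first"], best["last"]))

def collateral(networks, offending=1):
    """Addresses caught by the block beyond the offending ones."""
    return sum(n.num_addresses for n in networks) - offending

if __name__ == "__main__":
    objs = parse_inetnums(SAMPLE_RPSL)
    for ip in ("178.249.154.101", "178.249.156.10"):
        nets = block_scope(ip, objs)
        print(ip, [str(n) for n in nets], collateral(nets))
```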


I've already corrected the block (will be pushed out shortly if it's not been already), and re-sent the abuse report to you (CC'd to LE at this end again, as I'm getting rather tired of playing games with your "reseller").

Hosting a forum indeed is not illegal, but phishing scams are:

halblbo.com

Forums dedicated to the development of malware, sharing/selling of stolen accounts, certainly are (both of which fuckjagex.com and r00t-access.com for example, are involved in).

... and who is at the center of all of this? The same customer (sorry, "reseller") we spoke about previously - exehosts.com.


Steven,

Based on the phishing site I've put the ip address on the blackhole.

I informed my customer that they need to tell their reseller/customer about the situation and that I don't want them in the A2B Internet network.

Regards,

Erik Bais


Much appreciated, thank you.

I'll continue to monitor this over the next few weeks and take any further action as appropriate (you should also hear from my LE contact shortly)
