Summary

  • Hosting4Friends EOOD is an active Bulgarian limited-liability company whose registration number is the one recorded for the organisation behind AS208518. The commercial site is linked with high confidence by its brand, Kyustendil location, hosting activity, Bulgarian-law terms and registration one day after the company was incorporated, although the site does not print the full legal name or registration number and gives a different street address.
  • AS208518 currently originates two Dutch-registered IPv4 /24s, 45.141.61.0/24 and 193.109.136.0/24. Both announcements are RPKI-valid and widely visible, but both blocks are provider-aggregatable space allocated to Access2.IT Group B.V.; they are assigned for the duration of that provider relationship rather than portable assets owned by Hosting4Friends.
  • Public routing observation shows one current upstream, NovoServe B.V. AS24875, no IPv6 originated by AS208518 and only a few months of history under this ASN. That is a clean, simple topology, not proof of physical redundancy, multiple locations, DDoS capacity or a long continuity record.
  • The storefront sells shared hosting, reseller accounts, VPS and nominal dedicated-server packages. Its terms reveal the actual service boundary: customer-managed systems unless management is purchased, ten-day backup retention for shared services, a narrow credit-based uptime promise, broad suspension rights and meaningful exit friction. Buyers should value the service as a support and aggregation layer, not assume it owns the address space, transit, data centre or server fleet.

Begin with the two squares on the map

A /24 is a small but useful unit of Internet territory: 256 IPv4 addresses, large enough to be independently announced on the global routing table and small enough to fit the economics of a specialist host. Hosting4Friends has two. The current RIPE routing record for AS208518 says that the network imports routes from AS24875 and AS208258 and exports AS208518 to them. Live observation is simpler. RIPEstat’s routing-status view, sampled on July 18, 2026, sees two IPv4 prefixes, 512 addresses, no IPv6 space and one observed neighbour. It sees the routes at 323 of 325 full-feed IPv4 peers, which is strong global visibility rather than a local or partial announcement.

Those are the two squares: 45.141.61.0/24 and 193.109.136.0/24. Both registry entries label the network Hosting4Friends, assign country code NL and point to the Bulgarian organisation. Independent routing catalogues agree. bgp.tools, Hurricane Electric’s BGP view and IPinfo’s ASN page each show two IPv4 /24s, no IPv6 and NovoServe as the observed upstream. IPinfo measurements place responsive samples in or near Amsterdam, Delft and Rotterdam; those observations support a Netherlands deployment, though an IP geolocation label is never a rack address.

The tempting description is therefore “a Bulgarian host with a Dutch network.” It is accurate only at a high level. An ASN is authority to state routing policy; it is not a deed for a building, proof of server ownership or an inventory of every product sold on a website. A prefix registration tells the Internet who is using an address range; it does not say which company owns the disks behind it. A route collector sees which autonomous system carried the advertisement next; it cannot see whether there are two cross-connects, redundant routers, spare servers or an engineer on site.

That distinction is the thesis of this business. Hosting4Friends appears to operate the customer account, product packaging, support policy, abuse decisions and the origin identity of two routes. Public evidence shows that other companies provide the address allocation and the only observed path to the wider Internet. The physical server supply is not disclosed. A buyer is not purchasing a miniature hyperscale cloud. The buyer is purchasing an accountable wrapper around several rented layers. That can be a perfectly sensible bargain, provided the wrapper is more transparent and responsive than buying the underlying components directly.

The identity bridge is strong, but the contract should finish it

The legal side begins with Bulgarian company number 207562887. A Bulgarian company-data record identifies ХостингФорФрендс as active, formed as a single-member limited-liability company on October 18, 2023, based at 111 Banska Street in Kyustendil. Its stated activities begin with hosting services. The record names Daniel Rashkov Parvanov as manager. Most importantly for identity, the RIPE organisation entry gives the exact registration number 207562887, the exact English legal name Hosting4Friends EOOD and the same Banska 111 address. The AS208518 record points directly to that organisation. This is not a match guessed from a similar brand: the legal number closes the company-to-network bridge.

The commercial-site bridge requires more assembly. The storefront is at hosting4freinds.com, with “friends” misspelled in the domain. Its privacy policy defines the company as Hosting4Friends, locates it in Kyustendil, Bulgaria, and names that URL as its website. Its terms call the supplier Hosting4Friends, choose Bulgarian law and describe hosting, domains, connectivity, power and technical support. Its contact page gives a Bulgarian phone number and a Kyustendil address. The domain’s Verisign registration record dates its creation to October 19, 2023—the day after the legal entity was incorporated. Brand, activity, city, jurisdiction and timing converge. That is sufficient to treat the site as the operating storefront with high confidence.

It is not a perfect legal imprint. The privacy policy calls the company simply Hosting4Friends rather than Hosting4Friends EOOD, does not print 207562887 and gives 35 Gorotsvetna Street rather than the registered Banska 111 address. One may be an operating address and the other a registered office, but the site does not explain the difference. Its claim that the service has operated “since 2022” may describe a pre-incorporation brand or an operator’s prior activity; it is not the legal company’s age. The company began in October 2023, while the current ASN was assigned only on March 30, 2026.

For a low-risk personal site, those gaps may be tolerable. For a business account, the invoice and order form should complete the proof: exact seller name, company number, VAT number, registered and service addresses, contracting email, applicable product schedule and the legal entity receiving payment. The buyer should also ask the seller to state whether every ordered service will run in AS208518. Nothing on the public product pages maps shared hosting, reseller hosting, VPS or dedicated products to an ASN, a prefix or a facility.

The identity bridge proves that Hosting4Friends EOOD controls the network registration; it does not prove that the entire catalogue sits on that network.

The domain typo is not cosmetic

The misspelling in hosting4freinds.com looks at first like a branding blemish. Operationally it is more serious because the correctly spelled domain is not an alias. Verisign’s record for hosting4friends.com shows a separate registration dating to 2012, different nameservers and a different registrar. The live correctly spelled website describes itself as web hosting for “Jerry’s friends”; it does not identify the Bulgarian company. The two domains should therefore be treated as distinct unless their registrants say otherwise.

Yet the Bulgarian site’s terms direct abuse complaints to [email protected], the correctly spelled domain. The privacy policy instead gives [email protected], while the site footer uses [email protected]. RIPE’s current organisation and abuse records use a Gmail address. This is not merely inconsistent stationery. Abuse response is a control loop: a complainant needs a deliverable address, the host needs a case record, a reseller may need to reach an end customer, and the upstream may impose a deadline. Sending the first report to an apparently separate domain can consume the time in which a compromised site, spam run or phishing page should have been contained.

The same ambiguity affects ordinary support and contract notices. The terms require cancellation through the support desk and impose a seven-day pre-renewal deadline. A customer who writes to the wrong spelling could believe notice was served while the supplier never received it. The SLA requires a credit claim within seven days. An address error can consume that window as well. The public site does offer a contact form and phone number, but neither substitutes for a clearly designated notice address in a business contract.

A competent procurement check is simple. Before paying, open tickets through the portal and both published supplier-domain mailboxes, then require replies that identify the legal entity and ticket number. Ask which address is authoritative for abuse, security incidents, billing disputes, cancellation and formal notice. Ask the company to correct or explicitly disown the correctly spelled address in its terms. For an operator with only 512 originated IPv4 addresses, this repair costs little and materially improves trust.

The broader lesson is that a small host’s service boundary includes its names. Route origin can be cryptographically correct while the human escalation path is misaddressed. The first protects a prefix from one class of routing mistake. The second determines whether anyone responds when a customer machine is compromised. Both are infrastructure.

What Hosting4Friends operates—and what it rents

The strongest evidence of direct operation is the ASN. AS208518 is assigned to Hosting4Friends EOOD; its organisation and technical-contact roles are named for the company; and it is the current origin for both /24s. Originating a route normally entails choosing when it is announced, arranging an upstream session and coordinating route objects and ROAs. Even where a sponsor or upstream performs the keyboard work, the origin identity lets Hosting4Friends separate its routes from a provider’s ASN, develop its own reputation and change routing policy without renumbering immediately.

The addresses themselves are rented in the economically important sense. The RIPE entry for 45.141.61.0/24 marks it ASSIGNED PA, maintained by A2-MNT. The less-specific 45.141.60.0/22 is allocated to Access2.IT Group B.V. The 193.109.136.0/24 entry has the same ASSIGNED PA status and maintainer; its parent 193.109.136.0/23 is also allocated to Access2.IT. Access2.IT is the sponsoring organisation for the ASN.

“PA” means provider aggregatable. RIPE NCC’s plain-language guidance is unambiguous: an organisation with ASSIGNED PA addresses cannot take them when it changes provider and must renumber. Thus Hosting4Friends has a registered assignment and valid use of the two blocks, but their continuity depends on the agreement with Access2.IT. The distinction is not pedantry. If that agreement ends, the company may retain AS208518 while losing the addresses that currently make the ASN commercially useful.

The transit layer is separately rented. RIPEstat neighbour observation sees AS24875, NovoServe B.V., as the one left-side neighbour and no right-side downstream. bgp.tools and IPinfo also identify NovoServe as the sole observed upstream. The registry policy mentions AS208258, Access2.IT’s network, but current public observation does not see it as a second live path. A declared import statement is intent or permission; an observed path is evidence of use. The latter should govern a present-tense resilience assessment.

Hardware remains unproven. NovoServe openly markets a white-label reseller programme in which a partner can rent whole servers, bring an ASN and addresses, control the operating system and sell managed or unmanaged services under its own brand. That public offer fits the visible topology. It does not prove that Hosting4Friends buys its machines under that programme. It may colocate owned servers, rent servers through another intermediary or use several suppliers while taking transit from NovoServe. The proper conclusion is narrower: address allocation and transit are externally supplied; physical ownership and facility contracts are undisclosed.

One upstream can contain many links—and still be one dependency

The phrase “one upstream” is often misunderstood. It does not necessarily mean one cable, router or building. AS24875 can carry a customer over redundant ports, diverse fibre and multiple edge routers. NovoServe’s public status page lists Dutch facilities in Oude Meer, Delft, Schiphol-Rijk and Enschede. Its infrastructure offer describes high-capacity links, BGP support and deployments across several cities. None of that proves which redundancy Hosting4Friends purchased, but it shows why an ASN count alone cannot describe physical design.

It does, however, show administrative concentration. Every globally observed path from AS208518 next enters AS24875. If NovoServe withdraws the customer, filters its routes, suffers a control-plane fault affecting the session or suspends service after an abuse or billing dispute, there is no independently observed second transit organisation to carry the prefixes. Two circuits to the same upstream can protect against a cut; they do not protect against every upstream-wide policy or account failure.

There is also no advertised IPv6 route. This matters because the product catalogue claims IPv4 and IPv6 support for VPS plans. The two statements can coexist: Hosting4Friends could supply IPv6 from an upstream’s ASN, tunnel it, or use a different network for those products. But a customer cannot infer native dual-stack service in AS208518 from the catalogue. The supplier should provide an IPv6 test address, prefix length, origin ASN, reverse-DNS process and explanation of what happens to the allocation on migration. If the answer involves a different provider, that dependency belongs on the service map.

For IPv4, current routing quality has two positive signals. First, route visibility is high. Second, both exact /24 origins are RPKI-valid. RIPEstat validates 45.141.61.0/24 and 193.109.136.0/24 against ROAs authorising AS208518 with maximum length /24. That configuration prevents a more-specific announcement under those ROAs and lets networks enforcing route-origin validation reject an unauthorised origin.

RPKI validity should not be expanded into a general security claim. RIPE NCC explains that current RPKI validates the origin, not the full path. The Internet Engineering Task Force’s operational guidance likewise notes that origin validation does not validate AS paths and that the forwarding path need not mirror the advertised control path. A valid ROA says Access2.IT’s certified address resources authorise AS208518 to originate these /24s. It says nothing about router patching, DDoS scrubbing, cross-connect diversity, customer isolation, disk encryption or backup recovery.

The old origin shows a migration, not an ownership chain

The two /24s have a history older than Hosting4Friends EOOD’s ASN. RIPEstat’s routing history for 45.141.61.0/24 and history for 193.109.136.0/24 show AS209493 as the widely seen origin from March 2023 until the March 2026 changeover. Both then appear under AS208518. AS209493 is registered as HOSTING2YOU LTD and, like AS208518, was sponsored and maintained through Access2.IT and observed behind NovoServe. The shared prefixes, sponsor and upstream make this a clear routing migration between two edge ASNs.

What the records do not establish is the commercial relationship. Companies House says the UK legal company HOSTING2YOU LTD was dissolved on August 29, 2023. That is before Hosting4Friends EOOD’s October incorporation, yet AS209493 continued to originate the routes for more than two years after the dissolution. Possible explanations include an operator continuing a technical service while corporate arrangements changed, an asset or customer transfer, delayed registry housekeeping, or a separate party using the network under contract. Public evidence does not select among them. It would be reckless to call Hosting2You a parent, affiliate or predecessor without a contract or corporate filing.

The history still matters to a buyer in three ways. First, the addresses themselves have several years of routing continuity even though AS208518 does not. That can be useful for reachability and reputation analysis, but the historical reputation belongs to the prefixes and prior users, not automatically to the current legal company. Second, the origin transition demonstrates that Access2.IT can reassign routing authority without changing the blocks or upstream. That is operationally efficient, while also underscoring the sponsor’s control. Third, stale data is inevitable.

Some commercial lookup pages still associate an IP or even AS208518 with an earlier holder. Payment processors, fraud systems, geolocation feeds and email reputation tools may update at different speeds.

A customer should therefore test the exact IP it will receive, not the company name alone. Check geolocation in the customer’s target markets, outbound-mail reputation, common threat feeds, reverse DNS, major content networks and payment gateways. Ask whether the address was used by a prior customer and how replacement works if a third-party reputation system blocks it. The host’s terms threaten fines where spam causes blocklisting, which aligns incentives, but a fine does not repair delivery. Clean allocation, rapid complaint handling and a documented IP-swap process do.

The migration is one of the strongest signs that Hosting4Friends has moved beyond being merely a storefront. Taking a distinct origin ASN creates a clearer network identity. It also starts a new clock. As of publication, the route has only about three and a half months of observed life under AS208518. Any claim about long-term stability under the current operating arrangement must wait for time or be supported by private service records.

Bulgaria writes the contract; the Netherlands determines latency

Jurisdiction and geography separate cleanly here. The legal company is Bulgarian. Its terms select Bulgarian law and venue. The commercial contact is in Kyustendil. The address blocks are registered with country code NL, the only observed upstream is Dutch and public measurements place responsive addresses in the Netherlands. A customer suing over an invoice, reporting a privacy issue or serving a notice deals with the Bulgarian supplier; a customer diagnosing milliseconds and packet loss deals with a Dutch network path.

Neither “Bulgaria” nor “Netherlands” is a full data-residency answer. RIPE country codes are administrative fields. Geolocation services infer locations and can be stale. NovoServe has several Dutch sites. The Hosting4Friends site claims multiple locations but does not publish facility names, availability zones or product-to-location mapping. The public evidence therefore supports Netherlands network use, not a particular rack in Rotterdam, Delft or Amsterdam. A regulated buyer needs a written facility and subprocessors schedule, including backup location, support-access countries and any remote management path.

Performance should be tested from where the users are. IPinfo’s sub-millisecond observations from Delft and Amsterdam are consistent with Dutch infrastructure; a Sofia probe to one address traversed other networks before reaching AS208518. Those examples are snapshots, not an SLA. RIPE Atlas returned no connected public probe registered inside AS208518 at the evidence cut-off. Without a probe or a published looking glass, independent continuous measurements are sparse. A buyer should request test IPv4 and IPv6 addresses, then run at least a week of latency, loss, jitter, throughput and route monitoring from actual customer regions.

The single-upstream design makes path tests especially important. A good median in Amsterdam can coexist with poor evening congestion on one international path. A fast download test can coexist with packet loss during DDoS mitigation. A test IP on one premium node may not represent a shared-hosting cluster. Procurement should specify the product and facility being tested, use both inbound and outbound traffic, and repeat during busy hours.

The contract should also state where data moves during support and recovery. The privacy policy says data may be processed where the company and involved parties operate, but does not name hosting, payment, analytics or backup subprocessors. For ordinary public websites this may be manageable; for personal, health, financial or confidential data, a buyer needs a data-processing agreement, subprocessor list, deletion procedure and breach-notification deadline. Geography is a chain, not a flag.

The catalogue describes packaging, not architecture

The public WooCommerce product catalogue presents four layers. Shared plans run from €25 to €80 a year. Reseller offers package control-panel accounts and storage on quarterly, half-year and yearly billing. Annual VPS offers range from €300 to €1,200, advertising one to 20 virtual CPUs, one to four gigabytes of memory, 100 to 1,000 gigabytes of SSD storage, one to four terabytes of transfer, a dedicated IP and a 100 Mb/s connection. “Dedicated” offers list ten to 20 CPU cores, 12 to 32 gigabytes of memory, Windows or Linux, a 1 Gbit port, daily backups and unlimited email accounts.

Those fields are enough to place an order, not enough to reproduce the service. The VPS pages omit CPU generation, virtualization technology, oversubscription policy, storage media topology, IOPS limits, snapshot mechanics, host-failure recovery, location and whether vCPU time is shared or dedicated. A four-gigabyte VPS advertised with 20 vCPUs is an unusual ratio; it may be appropriate for bursty parallel work, but only if scheduling and sustained CPU entitlement are clear. The dedicated pages do not name a processor, disk capacity or hardware chassis. “Cores” alone cannot distinguish a physical server from a virtual allocation.

The site says Cpanel or Plesk is available, but does not say whether the licence is included in the shown price, which edition applies or who bears future licence increases. It promises daily backups, yet the terms’ detailed backup section discusses website and reseller accounts, a vault retention of up to ten days and the customer’s responsibility to keep copies. VPS and dedicated pages say backups are available, but the exact recovery-point and recovery-time commitments are absent. “RAID protected” and “multiple location” appear in marketing copy; neither replaces a restore test.

This opacity does not prove a weak platform. Small hosts frequently assemble reliable services from mature panels, leased bare metal, external backup storage and manual support. Their advantage can be judgment: migrating a difficult site, fixing DNS, recovering a mailbox or explaining an abuse notice. The problem is that the catalogue mixes outcomes and components without stating which are guaranteed. “100% inbox delivery,” “zero downtime” migration and one-click upgrades without data loss are absolute marketing claims that no responsible buyer should treat as warranties.

The implementation interview should force a diagram into words. Which company owns or leases the node? Which facility holds it? Which hypervisor runs? Where is the control panel? Where are backups, with what encryption and retention? Which network originates each address family? Who has console access? What happens on host failure? Which actions are automated and which require a human? Hosting4Friends can create value at every one of those points; a customer simply needs to know which points it has actually undertaken.

The economics point to a reseller with a support margin

Hosting4Friends’ visible prices make most sense as bundled retail rather than raw compute. The annual VPS sequence works out to roughly €25, €41.67, €83.33 and €100 per month. Storage and core counts rise, memory remains unusually tight, and the port remains 100 Mb/s. Shared hosting is much cheaper because many sites share a licensed panel, mail system and server. Reseller products sell the ability to create accounts, turning the customer into another support and billing layer.

The underlying market is more aggressive. NovoServe advertises Dutch dedicated-server promotions and a reseller programme built around wholesale pricing, white labelling, full remote management and bringing one’s own ASN. Larger European clouds publish much more granular comparisons. Scaleway’s instance pricing separates compute, storage and IPv4, shows hourly and monthly rates, bandwidth and tax treatment. OVHcloud’s VPS range specifies cores, memory, NVMe storage, public bandwidth, backup and an uptime commitment at prices below many Hosting4Friends VPS equivalents. These are not like-for-like comparisons: panel licences, migration, mail, backup, management and human support can outweigh raw compute.

That gap is the commercial test. If Hosting4Friends charges more than a self-service infrastructure supplier, what labour and accountability fill the difference? Its site promises round-the-clock support and free migration. Its terms say unmanaged VPS and dedicated customers should manage their own systems unless they buy a management add-on; support can cost €30 per 30 minutes in office hours and €75 per 30 minutes for emergency work outside them. “24/7 support” may therefore mean the desk is reachable, not that unlimited engineering labour is included.

A buyer should price a realistic year, not the product tile. Add VAT, control-panel licences, management, backup capacity and restores, extra IPv4 addresses, bandwidth overage, migration, emergency tickets, domain renewals and exit work. Ask whether the shown amount is per billing period or an annual total and whether prices include tax. Ask for the currency and exchange-rate rule on the invoice. The terms allow renewal at the prevailing rate and permit package allowances to change for existing customers with notice. That shifts vendor and currency increases to the customer.

There is a plausible niche here. A small agency may prefer one Bulgarian counterparty to a Dutch bare-metal portal, a panel vendor, a mail relay, a backup system and a network sponsor. The host can spread licensing and operational skill across customers. But the margin is justified only if support is fast, backups restore, abuse is handled and upstream failures are owned rather than passed down a chain. Resale is not a criticism; undisclosed responsibility is.

Currency is now simpler than the terms suggest

Hosting4Friends’ commercial documents preserve several monetary eras. The live catalogue is denominated in euros. The November 2023 terms say charges may be in pounds, dollars or euros; cap liability by the “actual pound amount” paid; and render many fees with Є, a Cyrillic character that resembles but is not the euro sign. They also contain the phrase “fourteen (7) day” money-back guarantee. These defects create ambiguity precisely where automated renewal, late fees, chargebacks and refunds require precision.

Bulgaria adopted the euro on January 1, 2026. The European Commission’s changeover page records the fixed conversion rate of 1.95583 lev per euro and says dual display of lev and euro prices remains compulsory until August 8, 2026. At the July 18 evidence cut-off, the public product feed displayed euro only. Whether every listing falls within the Bulgarian consumer dual-display rule depends on the customer, product and manner of sale, so this is not a finding of non-compliance. It is a reason for a Bulgarian consumer buyer to request a compliant final price and for the company to update its presentation.

Euro adoption removes one obvious mismatch between a Bulgarian seller and Dutch euro-denominated infrastructure. Other mismatches remain. Control-panel and software suppliers may price in dollars. The site offers pounds and dollars to customers. Card processors and PayPal set conversion spreads. A reseller that takes an annual euro payment while paying monthly variable infrastructure or licence costs carries timing and vendor-price risk. Its terms answer that risk by allowing renewal-price changes and plan adjustments, not by guaranteeing a multi-year rate.

Customers should insist that order currency, tax basis, renewal currency, conversion source and fee currency match across product page, checkout, invoice and contract. A €500 spam penalty should not appear as an undefined lookalike character. A liability cap should not be expressed in pounds when the customer paid euros. A “seven” or “fourteen” day refund period must be one number. A host selling continuity cannot let the monetary control plane depend on interpretation.

Currency mismatch also shapes exit. The annual plans place more cash with the supplier before service is consumed, while VPS, dedicated servers, certificates and domains are excluded from the stated money-back arrangement. Renewals are non-refundable, cancellation must arrive at least seven days before renewal, and duplicate PayPal payments become account credit rather than cash refunds. Those terms may be commercially acceptable if clearly accepted, but they make a short paid pilot more valuable than an immediate annual commitment.

Security responsibility changes at each product layer

Security begins with a positive, verifiable fact: both IPv4 prefixes have exact RPKI origin authorisations for AS208518. That reduces the risk of an accidental or unauthorised origin being accepted by networks that enforce validation. The company also uses a distinct ASN, which makes its route and reputation easier to observe than addresses hidden entirely inside an upstream origin.

Above routing, evidence thins. The marketing site says servers are monitored around the clock, protected by RAID and high security, and backed up in multiple locations. The terms transfer much of system security to the customer: VPS and dedicated services should be professionally managed by the end user unless management is purchased; applications and plugins must be kept updated; shared environments can be suspended if they threaten other users. This is a conventional shared-responsibility arrangement, but it needs a product-specific matrix.

The matrix should name who patches the hypervisor, host operating system, guest operating system, panel, web applications and firmware. It should state whether administrative access requires multifactor authentication, whether console and panel actions are logged, how employee access is approved, whether backups are encrypted and separated from production credentials, and how vulnerabilities are reported. It should identify DDoS protection by capacity, trigger, covered protocols and customer cost. The public terms exclude DDoS downtime from SLA calculations; they do not promise a particular mitigation service.

The site is candid that shared and reseller hosting is not PCI DSS compliant and tells merchants not to store card details there. That is useful boundary-setting. Its privacy policy is less specific: it lists categories of collected data and general purposes, but no named subprocessors, detailed retention periods, technical controls or cross-border mechanism. A buyer handling regulated or sensitive information should not infer certification from “high security.” It should request a data-processing agreement, subprocessor register, security schedule, incident-notification promise and evidence appropriate to the workload.

The corporate domain itself is behind Cloudflare, while its Verisign record reports no signed DNSSEC delegation. This says nothing decisive about customer servers, but it is another reminder not to generalise. The storefront, mail system, nameservers, customer workloads and AS208518 can all use different providers and controls. Each surface needs its own test.

No credible public report in the frozen evidence set documents a security breach or prolonged outage at AS208518. That is not a clean bill of health. The ASN is young, has little independent telemetry and is small enough that incidents may never become news. Buyers should ask for the previous 12 months of material incidents across the service, including the period before the ASN migration, and how each changed operations.

Abuse handling is an availability feature

Hosting providers sit between end customers, resellers, address suppliers, transit providers, rights holders and law enforcement. Abuse handling is therefore not a compliance appendix; it is part of uptime. An unanswered complaint can cause an address, server, route or whole account to be suspended. A rushed response can terminate an innocent customer. A good process identifies the affected tenant, preserves evidence, imposes a proportionate deadline and keeps the upstream informed.

Hosting4Friends’ terms prohibit spam, malware, attacks, unlawful material and several high-risk uses. They allow investigation, restriction and termination, and require resellers to cooperate with corrective action. The spam section imposes administrative charges and a €500-equivalent charge where bulk mail causes blocklisting. These provisions show awareness of reputation economics: one customer can damage a shared IP pool and impose labour on the operator.

The operational weaknesses are contact fragmentation and broad discretion. RIPE publishes a Gmail abuse mailbox. The terms publish an address at the apparently separate correctly spelled domain. The privacy policy and footer use addresses at the misspelled commercial domain. The terms allow immediate suspension, make the supplier sole arbiter of high resource use and unlisted harmful activity, and deny credits for enforcement-related downtime. They do not publish acknowledgement times, remediation windows, appeal routes or emergency escalation.

For a reseller, the risk compounds. Hosting4Friends must pass a complaint to its reseller customer, who must identify an end user, who may operate in another time zone. Meanwhile Access2.IT controls the PA allocation and NovoServe carries the route. Each layer can have its own deadline. The contract should define who receives upstream notices, how quickly the host acknowledges them, what evidence is shared, when a single IP rather than a server or account is isolated, and how false positives are reversed.

A buyer can test this without creating abuse. Ask the designated mailbox a policy question and measure acknowledgement. Confirm the ticket carries the exact affected IP and timestamp. Request the escalation path for active phishing and for mistaken reports. Ask whether the supplier supports standard abuse formats and whether reverse DNS and WHOIS contacts stay current. The inconsistent public addresses should be corrected before the route’s reputation becomes more valuable.

Small address pools create strong incentives. With only two /24s, Hosting4Friends cannot endlessly discard damaged space. That scarcity can encourage disciplined customer selection and rapid remediation. It also means one persistent bad tenant has a larger proportional effect. The health of the abuse desk will eventually be visible in mail delivery, fraud scores and upstream tolerance.

The SLA is a credit formula, not continuity

Hosting4Friends advertises 99.9 per cent network uptime. In an average month, that permits roughly 44 minutes of counted downtime. The terms promise a credit worth ten times the downtime if service falls below the threshold, but only if the customer claims within seven days. Planned maintenance, natural disasters and DDoS attacks are excluded. Measurement comes from the supplier’s status page and monitors.

Several variables are undefined in the public text. It does not identify the status-page URL, measurement interval, monitoring locations, minimum incident duration, affected component, credit unit or maximum credit. “Ten times the amount of downtime” could mean time added to service or a monetary fraction; the text does not say. It also does not state whether server, storage, power, control panel, DNS, mail and support are covered, or only IP connectivity. A service can remain reachable while its disk is corrupt or its panel cannot provision accounts.

The upstream has a public status page, but an upstream’s status is not the customer’s SLA. Hosting4Friends may run its own hardware, virtualisation, storage and panels on top. Conversely, a NovoServe incident may be excluded or translated differently under Hosting4Friends’ terms. The buyer’s remedy lies against the Bulgarian seller, not automatically against a Dutch supplier with whom the buyer has no contract.

Continuity needs design beyond credits. A €25-per-month VPS customer gains little from a few cents after an outage that costs a day of trading. The useful questions are how the service fails and how to leave. Are there two power feeds and network paths? What is the spare-hardware time? Can a VM restart on another host? Can a backup be restored without the primary control plane? Are DNS and domains separable? Can the customer obtain a current data export when the account is disputed?

A paid pilot should create evidence. Monitor from at least three external regions. Trigger a permitted restore into a separate location. Measure support during office hours and outside them. Reboot through the panel and through a support request. Simulate loss of a server without touching production by documenting the recovery runbook. Record route withdrawals and origin changes. If the supplier will contract for recovery-time and recovery-point objectives, put them beside the uptime figure; if it will not, architect the application so the host is replaceable.

Switching costs live in addresses, panels, mail and notice periods

The most concrete exit cost is renumbering. Hosting4Friends’ two /24s are PA space from Access2.IT. RIPE’s policy means the company cannot assume it can take them to a different address supplier, and an end customer receiving one or five addresses from Hosting4Friends certainly should not assume portability. DNS, allowlists, firewalls, partner APIs, SPF records, payment-risk systems and customer bookmarks may all embed those addresses.

Control panels add application-level gravity. cPanel and Plesk simplify account moves when both ends support compatible versions, but they also package mailboxes, DNS zones, databases, certificates, cron jobs and users into provider-specific workflows. Hosting4Friends offers free migration, yet the exit direction is not promised. A customer should retain independent domain control, DNS exports, database dumps, mail archives, certificate keys where appropriate and application deployment instructions.

Backups can reduce or intensify lock-in. The terms say nightly shared-hosting backups are retained for up to ten days and advise customers to keep their own copies. They also reserve the right to remove backups stored locally on the hosting account. That makes an external, customer-controlled backup mandatory. A backup inside the same supplier account is useful for operational mistakes; it is not an exit plan for account suspension, provider failure or a disputed invoice.

The billing terms create timing costs. Services renew automatically. Cancellation must be submitted through support at least seven days before the invoice date. Renewals are not refundable. VPS and dedicated services are outside the money-back provision. Free domains cannot be transferred for six months. Accounts seven days overdue may be suspended, and the service can charge late and collection fees. Combined with the contact-domain inconsistency, these provisions make documented early notice essential.

Exit planning should begin before migration in. Use a domain registrar independent of the host when possible. Keep authoritative DNS in a portable service. Automate builds. Send backups to an account controlled by the customer. Avoid IP allowlists where a hostname or private overlay works. Test a restore elsewhere every quarter. Contract for a termination export, deletion certificate and reasonable read-only window. If fixed IP reputation is central—mail, payments, partner VPNs—consider whether a provider-independent allocation or a larger host’s flexible-address product is worth the cost.

Hosting4Friends can still be sticky for good reasons: an engineer who knows the customer, a well-tuned panel and responsive migration help. Chosen dependence can be valuable. The aim is to prevent accidental dependence on an address assignment or account portal that cannot travel.

A procurement test built for this particular host

The first test is identity. Require a quote from Hosting4Friends EOOD showing company number 207562887, VAT treatment, Banska registered office, any Gorotsvetna operating address, exact contracting domain and bank or payment beneficiary. Confirm the ordered product, facility, service address and governing documents. Ask why the site’s abuse address uses the separate correctly spelled domain and obtain the corrected authoritative contacts in writing.

The second test is the network handoff. Request one production-representative IPv4 and IPv6 test address. Confirm the IPv4 falls in one of the two registered /24s and originates from AS208518 with a valid route. For IPv6, identify the prefix and origin because AS208518 currently announces none. Ask whether there are two physical circuits, routers and meet-me paths to NovoServe; whether a second upstream is contracted but inactive; and how quickly the company could restore routing if AS24875 service ended.

Ask Access2.IT dependency questions indirectly through the supplier: term of the PA assignment, notice period, ROA control and renumbering plan.

The third is a one-week performance trial from actual users. Measure round-trip latency, loss, jitter, sustained transfer and route path at morning, evening and weekend peaks. Test both directions and several protocols. Verify that the test node matches the purchased product and location. Compare results with a direct NovoServe server and a larger European VPS, not merely to rank speed but to identify what Hosting4Friends’ service layer adds.

The fourth is recovery. Upload an encrypted test dataset, delete it under an agreed procedure and request restoration from the oldest promised recovery point. Record time to acknowledgement, time to restore, data integrity and whether the process incurs a fee. Repeat with a panel export and a restore to an outside provider. Ask where backups reside and whether a compromise of the production credentials can delete them.

The fifth is support and abuse. Open ordinary tickets during and outside business hours. Ask a technical question that requires access to the network or hypervisor, not a copied answer. Send a benign abuse-policy query to the designated contact. Verify ticket numbers, escalation and legal identity. Establish which work is included and which starts the €30 or €75 half-hour meter.

The sixth is contract arithmetic. Reconcile product price, VAT, licence, management, backup, bandwidth, additional IP, restore and renewal charges. Resolve the seven-versus-fourteen-day refund contradiction, currency characters, liability currency and cancellation channel. For Bulgarian consumer sales during the transition period, request the required price presentation. Do not prepay a year until the month-long pilot and one restore have passed.

The final test is exit. Before production, ask the company to demonstrate a full export and state the time to provide it after cancellation. Document DNS and IP changes, domain transfer, mailbox export and deletion. If the supplier resists an exit test, the low headline price is not low.

What remains unverified

Public evidence proves the legal entity-to-ASN bridge and strongly supports the storefront bridge. It proves the two current IPv4 origins, RPKI state, PA status, Access2.IT allocation chain, one observed upstream, Dutch registration geography and prior origin through AS209493. It proves what the public catalogue and terms say.

It does not prove that Hosting4Friends owns any server or data-centre equipment. It does not prove a formal reseller contract with NovoServe, only a live transit relationship and a commercially compatible wholesale offer. It does not identify a rack, facility or redundant physical path. It does not map every storefront product to AS208518. It does not prove native IPv6, DDoS capacity, backup separation, security certification, staffing level, response time or successful restores. It does not establish a corporate link to the dissolved HOSTING2YOU LTD.

It also does not prove bad performance, abuse or incidents. No responsible inference should turn sparse evidence into an accusation. The current routes are widely visible and RPKI-valid. The company has taken the useful step of giving its network a distinct origin. Its terms candidly assign some security duties and exclude shared hosting from PCI DSS use. Those are positives.

The uncertainty is itself commercially relevant. Large suppliers publish facility maps, detailed component specifications, service schedules, audit reports, APIs and status histories because customers buy standardised infrastructure. A small supplier can substitute direct human accountability, but only if it answers specific questions quickly and puts the answers into the order. Silence should be priced as risk; clarity can be priced as service.

The next twelve months will reveal the boundary

The first watchpoint is routing diversity. A second independently observed upstream, especially one outside AS24875’s administrative domain, would reduce one class of dependency. It would need matching route policy, filtering, RPKI and tested failover; a dormant registry import line alone would not count. Continued high visibility and stable origin under AS208518 will gradually build a stronger continuity record.

The second is IPv6. Publishing a native prefix, ROA where applicable, test address and product mapping would reconcile the VPS claim with network observation. In 2026, a host selling long-lived infrastructure without a visible IPv6 plan is borrowing time from scarce IPv4 space.

The third is resource control. PA addresses are reasonable for a small operator, but the company should disclose the allocation dependency and maintain a renumbering plan. Customers should watch changes to inetnum, route, maintainer and ROA records. A future provider-independent resource or additional allocation would change the exit assessment; merely adding customer addresses inside the same Access2.IT parents would not.

The fourth is commercial hygiene. The website should print Hosting4Friends EOOD, company number, VAT details and consistent addresses; correct the abuse mailbox; distinguish the unrelated correctly spelled domain; update the refund period, euro character and liability currency; and expose a status page. Those changes require no new data centre and may improve trust more than another marketing claim.

The fifth is evidence of operations: a service map, hardware specifications, named facility, backup retention and restore metrics, DDoS terms, security responsibilities, subprocessor list and incident history. A small host need not publish trade secrets. It should publish enough for a customer to know which promise belongs to Hosting4Friends and which depends on Access2.IT, NovoServe, a panel vendor or the customer.

The real product is accountable intermediation

Hosting4Friends EOOD’s network is neither imaginary nor fully sovereign. It has a real Bulgarian legal identity, a real ASN, two visible /24s and correct origin authorisations. It also has a real hierarchy above it: Access2.IT allocates and maintains the addresses and sponsors the ASN; NovoServe is the only currently observed path to the wider Internet; the hardware and facility contract are not public. Below it sit end customers and resellers whose sites, mail and reputations share the consequences.

That hierarchy defines the service boundary more honestly than the word “cloud.” Hosting4Friends can operate routing intent, customer provisioning, panels, support, backups and abuse decisions while renting addresses, transit and perhaps machines. Its value is the speed and quality with which it coordinates those layers. If it diagnoses a route, restores a site, reaches an upstream, translates a complaint and gives the customer a clean exit, the intermediary earns its margin. If it merely forwards tickets and points to exclusions, buying closer to the underlying supplier is cheaper and clearer.

The two /24s are therefore not a trophy. They are a test. RPKI shows disciplined origin configuration. PA status shows dependence. One upstream shows concentration. Dutch routing and Bulgarian law show split geography. The old Hosting2You origin shows that infrastructure identities can migrate while addresses stay put. The typo-domain support path shows that the least glamorous control can still be the one that fails first.

A customer can verify much of this before committing: legal seller, route, origin authorisation, address status, upstream, test latency, restore, ticket response, total price and export. What cannot be verified should become a contractual answer or an architectural precaution. That is the fair way to buy from a small host—not to demand that it own every layer, but to insist that it knows exactly where each layer ends and will remain answerable when one of them breaks.