A couple of months ago I had a serious issue with a new VPS at a different host, when my IP was flagged as having a Website on it that is attacking other Websites. My Website was a simple WordPress site. I had taken occupation of the VPS and new IP in April, and the exploit was apparently noticed in July by Anti-Spam bots. I was away at the time and only picked up on the event three weeks after, when my VPS had already been suspended.
And now the interesting detail. When I protested quite loudly, and my host checked my VPS, there was nothing on my VPS! They reckoned I had something that was part of my VPS – maybe a plugin – that had automatically taken care of the problem.
So when I discovered my VPS suspended, once it was unsuspended I immediately reloaded the OS and powered the VPS down. I wanted to check up what was happening. After three days of shut down I checked up on the IP at places like DNS inspect. Then discovered four silly named Websites with my VPS IP. Like there is no mention of my previous Website with the IP or connection. But the Internet at large came back with listing four Websites as being on the VPS, without the VPS or IP being live.
The four domains were with Namecheap, and obviously had name servers pointing to my IP. One of the domains were the one that was accused of attacking other domains.
So my own theory, for what it is worth. Domain Registrars like Namecheap need to be more strict in scrutinizing name servers. I picked up on at least four DUDD domains (Websites come up with blank pages), with name servers that point to an IP that doesn’t belong to them.