24 November 2006 Changes (HHH)
-------------------------------

1. Action: Added URL start rule
   Added:  BadURL_WordStarts[i++]="hard[(b|c|e|p|s)]";
   Reason: These are the most frequent of the hard* hosts in the database.
           We may have to either downgrade this in the future or tailor it,
           but although only 65% of the hosts in the database were alive,
           well over 50% of the hosts were not parked, no web server, etc.
           They were alive. I MAY add 'a' in the future, but I doubt it.
           82 s * 52 c * 52 e * 36 b * 28 p ? 21 a

2. Action: Bad Domain rule
   Added:  BadDomains[i++] = ".247realmedia";
   Reason: This isn't permanent. Yes, they abuse their rights with JavaScript.
           I just want the names of any unknown domains that are not in the
           hosts file. After that I will remove it.
           I want LOGS FROM EVERYBODY FOR THIS!

3. Action: Added GOOD DOMAIN rule
   Added:  GoodDomains[i++] = ".amazon.com";
   Reason: As one of the number one book and other online product vendors, it
           needs a free hand. Unlike Barnes & Noble, and more akin to Border's,
           they do very little (NONE?) spying through third party spies. But I
           haven't seen it in their scripts either. So far I have had no
           problems with Border's.

4. Action: Deactivated "porn" rules
   Removed: // BadURL_WordStarts[i++]="porn";
            // BadURL_WordEnds[i++]="porn";
   Reason: BadURL_Parts[i++] = "porn";
           Until a false positive forces this rule down to apply to only HOSTS,
           why have the other two? I did NOT just remove them though. Just
           leave them as they are, commented out. I also added comments for
           the header:
           // arrays. Nevertheless, until a false positive shows up, the word
           // "porn" is not allowed anywhere in a URL. As soon as that rule elicits
           // a false positive, it will be downgraded to HOST, and the start and end
           // rules will be uncommented and activated for the URL.

5. Action: "natural" rule
   Removed: BadHostParts[i++] = "natural[^il]";
   Reason: We have already downgraded it, and modified it. I will have to look
           at the 400 or so host entries and figure out what to do. After all,
           that is the natural thing to do.

6. Action: Added "wicked" rule
   Added:  BadHostParts[i++] = "wicked";
   Reason: 84 of them. I may upgrade this to apply to the URL, but for now
           Mike Burgess has run off and found that some of them go beyond just
           porn: www.wickedpictures.com  DON'T GO THERE ON MS WINDOWS!!!
            60 wicked_Parts.txt
            13 wicked_Starts_and_Ends.txt
            84 wicked_Passed_All_Rules.txt
           -------------------------------
           157 total

7. Action: Removed "eyeblaster-bs"
   Removed: BadHostParts[i++] = "eyeblaster-bs";
   Reason: Dated. You can get a cookie from either eyeblaster.com or
           eyeblaster-bs.com. I have never seen the cookies, and it hasn't
           been called by anybody.
           http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453077904

24 November 2006 UNresolved False Positives (HHH)
-------------------------------------------------

1. Word:  "exposed"
   Rules: BadURL_Parts[i++] = "exposed";
   Reason: www.hackinglinuxexposed.com/articles/20031231.html
            96 expos_Parts.txt
            70 expos_Starts_and_Ends.txt
            92 expos_Passed_All_Rules.txt
           ------------------------------
           258 total
           47 of the 92 passing are exposed; the others are exposure, expose,
           and some variations of sexpost. Downgrading the rule does NOTHING.
           In fact I am thinking of shortening it to "expose", where it is
           usually used in the French pronunciation of eks-po-zay.

2. Word:  "girl" at portal.opera.com
   Rules: BadURL_Parts[i++] = "dreamgirl";
          BadURL_Parts[i++] = "girlfriend";
          BadURL_Parts[i++] = "schoolgirl";
          BadURL_Parts[i++] = "teengirls";
          BadURL_WordStarts[i++]="girl";
          BadURL_WordEnds[i++]="girl";
   Reason: "girl" at portal.opera.com
           I have monitored my phttp.log for more than six weeks now. Here is
           what has shown up:
           http://www.estdomains.com/anacreon/images/homegirl.jpg
             (triggered by www.estdomains.com in hosts file)
           http://images.ig.com.br/homev8/novas/ic_girl18_box_novo.gif
             (triggered by images.ig.com.br in hosts file)
           http://www.kcsm.org/Reconnections/images/computer_girl.png
             (Going to kcsm.org takes you to: http://www.w3.org/Protocols/ )
             (I never would have known it without a grep through logs!)
           www.clubhardball.com/templates/icons/search_girl.gif
             (porn site - Start or End rule)
           www.agentlemanschoice.com/images/join_girl.jpg
             (porn site - Start or End rule)
           All but the third one were either spy or porn domains.

24 November 2006 RESOLVED False Positives (HHH)
-----------------------------------------------

1. Word:  URL Start "hard"
   Rules: BadURL_WordStarts[i++]="hard[(b|c|e|p|s)]"

2. Word:  URL Start and End "pink"
   Rules: BadURL_WordStarts[i++]="pink";
          BadURL_WordEnds[i++]="pink";
   Reason: Disney took me at my word with their following URLs:
           adisneyparks.disney.go.com/media/disneyparks/en_US/media/
             btn_pink_continue.gif
             btn_pink_login.gif
             btn_pink_sendpassword.gif
             btn_pink_submit.gif
           But rather than changing the words, they came up with a clever way:
           when you mouse over the buttons it changes to allow you in.
           Whatever. They have shifted from using doubleclick to using hitbox
           for one of their spies.
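The changelog edits six rule arrays (GoodDomains, BadDomains, BadURL_Parts, BadURL_WordStarts, BadURL_WordEnds, BadHostParts) and then reports which URLs each tier caught or missed, but never shows the matching itself. The JavaScript below is an added example, not the ruleset's own code: it models the tiers and replays the URLs quoted in the false-positive reports through them. The tier semantics (whitelist first; Parts matched anywhere in the URL; WordStarts/WordEnds requiring a non-alphanumeric boundary; HostParts confined to the hostname, which is what a "downgrade to HOST" means here; domain rules as leading-dot substrings of the hostname) are my assumption, inferred from which rule the log says fired for each URL. The rule strings are the ones quoted above; the amazon, 247realmedia, wicked.example and example.com entries in the sample log are constructed to exercise tiers the quoted URLs do not reach.

```javascript
// Added example, not the ruleset's own code: a model of the tiered URL filter
// whose arrays this changelog edits. Tier semantics are an assumption inferred
// from the false-positive reports in the log:
//   GoodDomains        whitelist, checked first, matched against the hostname
//   BadDomains         blocked, matched against the hostname
//   BadURL_Parts       regex fragment matched anywhere in the full URL
//   BadURL_WordStarts  fragment must begin a "word" (preceded by a non-alphanumeric)
//   BadURL_WordEnds    fragment must end a "word" (followed by a non-alphanumeric)
//   BadHostParts       fragment matched only inside the hostname (the "HOST" downgrade)
// Rule values are the ones quoted in the changelog.

const GoodDomains = [".amazon.com"];
const BadDomains = [".247realmedia"];
const BadURL_Parts = ["porn", "exposed", "dreamgirl", "girlfriend", "schoolgirl", "teengirls"];
// "hard[(b|c|e|p|s)]" is written as a character class, so besides b/c/e/p/s it
// also admits a literal "(", "|" or ")" after "hard"; "hard(b|c|e|p|s)" would not.
const BadURL_WordStarts = ["hard[(b|c|e|p|s)]", "girl", "pink"];
const BadURL_WordEnds = ["girl", "pink"];
const BadHostParts = ["wicked"];

// Hostname of a URL that may or may not carry a scheme (the log lists both forms).
function hostOf(url) {
  const noScheme = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return noScheme.split(/[/?#]/)[0].toLowerCase();
}

// Domain rules are leading-dot substrings; prefixing the host with "." lets
// ".amazon.com" match "amazon.com" itself as well as "www.amazon.com" (assumption).
function domainMatches(host, pattern) {
  return ("." + host).includes(pattern);
}

// Returns the first rule that decides the URL, in whitelist-first order.
function classify(url) {
  const u = url.toLowerCase();
  const host = hostOf(url);
  const hit = (action, tier, rule) => ({ action, tier, rule });

  for (const d of GoodDomains) if (domainMatches(host, d)) return hit("allow", "GoodDomains", d);
  for (const d of BadDomains) if (domainMatches(host, d)) return hit("block", "BadDomains", d);
  for (const p of BadURL_Parts) if (new RegExp(p).test(u)) return hit("block", "BadURL_Parts", p);
  for (const p of BadURL_WordStarts) {
    if (new RegExp("(?:^|[^a-z0-9])(?:" + p + ")").test(u)) return hit("block", "BadURL_WordStarts", p);
  }
  for (const p of BadURL_WordEnds) {
    if (new RegExp("(?:" + p + ")(?:$|[^a-z0-9])").test(u)) return hit("block", "BadURL_WordEnds", p);
  }
  for (const p of BadHostParts) if (new RegExp(p).test(host)) return hit("block", "BadHostParts", p);
  return hit("allow", null, null);
}

// Replays a proxy log through the rules and reports which tier fired for each
// entry: the grep-through-the-logs review the changelog describes.
function auditLog(urls) {
  return urls.map((url) => {
    const r = classify(url);
    return { url, action: r.action, tier: r.tier, rule: r.rule };
  });
}

// Sample log: the URLs quoted in the changelog, plus constructed entries
// (marked) for tiers the quoted URLs do not exercise.
const SAMPLE_LOG = [
  "http://www.hackinglinuxexposed.com/articles/20031231.html",
  "http://www.estdomains.com/anacreon/images/homegirl.jpg",
  "http://images.ig.com.br/homev8/novas/ic_girl18_box_novo.gif",
  "http://www.kcsm.org/Reconnections/images/computer_girl.png",
  "adisneyparks.disney.go.com/media/disneyparks/en_US/media/btn_pink_continue.gif",
  "http://www.amazon.com/",                       // constructed: whitelist wins
  "http://ad.247realmedia.com/",                  // constructed hostname: BadDomains
  "http://wicked.example/",                       // constructed: host-only rule fires
  "http://www.example.com/wicked-problems.html",  // constructed: same word in the path passes
  "http://www.example.com/hardware/drivers.html", // constructed: "hardw" is outside hard[...]
];

for (const row of auditLog(SAMPLE_LOG)) {
  console.log(`${row.action.padEnd(5)} ${row.tier || "-"} ${row.rule || ""}  ${row.url}`);
}
```

Run as-is, the replay shows the pattern the log reports: "exposed" is caught by the Parts tier wherever it sits in the URL, the girl and pink hits come only from the word-boundary tiers (homegirl.jpg at a word end, ic_girl18, computer_girl and btn_pink at a word start), and the host-only "wicked" rule lets the same word through when it appears in a path. Swapping a rule between arrays is how the log's "upgrade" and "downgrade" decisions change what a given URL does.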