01 December 2006 Changes (HHH) ------------------------------- 1. Action: "natural" rule Removed: BadHostParts[i++] = "natural[^il]"; Reason: We have already downgraded it, and modified it. I will have to look at the 400 or so host entries and figure out what to do. After all, that is the natural thing to do. 2. Action: Modify range of "booty" rule From: BadURL_Parts[i++] = "booty"; To: BadHostParts[i++] = "booty"; Reason: www.aolsportsblog.com/2006/11/08/\ john-david-booty-a-semifinalist-for-the-davey-obrien-award/ 98 booty_Parts.txt 24 booty_Starts_and_Ends.txt 359 booty_Passed_All_Rules.txt ------------------------------ 481 total 3. Action: BadDomain ".axelsfun.com" rule added Added: BadDomains[i++] = ".axelsfun.com"; Reason: // INFO GATHER RULE - TEMPORARY (TROLLING) Temporary to find the other "*.axelsfun.com" hosts until I have all of them. 4. Action: BadDomain "15x.net" rule added Added: BadDomains[i++] = ".15x.net"; Reason: // INFO GATHER RULE - TEMPORARY (TROLLING) Temporary to find the other "*.15x.net" hosts until I have all of them. 5. Action: BadDomain ".sexsearch.com" rule added Added: BadDomains[i++] = ".sexsearch.com"; Reason: // INFO GATHER RULE - TEMPORARY (TROLLING) Temporary to find the other "*.sexsearch.com" hosts until I have all of them. 6. Action: ".xiti.com" rule added Added: BadDomains[i++] = ".xiti.com"; Reason: // INFO GATHER RULE - TEMPORARY (TROLLING) Temporary to find the other "*.xiti.com" hosts until I have all of them. 7. Action: Some "good" thumbs. Added: GoodDomains[i++] = ".thumbshots.com"; GoodDomains[i++] = ".thumbshots.org"; Reason: I can't find any porn content. If I do, I will remove them. 8. Action: Added a spyware fighting site Added: GoodDomains[i++] = ".javacoolsoftware.com"; Reason: To work around the general "cool" rule. It seems like they would KNOW to avoid "cool", "hot", etc. Why didn't they use something like JavaBlockSoftware.com instead? 1 December 2006 UNresolved False Positives (HHH) ------------------------------------------------- 1. Word: "exposed" Rules: BadURL_Parts[i++] = "exposed"; Reason: www.hackinglinuxexposed.com/articles/20031231.html 96 expos_Parts.txt 70 expos_Starts_and_Ends.txt 92 expos_Passed_All_Rules.txt ------------------------------ 258 total 47 of the 92 passing are exposed, the others are exposure, expose, and some variations of sexpost. Downgrading the rule does NOTHING. In fact I am thinking of shortening it to "expose" where it is usually used in the French pronunciation of eks-po-zay 1 December 2006 RESOLVED False Positives (HHH) ----------------------------------------------- 1. Word: "girl" at portal.opera.com Rules: BadURL_Parts[i++] = "dreamgirl"; BadURL_Parts[i++] = "girlfriend"; BadURL_Parts[i++] = "schoolgirl"; BadURL_Parts[i++] = "teengirls"; BadURL_WordStarts[i++]="girl"; BadURL_WordEnds[i++]="girl"; Reason: "girl" at portal.opera.com I have monitored my phttp.log for more than six weeks now. Here is what has shown up: http://www.estdomains.com/anacreon/images/homegirl.jpg (triggered by www.estdomains.com in hosts file) http://images.ig.com.br/homev8/novas/ic_girl18_box_novo.gif (triggered by images.ig.com.br in hosts file) http://www.kcsm.org/Reconnections/images/computer_girl.png (Going to kcsm.org takes you to: http://www.w3.org/Protocols/ ) (I never would have known it without a grep through logs!) www.clubhardball.com/templates/icons/search_girl.gif (porn site - Start or End rule) www.agentlemanschoice.com/images/join_girl.jpg (porn site - Start or End rule) All but the third one were either spy or porn domains. Solution: I HAVE NO CHOICE - WE LIVE WITH IT. For every false positive I run into HUNDREDS where it is correct.