19 January 2007 Changes (HHH)
-----------------------------

1. Action: Allow anything to go for a Government site
   Added:  GoodDomains[i++] = ".gov";
   Reason: Why not? Just because I don't have any false positives yet
           doesn't mean I want to see them.

2. Action: Info Gathering rule
   Added:  BadDomains[i++] = ".instacontent.net";
   Reason: Mike Burgess has six of these hosts. I just came up with
           ant.mii.instacontent.net

3. Action: Added lots of "free" sites as GOOD POTENTIAL RULEs
   Added:  GoodDomains[i++] = ".1001freefonts.com";
           GoodDomains[i++] = ".forumforfree.com";
           GoodDomains[i++] = ".free-fonts.com";
           GoodDomains[i++] = ".freenode.net";
           GoodDomains[i++] = ".freeresumeexamples.net";
           GoodDomains[i++] = ".freewebs.com";
           GoodDomains[i++] = ".thefreesite.com";
   Reason: An attempt to counter the "free[^d]" rule.

4. Action: Added GOOD rule for Barnes and Noble
   Added:  GoodDomains[i++] = ".barnesandnoble.com";
   Reason: Wed Oct 4 20:23:28: images.barnesandnoble.com/gresources/navbar/tab_home_hot.gif

           This is NOT being done without some reservations. In addition
           to employing doubleclick, 2o7.net, and hitbox, they at one time
           had their own spies. They are STILL using doubleclick, but the
           ad.doubleclick.net server is stopped both by the PAC filter
           itself AND a blocking hosts file entry. They have just too many
           of these "hot" things and I am convinced LOTS of people go to
           Barnes & Noble, Amazon.com, etc. See the unresolved false
           positives for more information on "hot".

5. Action: Added GOOD rule for webshots.net
   Added:  GoodDomains[i++] = ".webshots.net";
   Reason: Just a picture site. It is not the "hot" that is stopping it.
           It is the "thumb" rule that caught it:
               thumb19.webshots.net/s/thumb


19 January 2007 UNresolved False Positives (HHH)
------------------------------------------------

1. Pattern: "hard"
   Rules:   BadURL_WordStarts[i++]="hard[(b|c|e|p|s)]";
            BadURL_WordEnds[i++]="[^cs]hard";    // Changed from "hard" to "[^cs]hard"
   Reason:  digg.com/security/Marcus_Ranum_on_hard_disk_encryption

            So far this is the ONLY one I have encountered.

2. Pattern: "lips"
   Rules:   BadHostWordStarts[i++]="lips";
            BadURL_WordEnds[i++]="[^c]lips";
   Reason:  creativosparc.ads.uigc.net/RealMedia/ads/Creatives/OasDefault/BR_20061201_BUSCAPE-BOND/br_20061201_buscape-bond-BP-hometheaterphilips_pop.gif

            My initial hunch is to just downgrade the rules. The pattern
            is too short.


19 January 2007 RESOLVED False Positives (HHH)
----------------------------------------------

1. Pattern: "exposed"
   Rules:   BadURL_Parts[i++] = "exposed";
   Reason:  www.hackinglinuxexposed.com/articles/20031231.html

                96 expos_Parts.txt
                70 expos_Starts_and_Ends.txt
                92 expos_Passed_All_Rules.txt
               ------------------------------
               258 total

            47 of the 92 passing are exposed; the others are exposure,
            expose, and some variations of sexpost. Downgrading the rule
            does NOTHING. In fact I am thinking of shortening it to
            "expose", where it is usually used in the French pronunciation
            of eks-po-zay. Letting stand as is.

            Here are the only things in my phttpd logs:
              Tue Dec  5 17:29:18: www.hollywoodmenexposed.com
              Wed Dec 13 22:27:27: cdn.channel.aol.com/aolportal/spears-paris-overexposed-tmz-96ml1207.jpg

2. Pattern: "hot"
   Rules:   BadURL_WordEnds[i++]="[^s]hot";    // Changed from "hot" to "[^s]hot"
   Reason:  creativosparc.ads.uigc.net/RealMedia/ads/Creatives/OasDefault/BR_20060130_PRIMA_UBBI-ENCONTROS/br_20060912_ubbi-encontros-perfilhot_super.gif

            My initial hunch was WRONG. In the first place, this is NOT a
            false positive. In the second place I have the following in
            my logs (I think I got EVERYTHING):

              0.8629.218/~hotpics/photos/profile
              natgeophoto.112.2o7.net                          spy site
              -sex-phisano.chot-le.com/                        *** REAL *** positive
              images.bmnq.com/tplg/82/hotel.gif
              www.sedoparking.com/xxxphotos.ws                 *** REAL *** positive
              images.barnesandnoble.com/gresources/navbar/tab_home_hot
                                                               ADDED a GoodDomains rule
              lcamtuf.coredump.cx/photo/current/thumb/nudetv.jpg
              thumb15.webshots.net
              thumb19.webshots.net (LOTS)                      downgrade won't help;
                                                               it is the "thumb" that is catching it.
              amateurgirlphotos.com/                           *** REAL *** positive
              www.hotactiondating.com
              www.avspalace.com/images/hot-bikini-babes.jpg    *** REAL *** positive
              filext.com/images/icon_hot.gif
              www.spread4u.com/performer/table/hottestpussy
              www.spread4u.com/performer/table/hotbabygirl     Two *** REAL *** positives
              www.photos-gratuites.net/pdv/link.php            *** REAL *** positive
              www.hardbeast.com/pictures/animal98/animal98_hot_best
                                                               *** REAL *** positive
              open.thumbshots.org/image.pxf
              www.thumbshots.org                               (allowed with GoodDomains rule)
              old.redhotgreetings.com/thumbc/75/resource/cards/9/sonnet_cxxxviii.jpg
                                                               *** REAL *** positive BUT, it was
                                                               the "xxx" that caught it.
              teenlesbians.hugetit.us/lesbianvideosphotosandmpegs.htm
                                                               *** REAL *** positive
              karwanphotos.com/images/Celebraties/RayCharles.jpg
              www.publicexposurephotos.com                     *** REAL *** positive

            I STOPPED HERE BECAUSE ALL THE REST WERE LIKE THESE. Many had a
            hot in them, but it was either another rule or a bad host entry
            in the hosts file that snared them. The pattern MAY be too
            short, but I doubt it.
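The rule families these notes keep adjusting (GoodDomains, BadDomains, BadHostWordStarts, BadURL_WordStarts, BadURL_WordEnds, BadURL_Parts) can be exercised against the URLs quoted above to see which rule actually fires and why a downgrade such as "[^cs]hard" still catches Marcus_Ranum_on_hard_disk_encryption. The following is an added JavaScript example written for this page; it is not the filter's own code. Its assumptions: GoodDomains is checked first and wins, BadDomains next, then the pattern rules; a WordStart pattern must be preceded by start-of-string or a non-alphanumeric, a WordEnd pattern followed by end-of-string or a non-alphanumeric, and a Part may match anywhere; only the rules quoted in this entry are loaded, and the blackhole proxy address in FindProxyForURL is invented for the example.

```javascript
// Added example (not the filter's own code): a minimal evaluator for the rule
// families named in the 19 January 2007 notes, run over the URLs quoted there.
// ASSUMPTIONS: GoodDomains is checked first and wins; BadDomains next; then the
// pattern rules. A "WordStart" pattern must be preceded by start-of-string or a
// non-alphanumeric, a "WordEnd" pattern followed by end-of-string or a
// non-alphanumeric, and a "Part" may match anywhere. The blackhole proxy
// address below is also an assumption.
const NONWORD = "[^a-z0-9]";

// Only rules quoted in the notes; the fragments are the page's regex text verbatim.
const RULES = {
  GoodDomains: [".gov", ".barnesandnoble.com", ".webshots.net"],
  BadDomains: [".instacontent.net"],
  BadHostWordStarts: ["lips"],
  BadURL_WordStarts: ["hard[(b|c|e|p|s)]"],
  BadURL_WordEnds: ["[^cs]hard", "[^c]lips", "[^s]hot"],
  BadURL_Parts: ["exposed"],
};

// Wrap a pattern fragment with the assumed word-boundary context.
function compile(fragment, kind) {
  const src = kind === "start" ? `(?:^|${NONWORD})${fragment}`
            : kind === "end"   ? `${fragment}(?:$|${NONWORD})`
            :                    fragment;
  return new RegExp(src, "i");
}

const SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

function hostOf(url) {
  return url.replace(SCHEME, "").split(/[\/?#]/)[0].toLowerCase();
}

// ".example.com" matches example.com itself and any subdomain of it.
function domainMatch(host, suffix) {
  return host === suffix.slice(1) || host.endsWith(suffix);
}

// Returns { verdict: "allow"|"block", rule, matched } naming the first rule that fired.
function classify(url, rules = RULES) {
  const host = hostOf(url);
  const full = url.replace(SCHEME, "").toLowerCase();

  for (const d of rules.GoodDomains)
    if (domainMatch(host, d)) return { verdict: "allow", rule: `GoodDomains ${d}`, matched: host };
  for (const d of rules.BadDomains)
    if (domainMatch(host, d)) return { verdict: "block", rule: `BadDomains ${d}`, matched: host };

  // Host-only rules see just the hostname; URL rules see host plus path.
  const checks = [
    ["BadHostWordStarts", "start", host],
    ["BadURL_WordStarts", "start", full],
    ["BadURL_WordEnds", "end", full],
    ["BadURL_Parts", "part", full],
  ];
  for (const [family, kind, subject] of checks) {
    for (const fragment of rules[family]) {
      const m = compile(fragment, kind).exec(subject);
      if (m) return { verdict: "block", rule: `${family} ${fragment}`, matched: m[0] };
    }
  }
  return { verdict: "allow", rule: null, matched: null };
}

// PAC entry point. The blackhole address is an assumption for this example.
function FindProxyForURL(url, host) {
  return classify(url).verdict === "block" ? "PROXY 127.0.0.1:3421" : "DIRECT";
}

// URLs quoted in the notes (hosts and paths as the log lines give them).
const SAMPLES = [
  "http://digg.com/security/Marcus_Ranum_on_hard_disk_encryption",
  "http://creativosparc.ads.uigc.net/RealMedia/ads/Creatives/OasDefault/BR_20061201_BUSCAPE-BOND/br_20061201_buscape-bond-BP-hometheaterphilips_pop.gif",
  "http://www.hackinglinuxexposed.com/articles/20031231.html",
  "http://images.barnesandnoble.com/gresources/navbar/tab_home_hot.gif",
  "http://thumb19.webshots.net/s/thumb",
  "http://ant.mii.instacontent.net/",
];

for (const u of SAMPLES) {
  const r = classify(u);
  console.log(`${r.verdict.padEnd(5)} ${(r.rule || "-").padEnd(32)} ${u}`);
}
```

Running it shows the mechanism behind the two unresolved entries: "[^cs]hard" still fires on "_hard_" because an underscore satisfies the "[^cs]" class, and "[^c]lips" fires on "philips_" for the same reason, so excluding one or two leading letters does not narrow a short pattern much. It also shows why webshots.net is not a "hot" hit once the rule is "[^s]hot": in "webshots" the match would need an "s" before "hot" and a word boundary after it, and neither holds.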