02 February 2007 Changes (HHH)
------------------------------

1. Action: HOSTS "twink" rule
   Added:  BadHostParts[i++] = "twink";
   Reason: russiantwinksecrets.com (BAD HOST) AND 302 (181) of them:
             261 twink_Parts.txt
              19 twink_Starts_and_Ends.txt
             302 twink_Passed_All_Rules.txt
           ------------------------------
             582 total

2. Action: HOSTS "donne" rule
   Added:  BadHostParts[i++] = "donne";
   Reason: This is just "women" in Italiano. It has no meaning in Espanol,
           but it is the root of "donate" in Francais. Actually it came
           straight from Latin and was dropped in all Latin derived languages
           but Italiano, where it morphed considerably over the years.
              68 donne_Parts.txt
              20 donne_Starts_and_Ends.txt
              79 donne_Passed_All_Rules.txt
           ------------------------------
             167 total

3. Action: URL "ebony" rule
   Added:  BadURL_Parts[i++] = "ebony";
   Reason: I have put this off MUCH too long. Now that I have a better idea
           what I have, the worry about false positives is GONE. We may have
           some, but it is not only tons of hosts but also tons of stuff
           embedded in URLs.
             939 ebony_Parts.txt
             166 ebony_Starts_and_Ends.txt
             817 ebony_Passed_All_Rules.txt
           -------------------------------
            1922 total

4. Action: GoodDomains ".aol.com" ".yahoo.com"
   Added:  GoodDomains[i++] = ".aol.com";
           GoodDomains[i++] = ".yahoo.com";
   Reason: Have some stuff that goes into the rules like "celeb", et al.
           Please, no snickers here. I realize that both of them do things
           that are not the best with security practices, but all of the
           spies they use are contained. So we let the content through.

5. Action: block hosts that have "casino" and "poker"
   Added:  // BadHostParts[i++] = "casino";
           // BadHostParts[i++] = "poker";
   Reason: $ grep poker /home/tmp/Quarantine/*.txt
           It gave me 15 lines in baddown.txt and only one in gooddown.txt.
           I scanned the file named gpiclientinstall.exe from both internet
           sites goldenpalace.com and goldenpalacepoker.com, which is the
           ONLY one of these downloads I get from both of these gambling
           sites. The original scans were done by AVG, ClamAV, and Kaspersky
           on the date 10 Oct 2006. I submitted it again right now to
           virustotal.org and it still comes up clean. This was owned by
           Tribeca Tables Europe, but they have been bought by PlayTech.
           This is the ONE AND ONLY download from these gambling sites that
           passes muster with AntiVirus and AntiSpy companies. I just went
           to them again and got a download of BlackjackSetup.exe from
           [www.]goldenpalaceblackjack.com. It also passes muster. So you
           have ONE online gambling site that is okay among all of the ones
           that I have looked at.
           THESE ENTRIES ARE COMMENTED OUT! It is just being put there as a
           suggestion. I MAY remove them later on. I prefer to handle these
           with hosts file entries. I am NOT blocking the golden*.com sites
           any more (just removed the last one).

6. Action: added beginning "hot" rule for hosts
   Added:  BadHostWordStarts[i++]="hot";
   Reason: It is added as a "PERSONAL RULE", but if I find we are okay with
           it after a while, I will drop that moniker. We STILL have
           thousands of hosts that have "hot" in them (some are "photo")
           that may need to be handled in the hosts file.
           WHOA! I JUST FOUND THAT EVEN THOUGH HOTMAIL IS ALLOWED THIS RULE
           KILLS IT FOR SOME REASON! Can somebody scope it out for me? I
           don't have a hotmail account (hhhobbit was taken). The LAST thing
           I need is another free-mail account.

02 February 2007 UNresolved False Positives (HHH)
-------------------------------------------------

1. Pattern: "hard"
   Rules:  BadURL_WordStarts[i++]="hard[(b|c|e|p|s)]";
           BadURL_WordEnds[i++]="[^cs]hard";  // Changed from "hard" to "[^cs]hard"
   Reason: digg.com/security/Marcus_Ranum_on_hard_disk_encryption
           So far this is the ONLY one I have encountered.

2. Pattern: "lips"
   Rules:  BadHostWordStarts[i++]="lips";
           BadURL_WordEnds[i++]="[^c]lips";
   Reason: creativosparc.ads.uigc.net/RealMedia/ads/Creatives/\
             OasDefault/BR_20061201_BUSCAPE-BOND/br_20061201_\
             buscape-bond-BP-hometheaterphilips_pop.gif
           My initial hunch is to just downgrade the rules. The pattern is
           too short.

3. Pattern: "hot"
   Rules:  BadHostWordStarts[i++]="hot"
   Reason: hotmail.com - it beats me what is causing the problem. I do not
           want a hotmail account to figure it out either. For right now
           the rule is commented out until we can figure out what is going
           wrong. An allow for hotmail.com should mean it is home free and
           it isn't.

02 February 2007 RESOLVED False Positives (HHH)
-----------------------------------------------
NONE
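To make the false-positive entries above reproducible, here is an added example (not the filter's own code) that evaluates the rule tables from this changelog with an assumed semantics: "Parts" match as substrings, "WordStarts"/"WordEnds" are regexes anchored at the start or end of a word, words are split on anything that is not a letter or digit, and GoodDomains is consulted before any block rule. The ".hotmail.com" allow entry and the evaluation order are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Rule tables transcribed from the changelog entries above (the commented-out
# casino/poker rules are left out). Matching semantics are assumed here.
BAD_HOST_PARTS = ["twink", "donne"]              # substring anywhere in host
BAD_URL_PARTS = ["ebony"]                        # substring anywhere in URL
BAD_HOST_WORD_STARTS = ["hot", "lips"]           # regex at start of a host word
BAD_URL_WORD_STARTS = [r"hard[(b|c|e|p|s)]"]     # regex at start of a URL word
BAD_URL_WORD_ENDS = [r"[^cs]hard", r"[^c]lips"]  # regex at end of a URL word
# ".hotmail.com" is the allow the text says should make hotmail "home free".
GOOD_DOMAINS = [".aol.com", ".yahoo.com", ".hotmail.com"]


def words(text):
    """Word boundaries assumed here: any run of non-alphanumerics."""
    return [w for w in re.split(r"[^a-z0-9]+", text.lower()) if w]


def is_good_domain(host, good=GOOD_DOMAINS):
    """True for the domain itself or any subdomain of a GoodDomains entry."""
    return any(host == d.lstrip(".") or host.endswith(d) for d in good)


def classify(url, good=GOOD_DOMAINS):
    """Return (verdict, reason); the allow list wins before any block rule."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if is_good_domain(host, good):
        return "allow", "good domain"
    for p in BAD_HOST_PARTS:
        if p in host:
            return "block", 'host part "%s"' % p
    for p in BAD_HOST_WORD_STARTS:
        if any(re.match(p, w) for w in words(host)):
            return "block", 'host word start "%s"' % p
    low = url.lower()
    for p in BAD_URL_PARTS:
        if p in low:
            return "block", 'URL part "%s"' % p
    for p in BAD_URL_WORD_STARTS:
        if any(re.match(p, w) for w in words(low)):
            return "block", 'URL word start "%s"' % p
    for p in BAD_URL_WORD_ENDS:
        if any(re.search(p + "$", w) for w in words(low)):
            return "block", 'URL word end "%s"' % p
    return "allow", "no rule matched"
```

Running `classify("hotmail.com", good=[])` shows the "hot" word-start rule firing on hotmail exactly as the changelog describes, while the default allow list lets it through; the philips ad URL is caught by the `[^c]lips` word-end rule.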