09 February 2007 Changes (HHH)
------------------------------

1. Action: added GoodDomains rule
   Added:  GoodDomains[i++] = ".msn.com";
   Reason: When I added the BadHostWordStarts[i++]="hot"; rule it killed
           hotmail. This does NOT cure all of the ills of the rule, but it
           is a start.
           // COUNTER HOSTS STARTING "hot" RULE

2. Action: added GoodDomains rule
   Added:  GoodDomains[i++] = ".passport.com"; // COUNTER "hot" RULE
   Reason: When I added the BadHostWordStarts[i++]="hot"; rule it killed
           hotmail. This does NOT cure all of the ills of the rule, but it
           is a start. For heaven's sake - I already had passport.net. Now
           they are using passport.com. Musical host names!
           // COUNTER HOSTS STARTING "hot" RULE
           I can already see why Eric didn't have that hot rule. It is a
           KILLER!

3. Action: altered the hole rule
   From:   BadHostParts[i++] = "hole";
   To:     BadHostParts[i++] = "[^w]hole";
   Reason: There were no false positives. In fact I had to ADD some Porn
           Hosts with "whole" in them. But what is wrong with wholesom.

4. Action: Allow people to look for bad sites at McAfee
   Added:  GoodDomains[i++] = "siteadvisor.com";
   Reason: LOTS of terms match stuff I am looking up. I debated making it a
           private rule, but LOTS of people will use SiteAdvisor to check
           stuff out, especially those using the MVPHosts file.

09 February 2007 UNresolved False Positives (HHH)
-------------------------------------------------

1. Pattern: "hard"
   Rules:   BadURL_WordStarts[i++]="hard[(b|c|e|p|s)]";
            BadURL_WordEnds[i++]="[^cs]hard"; // Changed from "hard" to "[^cs]hard"
   Reason:  digg.com/security/Marcus_Ranum_on_hard_disk_encryption
            So far this is the ONLY one I have encountered.

2. Pattern: "lips"
   Rules:   BadHostWordStarts[i++]="lips";
            BadURL_WordEnds[i++]="[^c]lips";
   Reason:  creativosparc.ads.uigc.net/RealMedia/ads/Creatives/\
            OasDefault/BR_20061201_BUSCAPE-BOND/br_20061201_\
            buscape-bond-BP-hometheaterphilips_pop.gif
            My initial hunch is to just downgrade the rules. The pattern is
            too short.

3. Pattern: "hot"
   Rules:   BadHostWordStarts[i++]="hot"
   Reason:  hotmail.com - it beats me what is causing the problem. I do not
            want a hotmail account to figure it out either. For right now
            the rule is commented out until we can figure out what is going
            wrong. An allow for hotmail.com should mean it is home free and
            it isn't.

09 February 2007 RESOLVED False Positives (HHH)
-----------------------------------------------

NONE
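
A regression check for the patterns quoted in this changelog, as an added example that is not part of the original rule file. It assumes each rule string is applied as an unanchored, case-insensitive JavaScript regular expression; the names rules, samples, hits and report, and the *.example hosts, are constructed for illustration.

```javascript
// Added example. Assumption: every rule is an unanchored, case-insensitive
// regex; the real rule file may anchor "WordStarts"/"WordEnds" differently.
const rules = {
  hole_old: "hole",          // BadHostParts before the change
  hole_new: "[^w]hole",      // BadHostParts after the change
  hard_ends: "[^cs]hard",    // BadURL_WordEnds
  lips_ends: "[^c]lips",     // BadURL_WordEnds
  hot_starts: "hot",         // BadHostWordStarts
};

// URLs and hosts named in the changelog, plus constructed *.example hosts.
const samples = {
  digg: "digg.com/security/Marcus_Ranum_on_hard_disk_encryption",
  philips: "creativosparc.ads.uigc.net/RealMedia/ads/Creatives/" +
    "OasDefault/BR_20061201_BUSCAPE-BOND/br_20061201_" +
    "buscape-bond-BP-hometheaterphilips_pop.gif",
  hotmail: "hotmail.com",
  wholesome: "wholesome.example",     // constructed
  leadingHole: "hole.example",        // constructed
  embeddedHole: "blackhole.example",  // constructed
};

// True when the pattern matches anywhere in the text.
function hits(pattern, text) {
  return new RegExp(pattern, "i").test(text);
}

// For each rule, list the sample names it blocks.
function report() {
  const out = {};
  for (const [name, pattern] of Object.entries(rules)) {
    out[name] = Object.keys(samples).filter((s) => hits(pattern, samples[s]));
  }
  return out;
}

console.log(report());
```

Under these assumptions the negated classes still block the digg.com and philips URLs, because the character before "hard" is "_" and the character before "lips" is "i". "[^w]hole" also stops matching a string that begins with "hole", since the class must consume one character.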