23 March 2007 Changes (HHH) --------------------------- 1. Action: Temporary BadDomain rule for "focalex.com" Added: BadDomains[i++] = ".focalex.com"; Reason: // INFO GATHER RULE - catch others not in hosts file for entry into the hosts file. 2. Action: Temporary BadDomain rule for "statcounter.com" Added: BadDomains[i++] = ".statcounter.com"; Reason: // INFO GATHER RULE c18.statcounter.com is NOT in the blocking hosts file and it or somebody using it had a malformed PHP script. 3. Action: Temporary BadDomain rule for "ivwbox.de" Added: BadDomains[i++] = ".ivwbox.de"; Reason: // INFO GATHER RULE We will depend on our Deutsch people to get us the rest. 4. Action: Restricted "friend" rule in domain. From: BadHostParts[i++] = "friend"; To: BadHostParts[i++] = "friendfinder"; Reason: Greater chance for false positives over false false negatives by several orders of magnitude. Two of them are: friendsofed.infopop.net img3.musiciansfriend.com 5. Action: "extrem" From: TEST RULE To: PERMANENT RULE Reason: No false positives. 6. Action: GoodDomain rule for "apple.com" Added: GoodDomains[i++] = "apple.com"; Reason: qtpix.apple.com; there may be more. 7. Action: "topix.net", "indigipix.com" Added: GoodDomains[i++] = "topix.net"; GoodDomains[i++] = "indigipix.com"; Reason: After analysis, we have to live with the "pix" rule. These will show up as a // PERSONAL RULE Here are the rest I looked at in MY logs that didn't pass muster: www.pixpox.com -------------- PORN AND ASSOCIATION WITH A WORM SEVERAL YEARS BACK. pix.t-online.de --------------- ASSOCIATED WITH WEB-BUG SITE. OTHERWISE HARMLESS. goldenpix.com ------------- NOT ONLY PORN BUT HISTORY OF DAMAGING SYSTEMS sexpixbox.com ------------- PORN prmpix.about.com/pixel.cgi -------------------------- UNKNOWN. By itself, about.com is okay, but I can't pull the script in question. I don't know affected ANYTHING. Here is why we can't drop it: 1173 pix_Parts.txt 115 pix_Starts_and_Ends.txt 414 pix_Passed_All_Rules.txt ----------------------------- 1702 total 23 March 2007 UNresolved False Positives (HHH) ---------------------------------------------- *** NONE *** 23 March 2007 RESOLVED False Positives (HHH) -------------------------------------------- 1. Sat Nov 25 06:52:34: www.baits.com/images2/shinichi-2006-flw-beaver-la.jpg RULES: ------ BadURL_Parts[i++] = "beaver"; ANALYSIS: --------- 105 beaver_Parts.txt 12 beaver_Starts_and_Ends.txt 152 beaver_Passed_All_Rules.txt ------------------------------- 269 total SOLUTION: --------- None showed up. People will just have to add as necessary. I don't think baits.com should be added except by the person needing to go there. 2. Tue Nov 28 19:42:01 friendsofed.infopop.nethttp://friendsofed.infopop.net/favicon.ico RULES: ------ BadHostParts[i++] = "friend"; ANALYSIS: --------- 525 friend_Parts.txt 40 friend_Starts_and_Ends.txt 171 friend_Passed_All_Rules.txt ------------------------------- 736 total That is quite a few hosts. Since it is already just a host rule, we can't just drop it. After I changed it to the friendfinder (which is the number one source of grist for sites that damage Windows machines with the word "friend" in them. I came with the following count: 547 friend_Parts.txt 39 friend_Starts_and_Ends.txt 150 friend_Passed_All_Rules.txt ------------------------------- 736 total SOLUTION: --------- I can live with that. See the FRIENDS.txt file for the false positives.