27 April 2007 Changes (HHH)
---------------------------

1. Action: "intermountainlive.org" rule
   Added:  GoodDomains[i++] = "intermountainlive.org";
   Reason: Counter "live" rule. This is an info site for the huge
           Intermountain Health Care Organization.

2. Action: Renamed Folder in the InstallProxyPkg Folder
   From:   Docs
   To:     Recipes
   Reason: So people can calm their jitters and fears.

3. Action: Altered the "huss" rule
   From:   BadURL_Parts[i++] = "huss";
   To:     BadURL_Parts[i++] = "huss[(i|y)]";
   Reason: We will have false positives, and it looks like this rule
           change is the best way to avoid all of them.

4. Action: ".altavista.com" rule
   Added:  GoodDomains[i++] = "altavista.com";
   Reason: babelfish.altavista.com/static/i/af/trans_en.gif
           at http://www.religioustolerance.org
           I haven't been able to find any other false positives in
           months, and since the language translator and the AltaVista
           search are important to a lot of people, let's give them what
           they want. See the Resolved False Positives for the count of
           "babe"; we are talking over 1000 with hosts alone. Downgrading
           the Start "babe" rule from URL to HOST would have done NOTHING!
           http://www.siteadvisor.com/sites/altavista.com

5. Action: added ".overture.com" rule
   Added:  BadDomains[i++] = ".overture.com";     // INFO GATHER RULE
   Reason: Every so often, Mike keeps adding another one of these to his
           blocking hosts file. So far he has 27. Let's see if we can
           find some more.

6. Action: added ".spylocked.com" rule
   Added:  BadDomains[i++] = ".spylocked.com";
   Reason: http://www.lavasoftsupport.com/index.php?showtopic=8194
           http://www.securitycadets.com/2007/03/spylocked-the-latest-rogue/
           - removal -
           http://www.spywaresignatures.com/forums/viewtopic.php?t=9
           http://www.bleepingcomputer.com/forums/topic85376.html

7. Action: added ".go.com" exclusionary rule
   Added:  GoodDomains[i++] = ".go.com";
   Reason: Disney had "pink" buttons. I am just giving them a clear
           go-ahead. That does NOT mean that their spies aren't being
           stopped, because they are.

8. Action: removed "888" rule
   Removed: BadHostParts[i++] = "888";
   Reason: https://reporting.bsa.org/usa/home.aspx?\
           pr=1&CMP=BAL-compjobs&creative=200KRadioscriptText
           - this redirects to -
           http://www.1888nopiracy.com

             16 888_Parts.txt
             11 888_Starts_and_Ends.txt
             11 888_Passed_All_Rules.txt
           ---------------------------
             38 total

9. Action: removed "800" rule
   Removed: BadHostParts[i++] = "800";
   Reason: 1800taxfree.com

            130 800_Parts.txt
             28 800_Starts_and_Ends.txt
             12 800_Passed_All_Rules.txt
           ----------------------------
            170 total

10. Action: removed several rules
    Removed: BadHostWordStarts[i++]="extreme";
             BadHostWordEnds[i++]="extreme";
    Reason:  BadHostParts[i++] = "extrem";
             So far, the only host that could be considered a false
             positive is:
                 folding.extremeoverclocking.com/sigs/sigimage.php
             The problem is, that one was borderline spy. I have ONLY
             commented them out for now. The reason why is that I didn't
             add the Parts rule until 9 Mar 2007. It is too soon to tell
             whether I bit off too much or not.

11. Action: "girlz"
    Added:  BadHostParts[i++] = "girlz";
            BadURL_WordEnds[i++] = "girlz";
    Reason: Just see the count. As with "girls", I am ready to make it a
            BadURL_Parts rule, but that generated false positives for
            "girls" and probably will here too.

              97 girlz_Parts.txt
              47 girlz_Starts_and_Ends.txt
             100 girlz_Passed_All_Rules.txt
            ------------------------------
             244 total

12. Action: Changed about 59
    From:   (]=")
    To:     (] = ")
    Reason: Matches the rest and looks nicer.

13. Action: Added "vegas" rules
    Added:  BadHostParts[i++] = "vegas";
    Reason: See the Vegas.txt file for an in-depth analysis. Please
            remember that you are 2-3 times more likely to have your
            machine running Microsoft Windows infected by porn sites. For
            gambling sites, you are 5-20 times more likely to have your
            Windows machines infected. It isn't a slam against Las Vegas,
            but when you even have sites in Germany and other places, the
            meaning on the Internet is clear.

14. Action: added exclusionary rule for VisitLasVegas
    Added:  GoodDomains[i++] = "visitlasvegas.com";  // COUNTER "vegas" rule

15. Action: hotwire.com
    Added:  GoodDomains[i++] = ".hotwire.com";
    Reason: BadHostWordStarts[i++] = "hot[^em]";     // PERSONAL RULE
            I realize I have this as a PERSONAL rule, but if they feel
            duty bound to keep that rule, at least it does not whack this
            one out.


27 April 2007 UNresolved False Positives (HHH)
----------------------------------------------

NONE


27 April 2007 RESOLVED False Positives (HHH)
--------------------------------------------

1. Pattern:  "secret"
   Rules:    BadURL_Parts[i++] = "secret";
   Reason:   Sat Mar 31 15:17:42
             ndc.shockwave.com/images/picons/highlight/hideandsecret_highlight.png
   Analysis:
               326 secret_Parts.txt
                68 secret_Starts_and_Ends.txt
               279 secret_Passed_All_Rules.txt
             -------------------------------
               673 total

             This is the ONLY *PSEUDO* false-positive I have. The
             ShockWave player will NEVER be available for Sun Solaris,
             Linux, and other Unix systems, and the Flash Player is
             ALWAYS out of date on those platforms. The only reason I
             know this is because there are Webinars, and in the field
             of Computer Security I am amazed that they think I would
             use Microsoft Windows as if it was a secure platform. In
             other words, for me I blocked NOTHING! More to the point,
             here is what McAfee thinks of them:
                 http://www.siteadvisor.com/sites/shocwave.com
                 http://www.siteadvisor.com/sites/megago.com
   Solution: DO NOTHING!

2. Pattern:  "babe"
   Rules:    BadURL_WordStarts[i++]="babe";
   Reason:   babelfish.altavista.com/static/i/af/trans_en.gif
             at http://www.religioustolerance.org
   Analysis:
              5520 babe_Parts.txt
               124 babe_Starts_and_Ends.txt
              1085 babe_Passed_All_Rules.txt
             ------------------------------
              6729 total
   Solution: Since this is the only "babe" false positive I have found,
             I added altavista.com to the GoodDomains.
             http://www.siteadvisor.com/sites/altavista.com

3. Pattern:  "888"
   Rules:    BadHostParts[i++] = "888";
   Reason:   https://reporting.bsa.org/usa/home.aspx?\
             pr=1&CMP=BAL-compjobs&creative=200KRadioscriptText
             - this redirects to -
             http://www.1888nopiracy.com

                16 888_Parts.txt
                11 888_Starts_and_Ends.txt
                11 888_Passed_All_Rules.txt
             ---------------------------
                38 total
   Solution: Drop rule

4. Pattern:  "800"
   Rules:    BadHostParts[i++] = "800";
   Reason:   1800taxfree.com

               130 800_Parts.txt
                28 800_Starts_and_Ends.txt
                12 800_Passed_All_Rules.txt
             ----------------------------
               170 total
   Solution: Drop rule
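The changelog names the rule arrays (GoodDomains, BadDomains, BadHostParts, BadHostWordStarts/Ends, BadURL_Parts, BadURL_WordStarts/Ends) and reports a three-file count (Parts / Starts_and_Ends / Passed_All_Rules) for each pattern, but never shows how the arrays are evaluated. The block below is an added example written for this page, not the InstallProxyPkg PAC code: it models one evaluation order in which a GoodDomains entry acts as an exclusionary "COUNTER" rule and short-circuits every block rule (which is why adding altavista.com neutralizes "babe"), treats the patterns as regex fragments (as "hot[^em]" and "huss[(i|y)]" imply), and reproduces the triage counts over a constructed host list. The precedence, the word-boundary definition, the host list and the reading of Passed_All_Rules as "hosts no other rule already blocks" are all assumptions.

```javascript
// Added example, not the InstallProxyPkg PAC code. Evaluation order, the
// word-boundary definition and the Passed_All_Rules interpretation are assumptions.

// Rule arrays as they stand after the 27 April 2007 changes (subset).
var GoodDomains       = ["intermountainlive.org", "altavista.com", ".go.com",
                         "visitlasvegas.com", ".hotwire.com"];
var BadDomains        = [".overture.com", ".spylocked.com"];
var BadHostParts      = ["extrem", "girlz", "vegas"];
var BadHostWordStarts = ["hot[^em]"];           // PERSONAL RULE in the changelog
var BadHostWordEnds   = [];
var BadURL_Parts      = ["huss[(i|y)]", "secret"];
var BadURL_WordStarts = ["babe"];
var BadURL_WordEnds   = ["girlz"];

// Lower-cased host taken from a URL (a real PAC function receives host separately).
function hostOf(url) {
  var m = /^[a-z]+:\/\/([^\/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

// "example.com" and ".example.com" both match the domain itself and any subdomain.
function domainMatches(host, dom) {
  var d = dom.charAt(0) === "." ? dom.slice(1) : dom;
  return host === d || host.slice(-(d.length + 1)) === "." + d;
}

// Patterns are regex fragments. A "word" boundary here is start/end of text or
// any non-alphanumeric character (so "/" and "." count, letters and digits do not).
function part(text, pat)      { return new RegExp(pat, "i").test(text); }
function wordStart(text, pat) { return new RegExp("(^|[^a-z0-9])" + pat, "i").test(text); }
function wordEnd(text, pat)   { return new RegExp(pat + "($|[^a-z0-9])", "i").test(text); }

function firstMatch(text, list, fn, label) {
  for (var k = 0; k < list.length; k++) {
    if (fn(text, list[k])) return label + " " + list[k];
  }
  return null;
}

// Returns "good <rule>" (exclusionary rule fired), "bad <rule>" (blocked) or "pass".
function classify(url) {
  var host = hostOf(url), k, hit = null;
  // Exclusionary (COUNTER) rules win outright: altavista.com beats "babe".
  for (k = 0; k < GoodDomains.length; k++) {
    if (domainMatches(host, GoodDomains[k])) return "good GoodDomains " + GoodDomains[k];
  }
  for (k = 0; k < BadDomains.length && !hit; k++) {
    if (domainMatches(host, BadDomains[k])) hit = "BadDomains " + BadDomains[k];
  }
  // Host rules first, then rules run over the whole URL.
  hit = hit || firstMatch(host, BadHostParts, part, "BadHostParts")
            || firstMatch(host, BadHostWordStarts, wordStart, "BadHostWordStarts")
            || firstMatch(host, BadHostWordEnds, wordEnd, "BadHostWordEnds")
            || firstMatch(url, BadURL_Parts, part, "BadURL_Parts")
            || firstMatch(url, BadURL_WordStarts, wordStart, "BadURL_WordStarts")
            || firstMatch(url, BadURL_WordEnds, wordEnd, "BadURL_WordEnds");
  return hit ? "bad " + hit : "pass";
}

// The three-file triage reported for each candidate pattern:
//   <pat>_Parts.txt            hosts containing the pattern anywhere
//   <pat>_Starts_and_Ends.txt  hosts where it sits at a word start or word end
//   <pat>_Passed_All_Rules.txt hosts that no OTHER rule already blocks
// The last number estimates how much the candidate rule alone would add.
function triage(pattern, hosts) {
  var counts = { parts: 0, startsAndEnds: 0, passedAllRules: 0 };
  for (var k = 0; k < hosts.length; k++) {
    var h = hosts[k];
    if (!part(h, pattern)) continue;
    counts.parts++;
    if (wordStart(h, pattern) || wordEnd(h, pattern)) counts.startsAndEnds++;
    if (classify("http://" + h + "/") === "pass") counts.passedAllRules++;
  }
  return counts;
}

// Constructed sample host list (not taken from any real log) for the "888" triage.
var SAMPLE_HOSTS = ["www.1888nopiracy.com", "888casino.example",
                    "ads.888.overture.com", "extreme888.example", "www.example.org"];

console.log(classify("http://babelfish.altavista.com/static/i/af/trans_en.gif"));
console.log(classify("http://www.example.org/babel.gif"));
console.log(triage("888", SAMPLE_HOSTS));
```

Running it shows the shape of the decisions the changelog describes: the babelfish URL is whitelisted by the GoodDomains entry, the same "babe" word start on an unlisted host is blocked, and in the constructed "888" triage two of the four matching hosts are already caught by other rules, so the candidate rule would only add two, the kind of figure behind the "Passed_All_Rules" column.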