30 June 2007 Changes (HHH)
--------------------------

1. Action:  "blogbugs.org" "blogtur.com" "clearblogsonline.com"
   Added:   BadDomains[i++] = ".blogbugs.org";
            BadDomains[i++] = ".blogtur.com";
            BadDomains[i++] = ".clearblogsonline.com";
   Reason:  http://blog.washingtonpost.com/securityfix/2007/06/substitute_teacher_granted_new.html
            Evidently they felt left out that we had not included them, so now we have!
            http://www.dnsstuff.com/tools/whois.ch?%26ip%3Dclearblogsonline.com

2. Action:  "creativecommons.org"
   Added:   GoodDomains[i++] = "creativecommons.org";
   Reason:  Fri Jun 8 06:11:42 creativecommons.org/apps/scrape?url=http%3A%2F%2Fwww.mvps.org%2Fwinhelp2002%2Fhosts.htm
            (THIS IS JUST A TEMPORARY FIX)

3. Action:  "rlwpx.free.fr"
   Added:   GoodDomains[i++] = "rlwpx.free.fr";
   Reason:  Wed Jun 13 00:57:32: http://rlwpx.free.fr/WPFF/hosts.htm

4. Action:  "hitslink.com"
   Removed: BadDomains[i++] = ".hitslink.com";
   Reason:  Haven't seen anything but counter.hitslink.com and counter2.hitslink.com.
            Ergo - use what is in the hosts file.

5. Action:  "opendns.com"
   Added:   GoodDomains[i++] = "opendns.com";
   Reason:  // COUNTER "adult" RULE
            Thu Jun 21 03:17:47: www.opendns.com/img/home_adult_promo.gif

6. Action:  "sexybabesx.com"
   Removed: BadDomains[i++] = ".sexybabesx.com";
   Reason:  // FOR MVPS HOSTS
            He didn't take the hint. He wants to do everything with a hosts file - c'est la vie.
            Our other rules handle it anyway.

7. Action:  "babylon"
   Added:   BadHostParts[i++] = "babylon";
   Reason:  www.babylon-x.com - when testing one of the bad *.sexybabesx.com hosts to detect
            if they are still bad (THEY ARE STILL BAD!), it ended up with 21 hosts going
            through, and who knows how many new ones.

8. Action:  ".gemius.pl"
   Added:   BadDomains[i++] = ".gemius.pl";
   Reason:  Mike added 12 more to the hosts file, and since they aren't auto-added to my
            hosts.min file it looks like we need to do a ...
            // INFO GATHER RULE

9. Action:  ".xclicks.net"
   Added:   BadDomains[i++] = ".xclicks.net";
   Reason:  Mike added x3.xclicks.net and we have no idea how many more there are.
            // INFO GATHER RULE

10. Action: ".xiti.com"
    From:   BadDomains[i++] = ".xiti.com"; // INFO GATHER RULE
    To:     BadDomains[i++] = ".xiti.com";
    Reason: Mike Burgess added almost a dozen hosts, so it is now an active rule.

11. Action: "trackalyzer.com"
    Added:  BadDomains[i++] = ".trackalyzer.com";
    Reason: I saw something other than t2.trackalyzer.com and want to find it again.
            // INFO GATHER RULE

12. Action: "insightexpress.com"
    Added:  BadDomains[i++] = ".insightexpress.com.net";
    Reason: I haven't seen anything since February.
            // INFO GATHER RULE


30 June 2007 UNresolved False Positives (HHH)
---------------------------------------------

1. Pattern: "tgp"
   Rules:   BadURL_Parts[i++] = "tgp";
   Reason:  www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif
            www.vmware.com/files/images/promos/ws_promo_tgp.gif
            www.symantec.com/content/en/us/enterprise/images/promo/ent-vista_sec_mktgpromo.jpg
            ANY IDEAS WHAT TO DO ABOUT IT?

2. Pattern: "chest"
   Rules:   BadURL_WordStarts[i++] = "chest";
            BadURL_WordEnds[i++] = "chest";
   Reason:  Wed May 16 10:11:41: images.bestbuy.com/BestBuy_US/en_US/images/global/features/gigrad_blueshirtchest_2007.jpg
            THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com" RULE.
            THE PROBLEM IS: hope-chest, drawer-chest, chest-of-jewels, treasure-chest, etc.
            Further, the efficacy of the rule itself gives no reason to drop the rules
            from URL to HOST:
                44 chest_Parts.txt
                 5 chest_Starts_and_Ends.txt
                33 chest_Passed_All_Rules.txt
                82 total

3. Pattern: "pee"
   Rules:   BadURL_WordStarts[i++] = "pee[^nrv]";
            BadURL_WordEnds[i++] = "pee";
   Reason:  Wed May 9 12:04:18: forums.bicycling.com/groupee_common/jscript/prototype.js
            For now I have a personal rule, but I really worry about a rule this short.

4. Pattern: "bbw"
   Rules:   BadURL_Parts[i++] = "bbw";
   Reason:  Sat Jun 2 20:49:05: topics.nytimes.com/adx/bin/clientside/1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN

5. Pattern: "rape"
   Rules:   BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
            BadURL_WordEnds[i++] = "rape";
   Reason:  Fri Jun 8 05:59:23: creativecommons.org/apps/scrape
            I found the following words that end with "rape" and have 1, 2, or 3 letters
            in front of it: crape drape grape scrape serape
            That gives a [^cdeg] in front of the rule at a maximum and a [^c] at a minimum,
            but remember that grape can be gangrape.
            SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED


30 June 2007 RESOLVED False Positives (HHH)
-------------------------------------------

*** NONE ***
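The rule families and the "rape" prefix trade-off discussed in the UNresolved False Positives section, as an added example (not code from the HHH changelog or the filter it maintains): a JavaScript model of BadURL_Parts, BadURL_WordStarts and BadURL_WordEnds that replays the reported URLs. The word-boundary semantics (string edge or any non-letter), the [^cdeg] class placed in front of the WordEnds "rape" rule, and the URL and word lists are assumptions constructed from the entries above.

```javascript
// Added example, not code from the HHH changelog or its filter. Models the
// three BadURL_* rule families from the Unresolved False Positives section
// and replays the listed false positives. ASSUMPTIONS: a "word" edge is the
// string edge or any non-letter; WordEnds carries the [^cdeg] refinement
// proposed for "rape"; all URLs/words below are constructed from the entries.
const BadURL_Parts = ["tgp", "bbw"];
const BadURL_WordStarts = ["chest", "pee[^nrv]", "rape"];
const BadURL_WordEnds = ["chest", "pee", "[^cdeg]rape"];

// Compile each family into tagged, case-insensitive regexes. Parts match
// anywhere; WordStarts need a non-letter (or string start) before the
// pattern; WordEnds need a non-letter (or string end) after it.
function compileRules() {
  const rules = [];
  for (const p of BadURL_Parts) rules.push(["Parts:" + p, new RegExp(p, "i")]);
  for (const p of BadURL_WordStarts) rules.push(["WordStarts:" + p, new RegExp("(^|[^a-z])" + p, "i")]);
  for (const p of BadURL_WordEnds) rules.push(["WordEnds:" + p, new RegExp(p + "([^a-z]|$)", "i")]);
  return rules;
}

// Names of every rule that fires on the URL; an empty list means it passed.
function matchURL(url, rules = compileRules()) {
  return rules.filter(([, re]) => re.test(url)).map(([name]) => name);
}

// The trade-off discussed for the "rape" WordEnds rule: [^cdeg] clears
// crape/drape/grape/scrape/serape but also lets "gangrape" through, while
// [^c] keeps "gangrape" yet still flags drape, grape and serape.
function rapeRuleCoverage(prefixClass) {
  const re = new RegExp(prefixClass + "rape([^a-z]|$)", "i");
  const words = ["crape", "drape", "grape", "scrape", "serape", "gangrape"];
  return Object.fromEntries(words.map((w) => [w, re.test(w)]));
}

// Constructed replay of the URLs reported above as false positives.
const reportedFalsePositives = [
  "www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif",
  "images.bestbuy.com/BestBuy_US/en_US/images/global/features/gigrad_blueshirtchest_2007.jpg",
  "forums.bicycling.com/groupee_common/jscript/prototype.js",
  "topics.nytimes.com/adx/bin/clientside/1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN",
  "creativecommons.org/apps/scrape", // no longer fires once [^cdeg] is in front
];
for (const u of reportedFalsePositives) console.log(matchURL(u), u);
console.log("[^cdeg]", rapeRuleCoverage("[^cdeg]"));
console.log("[^c]   ", rapeRuleCoverage("[^c]"));
```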