15 July 2007 Changes (HHH)
--------------------------

1.  Action: "lop.com"
    Added:  BadDomains[i++] = ".lop.com";
    Reason: Mostly I have img.lop.com, but ... the log stopped in February.
            In other words, I think they are using some server other than
            img.lop.com now.
            // INFO GATHER RULE

2.  Action: "maxserving.com"
    Added:  BadDomains[i++] = ".maxserving.com";
    Reason: I can't believe anybody can get by using only one server without
            people blocking them, but I got hammered by just this one call
            until December and since then NOTHING!
              c4.maxserving.com/gen.js
            // INFO GATHER RULE

3.  Action: "metriweb.be"
    Added:  BadDomains[i++] = ".metriweb.be";
    Reason: Fall-back mechanism for Belgium / France / Netherlands. If you do
            a Google search you can see tons of HijackThis logs with them in
            them.

4.  Action: "advertising.com"
    Added:  BadDomains[i++] = ".advertising.com";
    Reason: I want to see if they use some other servers besides
            servedby.advertising.com & opera1-servedby.advertising.com.
            // INFO GATHER RULE

5.  Action: "pointroll.com"
    Added:  BadDomains[i++] = ".pointroll.com";
    Reason: The only one I am getting is ads.pointroll.com. I am seeing if
            there are some more.
            // INFO GATHER RULE

6.  Action: "realtracker.com"
    Added:  BadDomains[i++] = ".realtracker.com";
    Reason: All I am getting is web4.realtracker.com. I suspect that there
            are more than that. If there wasn't, I would be getting some of
            the others.

7.  Action: "sitestats.com"
    Added:  BadDomains[i++] = ".sitestats.com";
    Reason: Unlike sitestat.com, which I got stuff with, I have NONE of
            these. That causes me to wonder if they have some other servers
            that need to be stopped.
            // INFO GATHER RULE

8.  Action: "tacoda.net"
    Added:  BadDomains[i++] = ".tacoda.net";
    Reason: All I have ever got is "an.tacoda.net" and, to a much lesser
            extent, "anad.tacoda.net". I suspect they have changed the names
            of their servers.
            // INFO GATHER RULE

9.  Action: "teracent.net"
    Added:  BadDomains[i++] = ".teracent.net";
    Reason: When I download the following file:
              adserver2.teracent.net/Ads2/js/Ads.js
            it referenced the following URLs:
              www.adbriteshopping.com/index.htm
              www.rockyou.com
              adserver3.teracent.net/teraAdServlet/getAd?url=
            SO WHAT ARE WE MISSING?
            // INFO GATHER RULE

10. Action: "tribalfusion.com"
    Added:  BadDomains[i++] = ".tribalfusion.com";
    Reason: JUST IN CASE THERE IS NO BLOCKING HOSTS FILE.

11. Action: "valueclick.net"
    Removed: BadDomains[i++] = ".valueclick.net";
    Reason: NOT WORTH IT! All I ever blocked was:
              ads.scot.valueclick.net/cycle
            I haven't seen them since January. I also removed them as a
            blocked cookie.

12. Action: "pandasoftware.com"
    Added:  GoodDomains[i++] = "pandasoftware.com";
    Reason: Sun Jun 10 06:00:55: www.pandasoftware.com/NR/rdonlyres/\
              9806B502-2611-4EB4-8663-2804442D637D/8593/BSex_70x91.gif
            (also - you do NOT block an AV company!)

13. Action: "adjuggler.com"
    Added:  BadDomains[i++] = ".adjuggler.com";
    Reason: Mike has added two more - how many more are there?
            // INFO GATHER RULE

14. Action: "opentracker.net"
    Added:  BadDomains[i++] = ".opentracker.net";
    Reason: Mike found s17.opentracker.net. How many more?
            // INFO GATHER RULE

15. Action: "finger"
    Added:  BadHostParts[i++] = "finger";
    Reason: Too many hosts with this pattern passing through, and I can't
            think of a legitimate reason for them. Actually, the "fingering"
            URL rule needs to be re-examined.
               83 finger_Parts.txt
                4 finger_Starts_and_Ends.txt
               53 finger_Passed_All_Rules.txt
              -------------------------------
              140 total

16. Action: "virustotal.com"
    Added:  GoodDomains[i++] = "virustotal.com";
    Reason: Who would have thought somebody would spell analysis as analisis?
            Counteracts the following rule:
              BadURL_WordStarts[i++] = "anal[^oy]";

17. Action: "hostsfile.org" & "securemecca.com"
    Added:  GoodDomains[i++] = "ericphelps.com";
            GoodDomains[i++] = "hostsfile.org";
            GoodDomains[i++] = "securemecca.com";
    Reason: http://www.securemecca.com/pornolink.org.7z
            I couldn't figure out why I couldn't download the file! But I
            could wget it!

18. Action: "travesti"
    Added:  BadURL_Parts[i++] = "travesti";
    Reason: (Romance-language "transvestite")
               36 travesti_Parts.txt
               19 travesti_Starts_and_Ends.txt
               79 travesti_Passed_All_Rules.txt
              ---------------------------------
              134 total

19. Action: "pee"
    From:   BadURL_WordStarts[i++] = "pee[^nrv]";
            BadURL_WordEnds[i++]   = "pee";
    To:     NO CHANGE FOR FIRST
            BadURL_WordEnds[i++]   = "[^u]pee";
    Reason: Wed Oct 18 14:01:30: www.circuitcity.com/IMAGE/app/r/icon_peekcart.gif
            Thu Jan 4 13:00:38: projects.info-pull.com/moab/images/apple-peeler.jpg
            Fri Feb 2 08:33:01: www.npr.org/include/javascript/peekaboo.js
            Mon Feb 5 11:00:10 digg.com/userimages/toupee/small.jpg
            Sat Feb 24 07:15:29 www.aros.net/styles/blues/random/backgrounds/grand_peek.jpg
            Wed May 9 12:04:18: forums.bicycling.com/groupee_common
            Fri May 11 20:31:38: www.sarc.com/avcenter/venc/data/w32.peerload.a.html
            Sat Jun 9 07:48:14: episteme.arstechnica.com/groupee_common/
            I will handle the "upee" hosts in the hosts file, and since
            www.sarc.com is an arm of Symantec they MUST be excluded! Ditto
            for "npr.org" and "circuitcity.com".

20. Action: "circuitcity.com"
    Added:  GoodDomains[i++] = "circuitcity.com";
    Reason: SEE #19 - "peek" is an especially BAD word. THERE IS NO WAY
            AROUND THIS OTHER THAN A WHITE-LIST!

21. Action: "npr.org"
    Added:  GoodDomains[i++] = "npr.org";
    Reason: SEE #19 - allow the left wing pinkos the right to speak.

22. Action: "sarc.com"
    Added:  GoodDomains[i++] = "sarc.com";
    Reason: SEE #19


15 July 2007 UNresolved False Positives (HHH)
---------------------------------------------

1.  Pattern: "tgp"
    Rules:   BadURL_Parts[i++] = "tgp";
    Reason:  www.tomshardware.com/Design/graphics/\
               tomshardware/logo_tgpfoot.gif
             www.vmware.com/files/images/promos/\
               ws_promo_tgp.gif
             www.symantec.com/content/en/us/enterprise/\
               images/promo/ent-vista_sec_mktgpromo.jpg
             ANY IDEAS WHAT TO DO ABOUT IT?

2.  Pattern: "chest"
    Rules:   BadURL_WordStarts[i++] = "chest";
             BadURL_WordEnds[i++]   = "chest";
    Reason:  Wed May 16 10:11:41: images.bestbuy.com/BestBuy_US/en_US/images/global\
               /features/gigrad_blueshirtchest_2007.jpg
             THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com"
             RULE. THE PROBLEM IS: hope-chest, drawer-chest, chest-of-jewels,
             treasure-chest, etc. Further, even the efficacy of the rule
             itself poses no reason to drop the rules from URL to HOST:
                44 chest_Parts.txt
                 5 chest_Starts_and_Ends.txt
                33 chest_Passed_All_Rules.txt
                82 total

3.  Pattern: "bbw"
    Rules:   BadURL_Parts[i++] = "bbw";
    Reason:  Sat Jun 2 20:49:05: topics.nytimes.com/adx/bin/clientside\
               /1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN

4.  Pattern: "rape"
    Rules:   BadURL_WordStarts[i++] = "rape";   (PROBABLY OKAY)
             BadURL_WordEnds[i++]   = "rape";
    Reason:  Fri Jun 8 05:59:23: creativecommons.org/apps/scrape
             I found the following words that end with "rape" that have 1, 2,
             or 3 letters in front of that:
               crape  drape  grape  scrape  serape
             That gives the [^cdeg] in front of the rule at a maximum and a
             [^c] at a minimum, but remember that grape can be gangrape.
             SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED


15 July 2007 RESOLVED False Positives (HHH)
-------------------------------------------

1.  Pattern: "pee"
    Rules:   BadURL_WordStarts[i++] = "pee[^nrv]";
             BadURL_WordEnds[i++]   = "pee";
    Reason:  Wed May 9 12:04:18 forums.bicycling.com/groupee_common\
               /jscript/prototype.js
             For now I have a personal rule, but I really worry about a rule
             this short.
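The rule lists edited above (GoodDomains, BadDomains, BadHostParts, BadURL_Parts, BadURL_WordStarts, BadURL_WordEnds) are easier to reason about when run against the URLs the log quotes. The following is an added JavaScript example, not the filter's own code and not from hostsfile.org or securemecca.com. The functions buildRules, hostMatches and classify, the sample list, and the matching semantics are assumptions: the GoodDomains white-list wins over every block rule (item 16 calls it a counteraction), BadDomains entries are host suffixes, the *Parts lists are plain substrings, and a "word" boundary is the start or end of the string or any non-alphanumeric character. It evaluates each URL under the item 19 "From" rules, the "To" rules, and with the white-list removed, so the effect of "[^u]pee" and of the GoodDomains entries is visible.

```javascript
// Added example (not the filter's own code): a small evaluator for the rule
// arrays the changelog edits. Matching semantics below are assumptions.
const WORD = "[A-Za-z0-9]";
const NON_WORD = "[^A-Za-z0-9]";

// Rule tables seeded from entries quoted in the changelog. `overrides`
// replaces one list so the before/after form of item 19 can be compared.
function buildRules(overrides = {}) {
  return Object.assign(
    {
      GoodDomains: ["virustotal.com", "circuitcity.com", "npr.org", "sarc.com"],
      BadDomains: [".lop.com", ".maxserving.com", ".tacoda.net", ".teracent.net"],
      BadHostParts: ["finger"],
      BadURL_Parts: ["tgp", "travesti"],
      BadURL_WordStarts: ["anal[^oy]", "pee[^nrv]", "chest"],
      BadURL_WordEnds: ["pee", "chest"],
    },
    overrides
  );
}

// A host matches a domain entry when it equals it or ends with "." + entry.
// BadDomains entries carry a leading dot in the changelog, GoodDomains do not.
function hostMatches(host, domain) {
  const d = domain.startsWith(".") ? domain.slice(1) : domain;
  return host === d || host.endsWith("." + d);
}

// Classify one URL. Returns {verdict: "allow"|"block", rule} where `rule`
// names the entry that decided, or "default" when nothing matched.
function classify(url, rules) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  // URL rules are tested against "host/path?query", the shape the log quotes.
  const target = (host + u.pathname + u.search).toLowerCase();

  for (const g of rules.GoodDomains)
    if (hostMatches(host, g)) return { verdict: "allow", rule: `GoodDomains ${g}` };
  for (const b of rules.BadDomains)
    if (hostMatches(host, b)) return { verdict: "block", rule: `BadDomains ${b}` };
  for (const p of rules.BadHostParts)
    if (host.includes(p)) return { verdict: "block", rule: `BadHostParts ${p}` };
  for (const p of rules.BadURL_Parts)
    if (target.includes(p)) return { verdict: "block", rule: `BadURL_Parts ${p}` };
  for (const p of rules.BadURL_WordStarts)
    if (new RegExp(`(?:^|${NON_WORD})(?:${p})`).test(target))
      return { verdict: "block", rule: `BadURL_WordStarts ${p}` };
  for (const p of rules.BadURL_WordEnds)
    if (new RegExp(`(?:${p})(?!${WORD})`).test(target))
      return { verdict: "block", rule: `BadURL_WordEnds ${p}` };
  return { verdict: "allow", rule: "default" };
}

const rulesBefore = buildRules();                                          // item 19 "From"
const rulesAfter = buildRules({ BadURL_WordEnds: ["[^u]pee", "chest"] }); // item 19 "To"
const noWhitelist = buildRules({ GoodDomains: [] });                       // what GoodDomains counteracts

// URLs quoted in the changelog, plus two constructed ones (marked).
const SAMPLES = [
  "http://digg.com/userimages/toupee/small.jpg",
  "http://forums.bicycling.com/groupee_common/jscript/prototype.js",
  "http://www.circuitcity.com/IMAGE/app/r/icon_peekcart.gif",
  "http://www.virustotal.com/analisis/example", // path constructed
  "http://c4.maxserving.com/gen.js",
  "http://www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif",
  "http://finger.example.invalid/", // constructed host for BadHostParts
];

for (const url of SAMPLES) {
  const b = classify(url, rulesBefore);
  const a = classify(url, rulesAfter);
  const n = classify(url, noWhitelist);
  console.log(`${url}\n  before: ${b.verdict} (${b.rule})\n  after:  ${a.verdict} (${a.rule})\n  no white-list: ${n.verdict} (${n.rule})`);
}
```

Running it shows why item 19 was changed: "toupee" and "groupee_common" hit the old WordEnds "pee" (the character after "pee" is "/" or "_"), while "[^u]pee" lets both through; "icon_peekcart.gif" is still caught by WordStarts "pee[^nrv]" and only survives because of the circuitcity.com white-list entry, which is the point made in item 20. The "tgp" sample stays blocked under every rule set, matching its place in the unresolved list.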