29 July 2007 Changes (HHH)
--------------------------

 1. Action:  "justcounter.com"
    Added:   BadDomains[i++] = ".justcounter.com";
    Reason:  http://www.siteadvisor.com/sites/justcounter.com // INFO GATHER RULE

 2. Action:  "live"
    From:    BadHostWordStarts[i++] = "live";
             BadHostWordEnds[i++]   = "live";
    To:      BadHostWordStarts[i++] = "live"; // PERSONAL RULE
             BadHostWordEnds[i++]   = "live"; // PERSONAL RULE
    Reason:  Yes, it allows a lot to slip through, but hosts like
             http://www.citychurchlive.org/ can't make it past and there are
             LOTS of them. It is better that people comment the rule out
             rather than disable or not use the PAC filter.

 3. Action:  "openclick.com"
    Added:   BadDomains[i++] = ".openclick.com";
    Reason:  only cb.openclick.com? Let us see if there are more // INFO GATHER RULE

 4. Action:  "superstats.com"
    Added:   BadDomains[i++] = ".superstats.com"; // INFO GATHER RULE
    Reason:  I only have a few stats.superstats.com in my logs and we only
             have the code.superstats.com and stats.superstats.com. But the
             hpHosts file has a bazillion extra *.superstats.com hosts. But
             McAfee gives them a green light:
             http://www.siteadvisor.com/sites/superstats.com

 5. Action:  "buzzlogic.com"
    Removed: BadDomains[i++] = ".buzzlogic.com";
    Reason:  // INFO GATHER RULE (STOPPED NOTHING)

 6. Action:  "focalex.com"
    Removed: BadDomains[i++] = ".focalex.com";
    Reason:  // INFO GATHER RULE DEAD?

 7. Action:  OOOPS!
    From:    BadDomains[i++] = ".insightexpress.com.net"; // INFO GATHER RULE
    To:      BadDomains[i++] = ".insightexpress.com";     // INFO GATHER RULE
    Reason:  NO SUCH ANIMAL

 8. Action:  "pointroll.com"
    Removed: BadDomains[i++] = ".pointroll.com";
    Reason:  // INFO GATHER RULE (STOPPED NOTHING)
             I have got ONLY ads.pointroll.com

 9. Action:  "tacoda.net"
    Removed: BadDomains[i++] = ".tacoda.net";
    Reason:  // INFO GATHER RULE (STOPPED NOTHING)
             The only thing I have ever got are these two:
             an.tacoda.net
             anad.tacoda.net

10. Action:  "ultsearch.com"
    Removed: BadDomains[i++] = ".ultsearch.com";
    Reason:  // INFO GATHER RULE (STOPPED NOTHING)
             The only thing I have ever got are these two:
             images.ultsearch.com
             imagesb.ultsearch.com

11. Action:  "xclicks.net"
    Removed: BadDomains[i++] = ".xclicks.net";
    Reason:  // INFO GATHER RULE (STOPPED NOTHING)
             Only www.xclicks.net and none since Aug 2006

12. Action:  ".gfx.pichunter.com"
    Removed: BadDomains[i++] = ".gfx.pichunter.com";
    Reason:  NONE CAUGHT

13. Action:  "stupidcash.com"
    Removed: BadDomains[i++] = ".stupidcash.com";
    Reason:  They are not parked at Internap Network Services.

14. Action:  "zoo"
    Added:   BadURL_Parts[i++] = "zoosex";
             BadHostWordStarts[i++] = "zoo"; // PERSONAL RULE
    Reason:  These hosts are some that have caused the WORST problems for me.
             If you look at the zoo_Passed_All_Rules.txt file, you will
             understand WHY but for now the second rule will be ONLY for me.
             It MAY have just too many false positives.
                 BadHostWordStarts[i++] = "zoo"
             But things like these:
                 http://www.bronxzoo.com/
                 http://www.hoglezoo.org/animals/
                 http://www.sandiegozoo.org/
             Make this rule an utter impossibility:
                 BadHostWordEnds[i++] = "zoo";

15. Action:  "bang"
    Added:   BadURL_Parts[i++] = "backseat";        ( 28)
             BadURL_Parts[i++] = "bang-bus";        ( 25)
             BadURL_Parts[i++] = "bangbus";         ( 38)
             BadURL_Parts[i++] = "bange";           ( 56)
             BadURL_Parts[i++] = "banging";         (  7)
             BadHostWordStarts[i++] = "bang";       (116)
             BadHostWordEnds[i++] = "bang";         ( 62) // PERSONAL RULE
    Reason:  These hosts are NOTORIOUS for infecting Windows boxes. I had put
             this off until now because I didn't know how to handle it and
             actually forgot about it. Here are the counts with the Porn
             hosts that we have:
                  835 bang_Parts.txt
                   49 bang_Starts_and_Ends.txt
                  352 bang_Passed_All_Rules.txt
                 ------------------------------
                 1236 total (whittled down to 17 left with rules)
             Now we MAY have to alter these rules, for example, "bange" is
             short for both "banger" and "banged" so we may need to expand
             that one rule to two or put an OR wildcard in. I can think of
             Bangor Maine, and several other things so we may need to twiddle
             the rules but we need SOMETHING NOW! I will have to look at the
             logs to see what shows up but realize that this is NOT only for
             PORN! These people are frequently caught BANGING bad things into
             place onto people's machines and do it with THESE EXACT WORDS!

16. Action:  "ivwbox.de"
    From:    BadDomains[i++] = ".ivwbox.de"; // INFO GATHER
    To:      BadDomains[i++] = ".ivwbox.de";
    Reason:  I have had only ONE of these and that is toi.ivwbox.de. McAfee
             gives the domain a green rating but I removed ALL of these from
             the hosts file.

17. Action:  BadNetworks rules
    Added:   BadNetworks[i++] = "66.220.17.0, 255.255.255.0";  // PERSONAL LOP
             BadNetworks[i++] = "69.31.128.0, 255.255.255.0";  // PERSONAL DISNEY PORN
             BadNetworks[i++] = "72.232.116.0, 255.255.255.0"; // PERSONAL PORN
             BadNetworks[i++] = "216.65.41.0, 255.255.255.0";  // PERSONAL OWNBOX.COM
    Reason:  Bad subnets. See each of the indicated subnet files. They are
             nothing more than the grep'ping out of the networks from my
             IP2Host.txt file.

29 July 2007 UNresolved False Positives (HHH)
---------------------------------------------

 1. Pattern: "tgp"
    Rules:   BadURL_Parts[i++] = "tgp";
    Reason:  www.tomshardware.com/Design/graphics/\
                 tomshardware/logo_tgpfoot.gif
             www.vmware.com/files/images/promos/\
                 ws_promo_tgp.gif
             www.symantec.com/content/en/us/enterprise/\
                 images/promo/ent-vista_sec_mktgpromo.jpg
             ANY IDEAS WHAT TO DO ABOUT IT?

 2. Pattern: "chest"
    Rules:   BadURL_WordStarts[i++] = "chest";
             BadURL_WordEnds[i++]   = "chest";
    Reason:  Wed May 16 10:11:41: images.bestbuy.com/BestBuy_US/en_US/images/global\
                 /features/gigrad_blueshirtchest_2007.jpg
             THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com" RULE.
             THE PROBLEM IS: hope-chest, drawer-chest, chest-of-jewels,
             treasure-chest, etc.
             Further, even the efficacy of the rule itself poses no reason to
             drop the rules from URL to HOST:
                  44 chest_Parts.txt
                   5 chest_Starts_and_Ends.txt
                  33 chest_Passed_All_Rules.txt
                  82 total

 3. Pattern: "bbw"
    Rules:   BadURL_Parts[i++] = "bbw";
    Reason:  Sat Jun 2 20:49:05: topics.nytimes.com/adx/bin/clientside\
                 /1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN

 4. Pattern: "rape"
    Rules:   BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
             BadURL_WordEnds[i++]   = "rape";
    Reason:  Fri Jun 8 05:59:23: creativecommons.org/apps/scrape
             I found the following words that end with "rape" that have 1, 2,
             or 3 letters in front of that:
                 crape
                 drape
                 grape
                 scrape
                 serape
             That gives the [^cdeg] in front of the rule at a maximum and a
             [^c] at a minimum. but remember that grape can be gangrape.
             SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED

29 July 2007 RESOLVED False Positives (HHH)
-------------------------------------------

 1. Pattern: "pee"
    Rules:   BadURL_WordStarts[i++] = "pee[^nrv]";
             BadURL_WordEnds[i++]   = "pee";
    Reason:  Wed May 9 12:04:18 forums.bicycling.com/groupee_common\
                 /jscript/prototype.js
             For now I have a personal rule but I really worry about a rule
             this short. I THINK I RESOLVED THIS IN JUNE! Oh well, you now
             have it here as well.
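As an added example (not code from the PAC filter or its author), here is a small evaluator for the rule families this changelog uses, run over the URLs it cites as blocks and as false positives, including the "pee[^nrv]" refinement and the proposed GoodDomains ".bestbuy.com" fix. The matching semantics (a host "word" is one dot-separated label, a URL "word" is a run of [a-z0-9]), the helper names hostOf, inDomain, labelHit and classify, and the constructed host example.test are this example's assumptions.

```javascript
// Added example (not the PAC filter's own code): a minimal evaluator for the
// rule families this changelog uses, run over the URLs it cites. Assumptions:
// a host "word" is one dot-separated label; a URL "word" is a run of [a-z0-9];
// BadURL_* patterns may carry regex fragments such as "pee[^nrv]".
var GoodDomains       = [];
var BadDomains        = [".justcounter.com", ".superstats.com"];
var BadHostWordStarts = ["zoo"];
var BadHostWordEnds   = ["live"];
var BadURL_Parts      = ["tgp"];
var BadURL_WordStarts = ["chest", "pee[^nrv]"];
var BadURL_WordEnds   = ["chest", "pee"];
function hostOf(url) {                       // scheme://host[:port]/... -> host
  var m = /^[a-z][a-z0-9+.-]*:\/\/([^\/:?#]+)/i.exec(url);
  return (m ? m[1] : url.split(/[\/:?#]/)[0]).toLowerCase();
}
function inDomain(host, dom) {               // ".x.com" covers x.com and *.x.com
  var suf = dom.charAt(0) === "." ? dom : "." + dom;
  return host === suf.slice(1) || host.slice(-suf.length) === suf;
}
function labelHit(labels, word, atEnd) {     // any label starting/ending with word
  return labels.some(function (l) {
    return atEnd ? l.slice(-word.length) === word : l.indexOf(word) === 0;
  });
}
// Returns "PASS", "PASS (GoodDomains x)" or "BLOCK (<rule family> <pattern>)".
function classify(url) {
  var host = hostOf(url), labels = host.split("."), lower = url.toLowerCase(), i;
  for (i = 0; i < GoodDomains.length; i++)
    if (inDomain(host, GoodDomains[i])) return "PASS (GoodDomains " + GoodDomains[i] + ")";
  for (i = 0; i < BadDomains.length; i++)
    if (inDomain(host, BadDomains[i])) return "BLOCK (BadDomains " + BadDomains[i] + ")";
  for (i = 0; i < BadHostWordStarts.length; i++)
    if (labelHit(labels, BadHostWordStarts[i], false)) return "BLOCK (BadHostWordStarts " + BadHostWordStarts[i] + ")";
  for (i = 0; i < BadHostWordEnds.length; i++)
    if (labelHit(labels, BadHostWordEnds[i], true)) return "BLOCK (BadHostWordEnds " + BadHostWordEnds[i] + ")";
  for (i = 0; i < BadURL_Parts.length; i++)
    if (lower.indexOf(BadURL_Parts[i]) >= 0) return "BLOCK (BadURL_Parts " + BadURL_Parts[i] + ")";
  for (i = 0; i < BadURL_WordStarts.length; i++)
    if (new RegExp("(^|[^a-z0-9])" + BadURL_WordStarts[i]).test(lower)) return "BLOCK (BadURL_WordStarts " + BadURL_WordStarts[i] + ")";
  for (i = 0; i < BadURL_WordEnds.length; i++)
    if (new RegExp(BadURL_WordEnds[i] + "([^a-z0-9]|$)").test(lower)) return "BLOCK (BadURL_WordEnds " + BadURL_WordEnds[i] + ")";
  return "PASS";
}
```

Running classify over the cited URLs shows why the host-word "zoo" rule was kept as a start-only rule (bronxzoo.com passes) and how a GoodDomains entry short-circuits the "chest" false positive.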