17 August 2007 Changes (HHH)
----------------------------

 1. Action: "80.77.85"
    Added:
        BadNetworks[i++] = "80.77.85.0, 255.255.255.0"; // PERSONAL PORN
    Reason: See the 080.077.085.txt file in the BadNetworks_001 folder for at
    least the first half of the subnet. We MAY have to cut this back to a
    netmask that is more restrictive since the last bad host is 80.77.85.126.

 2. Action: "freenet-homepage.de"
    Added:
        GoodDomains[i++] = "freenet-homepage.de";
    Reason: I can't find anything wrong, so why not? I have had this as a
    PERSONAL (PRIVUS) RULE for me for quite a while.
    { 2010-01-23 note: The "free" rule has been deprecated and commented out
    now }

 3. Action: "baikal"
    Added:
        BadHostParts[i++] = "baikal";
    Reason: hpHosts added these additional hosts associated with
    coolwebsearch.com - it redirected to meta.7search.com which stops, but if
    on a Windows box with an improperly set up IE browser it makes changes. I
    suspect that they are made even if you are running your IE browser with
    reduced privileges (using a restricted login or DropMyRights or
    equivalent) since it is making changes in the user's folder.
        http://www.siteadvisor.com/sites/baikal-guide.com

 4. Action: ".ivwbox.de"
    From: // PERSONAL RULE
    To:   PLAIN RULE
    Reason: I took one look at all of the extra stuff in the hpHosts file and
    said ENOUGH! Until they begin to police their domain, I am not going to do
    it for them. I also removed all of the *.ivwbox.de hosts in the blocking
    hosts file. You can't keep up with something like this.

 5. Action: "poker"
    Added:
        BadHostParts[i++] = "poker";
    Reason: // PERSONAL RULE
    If they don't want it they can remove it. That is what the "PERSONAL" is
    there for ...

 6. Action: "195.10.6.0, 255.255.255.0" subnet
    Added:
        BadNetworks[i++] = "195.10.6.0, 255.255.255.0";
    Reason: // PERSONAL PORN 004
    It may not be all porn, but it is chock full of REALLY bad sites. You
    aren't getting PORN 003 because it is a "// PRIVUS RULE" rule.
    { 2010-01-23 note: This may exist in only the pornproxy* rules. In
    reality I need to look at all of the IP rules and if any aren't
    applicable any more they need to be removed. Any volunteers? }

 7. Action: "216.65.41.0" rule
    From:
        BadNetworks[i++] = "216.65.41.0, 255.255.255.0"; // PERSONAL OWNBOX.COM
    To:
        BadNetworks[i++] = "216.65.41.185, 255.255.255.254"; // PERSONAL OWNBOX FE
    Reason: After further examination of this, almost all of the hosts other
    than ownbox.com / www.ownbox.com have the IP address 216.65.41.185.
    ownbox.com / www.ownbox.com have IP address 216.65.41.144 and if you ask
    me, stopping that is enough. I did recommend the following rules to them
    and wasn't going to add either but I finally relented on the one I gave
    them. So they get their rule and there go several thousand hosts (3391 in
    their file to be exact). The following host also redirects to ownbox.com
    (it is the only one they had):
        [www.]syamantec.com    216.65.41.182
    The only way I could get both with one rule was:
        BadNetworks[i++] = "216.65.41.176, 255.255.255.240";
    Let THEM put the rule in place. I am not going to. In addition to
    blocking 216.65.41.181 and 216.65.41.185 it also blocks 14 additional
    hosts in the range 176 ... 191.

 8. Action: "kazaa"
    Added:
        BadHostParts[i++] = "kazaa"; // PERSONAL P2P RULE
    Reason: They all have that pattern so why not? It installs ad-ware that
    it doesn't remove in all its gazillion name variations. The PERSONAL lets
    them know they can delete it at their own volition. I can't think of
    anything legitimate that will block but we will see. Looking at all of
    those *kazaa* hosts in hpHosts was what drove this rule. It is probably a
    good estimate that less than 30% of the ones Airelle has are still alive
    and hpHosts doesn't have all of them.
        Airelle: 217
        hpHosts:  27

 9. Action: "pervert"
    From:
        BadURL_Parts[i++] = "pervert";
    To:
        BadURL_Parts[i++] = "perver";
    Reason: This misses "pervers*". Doing a count for what slipped through
    for "pervers" we have:
         90 pervers_Parts.txt
         28 pervers_Starts_and_Ends.txt
        141 pervers_Passed_All_Rules.txt
        --------------------------------
        259 total
    And if I shorten it to just "perver" I get:
        275 perver_Parts.txt
         28 perver_Starts_and_Ends.txt
        142 perver_Passed_All_Rules.txt
        -------------------------------
        445 total
    I found that even though I got a lot more, the Parts rules kick in and we
    only get one more: pervermania.com
    I wonder if they have any "prever"s? Once we have shortened it to "perv"
    we have:
        522 perv_Parts.txt
         12 perv_Starts_and_Ends.txt
         98 perv_Passed_All_Rules.txt
        -----------------------------
        632 total
    I might go for that in a host name but not a URL.

10. Action: "insightfirst.com"
    Added:
        BadDomains[i++] = ".insightfirst.com";
    Reason: New 247realmedia.com affiliate, not DNS-WCD, no CNAME to
    *.insightfirst.com that I can find.

11. Action: "205.177.28.70" & "205.177.28.80"
    Added:
        BadNetworks[i++] = "205.177.28.70, 255.255.255.254"; // ninoa + p0rt2
        BadNetworks[i++] = "205.177.28.80, 255.255.255.254"; // ninoa + p0rt2
    Reason: It injects a Trojan and does DNS Wildcard and exploits it. It
    isn't so much that I really am blocking it since I have never seen it in
    my logs. This is a statement. I HAVE HAD IT! DAMN THE TORPEDOES! FULL
    SPEED AHEAD!

12. Action: 159.54.239.0 / 255.255.255.128
    Added:
        BadNetworks[i++] = "159.54.239.0, 255.255.255.128"; // PERSONAL gcirm
    Reason: Evenly spread from 1 ... 127 in the first half of this subnet.
    Every time I add "PERSONAL" it means it is "OPTIONAL" for them to have
    it. Since the PERSONAL rules are theirs, they can do with them as they
    please. Eventually, these "PERSONAL" are going to change in the French
    file BUT they should all upper case them so I can pull them out as
    necessary. I changed them to "// RÈGLE PERSONNELLE" but that is probably
    wrong.

13. Action: "tracker"
    Added:
        BadHostParts[i++] = "tracker";
    This rule may be too severe. But since Dr. Bob and I are the only people
    using the PAC filter it doesn't matter any more. If I find it doesn't
    work for me I will pull it. If I don't have any problems with it for
    quite a while I will pull the following rules since this one rule does
    the sum total of all of them put together and more:
        BadDomains[i++] = ".opentracker.net";
        BadDomains[i++] = ".realtracker.com";
        BadDomains[i++] = ".sitetracker.com";
        BadHostParts[i++] = "sextracker";
    Reason:
        [hhhobbit@sirius rlwpx.free.fr_WPFF]$ grep -c tracker hosts.*
        hosts.blc:0
        hosts.pub:95
        hosts.rsk:100
        hosts.sex:211
        hosts.trc:426
    - reason? 426 hosts? Not only did it block all of these trackers but some
    are now DNS WildCard Domains (DNS-WCDs) and I don't care how they warp
    themselves - they stick "tracker" in there, they get blocked!

14. Action: "cul"
    Added:
        BadURL_Parts[i++] = "[^eilns]cul[^it]";
    Reason: It means "ass" in English. For now it is only a PERSONAL RULE and
    only in the French file. I NEED ANYBODY to test it so we make sure it
    doesn't clobber anybody. I am hanging out there with almost two dozen
    experimental rules and I can't handle another one!

15. Action: NOTHING
    Added:
    English:
        //
        // PAC (Proxy Auto Configuration) Filter
        // Available at:
        //
        // http://www.securemecca.com/pac.html
        // http://www.hostsfile.org/pac.html
        //
    Français :
        //
        // PAC (Proxy Auto Configuration) Filtre
        // Disponible à :
        //
        // http://www.securemecca.com/pac.html
        // http://www.hostsfile.org/pac.html
        //
    Reason: LET THEM KNOW WHERE WE ARE AT! I will let Airelle correct my
    "little brown dog"s.

17 August 2007 UNresolved False Positives (HHH)
-----------------------------------------------

 1. Pattern: "tgp"
    Rules:
        BadURL_Parts[i++] = "tgp";
    Reason:
        www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif
        www.vmware.com/files/images/promos/ws_promo_tgp.gif
        www.symantec.com/content/en/us/enterprise/images/promo/ent-vista_sec_mktgpromo.jpg
    ANY IDEAS WHAT TO DO ABOUT IT?

 2. Pattern: "chest"
    Rules:
        BadURL_WordStarts[i++] = "chest";
        BadURL_WordEnds[i++] = "chest";
    Reason:
        Wed May 16 10:11:41: images.bestbuy.com/BestBuy_US/en_US/images/global/features/gigrad_blueshirtchest_2007.jpg
    THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com" RULE. THE
    PROBLEM IS: hope-chest, drawer-chest, chest-of-jewels, treasure-chest,
    etc. Further, even the efficacy of the rule itself poses no reason to
    drop the rules from URL to HOST:
         44 chest_Parts.txt
          5 chest_Starts_and_Ends.txt
         33 chest_Passed_All_Rules.txt
         82 total

 3. Pattern: "bbw"
    Rules:
        BadURL_Parts[i++] = "bbw";
    Reason:
        Sat Jun 2 20:49:05: topics.nytimes.com/adx/bin/clientside/1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN

 4. Pattern: "rape"
    Rules:
        BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
        BadURL_WordEnds[i++] = "rape";
    Reason:
        Fri Jun 8 05:59:23: creativecommons.org/apps/scrape
    I found the following words that end with "rape" that have 1, 2, or 3
    letters in front of that:
        crape drape grape scrape serape
    That gives the [^cdeg] in front of the rule at a maximum and a [^c] at a
    minimum. But remember that grape can be gangrape.
    SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED

17 August 2007 RESOLVED False Positives (HHH)
---------------------------------------------
NONE !
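As an added illustration (not the securemecca.com PAC filter's own code), the miniature matcher below reproduces the rule kinds this changelog edits, so the netmask arithmetic of change 7 and the URL false positives in items 1 and 4 of the unresolved list can be checked offline. How the real filter defines a "word end" and strips the URL scheme is not stated on the page, so both are assumptions here (word = run of letters).

```javascript
// Added illustration, not the securemecca.com PAC filter itself: a miniature
// matcher for the rule kinds edited in this changelog. Rule strings are the
// ones quoted above; the "word end" definition (word = run of letters) and
// the scheme stripping are assumptions, since the page does not give them.
const BadNetworks = ["216.65.41.176, 255.255.255.240"]; // change 7, the /28
const BadHostParts = ["tracker", "kazaa"];               // changes 13 and 8
const BadURL_Parts = ["tgp", "[^eilns]cul[^it]"];        // FP 1, change 14
const BadURL_WordEnds = ["rape"];                        // FP 4 as it stands
// Tightened WordEnds rule discussed under FP 4 ([^cdeg] in front).
const TightenedWordEnds = ["[^cdeg]rape"];

function ipToInt(ip) {            // dotted quad -> unsigned 32-bit integer
  return ip.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0;
}
function intToIp(n) {
  return [24, 16, 8, 0].map((s) => (n >>> s) & 255).join(".");
}

// The test a PAC isInNet() makes: (addr & mask) == (net & mask).
function inBadNetwork(ip) {
  return BadNetworks.some((rule) => {
    const [net, mask] = rule.split(",").map((s) => ipToInt(s.trim()));
    return ((ipToInt(ip) & mask) >>> 0) === ((net & mask) >>> 0);
  });
}

// Every address one "net, mask" rule takes in; for the /28 in change 7 that
// is 176 ... 191, i.e. 14 hosts besides .181 and .185.
function addressesCovered(rule) {
  const [net, mask] = rule.split(",").map((s) => ipToInt(s.trim()));
  const base = (net & mask) >>> 0;
  return Array.from({ length: 2 ** 32 - mask }, (_, k) => intToIp(base + k));
}

// BadHostParts are plain substrings of the host name.
function hostBlocked(host) {
  return BadHostParts.some((part) => host.indexOf(part) !== -1);
}

// BadURL_Parts are regex fragments tried anywhere in the URL; a WordEnds
// pattern must be followed by a non-letter or the end of the URL (assumed).
function urlBlocked(url, wordEnds = BadURL_WordEnds) {
  const path = url.replace(/^[a-z]+:\/\//i, "");
  return BadURL_Parts.some((p) => new RegExp(p, "i").test(path)) ||
         wordEnds.some((w) => new RegExp(w + "(?![a-z])", "i").test(path));
}
```

Running urlBlocked over the creativecommons.org log line with TightenedWordEnds shows the trade-off the author notes: "scrape" is spared, but so is "gangrape".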