24 August 2007 Changes (HHH)
----------------------------

1. Action: "tunnel" & "prox"

   Added:
       BadHostParts[i++] = "prox";
       BadHostParts[i++] = "tunnel";

   Reason:
       THIS WAS A HUGE HOLE IN THIS FILTER! I saw the KingOfThePac filter
       as a filter for people that wanted to protect their machines and
       themselves. If they have children these rules will mask out just
       some of these sites. It took a bit of searching but the people at
       proxy.org kindly provided a list that was better than anything else
       I could find. The page that gets you the most info is:

           http://proxy.org/proxies_sorted2.shtml

       They claim to update it every ten minutes. I have no idea why they
       so kindly provided the IP addresses, but since everybody else has
       the info too, it is nonsense to guard it. I will be looking at the
       IP addresses and names they gave us and construct some more rules.
       The ones the rules won't cover go into the hosts file that the rules
       won't block.

       Oh yes, the kid in that forum where the parent was complaining kept
       turning off the ZoneAlarm firewall. Talk about stupid! I wonder how
       they found out about our web sites? There are still less than six
       people using this filter though.

2. Action: BadNetworks rules for bypass proxies

   Added:
       BadNetworks[i++] = "66.90.103.37, 255.255.255.254";    // X (171)
       BadNetworks[i++] = "75.126.146.18, 255.255.255.254";   // X (151)
       BadNetworks[i++] = "66.90.103.122, 255.255.255.254";   // X (148)
       BadNetworks[i++] = "85.234.133.216, 255.255.255.254";  // X (119)
       BadNetworks[i++] = "208.53.131.176, 255.255.255.254";  // X (107)
       BadNetworks[i++] = "64.22.116.138, 255.255.255.254";   // X (100)
       BadNetworks[i++] = "216.163.40.100, 255.255.255.254";  // X (098)
       BadNetworks[i++] = "66.79.168.150, 255.255.255.254";   // X (095)
       BadNetworks[i++] = "85.234.150.253, 255.255.255.254";  // X (089)
       BadNetworks[i++] = "74.86.56.176, 255.255.255.254";    // X (089)
       BadNetworks[i++] = "74.86.47.188, 255.255.255.254";    // X (085)
       BadNetworks[i++] = "91.186.11.70, 255.255.255.254";    // X (082)
       BadNetworks[i++] = "83.170.97.191, 255.255.255.254";   // X (073)
       BadNetworks[i++] = "66.90.118.45, 255.255.255.254";    // X (073)
       BadNetworks[i++] = "66.232.113.128, 255.255.255.254";  // X (069)
       BadNetworks[i++] = "75.126.156.120, 255.255.255.254";  // X (062)
       BadNetworks[i++] = "74.86.13.240, 255.255.255.254";    // X (054)
       BadNetworks[i++] = "207.226.174.213, 255.255.255.254"; // X (049)
       BadNetworks[i++] = "67.159.45.92, 255.255.255.254";    // X (049)
       BadNetworks[i++] = "64.151.124.5, 255.255.255.254";    // X (047)
       BadNetworks[i++] = "74.208.56.4, 255.255.255.254";     // X (042)
       BadNetworks[i++] = "208.53.138.150, 255.255.255.254";  // X (040)
       BadNetworks[i++] = "198.145.112.200, 255.255.255.254"; // X (038)
       BadNetworks[i++] = "69.93.244.114, 255.255.255.254";   // X (037)
       BadNetworks[i++] = "69.59.28.133, 255.255.255.254";    // X (037)
       BadNetworks[i++] = "78.129.131.27, 255.255.255.254";   // X (035)
       BadNetworks[i++] = "66.90.103.82, 255.255.255.254";    // X (034)
       BadNetworks[i++] = "69.10.36.2, 255.255.255.254";      // X (033)
       BadNetworks[i++] = "198.145.45.175, 255.255.255.254";  // X (032)
       BadNetworks[i++] = "69.10.36.3, 255.255.255.254";      // X (030)
       BadNetworks[i++] = "208.109.168.157, 255.255.255.254"; // X (029)
       BadNetworks[i++] = "72.232.181.170, 255.255.255.254";  // X (029)

   Reason:
       See the CountAndIPs.txt and IPsAndCount.txt files. If any of the
       others starts to exceed 30 I will add them. This left 1464 more
       hosts which expands to double that or 2928 hosts. We will reduce
       the rest with rules (see the previous section) and chuck the rest
       into the hosts file.

       If you ask me it is a lost cause. They are multiplying at the same
       rate as the porn sites and now the script kiddies have kicked in
       with cookie cutter instant proxy sites. But the ones with more than
       a handful of host names at the same IP address are sponsored by the
       porn industry that fills my email box full of crap!

3. Action: BadNetworks rule for DomainsParking.com

   Added:
       BadNetworks[i++] = "72.9.98.66, 255.255.255.254"; // DP Park

   Reason:
       The behavior of all *baikal* hosts and all other hosts that were
       parked with them was so bad - they would cycle over and over going
       to site after site, etcetera, that blocking them altogether is
       expedient. More than just the *baikal* hosts are parked with them,
       like top-new-affiliate-programs.com and top-10-shop.com. 104 of the
       257 hosts that Mike Burgess removed between 2007-07-31 to 2007_08_18
       all map to this IP address. They probably don't do anything bad but
       they irritate me tremendously.

4. Action: ".adtech.fr";

   Added:
       BadDomains[i++] = ".adtech.fr"; // AD

   Reason:
       AdServer block, Airelle's files (our benchmark)
           hosts.pub:131
           hosts.rsk:65
           hosts.trc:2
           hosts.web:131

5. Action: ".liveadvert.com"

   Added:
       BadDomains[i++] = ".liveadvert.com"; // AD

   Reason:
       AdServer block: hpHosts & Airelle's files
           hosts.pub:683
           hosts.rsk:1
           hosts.web:683

6. Action: "gcirm.*" hosts

   Added:
       BadHostWordStarts[i++] = "gcirm"; // AD

   Reason:
       Tons of new RealMedia servers.

24 August 2007 UNresolved False Positives (HHH)
-----------------------------------------------

1. Pattern: "tgp"

   Rules:
       BadURL_Parts[i++] = "tgp";

   Reason:
       www.tomshardware.com/Design/graphics/\
           tomshardware/logo_tgpfoot.gif
       www.vmware.com/files/images/promos/\
           ws_promo_tgp.gif
       www.symantec.com/content/en/us/enterprise/\
           images/promo/ent-vista_sec_mktgpromo.jpg

       ANY IDEAS WHAT TO DO ABOUT IT?

2. Pattern: "chest"

   Rules:
       BadURL_WordStarts[i++] = "chest";
       BadURL_WordEnds[i++] = "chest";

   Reason:
       Wed May 16 10:11:41:
       images.bestbuy.com/BestBuy_US/en_US/images/global\
           /features/gigrad_blueshirtchest_2007.jpg

       THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com" RULE.
       THE PROBLEM IS: hope-chest drawer-chest, chest-of-jewels,
       treasure-chest, etc.

       Further, even the efficacy of the rule itself poses no reason to
       drop the rules from URL to HOST:

           44 chest_Parts.txt
            5 chest_Starts_and_Ends.txt
           33 chest_Passed_All_Rules.txt
           82 total

3. Pattern: "bbw"

   Rules:
       BadURL_Parts[i++] = "bbw";

   Reason:
       Sat Jun 2 20:49:05:
       topics.nytimes.com/adx/bin/clientside\
           /1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN

4. Pattern: "rape"

   Rules:
       BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
       BadURL_WordEnds[i++] = "rape";

   Reason:
       Fri Jun 8 05:59:23:
       creativecommons.org/apps/scrape

       I found the following words that end with "rape" that have 1, 2, or
       3 letters in front of that:

           crape drape grape scrape serape

       That gives the [^cdeg] in front of the rule at a maximum and a [^c]
       at a minimum. But remember that grape can be gangrape.

       SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED

24 August 2007 RESOLVED False Positives (HHH)
---------------------------------------------

NO TIME TO WORK ON THEM! And since I didn't notice them at the time other
than #1 and #4, I am not going to worry about them. I don't have the time
any more. Only me and Airelle are working on it anyway. So we are just
going to do what makes us happy. I am no longer worrying about whether or
not anybody is going to use this - they won't.
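
Added example (not part of the original changelog or the filter's own code): a regression check, in the JavaScript that PAC files are written in, that runs the rules from the unresolved false-positive list over the known-good URLs quoted there and compares them with a candidate rule set. The matching semantics assumed for BadURL_Parts, BadURL_WordStarts and BadURL_WordEnds, the helper names, and the narrowed "tgp" rules are assumptions made for illustration; the "[^cdeg]" guard is the one proposed in item 4.

```javascript
// Assumptions (not from the filter's source): matching is case-insensitive
// and a "word" is a run of letters/digits, so "_", "." and "/" end a word.
const SEP = "[^a-z0-9]";
const part = (t) => new RegExp(t);
const start = (t) => new RegExp(`(^|${SEP})${t}`);
const end = (t, before = "") => new RegExp(`${before}${t}(${SEP}|$)`);
// The rules listed under "UNresolved False Positives".
const BASELINE = {
  'Parts "tgp"': part("tgp"),
  'Parts "bbw"': part("bbw"),
  'WordStarts "chest"': start("chest"),
  'WordEnds "chest"': end("chest"),
  'WordStarts "rape"': start("rape"),
  'WordEnds "rape"': end("rape"),
};
// Candidate: "[^cdeg] in front" for WordEnds "rape" (from the changelog), plus
// "tgp" narrowed from Parts to word start/end (an illustration added here).
const { 'Parts "tgp"': _dropped, ...REST } = BASELINE;
const CANDIDATE = { ...REST,
  'WordStarts "tgp"': start("tgp"),
  'WordEnds "tgp"': end("tgp"),
  'WordEnds "rape"': end("rape", "(^|[^cdeg])"),
};
// Known-good URLs quoted in the changelog (line continuations joined).
const KNOWN_GOOD = [
  "www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif",
  "www.vmware.com/files/images/promos/ws_promo_tgp.gif",
  "www.symantec.com/content/en/us/enterprise/images/promo/ent-vista_sec_mktgpromo.jpg",
  "images.bestbuy.com/BestBuy_US/en_US/images/global/features/gigrad_blueshirtchest_2007.jpg",
  "topics.nytimes.com/adx/bin/clientside/1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN",
  "creativecommons.org/apps/scrape",
];

// Maps each URL that would be blocked to the names of the rules that hit it.
function falsePositives(rules, urls) {
  const out = {};
  for (const url of urls) {
    const hits = Object.keys(rules).filter((n) => rules[n].test(url.toLowerCase()));
    if (hits.length) out[url] = hits;
  }
  return out;
}

// Strings the old rules blocked that the new rules let through.
function lostCoverage(before, after, samples) {
  const hit = (rules, s) => Object.values(rules).some((re) => re.test(s.toLowerCase()));
  return samples.filter((s) => hit(before, s) && !hit(after, s));
}
// "example.test/gangrape" is a constructed sample for the caveat in item 4.
console.log(falsePositives(CANDIDATE, KNOWN_GOOD),
  lostCoverage(BASELINE, CANDIDATE, ["example.test/gangrape"]));
```

Under these assumptions the candidate clears only the symantec.com and creativecommons.org URLs; word anchoring does not rescue the other "tgp" hits, and "chest" and "bbw" are unchanged. The "[^cdeg]" guard also stops matching the "gangrape" case that item 4 warns about.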