31 August 2007 Changes (HHH)
----------------------------

1. Action: "surf" & "surfcontrol.com"
   Added:
       GoodDomains[i++] = "surfcontrol.com";
       BadHostParts[i++] = "surf"; // P
   Reason:
       $ grep -c surf search ---> 906,
       Still had 251 after applying the IP rules to the data. We have
       no choice. There are lots of sites but I can guarantee that for
       every one site somebody's kid would request white-listed there
       are probably dozens they will request that are nothing more
       than these proxies. I added one legitimate one already.
       surfcontrol.com. If you tell me others I will add them if I
       think there is general interest or security sites.

2. Action: "bypass", "cloak", "myspace", "privacy"
   Added:
       BadHostParts[i++] = "bypass"; // P
       BadHostParts[i++] = "cloak"; // P ( will need modifications as we go )
       BadHostParts[i++] = "myspace"; // P
       BadHostParts[i++] = "privacy"; // P
   Reason:
       block proxies used to defeat filters. see the tunnels folders.

3. Action: "myspace.com"
   Added:
       GoodDomains[i++] = "myspace.com";
   Reason:
       Allow them in to myspace.com but we will have to block a few
       more "*myspace*" in the hosts file

4. Action: "privacydigest.com"
   Added:
       GoodDomains[i++] = "privacydigest.com";
   Reason:
       Counter "privacy" rule. If you remove the "privacy" rule remove
       this one.

5. Action: "216.65.41.188"
   Added:
       BadNetworks[i++] = "216.65.41.188, 255.255.255.254"; // OWNBOX FE
   Reason:
       ownbox.com front end host.
       [www.]disneyworldresorts.com
       This is the ONLY one at this address and I will add the host as
       an add.WinRisk but this rule exists ONLY to block it, but why
       are they putting only one host at this IP address? I thought of
       a wider snare but this is the best I can do.

6. Action: "getpast", "hidden", "sneak", "unblock", "unlock"
   Added:
       BadHostParts[i++] = "getpast"; // P
       BadHostParts[i++] = "hidden"; // P
       BadHostParts[i++] = "sneak"; // P
       BadHostParts[i++] = "unblock"; // P
       BadHostParts[i++] = "unlock"; // P
   Reason:
       block proxies used to defeat filters. see the tunnels folders.

7. Action: start "hide" and end "hide"
   Added:
       BadHostWordStarts[i++] = "hide"; // P
       BadHostWordEnds[i++] = "hide"; // P
   Reason:
       Eventually, the embedded "hide" pattern would nail us with
       false positives. Therefore these are now added and
       [www.]historyhider.com and [www.]mshideme.info which are the
       only two that were not covered by the broader rule but not
       these rules have been added to the add.Porn file. That is good
       enough for me.

8. Action: "browse", "filter"
   Added:
       BadHostParts[i++] = "browse"; // P
       BadHostParts[i++] = "filter"; // P
   Reason:
       Each of these sets of patterns to block the proxies is being
       put in several days apart. They come by me just looking at the
       host names and coming up with a new pattern. This will continue
       until I am satisfied that I got as many as possible with rules.
       IT IS SILLY TO DO IT! 99% of the people using these filters
       are using them on Windows and it is trivial to just turn the
       filter off. That is why all of the effort on this is strictly
       to be complete. They of course can tack on the add.Proxy and
       that will block almost all of the proxies but now the porn
       sites are allowed through. On Linux it is a different matter.
       Anybody for Airelle's hosts.sex file?

31 August 2007 UNresolved False Positives (HHH)
-----------------------------------------------

1. Pattern: "tgp"
   Rules:
       BadURL_Parts[i++] = "tgp";
   Reason:
       www.tomshardware.com/Design/graphics/\
       tomshardware/logo_tgpfoot.gif
       www.vmware.com/files/images/promos/\
       ws_promo_tgp.gif
       www.symantec.com/content/en/us/enterprise/\
       images/promo/ent-vista_sec_mktgpromo.jpg
       ANY IDEAS WHAT TO DO ABOUT IT?

2. Pattern: "chest"
   Rules:
       BadURL_WordStarts[i++] = "chest";
       BadURL_WordEnds[i++] = "chest";
   Reason:
       Wed May 16 10:11:41:
       images.bestbuy.com/BestBuy_US/en_US/images/global\
       /features/gigrad_blueshirtchest_2007.jpg
       THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com"
       RULE. THE PROBLEM IS: hope-chest drawer-chest, chest-of-jewels,
       treasure-chest, etc. Further, even the efficacy of the rule
       itself poses no reason to drop the rules from URL to HOST:
           44 chest_Parts.txt
            5 chest_Starts_and_Ends.txt
           33 chest_Passed_All_Rules.txt
           82 total

3. Pattern: "bbw"
   Rules:
       BadURL_Parts[i++] = "bbw";
   Reason:
       Sat Jun 2 20:49:05:
       topics.nytimes.com/adx/bin/clientside\
       /1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN

4. Pattern: "rape"
   Rules:
       BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
       BadURL_WordEnds[i++] = "rape";
   Reason:
       Fri Jun 8 05:59:23:
       creativecommons.org/apps/scrape
       I found the following words that end with "rape" that have
       1, 2, or 3 letters in front of that:
           crape drape grape scrape serape
       That gives the [^cdeg] in front of the rule at a maximum and a
       [^c] at a minimum. but remember that grape can be gangrape.

SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED

31 August 2007 RESOLVED False Positives (HHH)
---------------------------------------------

NONE
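
The following is an added example, not code from the PAC filter itself. It replays the hosts and URLs quoted in this changelog against the rule lists to show which rule produces each false positive. The matching semantics (case-insensitive, a "word" being a run of letters and digits, GoodDomains overriding every Bad* rule) and the helper names are assumptions; BadNetworks is left out because it needs DNS resolution.

```javascript
// Added example: rule semantics below are assumptions, not the project's PAC code.
const GoodDomains = ["surfcontrol.com", "myspace.com", "privacydigest.com"];
const BadHostParts = ["surf", "bypass", "cloak", "myspace", "privacy", "getpast",
  "hidden", "sneak", "unblock", "unlock", "browse", "filter"];
const BadHostWordStarts = ["hide"], BadHostWordEnds = ["hide"];
const BadURL_Parts = ["tgp", "bbw"];
const BadURL_WordStarts = ["chest", "rape"], BadURL_WordEnds = ["chest", "rape"];

// Assumption: matching is case-insensitive and a "word" is a run of letters/digits.
const words = (s) => s.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
const part = (s, list) => list.find((p) => s.toLowerCase().includes(p));
const start = (s, list) => list.find((p) => words(s).some((w) => w.startsWith(p)));
const end = (s, list) => list.find((p) => words(s).some((w) => w.endsWith(p)));

// Assumption: a GoodDomains entry covers the domain and its subdomains and
// overrides every Bad* rule, host and URL alike.
function isGoodDomain(host) {
  const h = host.toLowerCase();
  return GoodDomains.some((d) => h === d || h.endsWith("." + d));
}

// url is host[/path] without a scheme, the form used in the log lines above.
function classify(url) {
  const host = url.split("/")[0];
  if (isGoodDomain(host)) return "ALLOW GoodDomains";
  const checks = [
    ["BadHostParts", part(host, BadHostParts)],
    ["BadHostWordStarts", start(host, BadHostWordStarts)],
    ["BadHostWordEnds", end(host, BadHostWordEnds)],
    ["BadURL_Parts", part(url, BadURL_Parts)],
    ["BadURL_WordStarts", start(url, BadURL_WordStarts)],
    ["BadURL_WordEnds", end(url, BadURL_WordEnds)],
  ];
  const hit = checks.find(([, pattern]) => pattern);
  return hit ? `BLOCK ${hit[0]} "${hit[1]}"` : "ALLOW";
}

// Hosts and URLs quoted in the changelog (line continuations joined).
const samples = [
  "www.surfcontrol.com",
  "www.historyhider.com",
  "www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif",
  "images.bestbuy.com/BestBuy_US/en_US/images/global/features/gigrad_blueshirtchest_2007.jpg",
  "topics.nytimes.com/adx/bin/clientside/1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN",
  "creativecommons.org/apps/scrape",
];
for (const u of samples) console.log(classify(u).padEnd(30), u);
```

Running a list of known-good URLs through a function like this before each rule addition turns the "UNresolved False Positives" section into a regression check.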