16 September 2007 Changes (HHH)
-------------------------------

 1. Action: "72.46.130.0"
    Added:  BadNetworks[i++] = "72.46.130.0, 255.255.255.224"; // P
    Reason: This may be going too far but they had 9, 23, 27, and 29 and
            every one of them was filling up with proxy servers. So I
            blocked out 1 ... 31 and called it a day. If we whack somebody
            innocent we can refine it.

 2. Action: "*block"
    From:   BadHostParts[i++] = "unblock"; // P
    To:     BadHostParts[i++] = "block"; // P
    Reason: $ grep -c block add.Proxy ---> 58
            The number just keeps going up. It is time to head it off
            right now. If we have to we will put in some NOTS to curtail
            the scope. Meanwhile, we BLOCK "block". For now I will leave
            the "block" that are not "unblock" in add.Proxy rather than
            moving them to add.PacProxy.

 3. Action: "invisible"
    Added:  BadHostParts[i++] = "invisible"; // P
    Reason: add.PacProxy:42
            add.Proxy:4
            Count keeps going up. Unless "visible" shows up without the
            preceding "in" this is fine.

 4. Action: "symantec.com"
    Added:  GoodDomains[i++] = "symantec.com";
    Reason: "tgp" problem which is ALWAYS mktgpromo at symantec. It still
            doesn't cure the overall problem but this will hold us for a
            while. symantec shouldn't be blocked anyway. But then again,
            maybe they should. See #10 in the add list. Symantec were the
            ones that drove that change out the door.

 5. Action: "l2m.net"
    Added:  BadDomains[i++] = ".l2m.net"; // DNS-WCD
    Reason: Only had one, 14713804a.l2m.net, but it has never shown up in
            my logs and it is a DNS WildCard domain. Either we remove it
            or block anything that shows up.

 6. Action: "misstrends.com"
    Added:  BadDomains[i++] = ".misstrends.com";
    Reason: DNS-WCD porn tracker.

 7. Action: "web-stats.org"
    Added:  BadDomains[i++] = ".web-stats.org"; // DNS-WCD
    Reason: Hosts file blocks only 5623.web-stats.org but Google search
            gives 15,700 hits? Gotta have others!

 8. Action: "netscape.com"
    Added:  GoodDomains[i++] = "netscape.com";
    Reason: See next - "browse"!

 9. Action: "browse"
    From:   BadHostParts[i++] = "browse"; // P
    To:     BadHostParts[i++] = "browse"; // P PERSONNELLE
    Reason: browser.netscape.com. See previous. Yes, it is a let-down but
            that rule to block the proxies is NOT going to work. They are
            going to have to go into the blocking hosts file (done). This
            just lets them know they can remove the rule. Actually, the
            more I think about it I am just going to comment it out.

10. Action: 2o7.net IP addresses
    Added:  ////////////////////////////////////////////////////////////////
            // BadNetworks[i++] = "66.151.152.125, 255.255.255.254"; // 112
            // BadNetworks[i++] = "66.151.152.126, 255.255.255.254"; // 112
            // BadNetworks[i++] = "66.151.152.143, 255.255.255.254"; // 112
            // BadNetworks[i++] = "128.241.21.146, 255.255.255.254"; // 112
            // BadNetworks[i++] = "128.241.21.149, 255.255.255.254"; // 112
            // BadNetworks[i++] = "128.241.21.163, 255.255.255.254"; // 112
            ////////////////////////////////////////////////////////////////
            // BadNetworks[i++] = "66.150.208.9, 255.255.255.254"; // 122
            // BadNetworks[i++] = "66.150.208.54, 255.255.255.254"; // 122
            // BadNetworks[i++] = "66.150.208.55, 255.255.255.254"; // 122
            // BadNetworks[i++] = "66.150.208.106, 255.255.255.254"; // 122
            // BadNetworks[i++] = "66.151.244.27, 255.255.255.254"; // 122
            // BadNetworks[i++] = "66.151.244.29, 255.255.255.254"; // 122
            // BadNetworks[i++] = "66.151.244.162, 255.255.255.254"; // 122
            // BadNetworks[i++] = "66.151.244.166, 255.255.255.254"; // 122
            ////////////////////////////////////////////////////////////////
    Reason: Somebody said that NAV was complaining about om.symantec.com
            and wanted to remove it from the hosts file. They were using a
            scare tactic and it is VERY offensive to me. Here is a blurb on
            it: http://tinyurl.com/293m8q
            So I am going to provide commented out rules that they can
            uncomment. I will NOT take the responsibility of them not
            keeping the PAC filter up to date. I WILL provide them as far
            as possible something that will still block that
            om.symantec.com, metrics.apple.com, and others and I will take
            the responsibility to attempt to keep the IP address
            up-to-date but Omniture changes their IP addresses every
            2...6 months. That is the best I can do. Blocking IPs that no
            longer belong to Omniture at best does nothing and at worst we
            are blocking somebody innocent. I am not in the practice of
            blocking the innocent. Maybe I should block symantec.com
            itself!

11. Action:
    From:   BadDomains[i++] = ".bpath.com"; // PRIVUS RULE
            BadDomains[i++] = ".esomniture.com"; // PRIVUS RULE
    To:     BadDomains[i++] = ".bpath.com"; // (DEAD (MORT)
            BadDomains[i++] = ".esomniture.com"; // (DEAD (MORT)
    Reason: I have had this rule privately for almost eight months now. It
            is now public. If you ask me the domain is dead. I have NOTHING
            in my phttpd logs.
            { 2010-01-23 - I have already removed the bpath.com rule and am
            removing the esomniture.com rule right now. Why keep something
            you never see? }

12. Action: ".mystat-in.net"
    Added:  BadDomains[i++] = ".mystat-in.net"; // DNS-WCD
    Reason: They are coming up with all kinds of nonsense lead number
            stuff. Let's see if we can get the others.

13. Action: "cul" rule
    From:   BadURL_Parts[i++] = "[^eilns]cul[^it]"; // PERSONAL RULE
    To:     BadURL_Parts[i++] = "[^aeilns]cul[^it]"; // PERSONAL RULE
    Reason: Thu Sep 13 09:03:02: www.billygraham.org/includes/Echelon/scriptaculous.js
            Everybody is using this scriptaculous.js JavaScript.

14. Action: handled false positive
    From:   BadURL_Parts[i++] = "gyn";
    To:     BadURL_Parts[i++] = "gyn[(e|o)]";
            BadURL_Parts[i++] = "obgyn";
    Reason: Peer Gynt

15. Action: "zoo"
    Added:  BadHostWordStarts[i++] = "zoo"; // PERSONAL RULE
    Reason: Some of the worst of the porn sites at damaging the PCs running
            Windows all start with "zoo". Let them make up their own mind.

16. Action: "085.255.121.076", "085.255.121.077"
    Added:  BadNetworks[i++] = "85.255.121.76, 255.255.255.252"; // PORN 005
    Reason: There are hundreds of hosts infecting people at these IP
            addresses. It is NOT PERSONAL. IT IS MANDATORY! See the
            enclosed 085.255.121.07.txt file for them.

17. Action: "filtersetg.com"
    Added:  GoodDomains[i++] = "filtersetg.com";
    Reason: OBVIOUS


16 September 2007 UNresolved False Positives (HHH)
--------------------------------------------------

 1. Pattern: "tgp"
    Rules:   BadURL_Parts[i++] = "tgp";
    Reason:  www.tomshardware.com/Design/graphics/\
             tomshardware/logo_tgpfoot.gif
             www.vmware.com/files/images/promos/\
             ws_promo_tgp.gif
             www.symantec.com/content/en/us/enterprise/\
             images/promo/ent-vista_sec_mktgpromo.jpg
             ANY IDEAS WHAT TO DO ABOUT IT?

 2. Pattern: "chest"
    Rules:   BadURL_WordStarts[i++] = "chest";
             BadURL_WordEnds[i++] = "chest";
    Reason:  Wed May 16 10:11:41: images.bestbuy.com/BestBuy_US/en_US/images/global\
             /features/gigrad_blueshirtchest_2007.jpg
             THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com"
             RULE. THE PROBLEM IS: hope-chest, drawer-chest, chest-of-jewels,
             treasure-chest, etc. Further, even the efficacy of the rule
             itself poses no reason to drop the rules from URL to HOST:
                 44 chest_Parts.txt
                  5 chest_Starts_and_Ends.txt
                 33 chest_Passed_All_Rules.txt
                 82 total

 3. Pattern: "bbw"
    Rules:   BadURL_Parts[i++] = "bbw";
    Reason:  Sat Jun 2 20:49:05: topics.nytimes.com/adx/bin/clientside\
             /1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN

 4. Pattern: "rape"
    Rules:   BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
             BadURL_WordEnds[i++] = "rape";
    Reason:  Fri Jun 8 05:59:23: creativecommons.org/apps/scrape
             I found the following words that end with "rape" that have 1,
             2, or 3 letters in front of that:
                 crape drape grape scrape serape
             That gives the [^cdeg] in front of the rule at a maximum and a
             [^c] at a minimum. But remember that grape can be gangrape.
             SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED


16 September 2007 RESOLVED False Positives (HHH)
------------------------------------------------

 1. Pattern:  "gyn"
    Rules:    BadURL_Parts[i++] = "gyn";
    Reason:   I didn't save it - it was on Windows (Peer Gynt)
    Solution: BadURL_Parts[i++] = "gyn[(e|o)]";
              BadURL_Parts[i++] = "obgyn";
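To replay the "cul" and "gyn" false positives and the address blocks from the entries above, here is an added illustration that is not the HHH PAC filter's own code: a small JavaScript evaluator for the rule kinds this changelog uses (GoodDomains, BadNetworks, BadHostParts, BadURL_Parts). Rule values are taken from the entries above; the helper names, the evaluation order (whitelist first, then networks, host parts, URL parts), the constructed sample URLs in the comments and writing the gyn rule as the alternation gyn(e|o) are assumptions.

```javascript
// Added illustration, not the HHH PAC filter's own code: a minimal
// evaluator for the rule kinds used in this changelog (GoodDomains,
// BadNetworks, BadHostParts, BadURL_Parts) so the false positives
// above can be replayed offline. Rule values are taken from the entries
// above; helper names and evaluation order are assumptions.
const GoodDomains = ["symantec.com", "netscape.com", "filtersetg.com"];
const BadNetworks = [
  "72.46.130.0, 255.255.255.224",   // entry 1:  .0 ... .31
  "85.255.121.76, 255.255.255.252", // entry 16: .76 ... .79
];
const BadHostParts = ["block", "invisible"];
// Old and new URL rules for the "cul" and "gyn" false positives
// (the gyn rule is written as the alternation gyn(e|o) here).
const OldBadURL_Parts = ["[^eilns]cul[^it]", "gyn"];
const NewBadURL_Parts = ["[^aeilns]cul[^it]", "gyn(e|o)", "obgyn"];

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}
// Same check as PAC isInNet(), but on a literal dotted-quad host (no DNS).
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
function hostOf(url) {
  return url.replace(/^[a-z]+:\/\//i, "").split("/")[0].toLowerCase();
}
// Returns "PASS" (go DIRECT) or the first rule that blocks the URL,
// e.g. classify("http://unblock.example.com/", NewBadURL_Parts)
// (constructed URL) returns "BadHostParts:block".
function classify(url, urlParts) {
  const host = hostOf(url);
  // Whitelisted domains win over every blocking rule (entries 4, 8, 17).
  if (GoodDomains.some(d => host === d || host.endsWith("." + d))) return "PASS";
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    for (const rule of BadNetworks) {
      const [net, mask] = rule.split(",").map(s => s.trim());
      if (isInNet(host, net, mask)) return "BadNetworks:" + rule;
    }
  }
  for (const part of BadHostParts) {
    if (host.includes(part)) return "BadHostParts:" + part;
  }
  for (const re of urlParts) {
    if (new RegExp(re).test(url)) return "BadURL_Parts:" + re;
  }
  return "PASS";
}
```

Running classify on the scriptaculous.js URL from entry 13 with OldBadURL_Parts returns the cul rule, and with NewBadURL_Parts returns "PASS", which is exactly the change entry 13 made.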