12 October 2007 Changes (HHH)
-----------------------------

1. Action:  "pointsmartclicksafe.org"
   Added:   GoodDomains[i++] = "pointsmartclicksafe.org";
   Reason:  "pink"
            If you ask me, the only point that they gave was that older
            humans monitoring MAY help. It depends on how intelligent they
            are - for what they are concerned about, great. Even somebody
            who knows nothing about computers can see when some scuzz-ball
            is up to no good on the other end. In other words, having
            parents do some monitoring of what their children are doing
            online is MANDATORY.

2. Action:  087.242.090.132 ... 087.242.090.140
   Added:   BadNetworks[i++] = "87.242.90.132, 255.255.255.252"; // ADWARE
   Reason:  It is all adware, but there aren't enough in the rest of the
            range to worry about them right now. If somebody wants to try
            the following rules for false positives, that may help to
            discover if there are others. In just a few more days I will be
            unable to do anything at all about it any more.

                BadNetworks[i++] = "87.242.90.136, 255.255.255.252";
                BadNetworks[i++] = "87.242.90.140, 255.255.255.254";

            Do NOT go beyond 140. There is nothing more in the IP address
            database until you get to this one, so all you will be doing is
            clobbering innocent people.

                087.242.116.123  porn0site.org

3. Action:  "block"
   From:    BadHostParts[i++] = "block";   // P
   To:      BadHostParts[i++] = "unblock"; // P
   Reason:  "adblockplus.org"
            I only had to add about four host entries that the other filter
            rules (primarily the IP addresses) didn't cover.

4. Action:  assiste.com.free.fr
   Added:   GoodDomains[i++] = "assiste.com.free.fr";
   Reason:  Phishing block list, lots of pointers to security goodies like
            browser checkers, etcetera. Here is the phish list:

                http://assiste.com.free.fr/p/hosts/listes/phishing.txt

            That was the first thing I found. I have had this as a private
            rule long enough!

5. Action:  "angel"
   Added:   BadHostParts[i++] = "[^r^v]angel";
   Reason:  WAY TOO MANY, but we have tangelo, rangeland, evangelist, and
            Michaelangelo for starts. We are just going to have to
            white-list the rest. Note that it is NOT a URL rule. I already
            had one false positive, tinangel.com. I just added it as a
            permanent white-list PERSONAL rule.

                 689 angel_Parts.txt
                  57 angel_Starts_and_Ends.txt
                 285 angel_Passed_All_Rules.txt
                -----------------------------
                1031 total

6. Action:  "baise"
   Added:   BadURL_Parts[i++] = "baise";
   Reason:
                 127 baise_Parts.txt
                  36 baise_Starts_and_Ends.txt
                 189 baise_Passed_All_Rules.txt
                -----------------------------
                 352 total

            I worry about this causing problems for French people, but it
            should have almost no false positives in English.

7. Action:  "breast"
   Removed: BadURL_Parts[i++] = "breasts";
   Reason:  Have BadURL_Parts[i++] = "breast"; AND NO FALSE POSITIVES!

8. Action:  "vierge"
   Added:   BadURL_Parts[i++] = "vierge";
   Reason:  "virgin" in French.

9. Action:  "abcdelasecurite.free.fr"
   Added:   GoodDomains[i++] = "abcdelasecurite.free.fr";
   Reason:  The ABC's of Security. It isn't that what they provide is all
            that good - they are going the right way, and we have two rules
            that whack them: the commented-out "free[^d]" rule and the
            ".free.fr" rule. All I would need to drop the block of free.fr
            is a no-porn policy.

10. Action: "*.122.2o7.net"
    Added:  BadNetworks[i++] = "66.151.244.28, 255.255.255.254"; // 122
    Reason: They still have the same 8 IP addresses they used to have. They
            have just added one more; so did I.

11. Action: sassygalls.com
    Added:  BadURL_Parts[i++] = "galls";
    Reason: Some of these are listed at www.malwaredomainlist.com. This is
            one of them, and it will infect a Windows machine. I hope the
            risk is worth the broad scope; I just can't think of anything
            that it matches for a false positive. I only have 41 hosts
            slipping through the rules with the pattern, thus the URL rule.

12. Action: bytecrime.org
    Added:  GoodDomains[i++] = "bytecrime.org";
    Reason: I don't even want to risk the chance of something going wrong
            here. Sure, they use statse.webtrendslive.com, but if something
            goes wrong ...

13. Action: *.ninoa.com & *.p0rt2.com
    From:   BadNetworks[i++] = "205.177.28.170, 255.255.255.254";
            BadNetworks[i++] = "205.177.28.180, 255.255.255.254";
    To:     BadDomains[i++] = ".ninoa.com";
            BadDomains[i++] = ".p0rt2.com";
    Reason: Some were showing up that were not at these IP addresses, most
            notably codec.ninoa.com. Since they never change their name (no
            aliases) ...

14. Action:  "surf"
    Removed: BadHostParts[i++] = "surf"; // P
    Reason:  Too many false positives. It moved 258 back out of the
             add.PacProxy file into the add.Proxy file. Nothing we can do
             about it. If it were me, I would tack on the add.PacProxy and
             add.Dead files anyway, just to make sure the proxies are
             blocked.

15. Action: "msmvps.com" && "mvps.org"
    Added:  GoodDomains[i++] = "msmvps.com";
            GoodDomains[i++] = "mvps.org";
    Reason: "xxx"
            Initially I thought it was at msmvps.com. It wasn't. Instead it
            was at mvps.org. It doesn't matter, because both, like us,
            Airelle, and others, are fighting the same battle - trying to
            protect people's machines. I was looking up information on #17.

16. Action: 64.28.176.0 ... 64.28.191.255
    Added:  BadNetworks[i++] = "64.28.176.0, 255.255.224.0"; // PORN 006 (TROJAN)
    Reason: THERE ARE SO MANY TROJANS IN THIS IP ADDRESS SPACE, WHICH IS
            MOSTLY PORN IN THE IP2Host.txt FILE, THAT AN EMERGENCY RULE HAD
            TO BE CREATED! The AV companies can't keep up with them either.

17. Action: 81.29.249.27 & VideoAccessCodecInstall.exe
    Added:  BadNetworks[i++] = "81.29.249.27, 255.255.255.254"; // PORN 007 (TROJAN)
    Reason: To cover the ones that we don't have in the hosts file. This is
            a pretty nasty trojan that is changing over time, and antivirus
            products like NOD32, F-Secure, Kaspersky, Panda and others are
            having a hard time keeping up with what is happening.

18. Action: "twat"
    From:   BadURL_Parts[i++] = "twat";
    To:     BadURL_Parts[i++] = "twat[^ce]";
    Reason: Thu Oct 11 02:26:15: http://www.trustwatch.com
            We need to allow "watch" and "water". There may be some others
            at start, but I cannot see them in English.

19. Action: "chix"
    Added:  BadURL_Parts[i++] = "chix";
    Reason: $ ./reduce chix
                  90 chix_Parts.txt
                   9 chix_Starts_and_Ends.txt
                  67 chix_Passed_All_Rules.txt
                -----------------------------
                 166 total

20. Action: "cnzz.com"
    Added:  BadDomains[i++] = ".cnzz.com";
    Reason: $ grep -c cnzz.com /etc/hosts ---> 46
            ALL up to no good.

21. Action: Proxy IP blocks
    From:   BadNetworks ... (intermingled with others)
    To:     BadNetworks ... (in a separate block, from most to least)
    Reason: They are changing the IP addresses to avoid blocks by IP. WHAT
            THIS MEANS IS THAT ORGANIZED CRIME ***IS*** INVOLVED IN THE
            CREATION AND MAINTENANCE OF THE PROXY SERVERS! I am going to put
            them in their own section, IN FREQUENCY ORDER FROM MOST TO
            LEAST. I am also going to create a ChildSafe.txt file that
            states NOT to depend on the IP address rules of the PAC filter.
            They will have to cat on the add.PacProxy and the add.Dead files
            rather than depending on the PAC filter to block them. Does
            anybody want to monitor the IP address changes? I do NOT have
            the time to do that.


12 October 2007 UNresolved False Positives (HHH)
--------------------------------------------------

1. Pattern: "tgp"
   Rules:   BadURL_Parts[i++] = "tgp";
   Reason:  www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif
            www.vmware.com/files/images/promos/ws_promo_tgp.gif
            www.symantec.com/content/en/us/enterprise/images/promo/ent-vista_sec_mktgpromo.jpg
            ANY IDEAS WHAT TO DO ABOUT IT?

2. Pattern: "chest"
   Rules:   BadURL_WordStarts[i++] = "chest";
            BadURL_WordEnds[i++] = "chest";
   Reason:  Wed May 16 10:11:41: images.bestbuy.com/BestBuy_US/en_US/images/global/features/gigrad_blueshirtchest_2007.jpg
            THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com"
            RULE. THE PROBLEM IS: hope-chest, drawer-chest, chest-of-jewels,
            treasure-chest, etc. Further, even the efficacy of the rule
            itself poses no reason to drop the rules from URL to HOST:

                  44 chest_Parts.txt
                   5 chest_Starts_and_Ends.txt
                  33 chest_Passed_All_Rules.txt
                -----------------------------
                  82 total

3. Pattern: "bbw"
   Rules:   BadURL_Parts[i++] = "bbw";
   Reason:  Sat Jun 2 20:49:05: topics.nytimes.com/adx/bin/clientside/1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN

4. Pattern: "rape"
   Rules:   BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
            BadURL_WordEnds[i++] = "rape";
   Reason:  Fri Jun 8 05:59:23: creativecommons.org/apps/scrape
            I found the following words that end with "rape" that have 1, 2,
            or 3 letters in front of that: crape, drape, grape, scrape,
            serape. That gives the [^cdeg] in front of the rule at a maximum
            and a [^c] at a minimum. But remember that grape can be gangrape.
            SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED.


12 October 2007 RESOLVED False Positives (HHH)
----------------------------------------------

NONE
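The following is an added example, not part of the HHH change log or its PAC file. It is a stand-alone evaluator for the rule tables the log edits (same array names, with the rules copied from the entries above) so that a candidate rule can be checked offline before it ships, the way the "angel", "twat[^ce]" and "[^cdeg]rape" discussions call for. Three things in it are assumptions of the example rather than facts from the log: the order in which the tables are consulted (GoodDomains first, so a white-list entry overrides every block rule), that hosts arrive already resolved to dotted-quad IPs where a real PAC file would call dnsResolve(), and that BadURL_WordStarts/WordEnds treat any non-alphanumeric character as a word boundary. The sample URL list is constructed from the URLs quoted in the log plus RFC 2606 ".example" names. parseNetwork() is the check worth running on every BadNetworks line: isInNet() compares (host & mask) to (pattern & mask), so a 255.255.255.254 mask always covers two addresses (entry 2's candidate .140 rule also covers .141; entry 17's .27 rule also covers .26), and entry 16's 255.255.224.0 mask on 64.28.176.0 aligns down to 64.28.160.0 and covers through 64.28.191.255, twice the range in that entry's heading (255.255.240.0 would match the heading).

```javascript
// Added example (not the HHH PAC file's own code). Evaluates the change log's
// rule tables offline. Assumptions: table order is this example's choice; hosts
// are passed already resolved to IPv4; word boundary = any non-alphanumeric.
"use strict";

const GoodDomains = ["pointsmartclicksafe.org", "tinangel.com"]; // entry 1; tinangel.com is the entry 5 personal white-list
const BadNetworks = [
  "87.242.90.132, 255.255.255.252", // entry 2
  "87.242.90.140, 255.255.255.254", // entry 2, candidate rule
  "64.28.176.0, 255.255.224.0",     // entry 16
  "81.29.249.27, 255.255.255.254",  // entry 17
];
const BadDomains = [".ninoa.com", ".p0rt2.com", ".cnzz.com"]; // entries 13, 20
const BadHostParts = ["[^r^v]angel", "unblock"];              // entries 5, 3
const BadURL_Parts = ["twat[^ce]", "galls", "tgp"];           // entries 18, 11; unresolved 1
const BadURL_WordStarts = ["chest", "rape"];                  // unresolved 2, 4
const BadURL_WordEnds = ["chest", "rape"];

function ipToInt(ip) {
  const q = ip.split(".").map(Number);
  if (q.length !== 4 || q.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error("not a dotted-quad IPv4 address: " + ip);
  }
  return ((q[0] * 256 + q[1]) * 256 + q[2]) * 256 + q[3];
}

function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// "a.b.c.d, m.m.m.m" -> the block the rule really covers. isInNet() compares
// (host & mask) == (pattern & mask), so the pattern is aligned down to the mask.
function parseNetwork(rule) {
  const [pattern, mask] = rule.split(",").map((s) => s.trim());
  const m = ipToInt(mask);
  const first = (ipToInt(pattern) & m) >>> 0;
  const last = (first | ~m) >>> 0;
  return { first: intToIp(first), last: intToIp(last), size: last - first + 1 };
}

function ipInNet(ip, rule) {
  const r = parseNetwork(rule);
  const n = ipToInt(ip);
  return n >= ipToInt(r.first) && n <= ipToInt(r.last);
}

// ".ninoa.com" (or "ninoa.com") matches the domain itself and every host under it.
function underDomain(host, domain) {
  const bare = domain.startsWith(".") ? domain.slice(1) : domain;
  return host === bare || host.endsWith("." + bare);
}

const BOUNDARY = "[^a-z0-9]";

// First table with a matching rule decides; GoodDomains is consulted first.
function classify(url, resolvedIp) {
  const u = url.toLowerCase();
  const host = new URL(u).hostname;
  const tables = [
    ["GoodDomains", "allow", GoodDomains, (d) => underDomain(host, d)],
    ["BadNetworks", "block", resolvedIp ? BadNetworks : [], (n) => ipInNet(resolvedIp, n)],
    ["BadDomains", "block", BadDomains, (d) => underDomain(host, d)],
    ["BadHostParts", "block", BadHostParts, (p) => new RegExp(p).test(host)],
    ["BadURL_Parts", "block", BadURL_Parts, (p) => new RegExp(p).test(u)],
    ["BadURL_WordStarts", "block", BadURL_WordStarts, (p) => new RegExp("(^|" + BOUNDARY + ")" + p).test(u)],
    ["BadURL_WordEnds", "block", BadURL_WordEnds, (p) => new RegExp(p + "(" + BOUNDARY + "|$)").test(u)],
  ];
  for (const [name, verdict, rules, test] of tables) {
    const hit = rules.find(test);
    if (hit !== undefined) return { verdict, rule: name + " " + hit };
  }
  return { verdict: "allow", rule: null };
}

// Which samples does one rule fragment hit? For trying candidate character
// classes such as the "[^cdeg]rape" idea in unresolved item 4.
function hits(fragment, samples) {
  const re = new RegExp(fragment);
  return samples.filter((s) => re.test(s.toLowerCase()));
}

// Constructed sample set: URLs quoted in the log plus RFC 2606 ".example" names.
const SAMPLES = [
  ["http://www.trustwatch.com/", null],             // entry 18, allowed again by "twat[^ce]"
  ["http://tinangel.com/", null],                   // entry 5, white-listed
  ["http://tangelo.example/", null],                // entry 5, false positive still blocked
  ["http://www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif", null], // unresolved 1
  ["http://creativecommons.org/apps/scrape", null], // unresolved 4
  ["http://codec.ninoa.com/", null],                // entry 13
  ["http://87.242.90.141/", "87.242.90.141"],       // entry 2 candidate rule covers .141 as well
];

function audit() {
  return SAMPLES.map(([url, ip]) => {
    const r = classify(url, ip);
    return [r.verdict, r.rule || "-", url];
  });
}

for (const row of audit()) console.log(row.join("\t"));
for (const n of BadNetworks) console.log(n, "->", JSON.stringify(parseNetwork(n)));
```

Two caveats the output makes visible: "twat[^ce]" needs a character after the word, so a URL that ends exactly in "twat" is no longer caught; and "[^cdeg]rape" loses "gangrape" (the "g" exclusion), whereas "[^c]rape" keeps it at the cost of "drape" and "grape", which is exactly the trade-off unresolved item 4 describes.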