28 October 2007 Changes (HHH)
-----------------------------

1. Action: ANTI-SPAM

   Added:
      BadNetworks[i++] = "69.50.255.254, 255.255.255.255"; // SPAM
      BadNetworks[i++] = "66.248.154.254, 255.255.255.255"; // SPAM
      BadNetworks[i++] = "128.168.85.7, 255.255.255.255"; // SPAM

   Reason: Unsolicited in my email box. See the IP2Host.txt file in the
           spam folder for the reason why.

2. Action: Zeroing in on 64.28.17* ... 64.28.18* Trojan zone

   From:
      BadNetworks[i++] = "64.28.176.0, 255.255.224.0"; // PORN 006 (TROJAN)
   To:
      BadNetworks[i++] = "64.28.176.0, 255.255.248.0"; // PORN 006.1 (TROJAN)
      BadNetworks[i++] = "64.28.184.0, 255.255.254.0"; // PORN 006.2 (TROJAN)

   Reason: Some false positives and I now know the range a little better.
           The warning has been dropped. It goes from 176 ... 185 inclusive.
           We MAY need to make 176 a good network (255.255.254.0), but I
           doubt it.

3. Action: IPs *.112.2o7.net *.122.2o7.net ---> *.2o7.net

   From: (SEPARATE)
   To: (MERGED)
      BadNetworks[i++] = "66.150.208.9, 255.255.255.255";
      BadNetworks[i++] = "66.150.208.54, 255.255.255.255";
      BadNetworks[i++] = "66.150.208.55, 255.255.255.255";
      BadNetworks[i++] = "66.150.208.106, 255.255.255.255";
      BadNetworks[i++] = "66.151.152.125, 255.255.255.255";
      BadNetworks[i++] = "66.151.152.126, 255.255.255.255";
      BadNetworks[i++] = "66.151.152.143, 255.255.255.255";
      BadNetworks[i++] = "66.151.244.27, 255.255.255.255";
      BadNetworks[i++] = "66.151.244.28, 255.255.255.255";
      BadNetworks[i++] = "66.151.244.162, 255.255.255.255";
      BadNetworks[i++] = "66.151.244.166, 255.255.255.255";
      BadNetworks[i++] = "70.42.134.12, 255.255.255.255";
      BadNetworks[i++] = "70.42.134.17, 255.255.255.255";
      BadNetworks[i++] = "128.241.21.146, 255.255.255.255";
      BadNetworks[i++] = "128.241.21.149, 255.255.255.255";
      BadNetworks[i++] = "128.241.21.163, 255.255.255.255";
      BadNetworks[i++] = "128.242.125.9, 255.255.255.255";
      BadNetworks[i++] = "128.242.125.13, 255.255.255.255";
      BadNetworks[i++] = "216.52.17.134, 255.255.255.255";
      BadNetworks[i++] = "216.52.17.136, 255.255.255.255";
      BadNetworks[i++] = "216.52.17.206, 255.255.255.255";
      BadNetworks[i++] = "216.52.17.207, 255.255.255.255";

   Reason: I discovered there ARE some of their addresses in the
           112.2o7.net that were in the 122.2o7.net range so the thing to
           do is to make NO distinction and merge them. Also, I collated
           enough names that once a month doing DNS queries on them SHOULD
           give us all of the IP addresses so that they are always current.

4. Action: cybertipline.com

   Added:
      GoodDomains[i++] = "cybertipline.com"; // Advertising

   Reason: Mon Oct 22 08:21:34:
           cybertipline.com/en_US/images/ChildPornFactsheet_title.gif

5. Action: PROXY IP RULES - one to one

   From:
      BadNetworks[i++] = "66.90.103.122, 255.255.255.255"; // 374
      BadNetworks[i++] = "67.159.30.105, 255.255.255.255"; // 32
   To:
      BadNetworks[i++] = "83.170.113.102, 255.255.255.255"; // 374
      BadNetworks[i++] = "66.90.104.172, 255.255.255.255"; // 32

   Reason: They changed their IP addresses

6. Action: added bad domains

   Added:
      BadDomains[i++] = ".hpg.com.br";
      BadDomains[i++] = ".hpg.ig.com.br";

   Reason: They do NOT have any policies on either Porn or pop-unders.
           We may remove these as fast as we put them in. If we do, we
           will also remove free.fr.

7. Action: SPAMMER

   Added:
      // SPAM
      BadNetworks[i++] = "208.53.17.254, 255.255.255.255";

   Reason: NEW SPAM email address. It is almost a shame to block them
           since their host names show imagination and creativity.

8. Action: NETMASKS WRONG

   From: 255.255.255.254
   To:   255.255.255.255

   Reason: The 254 gives two IPs, not one. There are some times I want
           this but not normally.

9. Action: "butt"

   Added:
      BadHostParts[i++] = "butt[^eor]";

   Reason: There are some that pass through in the rules below, but ...

           -----------------------------
           412 butt_Parts.txt
           170 butt_Starts_and_Ends.txt
           -----------------------------
           382 butt_Passed_All_Rules.txt
           -----------------------------
           964 total

           butte: 23
           butto: 11
           buttr: 7

           That still isn't bad with 341. That translates to roughly a
           thousand hosts.

10. Action: One more IP address for 112.2o7.net / 122.2o7.net

    Added:
       BadNetworks[i++] = "128.241.21.13, 255.255.255.255";

    Reason: RODNEY - THANKS!

11. Action: Made personal rules public.

    From:
       BadNetworks[i++] = "4.79.120.112, 255.255.255.248"; // PERSONAL instacontent - 2007-08-22
       BadNetworks[i++] = "64.191.192.112, 255.255.255.248"; // PRIVUS instacontent - 2007-08-22
       BadNetworks[i++] = "65.216.116.112, 255.255.255.248"; // PRIVUS instacontent - 2007-08-22
       BadNetworks[i++] = "152.52.20.248, 255.255.255.248"; // PRIVUS nandomedia - 2007-08-22
       BadNetworks[i++] = "192.147.176.112, 255.255.255.248"; // PRIVUS instacontent - 2007-08-22
       BadNetworks[i++] = "204.0.99.112, 255.255.255.248"; // PRIVUS instacontent - 2007-08-22
    To:
       BadNetworks[i++] = "4.79.120.112, 255.255.255.248"; // instacontent
       BadNetworks[i++] = "64.191.192.112, 255.255.255.248"; // instacontent
       BadNetworks[i++] = "65.216.116.112, 255.255.255.248"; // instacontent
       BadNetworks[i++] = "152.52.20.248, 255.255.255.248"; // nandomedia
       BadNetworks[i++] = "192.147.176.112, 255.255.255.248"; // instacontent
       BadNetworks[i++] = "204.0.99.112, 255.255.255.248"; // instacontent

    Reason: The holidays are upon us.

12. Action: Kaspersky

    Added:
       GoodDomains[i++] = "kaspersky-labs.com";

    Reason: Just in case they have a "17" or "18" in the hosts.

13. Action: "babel"

    From:
       BadURL_WordStarts[i++] = "babe";
    To:
       BadURL_WordStarts[i++] = "babe[^l]";

    Reason: "babelfish" in AltaVista. Most of the true positives are
            "babeland". AltaVista's BabelFish translation is infinitely
            faster than Google's is for fast and dirty
            German <---> English.

14. Action: "altavista.com"

    Removed:
       GoodDomains[i++] = ".altavista.com"; // "babe"

    Reason: The modification of the "babe" start rule means the only
            people that need this rule are those people that use
            AltaVista regularly. Actually, I have modified it to a
            PERSONAL (PRIVUS) rule for myself now.

            { 2010-01-23 This was deprecated by a change of the rule for
            the babelfish and is only an issue in the pornproxy* file.
            The proxy* files don't have this problem, but I just gave
            them an exclusion for everybody on 2010-01-04.


28 October 2007 UNresolved False Positives (HHH)
--------------------------------------------------

1. Pattern: "tgp"

   Rules:
      BadURL_Parts[i++] = "tgp";

   Reason:
      www.tomshardware.com/Design/graphics/\
          tomshardware/logo_tgpfoot.gif
      www.vmware.com/files/images/promos/\
          ws_promo_tgp.gif
      www.symantec.com/content/en/us/enterprise/\
          images/promo/ent-vista_sec_mktgpromo.jpg

   ANY IDEAS WHAT TO DO ABOUT IT?

2. Pattern: "chest"

   Rules:
      BadURL_WordStarts[i++] = "chest";
      BadURL_WordEnds[i++] = "chest";

   Reason: Wed May 16 10:11:41:
      images.bestbuy.com/BestBuy_US/en_US/images/global\
          /features/gigrad_blueshirtchest_2007.jpg

   THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com" RULE.
   THE PROBLEM IS: hope-chest, drawer-chest, chest-of-jewels,
   treasure-chest, etc.

   Further, even the efficacy of the rule itself poses no reason to drop
   the rules from URL to HOST:

      44 chest_Parts.txt
       5 chest_Starts_and_Ends.txt
      33 chest_Passed_All_Rules.txt
      82 total

3. Pattern: "bbw"

   Rules:
      BadURL_Parts[i++] = "bbw";

   Reason: Sat Jun 2 20:49:05:
      topics.nytimes.com/adx/bin/clientside\
          /1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN

4. Pattern: "rape"

   Rules:
      BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
      BadURL_WordEnds[i++] = "rape";

   Reason: Fri Jun 8 05:59:23:
      creativecommons.org/apps/scrape

   I found the following words that end with "rape" that have 1, 2, or 3
   letters in front of that:

      crape
      drape
      grape
      scrape
      serape

   That gives the [^cdeg] in front of the rule at a maximum and a [^c]
   at a minimum. But remember that grape can be gangrape.

   SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED


28 October 2007 RESOLVED False Positives (HHH)
----------------------------------------------

NONE
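
Added example (not part of the original rule file): a small audit helper for the netmask points in Changes items 2 and 8, reporting the first address, last address and address count that a "base, netmask" string covers. The function names are hypothetical, and it assumes rules are matched with the masked comparison used by the PAC isInNet() function, (host & mask) == (base & mask).

```javascript
// Added example: audit what a "base, netmask" BadNetworks string really covers.
// Assumption: rules are matched as (host & mask) == (base & mask), like PAC isInNet().

function toInt(dotted) {
  const parts = String(dotted).trim().split(".");
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error("bad IPv4 value: " + dotted);
  }
  const [a, b, c, d] = parts.map(Number);
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;   // force unsigned 32-bit
}

function toDotted(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

function coverage(rule) {
  const [baseStr, maskStr] = rule.split(",");
  const base = toInt(baseStr);
  const mask = toInt(maskStr);
  const hostBits = ~mask >>> 0;
  // A valid netmask is 1-bits then 0-bits, so hostBits + 1 must be a power of two.
  if ((hostBits & (hostBits + 1)) !== 0) {
    throw new Error("non-contiguous netmask: " + maskStr);
  }
  const first = (base & mask) >>> 0;
  return {
    first: toDotted(first),
    last: toDotted((first | hostBits) >>> 0),
    count: hostBits + 1,
    aligned: first === base   // false: the base has bits set outside the mask
  };
}

// Rule strings from items 2 and 1 of the changelog. The last entry pairs the
// item 1 address with the 255.255.255.254 mask from item 8 (constructed combination).
const samples = [
  "64.28.176.0, 255.255.224.0",
  "64.28.176.0, 255.255.248.0",
  "64.28.184.0, 255.255.254.0",
  "69.50.255.254, 255.255.255.254"
];
for (const rule of samples) {
  const c = coverage(rule);
  console.log(rule, "->", c.first, "-", c.last, "(" + c.count + " addresses)",
              c.aligned ? "" : "[base not aligned to mask]");
}
```

Under that assumption the old 255.255.224.0 rule spans 64.28.160.0 to 64.28.191.255, while the two replacement rules together span 64.28.176.0 to 64.28.185.255, the 176 ... 185 range given in item 2.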