11 November 2007 Changes (HHH)
------------------------------

1. Action: "grannie" & "granny"
   Added:  BadURL_Parts[i++] = "grannie";
           BadURL_Parts[i++] = "granny";
   Reason: If they cause problems at the URL level ...

           --------------------------------
            48 grannie_Parts.txt
            14 grannie_Starts_and_Ends.txt
            50 grannie_Passed_All_Rules.txt
           --------------------------------
           112 total
           ---------

           -------------------------------
           167 granny_Parts.txt
            44 granny_Starts_and_Ends.txt
           140 granny_Passed_All_Rules.txt
           -------------------------------
           351 total
           ---------

2. Action: "download.php"
   Added:  // BadURL_Parts[i++] = "download.php"; // YOUR CHOICE - TROJAN
   Reason: There are a LOT of hosts distributing ZLOB trojans. They are all
           like this one:

           kimsoftware.com/download.php?id=107

           They almost all use the Nullsoft Install System. Until they drop
           out of Malware Domain List we are going to have to keep this rule.
           This is an OPTIONAL RULE. Further, users have to uncomment it.

3. Action: 66.246.203.254 SPAM
   Added:  BadNetworks[i++] = "66.246.203.254, 255.255.255.255"; // SPAM
   Reason: SPAMMER IP, but what is in the message that does NOT show up in
           Thunderbird is what is interesting. Too many spammers assume
           everybody uses Microsoft Office's Outlook. In this case just using
           Thunderbird protects you a LOT! You are NOT redirected to a URL,
           and it doesn't attempt to look at the macros that are intended to
           do something - either on Linux or Windows. Of course the macros
           don't work on Linux anyway, and if instead of using Office you are
           using OpenOffice you are immune to the macros. They don't work in
           OpenOffice since OpenOffice doesn't have an integrated MUA
           program. In fact, it doesn't even have a mail program.

4. Action: PORN 005 (TROJAN) network widened
   From:   BadNetworks[i++] = "85.255.121.76, 255.255.255.252"; // PORN 005 (TROJAN)
   To:     BadNetworks[i++] = "85.255.113.0, 255.255.255.248";  // PORN 005 (TROJAN)
   Reason: In honor of the new Trojan for the Macintosh OS X that redirects
           users to the pseudo DNS servers:

           s1=85.255.116.71
           s2=85.255.112.63

           I wanted to sneak up on this zone but once you look at it you will
           realize it had to be done. Here is the info on the DNSChanger
           Trojan for the Macintosh (which I am pretty sure also works on
           Linux, and is what that guy had, unless it was Earthlink or
           similar bad DNS servers that caused the problem). This whacks out
           the following 8-bit subnets: 85.255.113 .. 85.255.119. Let me know
           if it causes problems.

5. Action: Finally made PORN 003 rule public
   Added:  BadNetworks[i++] = "85.255.121.176, 255.255.255.254"; // PORN 003
   Reason: There are no less than 250 085.255.121.076 hosts. This rule MAY be
           expanded in the future. Most of the hosts around it aren't porn
           though - they are Pseudo AntiVirus AntiSpy stuff that do nothing
           but take your money and provide no protection.

6. Action: TYPO SERVER
   Added:  BadNetworks[i++] = "75.126.144.219, 255.255.255.255"; // ZIPSERVERS TYPO
   Reason: Rodney has 2179 (NEED THEM)

7. Action: NEW TROJAN WORD: codec
   Added:  // BadHostParts[i++] = "codec"; // YOUR CHOICE - TROJAN
   Reason: SHOW ME ONE LEGITIMATE HOST WITH THE NAME CODEC IN IT! If you
           don't, this rule is going to be uncommented. EVERY host I have seen
           that has "codec" in it is BAD. If nobody says anything it is going
           to be uncommented in just a few weeks.

8. Action: k###.ddfdn.biz
   Added:  BadDomains[i++] = ".ddfdn.biz";
   Reason: I cannot quite get a handle on what these people are doing but it
           goes pretty fast. This is a DNSWCD, but if you do a search in
           Google, ALL of the hosts are in the form given. It is really
           difficult to see what they are doing but they are using
           feed.trafflow.com/click.cgi with a LOT of stuff handed to it.
           Here is its code:

           Because it is ostensibly associated with porn I am going to add
           feed.trafflow.com FOR MYSELF ONLY. If it doesn't cause any
           problems then I will add it into everybody's hosts file in the
           add.Porn section. In reality, NONE of this stuff is Porn - it is
           all PSEUDO-PORN.

9. Action: truth-is-out-there.org
   Added:  BadDomains[i++] = ".truth-is-out-there.org"; // TROJAN
   Reason: I kept finding one after another and when I went to
           MalwareDomainList.com I just kept coming up with more. They are
           NOT a DNSWCD (no matter what anybody says) so this is the best way
           to stop them. They may be using SPAM to spread, but the threat is
           REAL to Windows owners.

10. Action: clickbank.net
    Added:  BadDomains[i++] = ".clickbank.net";
    Reason: Redirector for rogue and other bad sites. Airelle has over 100
            of them but you have NO way of knowing whether or not some are
            still alive since it is a DNSWCD.

            $ dns kdsfhksdjkfaksdf.hop.clickbank.net
            Name:    kdsfhksdjkfaksdf.hop.clickbank.net
            Address: 209.81.12.133
            Name:    kdsfhksdjkfaksdf.hop.clickbank.net
            Address: 209.81.12.132

            CREDIT - AIRELLE

11. Action: bpath.com
    From:   BadDomains[i++] = ".bpath.com";
    To:     BadNetworks[i++] = "216.200.199.0, 255.255.255.0"; // BPATH
    Reason: I still don't believe there are any bpath.com servers. But this
            rule will also pick up all the hyperbanner.net and bidserver.net
            hosts.

            CREDIT - RODNEY

12. Action: insight* hosts
    From:   BadDomains[i++] = ".insightexpress.com";
            BadDomains[i++] = ".insightfirst.com";
    To:     BadHostWordStarts[i++] = "insight[(e|f|x)]";
    Reason: The problem was that we also have insightexpressai.com and who
            knows how many undiscovered insightxe.* hosts, e.g.,
            insightxe.investors.com which is an alias to
            investorscollect.247realmedia.com. I STRONGLY suspect there are
            more than the 13 (Airelle - 18) that we have. Airelle - they are
            TRACKERS! In addition we have insightfirst.*.com, so now you see
            the reason for this rule.

            CREDIT - RODNEY

13. Action: FAILED PERSONAL RULE
    Removed: BadHostWordStarts[i++] = "content"; // PRIVUS RULE - 2007-09-22
    Reason: Tue Oct 30 21:13:51: content.dealnews.com/s_code.js?2006042601
            Sat Nov 10 19:36:38: content.elpasotimes.com/pdf/frontpage.gif

            I sure had to wait a long time for this false positive. I didn't
            even notice the first ones. This is just a reminder not to do it
            again.

14. Action: sitetracker.com & freestats.com
    Added:  BadNetworks[i++] = "64.136.25.165, 255.255.255.255"; // SITETRACKER+FREESTATS
    Reason: They are both DNSWCDs. The PAC filter has a BadDomains rule for
            sitetracker.com, but not for freestats.com. Since Mike Burgess
            removed most of the freestats.com hosts I thought the domain was
            dead. I have a fair amount of addfreestats.com in my PHTTPD log
            but only one freestats.com, and it looks like I got it by going
            there directly:

            Sat Aug 18 23:00:40: abbyssh.freestats.com
            Sat Aug 18 23:00:40: abbyssh.freestats.com/favicon.ico

            You only get it that way by going to it DIRECTLY in the browser.
            I sincerely doubt anybody would call it that way. Report if you
            get a *.freestats.com host!

            CREDIT - RODNEY

15. Action: ebonypages.com
    Added:  GoodDomains[i++] = ".ebonycamera.com";
            GoodDomains[i++] = "ebonypages.com";
    Reason: AWARDS! NO SPIES.

11 November 2007 UNresolved False Positives (HHH)
-------------------------------------------------

1. Pattern: "tgp"
   Rules:   BadURL_Parts[i++] = "tgp";
   Reason:  www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif
            www.vmware.com/files/images/promos/ws_promo_tgp.gif
            www.symantec.com/content/en/us/enterprise/images/promo/ent-vista_sec_mktgpromo.jpg

            ANY IDEAS WHAT TO DO ABOUT IT?

2. Pattern: "chest"
   Rules:   BadURL_WordStarts[i++] = "chest";
            BadURL_WordEnds[i++] = "chest";
   Reason:  Wed May 16 10:11:41: images.bestbuy.com/BestBuy_US/en_US/images/global/features/gigrad_blueshirtchest_2007.jpg

            THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com"
            RULE. THE PROBLEM IS: hope-chest, drawer-chest, chest-of-jewels,
            treasure-chest, etc. Further, the rule's own hit counts give no
            reason to drop it from the URL level to the HOST level:

            44 chest_Parts.txt
             5 chest_Starts_and_Ends.txt
            33 chest_Passed_All_Rules.txt
            82 total

3. Pattern: "bbw"
   Rules:   BadURL_Parts[i++] = "bbw";
   Reason:  Sat Jun 2 20:49:05: topics.nytimes.com/adx/bin/clientside/1dd00e15Q2F8!Q60VY6sQ2BQ3BXQ5B9L4LNTQ5BQ3BBwQ5BBQ5BXsN

4. Pattern: "rape"
   Rules:   BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
            BadURL_WordEnds[i++] = "rape";
   Reason:  Fri Jun 8 05:59:23: creativecommons.org/apps/scrape

            I found the following words that end with "rape" that have 1, 2,
            or 3 letters in front of that:

            crape drape grape scrape serape

            That gives [^cdeg] in front of the rule at a maximum and [^c] at
            a minimum, but remember that grape can be gangrape.

            SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED

11 November 2007 RESOLVED False Positives (HHH)
-----------------------------------------------

NONE
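The rule families used throughout the changes above (GoodDomains, BadNetworks with "network, mask" entries, BadDomains, BadHostWordStarts, BadURL_Parts and the BadURL_WordStarts/WordEnds pair) can be exercised with the matcher below. It is an added example written for this page, not the project's own PAC filter code: the rule lists are constructed for the demo (entries annotated with a change or false-positive number are copied from the log, the GoodDomains ".bestbuy.com" entry is the "easy solution" floated under unresolved false positive 2), the classify() function and the whitelist-first order in which it consults the lists are assumptions, and the host's IP address is passed in by the caller because the demo does no DNS. The word-end rule carries the [^cdeg] refinement proposed under unresolved false positive 4, so the creativecommons.org "scrape" URL passes while "hope-chest" still trips the word-start rule.

```javascript
// Added example, not the project's PAC filter. Rule lists are constructed for
// the demo; entries tagged with a change/FP number are copied from the log.
const GoodDomains = [".bestbuy.com"];                 // "easy solution" from FP 2 (assumed)
const BadNetworks = [
  "66.246.203.254, 255.255.255.255",                  // change 3
  "85.255.113.0, 255.255.255.248",                    // change 4
];
const BadDomains = [".clickbank.net"];                // change 10
const BadHostWordStarts = ["insight[(e|f|x)]"];       // change 12
const BadURL_Parts = ["tgp"];                         // FP 1
const BadURL_WordStarts = ["rape", "chest"];          // FP 4, FP 2
const BadURL_WordEnds = ["[^cdeg]rape", "chest"];     // FP 4 with the [^cdeg] refinement, FP 2

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// "network, mask" entries are matched the way PAC's isInNet() does:
// (addr & mask) == (network & mask).
function inBadNetwork(ip) {
  const addr = ipToInt(ip);
  return BadNetworks.some(entry => {
    const [net, mask] = entry.split(",").map(s => s.trim());
    const m = ipToInt(mask);
    return ((addr & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
  });
}

// ".example.com" matches example.com and every host under it; a bare
// "example.com" (change 15 uses that form too) is treated the same way.
function domainMatch(host, entry) {
  const suffix = entry.startsWith(".") ? entry : "." + entry;
  return host === suffix.slice(1) || host.endsWith(suffix);
}

// Words are maximal runs of letters/digits: "logo_tgpfoot" -> "logo", "tgpfoot".
function words(text) {
  return text.split(/[^a-z0-9]+/).filter(Boolean);
}

// Apply word-start patterns (anchored at ^) and word-end patterns (anchored at $)
// to each word; returns the first rule that fires, or null.
function wordRuleHit(wordList, starts, ends) {
  for (const w of wordList) {
    for (const s of starts) if (new RegExp("^" + s).test(w)) return `WordStarts:${s}`;
    for (const e of ends) if (new RegExp(e + "$").test(w)) return `WordEnds:${e}`;
  }
  return null;
}

// Classify a scheme-less URL given the IP its host resolves to. The IP is a
// caller-supplied assumption here; a real PAC file would call dnsResolve().
function classify(url, ip) {
  const lower = url.toLowerCase();
  const slash = lower.indexOf("/");
  const host = slash === -1 ? lower : lower.slice(0, slash);

  if (GoodDomains.some(g => domainMatch(host, g))) return "GOOD"; // whitelist wins
  if (inBadNetwork(ip)) return "BadNetworks";
  const bd = BadDomains.find(d => domainMatch(host, d));
  if (bd) return `BadDomains:${bd}`;
  const hostHit = wordRuleHit(words(host), BadHostWordStarts, []);
  if (hostHit) return `BadHost${hostHit}`;
  const part = BadURL_Parts.find(p => lower.includes(p));
  if (part) return `BadURL_Parts:${part}`;
  const urlHit = wordRuleHit(words(lower), BadURL_WordStarts, BadURL_WordEnds);
  if (urlHit) return `BadURL_${urlHit}`;
  return "PASS";
}

// Demo run over URLs quoted in the log plus two constructed ones.
for (const [u, ip] of [
  ["images.bestbuy.com/BestBuy_US/en_US/images/global/features/gigrad_blueshirtchest_2007.jpg", "10.0.0.1"],
  ["kdsfhksdjkfaksdf.hop.clickbank.net", "209.81.12.133"],
  ["insightxe.investors.com/", "10.0.0.2"],
  ["www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif", "10.0.0.3"],
  ["creativecommons.org/apps/scrape", "10.0.0.4"],
  ["example.org/hope-chest", "10.0.0.5"],
]) {
  console.log(classify(u, ip), u);
}
```

The whitelist check runs before every blacklist so that a single GoodDomains entry neutralises all of the "chest" hits on a site; that is the trade-off the bestbuy.com note above weighs. Swap the WordEnds entry back to plain "rape" and the creativecommons.org URL is flagged again, which is the false positive the refinement exists to remove.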