FREE PORN ### IDS: 013 ...
24 December 2007 Changes (HHH)
------------------------------
1. Action: xiti.com
Added: BadNetworks[i++] = "80.118.149.105, 255.255.255.224"; // xiti.com
Reason: In case there are any aliases. This takes us from
080.118.149.105 ... 080.118.149.127
2. Action: hotlog.ru
Added: BadNetworks[i++] = "81.176.69.192, 255.255.255.192"; // HOTLOG1
Reason: In case there are any aliases. Although they only go from
081.176.069.212 ... 081.176.069.248 in my database for
this range of their IP address space the reverse whois
shows they have this entire block:
081.176.069.192 ... 081.176.069.255
Here are their other IP addresses:
062.118.248.075 ad.hotlog.ru
THIS RANGE
195.131.004.166 click.hotlog.ru
217.016.031.112 ... 217.016.031.127 (see next)
3. Action: hotlog.ru
Added: BadNetworks[i++] = "217.16.31.112, 255.255.255.240"; // HOTLOG2
Reason: In case there are any aliases. Although they only go from
217.016.031.120 ... 217.016.031.123 in my database for
this range of their IP address space the reverse whois
shows they have this entire block:
217.016.031.112 ... 217.016.031.127
4. Action: new PORN IP
Added: BadNetworks[i++] = "216.240.129.82, 255.255.255.255";
// PORN 010 (TROJAN)
Reason: I HAD 119 at the 085.255.120.138 IP address just 1-2
weeks ago. Since then only 18 are still at that old
address. Two are dead. 109 have moved to this new IP
address. See the MusicalChairIPs folder for how the
things changed. Some of the hosts are:
easytoons.net
[www.]forfat.net
[www.]jokescartoons.info
[www.]plustoons.com
[www.]shemales4u.info
[www.]voyeurdorms.info
[www.]yoursgirls.com
I suspect they are moving to the new IP address. But I
have to at least FINISH with what I am doing with
Host2IP.txt file and IP2Host.txt files right now
before I can look at this. If anything, it is a
warning that blocking single IP addresses is usually
NOT A GOOD THING. THEY CAN ALWAYS DO THIS! I suspect
that what is happening is that they are moving to a new
server. And they are complaining about IPv4 having a
limited address space yet they are able to MOVE like mad!
Wait until IPv6 comes on line! The problem will get
worse exponentially.
5. Action: new PORN IP
Added: BadNetworks[i++] = "85.255.121.76, 255.255.255.255";
// PORN 011 (TROJAN)
Reason: Two weeks ago I had 187 at this IP address. In that
short time span, 20 have defected to the 069.050.188.004
subnet. That is probably just a few people changing
alliances. Here are some hosts to monitor to make sure
they stay there:
[www.]547-hollywood-video.info
[www.]bestskivideo.com
[www.]bestvideohouse.com
[www.]dvdcodecall.com
[www.]dvdsclip.com
[www.]wincodec.org
6. Action: White List Rule
Added: GoodDomains[i++] = "skyangel.com";
Reason: We WANT the white angels! It is the dark ones we want
to keep out of the machine. Here are some more of the
good ones I have been keeping to myself:
GoodDomains[i++] = "angelsbysharae.com"; // PERSONAL RULE
GoodDomains[i++] = "thetinangel.com"; // PERSONAL RULE
- but if I take some of the links I am taken to -
http://guardianangelsbysharae.blogspot.com/atom.xml
That was one of the domains Rodney said I should block.
They don't have an anti-porn policy as does this
domain:
// BadDomains[i++] = ".homestead.com";
What I am saying is that there is no good way around this
mess. The only thing that works is to patiently try to
see how big the problem is and always depend on the fall
back of white list rules. For every homestead.com host
that serves porn there are hundreds that don't. Haste
makes waste. YOU HAVE TO SNEAK UP ON THESE. But since
this is one of the premier Christian networks, it doesn't
do to block it. And the only thing I have to work with
is a potential modification of adding a ^y to the rule
[^rv]angel ---> [^rvy]angel
That allows the following hosts to trickle through:
[www.]barelyangels.com
[www.]beautyangel.net
[www.]candyangels.com
[www.]creamyangels.com
[www.]curvyangel.com
[www.]dailyangelboris.com
[www.]destinyangel.net
freeandeasyangels.homestead.com
[www.]merryangels.com
[www.]shinyangels.com
[www.]shyangel.com
[www.]veryangel.com
Hmm, are some of them REALLY white angels? I may be
wrong, but I cannot think of any words that "yangel" is
the root of. Note that one of the hosts is at
homestead.com. You can NOT just do a wget because
here is what it gives you:
Homestead - your web site company
So I gave them a temporary exclusion and went to it in
the browser. Here is what I got:
freeandeasyangels.homestead.com/index.ffhtml
Basically it is parked. Now did you learn anything
from going through it? I will go and offer my pointers
to Sharae. One thing I did notice though was that
despite the policy Google has for blogspot.com, most
of the "adult" content pages I got through to do NOT
carry the "WARNING" they are supposed to have. They
also have NO mechanism for reporting infractions.
Google is going to have to learn the hard way what
Yahoo has already learned. We will see what Sharae has
to say.
7. Action: "internetfilter.com"
Added: GoodDomains[i++] = "internetfilter.com";
Reason: False positive "filter"; security research site.
8. Action: angel rule
From: BadHostParts[i++] = "[^rv]angel";
To: BadHostParts[i++] = "[^hrv]angel";
Reason: In addition to the obvious "archangel" we have the
following block related to the above:
Wed Dec 5 04:31:53:
photos1.blogger.com/blogger/4386/787/200/earthangellogopink_01.jpg
It is part of the angelsbysharae thing.
9. Action: "best"
From: GoodDomains[i++] = "bestbuy.com"; // PERSONAL RULE
BadHostWordStarts[i++] = "best"; // PERSONAL RULE - 2007-06-22
To: GoodDomains[i++] = ".bestbuy.com";
{ NOTHING }
Reason: I noticed too many hosts with "best" at the start of
their name that were NOT the best for your computer. I
was seeing how many others I could find. Since the rule
for the starting hosts was ineffective I am removing it.
But in the process I found that other rules affected the
BestBuy.com URLs. Since they have the Geek Squad (who
despite the ads don't know all that much) plus the fact
they are even bigger than Fry's Electronics it won't do
to block them, BUT we WILL block their spies. See the
files in the WhatIsBest/ folder for more information.
10. Action: *.hittail.com AND *.mylongtail.com
Added: BadNetworks[i++] = "168.75.66.156, 255.255.255.254"; // hittail
Reason: All they have to do is 87358473.${EITHERONE} and they
make it through. There is NO WAY you can block all the
calls with just host files. See the HitTail folder for
proof of why this rule is necessary. Also, contrast
Rodney's omnibus list of these hosts with Airelle's
then the MVPS hosts file. I never bothered adding any
more because this IS a DNS WildCard Domain (DNSWCD).
BUT, WE MUST MONITOR FOR WHEN THEY CHANGE THEIR IP
ADDRESSES!
11. Action: new PORN IP
Added: BadNetworks[i++] = "195.56.77.0, 255.255.255.0"; // PORN 012
Reason: This is the GTS-DataNet in Hungary. Their main hosts
of concern are their notorious *.axelsfun DNSWCD. By
that I mean their p#######.axelsfun.com. No matter how
many you add to a hosts file, all they need to do is
tweak it a little bit.
12. Action: "versiontracker.com";
Added: GoodDomains[i++] = "versiontracker.com";
Reason: http://en.wikipedia.org/wiki/VersionTracker
If I have more than 2-3 more of these I will remove
this rule entirely.
13. Action: Spy Haven
Added: BadNetworks[i++] = "204.245.162.8, 255.255.255.224"; // SPYHAVEN
BadNetworks[i++] = "204.245.162.32, 255.255.255.254"; // SPYHAVEN
Reason: Look at my IP2Host.txt file or your own database. It
makes you wonder if there are any associations! There
may be some false positives but I doubt it. I was wrong!
The History Channel (www.history.com) is at 204.245.162.32.8
and 204.245.162.8.
14. Action: Removed "ebony" rules
Removed: GoodDomains[i++] = ".ebonycamera.com";
GoodDomains[i++] = "ebonypages.com";
Reason: They were only meant as temporary rules. Gone now.
People will need to add them on their own.
15. Action: Added one more "ebony" rule
Added: GoodDomains[i++] = ".ebony.com";
Reason: I was thinking that "ebonyjet.com" was the Ebony
magazine. It is, but they have a front end in case
you don't know what it is, so it is added too.
16. Action: Removed stale Proxy IP rules
Removed: BadNetworks[i++] = "64.151.124.5, 255.255.255.255"; // 134
BadNetworks[i++] = "66.79.164.42, 255.255.255.255"; // 56
BadNetworks[i++] = "66.90.104.172, 255.255.255.255"; // 32
BadNetworks[i++] = "66.90.118.45, 255.255.255.255"; // 166
BadNetworks[i++] = "66.232.98.249, 255.255.255.255"; // 32
BadNetworks[i++] = "67.159.44.36, 255.255.255.255"; // 68
BadNetworks[i++] = "67.159.45.209, 255.255.255.255"; // 34
BadNetworks[i++] = "72.9.100.146, 255.255.255.255"; // 32
BadNetworks[i++] = "72.46.130.9, 255.255.255.255"; // 32
BadNetworks[i++] = "72.167.15.158, 255.255.255.255"; // 58
BadNetworks[i++] = "74.86.43.154, 255.255.255.255"; // 48
BadNetworks[i++] = "74.86.82.247, 255.255.255.255"; // 44
BadNetworks[i++] = "91.186.11.70, 255.255.255.255"; // 94
Reason: They shifted their IP address for ALL of these. I am
NOT going to depend on IP rules for proxies any more.
I may even abandon the effort to handle the proxies.
It is too much work. If people want to infect their
machines - LET THEM!
17. Action: park.funnel.revenuedirect.com.akadns.net RULES
Added: BadNetworks[i++] = "66.150.161.57, 255.255.255.255"; // PARKFUNNEL
BadNetworks[i++] = "69.25.47.164, 255.255.255.255"; // PARKFUNNEL
Reason: There are so many aliases to this that the paltry few
that I have is awful. These hosts ARE technically parked
and need to be removed and I DO remove them. But I don't
like the behavior of RevenueDirect.com. That means I have
one more IP address I need to keep track of.
18. Action: new 2o7.net subnet range
Added: BadNetworks[i++] = "74.201.95.0, 255.255.255.224";
BadNetworks[i++] = "63.251.179.0, 255.255.255.224";
BadNetworks[i++] = "8.15.7.96, 255.255.255.224";
Reason: I added the "74.201.95.0" rule first because it appeared
to have all the qualifications needed. I am adding the
other two with the conservative rules, but am adding
these for me:
BadNetworks[i++] = "63.251.179.0, 255.255.255.0"; // PERSONAL RULE
BadNetworks[i++] = "8.15.7.96, 255.255.255.0"; // PERSONAL RULE
19. Action: ".youtube.com"
Added: GoodDomains[i++] = ".youtube.com";
Reason: Fri Dec 14 16:19:28:
img.youtube.com/vi/peeBnVIUACU/default.jpg
It is just a matter of time before others have some
problems and youtube.com is one of the most popular
destinations on the planet.
20. Action: "128.168.224.4"
Added: BadNetworks[i++] = "128.168.224.4, 255.255.255.255"; // SPAM
Reason: [www.]dreamsexisted.net
They busted these away from the military and Gold Hill
Computers has been direct assigned the network range of
128.168.000.000 ... 128.168.255.255! I guess it is
a sign of the times that the first thing that has come
out of the new address space is SPAM. Shall I block
the entire "CIDR: 128.168.0.0/16"? In case you are
wondering, YES, I HAVE BLOCKED IT - FOR MYSELF ONLY!
I want to see what else is there. Here is my rule:
BadNetworks[i++] = "128.168.0.0, 255.255.0.0"; // PERSONAL SPAM
Here is the one host it stopped:
21. Action: "192.187.197.18"
Added: BadNetworks[i++] = "192.187.197.18, 255.255.255.255"; // SPAM
Reason: [www.]tattersflight.net
Again, they have the entire network address space from
192.187.168.000 ... 192.187.255.255
So I have also made the following rules for me:
BadNetworks[i++] = "192.187.168.0, 255.255.248.0"; // PERSONAL SPAM
BadNetworks[i++] = "192.187.176.0, 255.255.240.0"; // PERSONAL SPAM
BadNetworks[i++] = "192.187.192.0, 255.255.192.0"; // PERSONAL SPAM
We will see how many innocent hosts we snare, but unsolicited
email means I don't want the IP address space near me right
now.
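Items 1, 3, 13, 20 and 21 above all work out by hand which addresses a "base, mask" BadNetworks rule covers. The script below is an added example, not part of the changelog or the filter it describes: it parses lines in the changelog's own BadNetworks[] syntax, computes the block the mask actually selects, flags entries whose base address is not the first address of that block, and answers "which rules catch this IP" for a few probe addresses. It assumes the filter matches by bitwise AND of address and mask (the usual semantics); under that assumption the xiti.com rule in item 1 covers 080.118.149.096 ... 127, not 105 ... 127, and the first SPYHAVEN rule in item 13 covers 204.245.162.000 ... 031. The sample rules are copied from this changelog; the probe addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the changelog's BadNetworks[] syntax (not the real
# filter file). The xiti.com and first SPYHAVEN entries are kept exactly as
# the changelog writes them so the alignment check can flag them.
SAMPLE_RULES = """
BadNetworks[i++] = "80.118.149.105, 255.255.255.224"; // xiti.com
BadNetworks[i++] = "81.176.69.192, 255.255.255.192"; // HOTLOG1
BadNetworks[i++] = "204.245.162.8, 255.255.255.224"; // SPYHAVEN
BadNetworks[i++] = "192.187.168.0, 255.255.248.0"; // PERSONAL SPAM
BadNetworks[i++] = "216.240.129.82, 255.255.255.255"; // PORN 010 (TROJAN)
"""

# One rule line: base address, dotted mask, optional // comment.
RULE_RE = re.compile(
    r'BadNetworks\[i\+\+\]\s*=\s*"([\d.]+)\s*,\s*([\d.]+)"\s*;'
    r'(?:\s*//\s*(.*))?'
)


def parse_rules(text):
    """Parse BadNetworks lines into dicts carrying the mask-aligned block.

    'aligned' is False when the written base is not the first address of
    its block, i.e. when "base .. last" as the changelog reads a rule and
    "base AND mask" as a bitwise matcher computes it do not agree.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        base, mask = m.group(1), m.group(2)
        comment = (m.group(3) or "").strip()
        # strict=False lets ipaddress normalise a mid-block base to its block.
        net = ipaddress.ip_network(f"{base}/{mask}", strict=False)
        rules.append({
            "base": base,
            "mask": mask,
            "comment": comment,
            "network": net,
            "aligned": ipaddress.ip_address(base) == net.network_address,
        })
    return rules


def block_range(rule):
    """(first, last) dotted addresses of the block the mask really selects."""
    net = rule["network"]
    return str(net.network_address), str(net.broadcast_address)


def misaligned(rules):
    """(base, mask, aligned block) for every rule whose base is mid-block."""
    return [(r["base"], r["mask"], str(r["network"]))
            for r in rules if not r["aligned"]]


def matching_rules(ip, rules):
    """Comments of every rule whose aligned block contains ip."""
    addr = ipaddress.ip_address(ip)
    return [r["comment"] for r in rules if addr in r["network"]]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        first, last = block_range(r)
        flag = "" if r["aligned"] else "  <-- base not aligned to mask"
        print(f'{r["base"]:>15}/{r["mask"]:<15} {first} .. {last}  '
              f'{r["comment"]}{flag}')
    print("misaligned:", misaligned(rules))
    # Constructed probe addresses, one inside each block plus one outsider.
    for probe in ("80.118.149.100", "204.245.162.20", "192.187.170.5", "8.8.8.8"):
        print(probe, "->", matching_rules(probe, rules) or "no rule")
```

Run it over a real rules file by passing its contents to parse_rules(); anything reported by misaligned() is a rule that blocks more (or different) addresses than the comment next to it suggests, which is exactly how the History Channel false positive in item 13 arises.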
22. Action: v1.panthercdn.com
Added: BadNetworks[i++] = "63.144.121.128, 255.255.255.128"; // PANTHER3
Reason: They shifted their IP addresses yet again.
23. Action: "amazon.ca"
Added: GoodDomains[i++] = ".amazon.ca";
Reason: Is amazon.fr big? I thought they just did everything
via their COM domain.
24. Action: "instacontent"
Added: BadNetworks[i++] = "4.78.48.112, 255.255.255.240"; // instacontent
BadNetworks[i++] = "64.191.192.112, 255.255.255.240"; // instacontent
BadNetworks[i++] = "65.216.116.112, 255.255.255.240"; // instacontent
Reason: changed the IP addresses of their servers again
25. Action: ".ask.com"
Added: GoodDomains[i++] = ".ask.com";
Reason: Ask.com is the ONLY search engine that allows you to opt
out of them keeping your history for more than a year,
primarily by IP address. SANS gave them a big thumbs up,
especially if you are searching for health care info.
Here is a URL on it:
http://tinyurl.com/2mx56a
26. Action: "ocular" & "oculomotor" & "oculus"
From: BadURL_Parts[i++] = "[^aeilns]cul[^it]";
To: BadURL_Parts[i++] = "[^aeilnos]cul[^it]";
Reason: Mon Dec 24 03:41:08:
binoculars2.ask.com/binocl_get?url=\
c71210befc5fd9551baabbf0e40a957d&s=3078406374&size=2
I realize that I just added ".ask.com", but in
addition to the words that I just made, we are
bound to have "binocular" and other words like
that.
24 December 2007 UNresolved False Positives (HHH)
-------------------------------------------------
1. Pattern: "tgp"
Rules: BadURL_Parts[i++] = "tgp";
Reason: www.tomshardware.com/Design/graphics/\
tomshardware/logo_tgpfoot.gif
www.vmware.com/files/images/promos/\
ws_promo_tgp.gif
www.symantec.com/content/en/us/enterprise/\
images/promo/ent-vista_sec_mktgpromo.jpg
ANY IDEAS WHAT TO DO ABOUT IT?
2. Pattern: "chest"
Rules: BadURL_WordStarts[i++] = "chest";
BadURL_WordEnds[i++] = "chest";
Reason: Wed May 16 10:11:41:
images.bestbuy.com/BestBuy_US/en_US/images/global\
/features/gigrad_blueshirtchest_2007.jpg
THE EASY SOLUTION WOULD BE TO ADD A GoodDomains
".bestbuy.com" RULE. THE PROBLEM IS: hope-chest
drawer-chest, chest-of-jewels, treasure-chest, etc.
Further, even the efficacy of the rule itself poses
no reason to drop the rules from URL to HOST:
44 chest_Parts.txt
5 chest_Starts_and_Ends.txt
33 chest_Passed_All_Rules.txt
82 total
3. Pattern: "rape"
Rules: BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
BadURL_WordEnds[i++] = "rape";
Reason: Fri Jun 8 05:59:23:
creativecommons.org/apps/scrape
I found the following words that end with "rape" that
have 1, 2, or 3 letters in front of that:
crape drape grape
scrape serape
That gives the [^cdeg] in front of the rule at a
maximum and a [^c] at a minimum. But remember that
grape can be gangrape.
SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED
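Change 8 (the "[^rv]angel" to "[^hrv]angel" edit), change 26 and unresolved false positive 3 all refine a character-class pattern by hand against a list of words it must still catch and a list it must stop catching. The script below is an added example, not code from the changelog or its filter: it compiles candidate rules, runs each against a "must block" and a "must pass" list, and reports what each candidate misses and what it hits by mistake. The rule semantics are assumed (BadHostParts/BadURL_Parts match anywhere in the string; BadURL_WordEnds match a run of letters and digits that ends with the pattern); the word lists are constructed from the hosts and words quoted in this changelog. For "rape" it shows the trade-off stated above in one run: [^cdeg]rape clears every dictionary word but lets gangrape through, while [^c]rape catches gangrape at the price of drape, grape and serape.

```python
import re

# Assumed rule semantics, modelled on the changelog's rule categories.
def compile_part(pattern):
    """BadHostParts / BadURL_Parts: the pattern may occur anywhere."""
    return re.compile(pattern, re.IGNORECASE)


def compile_word_start(pattern):
    """BadURL_WordStarts: pattern begins a run of letters and digits."""
    return re.compile(r"(?<![a-z0-9])" + pattern, re.IGNORECASE)


def compile_word_end(pattern):
    """BadURL_WordEnds: pattern ends a run of letters and digits."""
    return re.compile(pattern + r"(?![a-z0-9])", re.IGNORECASE)


def evaluate(regex, must_block, must_pass):
    """Return (missed, false_positives) for one compiled rule."""
    missed = [s for s in must_block if not regex.search(s)]
    false_positives = [s for s in must_pass if regex.search(s)]
    return missed, false_positives


def compare(candidates, must_block, must_pass):
    """Map each candidate name to its (missed, false_positives)."""
    return {name: evaluate(rx, must_block, must_pass)
            for name, rx in candidates.items()}


# Constructed from the hosts and words quoted in the changelog.
ANGEL_BLOCK = ["barelyangels.com", "candyangels.com", "shyangel.com"]
ANGEL_PASS = ["archangel", "earthangellogopink_01.jpg", "angelsbysharae.com"]
ANGEL_RULES = {
    "[^rv]angel": compile_part("[^rv]angel"),    # rule before change 8
    "[^hrv]angel": compile_part("[^hrv]angel"),  # rule after change 8
}

RAPE_BLOCK = ["gangrape"]
RAPE_PASS = ["crape", "drape", "grape", "scrape", "serape",
             "creativecommons.org/apps/scrape"]
RAPE_RULES = {
    "rape": compile_word_end("rape"),                # current WordEnds rule
    "[^cdeg]rape": compile_word_end("[^cdeg]rape"),  # "maximum" candidate
    "[^c]rape": compile_word_end("[^c]rape"),        # "minimum" candidate
}


def run_angel():
    return compare(ANGEL_RULES, ANGEL_BLOCK, ANGEL_PASS)


def run_rape():
    return compare(RAPE_RULES, RAPE_BLOCK, RAPE_PASS)


def report(title, results):
    print(title)
    for name, (missed, fps) in results.items():
        print(f"  {name:14} missed={missed} false_positives={fps}")


if __name__ == "__main__":
    report("angel rules", run_angel())
    report("rape rules", run_rape())
```

A candidate is only a keeper when both lists come back empty; when no character class can do that, the leftover false positives are the hosts that need a GoodDomains rule (as skyangel.com and thetinangel.com got in change 6) or the leftover misses need a second, more specific rule.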
24 December 2007 RESOLVED False Positives (HHH)
-----------------------------------------------
NONE