IDS: 013 ... 07 September 2008 Changes (HHH)
--------------------------------------------

1. Action: 1st pass white list rules for Airelle's white list.
   Added:
   GoodDomains[i++] = "eurotunnel.com";
   GoodDomains[i++] = "netfilter.org";
   GoodDomains[i++] = "phillips.com";
   GoodDomains[i++] = "phillips.fr";
   GoodDomains[i++] = ".symantecliveupdate.com";
   GoodDomains[i++] = "womenssportsfoundation.org";
   GoodDomains[i++] = "wwwomen.com";
   GoodDomains[i++] = "virginmedia.com";
   GoodDomains[i++] = "virginmega.fr";
   Reason: Most of these are high profile. The "wwwomen.com" domain seems
   to be the only exception. I may remove it later on. It seems to have
   had little done to it during the last year.

2. Action: Modified "lust" rule
   From: BadHostParts[i++] = "lust";
   To:   BadHostParts[i++] = "[^l]lust";
   Reason: sportsillustrated.com, sportsillustrated.cnn.com
   There are only 19 *llust* hosts in my lists that are not blocked by
   something else, but these are the only ones that are not parked or
   dead right now:
   animallust.com
   anime-illustrated.com
   animeillustrated.com
   asiaillustrated.com
   caramellust.com
   hotellust.com
   illustratedkamasutra.com
   illustratedsexstories.com
   locallust.com
   orientallust.com
   sellustraffic.com
   wellust.nl
   There are 508 hosts in the lust_Passed_All_Rules.txt file. Now don't
   let the short list fool you. These rules work synergistically with
   each other. I am also tailoring this rule at the host level to shove
   it down into the URL level. Also, I have perhaps less than 1/3 of the
   active Porn hosts. I have a good enough sample though, which is all
   they are there for. See the lust folder for a breakdown.

3. Action: Removing Proxy IP address rules
   Removed:
   BadNetworks[i++] = "82.98.86.163, 255.255.255.255"; // 303
   BadNetworks[i++] = "82.98.86.167, 255.255.255.255"; // 235
   Reason: Many of my IP Proxy address rules are being trashed. I am
   listing what PARKING service (but keep in mind that they ALWAYS trade
   names back and forth between the parkers) is attached to each IP
   address.
   82.98.86.163  Sedo
   82.98.86.167  Sedo
   The handful I had IP addresses for have still been parked at various
   sites. Most of them redirect you to search.trafficclub.com. This IP
   address is itself now a PARK IP address for Sedo.

4. Action: "gratis" and "gratuit"
   From:
   BadURL_Parts[i++] = "gratis";
   BadURL_Parts[i++] = "gratuit";
   To:
   // BadURL_Parts[i++] = "gratis";  // YOUR CHOICE
   // BadURL_Parts[i++] = "gratuit"; // YOUR CHOICE
   Reason: Free in any language is a mixed bag. Let them know it
   constitutes a danger and they can make their own choice.

5. Action: "masterba"
   From: BadURL_Parts[i++] = "masterba";
   To:   BadURL_Parts[i++] = "masterbat";
   Reason: Other than the fact that they cannot even spell? Airelle has
   [www.]webmasterbase.com in his white list. "masturba" is okay since
   you have "masturbac*", "masturbat*", and "masturbaz*". At least for
   English, there is nothing I can see that could be a shortened
   contraction where the first word ends in "mastur" like the host here.

6. Action: "virgin"
   From: BadURL_Parts[i++] = "virgin[^i]";
   To:   BadURL_Parts[i++] = "virgin[^im]";
   Reason: virginmedia.com & virginmega.fr. But that was NOT enough.
   See #1 above.

7. Action: "crazyfox.com"
   Added: GoodDomains[i++] = "crazyfox.com";
   Reason: I have seen enough of these ads on TV on how it will help
   people make millions and work from home. How would I know? I don't
   believe it, but that doesn't mean I am right. More than that, I
   sometimes wonder whether the crazy rule is worth it, but I don't seem
   to have any problems with it.

8. Action: "pixel####.everesttech.net"
   Added: everesttech.net
   Reason: pixel1370.everesttech.net showed up in my logs, but this is a
   DNSWCD, so there is no way of knowing how many more we are missing.
   Airelle has more than I do, and I may add them, but this rule is even
   better.

9. Action: *baikal*
   Removed: BadHostParts[i++] = "baikal";
   Reason: The last of these that was bad is now gone.

10. Action: Removed SPAM rules
   Removed:
   BadNetworks[i++] = "66.246.203.254, 255.255.255.255"; // SPAM
   BadNetworks[i++] = "66.248.154.254, 255.255.255.255"; // SPAM
   BadNetworks[i++] = "128.168.85.7, 255.255.255.255"; // SPAM
   BadNetworks[i++] = "128.168.224.4, 255.255.255.255"; // SPAM
   BadNetworks[i++] = "192.187.196.244, 255.255.255.255"; // SPAM
   BadNetworks[i++] = "192.187.197.18, 255.255.255.255"; // SPAM
   Reason: They no longer matched what the SPAM addresses were.

11. Action: Added SPAM rules
   Added:
   BadNetworks[i++] = "8.14.98.4, 255.255.255.255"; // SPAM
   BadNetworks[i++] = "8.14.100.4, 255.255.255.255"; // SPAM
   BadNetworks[i++] = "66.128.147.4, 255.255.255.255"; // SPAM
   BadNetworks[i++] = "69.64.155.119, 255.255.255.255"; // SPAM
   BadNetworks[i++] = "69.64.155.120, 255.255.255.252"; // SPAM
   BadNetworks[i++] = "69.64.155.128, 255.255.255.252"; // SPAM
   BadNetworks[i++] = "69.64.155.136, 255.255.255.255"; // SPAM
   BadNetworks[i++] = "128.168.240.4, 255.255.255.255"; // SPAM
   Reason: They are the new SPAM IPs that show up in my email.

12. Action: Removed Nandomedia
   Removed:
   BadNetworks[i++] = "152.52.20.248, 255.255.255.248"; // nandomedia
   Reason: All their servers, or anybody using them, have been shut down.
   I am removing all or almost all of the server list in my
   Hosts/Aliases/ZZZAliases.txt file.

13. Action: Added one more 2o7.net rule
   Added:
   BadNetworks[i++] = "128.242.100.9, 255.255.255.0";
   Reason: It showed up with a DNS query for the c.p-real.com alias. I do
   worry about the netmask being too big, but we will see what happens.

14. Action: Removed unused trojan disseminating domain
   Removed:
   BadDomains[i++] = ".truth-is-out-there.org";
   Reason: All hosts in the domain are parked now.

15. Action: Added BadDomain that is tracking.
   Added:
   BadDomains[i++] = ".offermatica.com";
   Reason: I don't know how many more there are. Further, I would like
   more information on the NebuAd deep packet inspection. I don't think
   blocking a server will do anything to stop it.

16. Action: Removed Proxy IP rules
   Removed:
   BadNetworks[i++] = "75.126.157.163, 255.255.255.255"; // 386
   BadNetworks[i++] = "83.170.113.102, 255.255.255.255"; // 374
   BadNetworks[i++] = "66.90.103.37, 255.255.255.255"; // 354
   BadNetworks[i++] = "75.126.146.18, 255.255.255.255"; // 302
   BadNetworks[i++] = "67.159.45.50, 255.255.255.255"; // 270
   BadNetworks[i++] = "67.192.60.213, 255.255.255.255"; // 245
   BadNetworks[i++] = "67.159.45.93, 255.255.255.255"; // 222
   BadNetworks[i++] = "208.53.157.25, 255.255.255.255"; // 194
   BadNetworks[i++] = "74.86.47.188, 255.255.255.255"; // 182
   BadNetworks[i++] = "66.90.73.227, 255.255.255.255"; // 164
   BadNetworks[i++] = "66.232.113.128, 255.255.255.255"; // 144
   BadNetworks[i++] = "69.10.36.4, 255.255.255.255"; // 126
   BadNetworks[i++] = "69.10.36.3, 255.255.255.255"; // 126
   BadNetworks[i++] = "69.10.36.2, 255.255.255.255"; // 126
   BadNetworks[i++] = "208.53.157.250, 255.255.255.255"; // 112
   BadNetworks[i++] = "207.226.174.213, 255.255.255.255"; // 106
   BadNetworks[i++] = "75.126.156.120, 255.255.255.255"; // 106
   BadNetworks[i++] = "67.159.44.59, 255.255.255.255"; // 80
   BadNetworks[i++] = "198.145.112.200, 255.255.255.255"; // 78
   BadNetworks[i++] = "74.208.56.4, 255.255.255.255"; // 78
   BadNetworks[i++] = "66.90.68.149, 255.255.255.255"; // 78
   BadNetworks[i++] = "208.75.248.90, 255.255.255.255"; // 76
   BadNetworks[i++] = "75.127.81.170, 255.255.255.255"; // 64
   BadNetworks[i++] = "66.90.77.2, 255.255.255.255"; // 58
   BadNetworks[i++] = "64.191.50.138, 255.255.255.255"; // 56
   BadNetworks[i++] = "67.159.41.98, 255.255.255.255"; // 54
   BadNetworks[i++] = "67.159.30.9, 255.255.255.255"; // 54
   BadNetworks[i++] = "207.226.174.220, 255.255.255.255"; // 52
   BadNetworks[i++] = "64.191.70.133, 255.255.255.255"; // 48
   BadNetworks[i++] = "66.232.117.119, 255.255.255.255"; // 42
   BadNetworks[i++] = "72.232.88.134, 255.255.255.255"; // 40
   BadNetworks[i++] = "72.36.145.141, 255.255.255.255"; // 40
   BadNetworks[i++] = "66.90.104.187, 255.255.255.255"; // 36
   BadNetworks[i++] = "69.64.87.252, 255.255.255.255"; // 34
   BadNetworks[i++] = "208.101.33.76, 255.255.255.255"; // 32
   BadNetworks[i++] = "67.159.45.95, 255.255.255.255"; // 32
   Reason: They just change their IP addresses too often. If I were rich
   and could hire one person full time and hand them these host names as
   they came in, this might be worth it, but for now we (*I* - Henry
   Hertz Hobbit) just cannot keep up with the onslaught. In fact, I am
   not going to do anything more with pseudo-proxies right now other
   than what I ABSOLUTELY MUST DO (which is to monitor the name changes).

17. Action: Removed all instacontent BadNetworks rules
   Removed:
   BadNetworks[i++] = "4.78.48.112, 255.255.255.240"; // instacontent
   BadNetworks[i++] = "63.111.30.112, 255.255.255.240"; // instacontent
   BadNetworks[i++] = "64.191.192.112, 255.255.255.240"; // instacontent
   BadNetworks[i++] = "64.191.208.93, 255.255.255.255"; // PRIVUS // instacontent
   BadNetworks[i++] = "64.191.208.112, 255.255.255.240"; // instacontent
   BadNetworks[i++] = "65.200.179.112, 255.255.255.240"; // instacontent
   BadNetworks[i++] = "65.206.60.112, 255.255.255.240"; // instacontent
   BadNetworks[i++] = "65.216.116.112, 255.255.255.240"; // instacontent
   BadNetworks[i++] = "216.38.160.117, 255.255.255.255"; // PRIVUS // instacontent
   Reason: Basically, they are just too volatile. Also, they aren't
   showing up in my Pseudo web server logs, so they are either using
   HTTPS or are rather rare.

18. Action: Removed all panther* BadNetworks rules
   Removed:
   BadNetworks[i++] = "63.144.121.128, 255.255.255.128"; // PANTHER3
   BadNetworks[i++] = "209.95.139.128, 255.255.255.128"; // PANTHER1
   BadNetworks[i++] = "209.170.120.32, 255.255.255.224"; // PANTHER2
   Reason: Same reason as instacontent.

19. Action: Modified lust rule
   From: BadHostParts[i++] = "[^l]lust";
   To:   BadHostParts[i++] = "[^cl]lust";
   Reason: "cluster" - hardly any in my database. Airelle had only 28.

20. Action: Added another *.2o7.net rule
   Added:
   BadNetworks[i++] = "66.235.132.0, 255.255.254.0"; // 2008-09-03
   Reason: It showed up. More than that, I dated ALL IP addresses that
   showed up, and put deprecated behind the ones that didn't show up
   (but retained them). This one was an eye opener. They have obtained a
   HUGE IP address space: 66.235.128.0 - 66.235.159.255. Technically,
   that means we could theoretically have the following rule:
   BadNetworks[i++] = "66.235.128.0, 255.255.224.0";
   And I HAVE that rule to test it! But this one blocks all IP addresses
   from 66.235.132.0 ... 66.235.133.255 inclusive.

21. Action: Modified a *.2o7.net rule
   From: BadNetworks[i++] = "128.242.100.9, 255.255.255.0";
   To:   BadNetworks[i++] = "128.242.100.0, 255.255.255.224";
   Reason: In reality, Omniture is NOT the one that supposedly owns this
   address space, but it does run from 128.242.100.0 ... 128.242.100.31.
   In other words, this makes this the correct netmask.

22. Action: Added another *.2o7.net rule
   Added:
   BadNetworks[i++] = "209.85.51.0, 255.255.255.0";
   Reason: Again, I don't know WHOSE address space this really is because
   they are registered with Optical Jungle. I do know that the IP address
   that showed up was 209.85.51.151. If this turns out to be wrong I will
   remove the rule. It does stretch all the way from 209.85.51.0 ...
   209.85.51.255, so the netmask is correct.

23. Action: REMOVE UNUSED *.2o7.net rules
   Removed:
   BadNetworks[i++] = "8.15.7.96, 255.255.255.224"; // REMOVE 08-09-03
   BadNetworks[i++] = "63.251.179.0, 255.255.255.224"; // REMOVE 08-09-03
   BadNetworks[i++] = "70.42.134.0, 255.255.255.0"; // REMOVE 08-09-03
   BadNetworks[i++] = "74.201.95.0, 255.255.255.224"; // REMOVE 08-09-03
   BadNetworks[i++] = "128.242.125.0, 255.255.255.0"; // REMOVE 08-09-03
   Reason: *I* *AM* *NOT* *REMOVING* *THESE* *JUST* *YET*! But if they
   don't show up in subsequent DNS lookups within 3 months, I will
   remove them.
07 September 2008 UNresolved False Positives (HHH)
--------------------------------------------------

1. Pattern: "tgp"
   Rules:
   BadURL_Parts[i++] = "tgp";
   Reason:
   www.tomshardware.com/Design/graphics/tomshardware/logo_tgpfoot.gif
   www.vmware.com/files/images/promos/ws_promo_tgp.gif
   www.symantec.com/content/en/us/enterprise/images/promo/ent-vista_sec_mktgpromo.jpg
   ANY IDEAS WHAT TO DO ABOUT IT?

2. Pattern: "chest"
   Rules:
   BadURL_WordStarts[i++] = "chest";
   BadURL_WordEnds[i++] = "chest";
   Reason:
   Wed May 16 10:11:41: images.bestbuy.com/BestBuy_US/en_US/images/global/features/gigrad_blueshirtchest_2007.jpg
   THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com" RULE.
   THE PROBLEM IS: hope-chest, drawer-chest, chest-of-jewels,
   treasure-chest, etc. Further, the efficacy of the rule itself gives
   no reason to drop the rules from the URL level to the HOST level:
     44 chest_Parts.txt
      5 chest_Starts_and_Ends.txt
     33 chest_Passed_All_Rules.txt
     82 total

3. Pattern: "rape"
   Rules:
   BadURL_WordStarts[i++] = "rape"; (PROBABLY OKAY)
   BadURL_WordEnds[i++] = "rape";
   Reason:
   Fri Jun 8 05:59:23: creativecommons.org/apps/scrape
   I found the following words that end with "rape" and have 1, 2, or 3
   letters in front of that: crape drape grape scrape serape
   That gives a [^cdeg] in front of the rule at a maximum and a [^c] at
   a minimum. But remember that grape can be gangrape.
   SEE 15 Jun 2007 CHANGES IF THIS IS RESOLVED
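The negated character class used to carve exceptions out of a pattern (items 2, 6 and 19 of the changes above, and the [^cdeg] idea in false positive #3) is easy to get subtly wrong, so here is an added JavaScript evaluator that is not code from the PAC file or from HHH. It applies GoodDomains first and then BadHostParts, as the changelog relies on, to the hosts discussed above; the .example.com names are constructed test hosts, and the anchored variant at the end is my own observation, not a rule from the list.

```javascript
// Added example: minimal evaluator for GoodDomains / BadHostParts rules,
// using the patterns quoted in this changelog.

const GoodDomains = ["virginmedia.com", "virginmega.fr", "eurotunnel.com"];
const BadHostParts = ["[^cl]lust", "virgin[^im]"];

// PAC-style whitelist test: host equals the domain or is a subdomain of it.
function isGoodDomain(host) {
  return GoodDomains.some(d => host === d || host.endsWith("." + d));
}

// Return the first BadHostParts pattern that matches the host, or null.
function badHostPart(host) {
  for (const p of BadHostParts) {
    if (new RegExp(p).test(host)) return p;
  }
  return null;
}

// Decision order the changelog depends on: the white list wins.
function classify(host) {
  host = host.toLowerCase();
  if (isGoodDomain(host)) return "allow (GoodDomains)";
  const p = badHostPart(host);
  return p ? "block (" + p + ")" : "allow";
}

// Observation (mine): "[^cl]lust" needs some character before "lust", so it
// cannot match a host that *begins* with "lust". Anchoring the alternative
// closes that gap while still skipping "cluster" and "illustrated".
function matchesAnchoredLust(host) {
  return /(^|[^cl])lust/.test(host.toLowerCase());
}

for (const h of ["sportsillustrated.cnn.com", "cluster.example.com",
                 "animallust.com", "www.lust.example.com",
                 "lust.example.com", "www.virginmedia.com",
                 "virgin-wool.example.com"]) {
  console.log(h.padEnd(28), classify(h), "| anchored lust:",
              matchesAnchoredLust(h));
}
```

Note that animallust.com is allowed by this rule alone, which is the *llust* gap item 2 describes and leaves to the other rules, and that the constructed virgin-wool.example.com shows why item 1 had to add GoodDomains entries on top of the [^im] exclusion.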