FREE PORN ### IDS: 013 ...

13 October 2008 Changes (HHH)
-----------------------------

1.  Action: Removed "bfast.com" rule
    Removed:
        BadDomains[i++] = ".bfast.com"; // DEAD?
    Reason: None ever showed up since November of last year. That was AOL,
    and it was service.bfast.com. The domain is dead now.

2.  Action: Modified two rules
    From:
        BadURL_WordEnds[i++] = "rape";
        BadURL_Parts[i++] = "tgp";
    To:
        BadURL_WordEnds[i++] = "[^cg]rape";
        BadURL_Parts[i++] = "[^_k]tgp[^r]";
    Reason: See the resolved False Positives for what these problems are and
    how this solves the problems. I added the "g" in the "rape" rule, but I
    still don't like it. I will have to live with it!

3.  Action: Added white rule for several domains
    Added:
        GoodDomains[i++] = "1800flowers.com";
        GoodDomains[i++] = ".ebayimg.com";      // "17" && "18"
        GoodDomains[i++] = ".googlepages.com";  // "17" & "18"
        GoodDomains[i++] = ".hp.com";           // "17" && "18"
        GoodDomains[i++] = ".hulu.com";         // "thumb" US-only
        GoodDomains[i++] = ".imageshack.us";    // "17" && "18"
        GoodDomains[i++] = ".mqcdn.com";        // "17" && "18" (actually, I just altered this one)
        GoodDomains[i++] = ".over-blog.com";    // "17" && "18"
        GoodDomains[i++] = ".photobucket.com";  // "17" && "18"
    Reason: "17" & "18" rules whack them.

4.  Action: Comments for the "17" and "18" rules
    From:
        BadHostParts[i++] = "17";
        BadHostParts[i++] = "18";
    To:
        BadHostParts[i++] = "17"; // YOUR CHOICE
        BadHostParts[i++] = "18"; // YOUR CHOICE
    Reason: After thorough exhaustive proof of my logs going back almost two
    years I am concluding that as bad as these rules may seem - you end up
    with almost NO false positives. The only ones I have had are with the
    Avast Anti-Virus update servers that really mattered.

5.  Action: Just in case Microsoft continues to use the IP address
    Added:
        GoodNetworks[i++] = "65.52.0.0, 255.255.252.0"; // Microsoft
    Reason:

6.  Action: It is cnn.COM, not cnn.NET
    From:
        GoodDomains[i++] = ".cnn.net";
    To:
        GoodDomains[i++] = ".cnn.com";
    Reason: WOOPS! How did that one get there!
    I thought I had CNN covered. Now I do.

7.  Action: "tdameritrade.com"
    From:
        BadHostParts[i++] = "dame";
    To:
        BadHostParts[i++] = "[^nt]dame"; // tdameritrade.com
    Reason: self evident - we may need to modify the rule even more.
    Actually, I just did because of these hosts:
        fundamentaltop500.com
        pausefundamental.com
    (hosts file no longer blocks)

8.  Action: Activate rule for everybody
    From:
        BadDomains[i++] = ".51yes.com"; // PRIVUS RULE - 2007-08-22
    To:
        BadDomains[i++] = ".51yes.com";
    Reason: count41.51yes.com showed up in my logs. You cannot enumerate all
    of them ... well maybe you can but they will change.

9.  Action: Activate rule for everybody
    From:
        BadDomains[i++] = ".imrworldwide.com"; // PRIVUS RULE - 2007-08-22
    To:
        BadDomains[i++] = ".imrworldwide.com";
    Reason: Didn't have server-fr.imrworldwide.com and who knows how many
    others. They always have the same domain name.

10. Action: "bang" rule
    Added:
        // BadHostWordEnds[i++] = "bang"; // YOUR CHOICE
    Reason: I have lived with this one a long time. Since it has stopped porn
    it is valuable, but it also caused a FALSE POSITIVE (www.blogbang.com)

11. Action: Added spam IPs
    Added:
        BadNetworks[i++] = "122.198.62.4, 255.255.255.255";  // SPAM - Airelle
        BadNetworks[i++] = "218.61.33.235, 255.255.255.255"; // SPAM - Airelle
    Reason: Airelle's SPAM links.

12. Action: Removing ALL spylocked.com hosts
    Removed:
        BadDomains[i++] = ".spylocked.com";
    Reason: No longer a threat.

13. Action: Our friend 2o7.net
    Removed:
        BadNetworks[i++] = "8.15.7.96, 255.255.255.224";    // REMOVE 08-09-03
        BadNetworks[i++] = "63.251.179.0, 255.255.255.224"; // REMOVE 08-09-03
        BadNetworks[i++] = "70.42.134.0, 255.255.255.0";    // REMOVE 08-09-03
        BadNetworks[i++] = "74.201.95.0, 255.255.255.224";  // REMOVE 08-09-03
    Reason: Actually, the 66.151.152.* rule had to be put back because it IS
    a part of 2o7.net! Boston.com maps to 66.151.183.41 and this rule should
    NOT block it. If boston.com is being blocked it is being done by
    something else.
    I just made it through with NO PROBLEMO!

14. Action: canal
    From:
        BadURL_WordEnds[i++] = "anal";
    To:
        BadURL_WordEnds[i++] = "[^c]anal";
    Reason: It would still be okay if it was a Host rule but it is NOT a host
    rule.

15. Action: BannerBank.ru (bb.ru) IP rule
    Removed:
        BadNetworks[i++] = "195.161.119.241, 255.255.255.248"; // BBRU1
        BadNetworks[i++] = "195.161.119.248, 255.255.255.255"; // BBRU2
    Reason: The IP address spaces are all over the wall. You may whack
    innocent hosts and we probably have all of these hosts we will ever get -
    there is no EASY way to determine if you have a new alias and so far NONE
    have shown up for YEARS now.

16. Action: valueclick.net, zango.com
    Added:
        BadDomains[i++] = ".seekmo.com";
        BadDomains[i++] = ".valueclick.net";
        BadDomains[i++] = ".zango.com";
    Reason:
    - freeblowjobmovies.powered-by.seekmo.com,
      freeblowjobvideos.powered-by.seekmo.com,
      funberry.powered-by.seekmo.com,
      keyrastriptease.powered-by.seekmo.com,
      male-celeb-videos.powered-by.seekmo.com,
      pariswallpapers.powered-by.seekmo.com,
      slutmatrixfree.powered-by.seekmo.com, AND
      wallpapernudes.powered-by.seekmo.com
      are all aliases to powered-by.zango.com. THERE ARE MORE!
    - ads.link.valueclick.net,
    - cars-screensavers.com.powered-by.zango.com
      new *.zango names are showing up

17. Action: New 2o7.net IP rules
    Added:
        BadNetworks[i++] = "66.235.142.0, 255.255.254.0";    // 2008-09-14
        // BadNetworks[i++] = "66.235.128.0, 255.255.224.0"; // 08-09-14 YOUR CHOICE
        // Covers 66.235.128.0 ... 66.235.159.255 Comment out other rules.
    Reason: The IP addresses of 66.235.142.3 and 66.235.143.70 showed up.
    Since I have lived with the YOUR CHOICE rule for several weeks (as a
    PRIVUS) I decided I would be remiss in NOT making it available to others.
    For now it is commented out, but if it causes NO problems it will
    eventually be put out without being commented out and eventually, all
    rules it covers will be removed.

18. Action: "*.clickzs.com"
    Added:
        BadDomains[i++] = ".clickzs.com";
    Reason: There are so many now we are probably missing some of them.

19. Action: "*.clicksor.com", "*.esomniture.com", "*.focalink.com"
    Removed:
        BadDomains[i++] = ".clicksor.com";   // PRIVUS RULE - 2007-06-22
        BadDomains[i++] = ".dynamic.dol.ru"; // PRIVUS RULE - 2007-08-23
        BadDomains[i++] = ".esomniture.com"; // DEAD?
        BadDomains[i++] = ".focalink.com";   // DEAD?
    Reason: Airelle has all of the *.clicksor.com hosts and I just added what
    he had I didn't have. I never got anything other than ads.clicksor.com,
    ads103.clicksor.com, creative.clicksor.com in my Pseudo-HTTP logs anyway,
    and nothing since 20 Sep 2007. It is time to retire it.
    "*.esomniture.com" is DEAD. So is "*.focalink.com". I don't even have
    them in my hosts file any more. The only reason I had them is because
    they do DNS wild carding. THERE IS NO WAY TO DETERMINE WHEN THEY HAVE
    DIED. But since I haven't seen ANY "*.focalink.com" IN THREE YEARS I
    CONCLUDED THE PATIENT HAS DIED. I just went to their main page and got a
    pretty white page. I have NO "dynamic.dol.ru" in my logs - NONE.

20. Action: "adgardener.com"
    Added:
        BadDomains[i++] = ".adgardener.com";
    Reason: This is a DNS wild-card domain. You can even put
    blahblahblah.adgardener.com and end up with a valid IP address. In
    reality though, they come at you as harvest[###].adgardener.com

21. Action: PERSONAL BadNetworks and WildCard domains
    Added:
        BadNetworks[i++] = "12.130.91.51, 255.255.255.255";    // PRIVUS te.tribune.com
        BadNetworks[i++] = "62.32.97.0, 255.255.255.0";        // PRIVUS intellitxt1
        BadNetworks[i++] = "63.144.121.128, 255.255.255.128";  // PRIVUS PANTHER1
        BadNetworks[i++] = "64.154.80.0, 255.255.255.252";     // PRIVUS HITBOX
        BadNetworks[i++] = "66.114.48.0, 255.255.240.0";       // PRIVUS PANTHER2
        BadNetworks[i++] = "78.108.177.0, 255.255.255.0";      // PRIVUS PORN 2008-09-14
        BadNetworks[i++] = "96.17.111.8, 255.255.255.128";     // PRIVUS RealMedia
        BadNetworks[i++] = "128.168.240.1, 255.255.252.0";     // PRIVUS RULE 2008-08-23
        BadNetworks[i++] = "207.211.21.0, 255.255.255.0";      // PRIVUS intellitxt2
        BadNetworks[i++] = "207.211.65.0, 255.255.255.0";      // PRIVUS intellitxt3
        BadNetworks[i++] = "212.62.17.192, 255.255.255.192";   // PRIVUS sagemetrics
        BadDomains[i++] = ".crwdcntrl.net";            // PRIVUS RULE - 2008-09-14
        BadDomains[i++] = ".kit.carpediem.fr";         // PRIVUS RULE - 2008-09-18
        BadDomains[i++] = ".quantserve.com";           // PRIVUS RULE - 2008-09-29
        BadDomains[i++] = ".searchresultsdirect.com";  // PRIVUS RULE - 2008-09-17
        --------
        BadURL_Parts[i++] = "[^cd]raped";  // PRIVUS RULE - 2007-09-19
        BadURL_Parts[i++] = "teen";        // PRIVUS RULE - 2007-04-17
        BadHostParts[i++] = "college";     // PRIVUS PROXY - 2007-11-11
    Reason: I have added these filter rules to test their effects. So far I
    haven't had many problems. The ones after the "---------" if added would
    be commented out. THEY ARE NOT FOR PUBLIC USE - PRIVATE USE ONLY! There
    are some times I go into really nasty situations. For tests of proxies I
    end up with a GSOD (Gray Screen Of Death) when I am using Firefox and I
    MUST have the "college" rule to bring it to a sane state. Definition of
    sane is to have to kill the browser only if GSOD lasts for over ten
    minutes which happens only rarely when I have that rule. It started as an
    attempt to make a REAL proxy rule for public consumption.
    Ditto for the two others but I have had to blow away my Firefox, Java,
    and MacroMedia folders, especially with the "raped" rule. This occurs
    when the host will NOT respond to a wget and the browser is the only way
    I can see what happens. When I do it that way, the host being tested gets
    put temporarily in as a GoodDomain. I have a LOT of GoodDomain rules but
    they really are PERSONAL.

22. Action: Removed TYPO Hosts rule
    Removed:
        BadNetworks[i++] = "75.126.144.219, 255.255.255.255"; // ZIPSERVERS TYPO
    Reason: NONE of the hosts I had that used to have this IP address are in
    DNS any more. Here is the list:
        http://www.securemecca.com/Ring/ZipServersTypo.txt
    I have also included it as a file in the change folder.

23. Action: *.xiti.com
    From:
        BadNetworks[i++] = "80.118.149.105, 255.255.255.224"; // xiti.com
    To:
        BadNetworks[i++] = "62.161.94.0, 255.255.255.0";  // xiti.com_1
        BadNetworks[i++] = "80.118.149.0, 255.255.255.0"; // xiti.com_2
    Reason: I found that they own these two complete blocks of IP addresses.
    They also have a smattering elsewhere. Only Airelle or somebody else
    primarily in France can determine if I have gone too far. There MAY be
    some valid xiti.com hosts we want to allow through. If that happens we
    can just shift back to what we had.

24. Action: *.insightexpressai.com rule needed
    Added:
        BadDomains[i++] = ".insightexpressai.com";
    Reason: I don't have anywhere near Airelle's number of hosts in the
    domain and I don't want to have them. Chuck all of them into the
    localhost trap.

25. Action: Removed *.ninoa.com
    Removed:
        BadDomains[i++] = ".ninoa.com";
    Reason: THEY ARE GONE!

26. Action: INSTACONTENT RULES BACK IN
    Added:
        BadNetworks[i++] = "64.191.192.0, 255.255.255.0"; // instacontent_3
        BadNetworks[i++] = "65.216.116.0, 255.255.255.0"; // instacontent_1
        // YOUR CHOICE - instacontent - comment out first and uncomment second
        BadNetworks[i++] = "216.38.160.0, 255.255.248.0"; // instacontent_2
        // BadNetworks[i++] = "216.38.160.0, 255.255.240.0"; // instacontent_2_ALT
    Reason: I have had success with the PANTHER rules that were PRIVUS in
    trapping js.bizographics.com (g1.panthercdn.com) and will address it
    next. I just cannot believe that they have such a HUGE network range. How
    they got eight full 8-bit subnets is a mystery to me. I also don't know
    what they will shift to next. It seems to me they have address spaces
    other than these. I will just have to add them as they come. See the
    ZZZAliases.txt file in the Aliases subfolder of the Hosts folder.

27. Action: PANTHER RULES BACK IN
    Added:
        BadNetworks[i++] = "63.144.121.128, 255.255.255.128"; // YOUR CHOICE PANTHER1
        BadNetworks[i++] = "66.114.48.0, 255.255.240.0";      // YOUR CHOICE PANTHER2
    Reason: Hey, instead of a false positive I got a true positive,
    js.bizographics.com (g1.panthercdn.com). If it can do that maybe it can
    catch the rest. But just like INSTACONTENT I AM ASTOUNDED that they got
    eight full 8-bit subnets. See the InstaContent.txt file in the Aliases
    subfolder of the Hosts folder.

28. Action: increased scope of block of valueclick
    From:
        BadDomains[i++] = ".valueclick.net";
    To:
        BadHostParts[i++] = "valueclick";
    Reason: Well, let's see.
    Airelle has at latest count all of the following domains that are all
    part of the ValueClick group:
        valueclick-europe.com, valueclick-europe.de, valueclick.co.jp,
        valueclick.co.uk, valueclick.com, valueclick.com.br, valueclick.de,
        valueclick.fr, valueclick.jp, valueclick.ne.jp, valueclick.net,
        valueclick.org, valueclick.ru, valueclick.spb.ru,
        valueclickmedia.com, valueclicks.com, valueclicks.net,
        valueclicksearch.com, valueclicksearch.net,
        valueclicksyndicationservices.com
    I know for a fact that there are MORE because I have personally seen
    several *.valueclick.it and *.valueclick.es hosts in the debugger. This
    filter has to stop being so US-centric NOW. At least now if I see them
    again, they will be in my PHTTP Daemon logs now (and stopped). Also, in
    reality I have FAR more *.valueclick.com hosts in my PHTTP Daemon logs
    than *.valueclick.net hosts. In other words, the existing rule was
    USELESS!

29. Action: Temporary Italiano block
    Added:
        BadNetworks[i++] = "194.242.61.128, 255.255.255.255"; // TEMP
    Reason: http://hphosts.blogspot.com/

30. Action: RealMedia (247RealMedia) blocks
    Added:
        BadNetworks[i++] = "64.58.80.0, 255.255.254.0";       // RealMedia
        BadNetworks[i++] = "64.191.218.0, 255.255.254.0";     // RealMedia
        BadNetworks[i++] = "208.71.120.0, 255.255.248.0";     // YOUR CHOICE RealMedia
        BadNetworks[i++] = "212.113.031.48, 255.255.255.248"; // YOUR CHOICE RealMedia
    Reason: I have seen plenty of RealPlayer attempts that succeeded from the
    247RealMedia / RealMedia group. This is an attempt to stop the rest

13 October 2008 UNresolved False Positives (HHH)
--------------------------------------------------

1.  Pattern: "chest"
    Rules:
        BadURL_WordStarts[i++] = "chest";
        BadURL_WordEnds[i++] = "chest";
    Reason:
        Wed May 16 10:11:41: images.bestbuy.com/BestBuy_US/en_US/images/global\
        /features/gigrad_blueshirtchest_2007.jpg
    THE EASY SOLUTION WOULD BE TO ADD A GoodDomains ".bestbuy.com" RULE.
    THE PROBLEM IS: hope-chest, drawer-chest, chest-of-jewels,
    treasure-chest, etc.
    Further, even the efficacy of the rule itself poses no reason to drop
    the rules from URL to HOST:
        44 chest_Parts.txt
         5 chest_Starts_and_Ends.txt
        33 chest_Passed_All_Rules.txt
        82 total

13 October 2008 RESOLVED False Positives (HHH)
------------------------------------------------

NONE
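
Added example (not part of the original changelog and not the filter's own code): a JavaScript audit of the "network, mask" strings used by the BadNetworks and GoodNetworks entries above, showing the range each rule really covers and two properties worth reviewing. It assumes every rule string is an IPv4 address and a dotted netmask separated by a comma; all function names are hypothetical.

```javascript
// Added example, not the filter's own code. Assumes a rule string is
// "IPv4 address, dotted netmask"; all function names are hypothetical.
function ipToInt(ip) {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) throw new Error("bad address: " + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("bad octet: " + ip);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join(".");
}

// Report the range a rule really covers and the properties worth reviewing.
function auditRule(rule) {
  const [netStr, maskStr] = rule.split(",");
  const net = ipToInt(netStr);
  const mask = ipToInt(maskStr);
  const inv = ~mask >>> 0;                 // host bits of the mask
  const first = (net & mask) >>> 0;
  return {
    first: intToIp(first),
    last: intToIp((first | inv) >>> 0),
    slash24s: (inv + 1) / 256,             // number of 256-address blocks
    contiguousMask: (inv & (inv + 1)) === 0,
    // Address is not the network base: an evaluator that compares
    // (ip & mask) with the unmasked rule address can never match it.
    hostBitsSet: first !== net,
    // inet_aton-style parsers read a leading-zero octet as octal.
    leadingZeroOctet: netStr.trim().split(".").some((p) => /^0\d/.test(p)),
  };
}

// Membership test that masks both sides, so host bits in the rule are harmless.
function ruleContains(rule, ip) {
  const [netStr, maskStr] = rule.split(",");
  const mask = ipToInt(maskStr);
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(netStr) & mask) >>> 0);
}
```

Run over the rules above, `hostBitsSet` is true for "128.168.240.1, 255.255.252.0" and for the old xiti.com rule "80.118.149.105, 255.255.255.224", and `leadingZeroOctet` is true for "212.113.031.48, 255.255.255.248".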
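
Added example (not part of the original changelog and not the filter's own code): a small false-positive regression check for the "dame" rule change in entry 7, run against the three hosts that entry names. It assumes a BadHostParts string is compiled as a regular-expression fragment and searched anywhere in the lowercased host name; `dame.example.test` is a constructed host, and the `(?:^|[^nt])dame` variant is hypothetical and does not appear in the changelog.

```javascript
// Added example, not the filter's own code. Assumption: a BadHostParts rule
// string is used as a regular-expression fragment searched anywhere in the
// lowercased host name. All function names are hypothetical.
function hits(rule, host) {
  return new RegExp(rule).test(host.toLowerCase());
}

// Run every rule against every host; return the "rule -> host" pairs that fire.
function regress(rules, hosts) {
  const fired = [];
  for (const rule of rules) {
    for (const host of hosts) {
      if (hits(rule, host)) fired.push(rule + " -> " + host);
    }
  }
  return fired;
}

// Hosts that entry 7 names as wrongly blocked by the old rule.
const KNOWN_GOOD = [
  "tdameritrade.com",
  "fundamentaltop500.com",
  "pausefundamental.com",
];

// Constructed host (not from the page) whose name begins with the token.
const STARTS_WITH_TOKEN = ["dame.example.test"];

const OLD_RULE = ["dame"];
const NEW_RULE = ["[^nt]dame"];            // the rule as changed in entry 7
const ANCHORED = ["(?:^|[^nt])dame"];      // hypothetical variant, not on the page

function report() {
  return {
    oldFalsePositives: regress(OLD_RULE, KNOWN_GOOD),
    newFalsePositives: regress(NEW_RULE, KNOWN_GOOD),
    // A negated class must consume one character, so under the stated
    // assumption the new rule cannot fire at the very start of a host name.
    newFiresAtStart: regress(NEW_RULE, STARTS_WITH_TOKEN).length === 1,
    anchoredFiresAtStart: regress(ANCHORED, STARTS_WITH_TOKEN).length === 1,
    anchoredFalsePositives: regress(ANCHORED, KNOWN_GOOD),
  };
}
```

Keeping the known-good hosts in a list like this lets each later rule edit be re-checked against every false positive already recorded.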