08 February 2009 Changes (HHH)
------------------------------

1.  Action:  HitBox extends their range
    Added:
        BadNetworks[i++] = "64.154.86.0, 255.255.255.192"; // YOUR CHOICE HITBOX2 - 2009-01-01
    Reason:  12 of them, and the rule ranges from 1 ... 63
        064.154.086.013  get.hitbox.com        2009-01-01
        064.154.086.013  hitbox.com            2009-01-01
        064.154.086.013  www.hitbox.com        2009-01-01
        064.154.086.013  ww3.hitbox.com        2009-01-01
        064.154.086.019  stats.hitbox.com      2009-01-01
        064.154.086.021  evwr.hitbox.com       2009-01-01
        064.154.086.026  vwr1.hitbox.com       2009-01-01
        064.154.086.031  w31.hitbox.com        2009-01-01
        064.154.086.033  w21.hitbox.com        2009-01-01
        064.154.086.034  tools.hitbox.com      2009-01-01
        064.154.086.047  resources.hitbox.com  2009-01-01
        064.154.086.050  ias.hitbox.com        2009-01-01
    I am reasonably sure that more will show up although it looks like
    they have moved their internal hosts into this range for now.

2.  Action:  Removed commented out rules
    Removed:
        // GoodDomains[i++] = ".amazon.ca";
        // GoodDomains[i++] = ".amazon.com";
        // GoodDomains[i++] = ".ask.com";
        // GoodDomains[i++] = ".barnesandnoble.com";
        // GoodDomains[i++] = ".bestbuy.com";
        // GoodDomains[i++] = "circuitcity.com";
        // GoodDomains[i++] = ".cnn.com";
        // GoodDomains[i++] = "crazyfox.com";
        // GoodDomains[i++] = "creativecommons.org";
        // GoodDomains[i++] = "ebay.com"; // "17" && "18"
        // GoodDomains[i++] = ".ebayimg.com"; // "17" && "18"
        // GoodDomains[i++] = ".ebaystatic.com"; // "17" && "18"
        // GoodDomains[i++] = "gnome.org"; // "live"
        // GoodDomains[i++] = ".hp.com"; // "17" && "18"
        // GoodDomains[i++] = ".images-amazon.com";
        // GoodDomains[i++] = ".imageshack.us"; // "17" && "18"
        // GoodDomains[i++] = "intermountainlive.org";
        // GoodDomains[i++] = "live365.com";
        // GoodDomains[i++] = "livejournal.com";
    Reason:  They aren't helping you. If we need them, we will just add
    them later on. Most of them were ones where we got clobbered by one
    of the "17", "18" and "live" rules whether it said it or not.
    Now that the "17" and "18" rules are gone, we can go on without them.
    There are some other rules I am looking at now that I have the time.
    I will do the same thing I did here, move them to commented out form
    and eventually remove them.

3.  Action:  Changed some rules.
    From:
        // GoodDomains[i++] = ".go.com"; // Disney
        GoodDomains[i++] = "netsafeutah.org";
    To:
        GoodDomains[i++] = ".go.com"; // Disney - PESONAL RULE
        GoodDomains[i++] = ".go.com" // Disney - RÈGLE PERSONNELLE
        GoodDomains[i++] = "netsafeutah.org"; // PERSONAL RULE
        GoodDomains[i++] = "netsafeutah.org"; // RÈGLE PERSONNELLE
    Reason:  I think I will sprinkle in some of these so people have the
    idea how to add their own rules.

4.  Action:  Removed our former "PERSONAL RULE"
    Removed:
        GoodDomains[i++] = "seventeentraditions.com"; // PERSONAL RULE
        GoodDomains[i++] = "seventeentraditions.com"; // RÈGLE PERSONNELLE
    Reason:  The rules do not whack it any more so this is just blatant
    advertising now. I would like to say that it is the same for Disney,
    but it isn't - there are still some rules that may whack us.
    Pink Buttons? - GAUCHE! This rule is still there in pornproxy_xx* files.

5.  Action:  Commented out rules that may not be needed any more.
    From:
        GoodDomains[i++] = ".hulu.com"; // "thumb" US-only
        GoodDomains[i++] = "netscape.com";
        GoodDomains[i++] = "network54.com";
        GoodDomains[i++] = ".pbs.org"; // VOTRE CHOIX
        GoodDomains[i++] = "pbskids.org"; // VOTRE CHOIX
        GoodDomains[i++] = ".shutterstock.com"; // "thumb"
        GoodDomains[i++] = ".thumbshots.com";
        GoodDomains[i++] = ".thumbshots.org";
        GoodDomains[i++] = ".webshots.net"; // "thumb"
    To:
        // GoodDomains[i++] = "netscape.com";
        // GoodDomains[i++] = "network54.com";
        // GoodDomains[i++] = ".pbs.org"; // VOTRE CHOIX
        // GoodDomains[i++] = "pbskids.org"; // VOTRE CHOIX
        // GoodDomains[i++] = ".shutterstock.com"; // "thumb"
        // GoodDomains[i++] = ".hulu.com"; // "thumb" US-only
        // GoodDomains[i++] = ".thumbshots.com";
        // GoodDomains[i++] = ".thumbshots.org";
        // GoodDomains[i++] = ".webshots.net"; // "thumb"
    Reason:  These are commented out ONLY in the dbgproxy_XX* and
    proxy_XX* files. They are still active in the pornproxy_XX* files,
    primarily because of the thumb rule. It has caused enough grief and
    has been removed. That is a mixed bag, but we just have to take up
    the slack with malware pushers by using the hosts file.

6.  Action:  scripts.dlv4.com
    Added:
        BadNetworks[i++] = "66.40.9.250, 255.255.255.255"; // scripts.dlv4.com - 2009-01-05
        BadNetworks[i++] = "195.10.6.225, 255.255.255.255"; // scripts.dlv4.com - 2009-01-05
    Reason:  hpHosts and Airelle have a TON of these that Mike Burgess
    (MVPHosts) and I do NOT have. I still don't want to have them, but
    I need SOMETHING. For some reason I suspect this rule is going to
    kill me!

7.  Action:  Reflect status of a domain
    From:
        BadDomains[i++] = ".clickbank.net"; // Tracker
    To:
        BadDomains[i++] = ".clickbank.net"; // DNSWCD Tracker - 2009-01-06
    Reason:  One of the hosts that MDL removed took me to
    lllll.antispywre.hop.clickbank.net. So doing a DNS lookup on
    3478jdfj.securemecca.hop.clickbank.net gives the two IP addresses.
    I have NOT availed myself of their services! The characters at the
    start are random garbage.

8.  Action:  PERSONAL RULE
    Added:
        BadDomains[i++] = ".g.ak.nbci.com"; // AdTracker - 2009-01-08
    Reason:  It isn't completely a DNSWCD (you have the 'a' and any
    number from 0 ... 2048 in the a${NUM}.g.ak.nbci.com), but I cannot
    block even 0 ... 2047 the way Airelle is doing it so this is it.
    I noticed hpHosts had only two of them in their hosts file. I will
    add those two to my hosts file and call it a day ...

9.  Action:  Disney is no longer contracting their web services through go.com
    From:
        GoodDomains[i++] = ".go.com"; // Disney - PESONAL RULE
    To:
        GoodDomains[i++] = ".disney.com"; // Disney - PESONAL RULE
    Reason:  PINK BUTTONS! I would like to shorten it but there are porn
    hosts that end with "disney.com":
        14658:adult-disney.com    DEAD - ADDING to add.Dead
        107354:eroticdisney.com   ALIVE - ADDING to hosts file
        227595:nastydisney.com    ALIVE - ADDING to hosts file
        253928:porn-disney.com    ALIVE - ADDING to hosts file
        256040:porndisney.com     ALIVE - ADDING to hosts file
        257419:porno-disney.com   ALIVE - ADDING to hosts file
        289864:sexdisney.com      ALIVE - ADDING to hosts file
        368469:xxx-disney.com     ALIVE - ADDING to hosts file
    (also added disney-xxx.com because it was associated with
    xxx-disney.com which is at the same IP address as
    pornomoviesclips.com & trafamore.org which were added by
    MalwareDomainList - AND THEY DO *NOT* BLOCK PORN.)
    Even though our other rules handle them for all the ones that are
    alive, I added these hosts JUST in case somebody shortens the rule
    (chops off the leading ".").

10. Action:  movcab.yi.org
    Added:
        BadDomains[i++] = ".movcab.yi.org"; // TMP MALWARE - 2009-01-10
    Reason:  MalwareDomainList removed the host
    bigtits-at-vf86.movcab.yi.org
    From what I saw, I am NOT removing it and am adding this rule and
    MAYBE adding the hosts to the hosts file. The problem is still there!

11. Action:  paycount.com
    Added:
        BadDomains[i++] = ".paycount.com"; // DNSWCD Traquer -2009-01-10
    Reason:  Airelle has 268 - I have none, now I have ALL of them.

12. Action:  panthercdn.com rule
    Removed:
        BadNetworks[i++] = "63.144.121.128, 255.255.255.128"; // YOUR CHOICE PANTHER1
    Reason:  It is no longer active and they are CONSTANTLY changing the
    IP address space they walk through. Currently it is 66.114.51.*,
    but don't count on it being that tomorrow. Their IP address space is
    HUGE and they have allocated only what they need to round-robin
    through to avoid blocks. I think we have all their hosts anyway.

13. Action:  Optional publicus.com rules
    Added:
        BadNetworks[i++] = "64.210.240.50, 255.255.255.254"; // YOUR CHOICE PUBLICUS1 - 2009-01-12
        BadNetworks[i++] = "64.210.240.52, 255.255.255.254"; // YOUR CHOICE PUBLICUS2 - 2009-01-12
    Reason:  hpHosts has TONS of publicus.com ad-servers that I am
    adding. Let's see if we can find some more.

14. Action:  *.mycomputer.com
    Added:
        BadDomains[i++] = ".mycomputer.com"; // Tracker - 2009-01-12
    Reason:  I don't want to add them all to my hosts file.

15. Action:  "siteadvisor.cn"
    Added:
        GoodDomains[i++] = "siteadvisor.cn"; // 2009-01-13
    Reason:  China rule BUT LOTS of stuff won't pass muster that are
    given in the URL because we are after all looking at hosts that are
    bad.

16. Action:  landings.trafficz.com FE hosts (only IP for now)
    Added:
        BadNetworks[i++] = "65.243.103.55, 255.255.255.255"; // landings.trafficz.com FE - 2009-01-14
    Reason:  Just to log them. You are immediately redirected there, but
    just like the ownbox.com, all you really have to do is just block
    landings.trafficz.com. It is the ONLY IP address.

17. Action:  *.primosearch.com & *.blueseek.com
    Added:
        BadDomains[i++] = ".primosearch.com"; // DNSWCD - WebBug - 2009-01-22
        BadDomains[i++] = ".blueseek.com"; // DNSWCD - WebBug - 2009-01-22
    Reason:  I am trying to see what MVPHosts author Mike Burgess sees
    wrong with these hosts that I am missing (other than they just
    front-end into Yahoo a lot). Never mind. They are doing false URLs -
    having something pretending to be one thing that is really another.
    They are BOTH at the same IP address! Same person behind both of
    them?

18. Action:  *.adskape.ru
    Added:
        BadDomains[i++] = ".adskape.ru"; // DNSWCD AdServer - 2009-01-26
    Reason:  MVPHosts just added p13178.adskape.ru, p1574.adskape.ru,
    and p2408.adskape.ru. A DNS lookup on p3475673487835.adskape.ru or
    any other sequence of digits WORKS! I am not adding his or anybody
    else's ad servers. Now I block ALL of them without knowing their
    names.

20. Action:  *.clickability.com
    Added:
        BadDomains[i++] = ".clickability.com"; // Tracker - 2009-01-30
    Reason:  Airelle has at least 20 of them and I have no idea how many
    there are - but there are TOO MANY. I only have eight of them and
    almost nothing in my logs. Let's catch ALL of them until we have a
    false positive.

21. Action:  "secret" rule
    Added:
        BadHostParts[i++] = "secret"; // PROXY - 2009-02-05
    Reason:  Because this rule was affiliated with Porn at one time I
    forgot that it was also covering the proxy servers as well. If we
    have false positives I may have to make it an optional rule. It
    covers almost NO proxies at present (6 with 2 just dying) but fads
    come and go ...

22. Action:  ".revsci.net" & ".revenuescience.net"
    Added:
        BadDomains[i++] = ".revenuescience.net"; // PRIVUS Tracker - 2009-02-09
        BadDomains[i++] = ".revsci.net"; // PRIVUS Tracker - 2009-02-09
    Reason:  We just lost two of their trackers. I just want to catch
    the rest if they show up and add them to the hosts file. IT IS THE
    HOSTS FILE WHERE YOU WANT THESE TO BE! IOW, these rules will NEVER
    be given to ANYBODY else. So if you also add them, add them ONLY for
    yourself!
    { 2010-01-23: The revenuescience.net rule was removed since it
    yielded NOTHING. OTOH, revsci has been driven down into the URL to
    avoid host blocks so the rule has gone there as well. }
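
Added example (not part of the original changelog or the project's own filter code): how wide the BadNetworks "address, mask" rules in entries 1 and 13 are, and why entry 9 keeps the leading "." on ".disney.com". It assumes mask comparison for networks and a plain suffix test for domains; the function names are hypothetical, and the rule strings and hosts are copied from the entries above.

```javascript
// Added example. Matching semantics are assumed (mask compare, suffix compare);
// rule strings and hosts are copied from the changelog entries above.
const HITBOX_RULE = "64.154.86.0, 255.255.255.192";
const HITBOX_IPS = ["064.154.086.013", "064.154.086.019", "064.154.086.021",
  "064.154.086.026", "064.154.086.031", "064.154.086.033", "064.154.086.034",
  "064.154.086.047", "064.154.086.050"];
const DISNEY_LOOKALIKES = ["adult-disney.com", "eroticdisney.com", "nastydisney.com",
  "porn-disney.com", "porndisney.com", "porno-disney.com", "sexdisney.com",
  "xxx-disney.com"];

// Dotted quad -> unsigned 32-bit int. Base 10 is forced because the log
// zero-pads octets ("086"), which some parsers would read as octal.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | parseInt(o, 10)) >>> 0, 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join(".");
}

// Split an "address, mask" rule into [network, mask] integers.
function parseRule(rule) {
  const [addr, mask] = rule.split(",").map((s) => ipToInt(s.trim()));
  return [(addr & mask) >>> 0, mask];
}

// True when ip falls inside the rule's masked range.
function inNetwork(ip, rule) {
  const [net, mask] = parseRule(rule);
  return ((ipToInt(ip) & mask) >>> 0) === net;
}

// First and last address a rule covers, to review how wide a block is.
function networkRange(rule) {
  const [net, mask] = parseRule(rule);
  return [intToIp(net), intToIp((net | ~mask) >>> 0)];
}

// Domain rule as a plain suffix test; the leading "." pins a label boundary.
function matchesDomain(host, rule) {
  return host.toLowerCase().endsWith(rule.toLowerCase());
}

// Hosts from a list that a given GoodDomains entry would let through.
function allowedBy(rule, hosts) {
  return hosts.filter((h) => matchesDomain(h, rule));
}

console.log(networkRange(HITBOX_RULE), HITBOX_IPS.every((ip) => inNetwork(ip, HITBOX_RULE)));
console.log(allowedBy(".disney.com", DISNEY_LOOKALIKES), allowedBy("disney.com", DISNEY_LOOKALIKES));
```

Under this suffix test the bare host disney.com does not match ".disney.com", so a rule written with the leading dot covers subdomains only.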