10 May 2009 Changes (HHH)
-------------------------

1. Action: Changed stat rule
   From: BadHostParts[i++] = "stat[(i|s)]"; // YOUR CHOICE - Tracker - 2009-04-12
   To:   BadHostParts[i++] = "stats"; // YOUR CHOICE - Tracker - 2009-04-21
   Reason: static.ak.fbcdn.net/pics/*
           static.ak.fbcdn.net/images/
           It made OpenDNS' Facebook pages look just AWFUL. There will be more.
           The OpenDNS URL is: http://tinyurl.com/d6vxwj

2. Action: Malware rule
   Added: BadURL_Parts[i++] = "smsreader"; // MALWARE - 2009-04-21
          BadURL_Parts[i++] = "sms\.exe"; // MALWARE - 2009-04-21
          BadURL_Parts[i++] = "trial\.exe"; // MALWARE - 2009-04-21
   Reason: globalantiterror.com and a ton of other hosts are all downloading these files.
           I don't know if I have all of them but at least I have some of them!

3. Action: BadNetworks rule
   Added: BadNetworks[i++] = "84.52.156.0, 255.255.255.0"; // WAN-SCAN - 2009-04-23
   Reason: There is this machine on this subnet in Slovenia that is SPEWING packets on port 29628.
           It is usually at IP address 84.52.156.162 (but not always). It started about a month
           ago and was using TCP packets. But recently it shifted to UDP so now the packet storm
           is in full SPEW mode. This is to protect direct connect machines. I assume it is some
           sort of worm. I wrote to them THREE TIMES - STILL NO IMPROVEMENT.

4. Action: Removed DNSWCD rule
   Removed: BadDomains[i++] = ".searchmiracle.com"; // DNSWCD - MalWare
   Reason: Mike Burgess removed ALL of them. So I am removing this rule and ALL of the hosts too.
           MDL still has both install.searchmiracle.com and searchmiracle.com. THEY ARE PARKED!

5. Action: Added DNSWCD rule
   Added: BadDomains[i++] = ".netlog.com"; // DNSWCD - Tracker - 2009-04-26
   Reason: Never had the ones I had got a www.netlog.com at a host. Since it is a DNSWCD and a
           tracker, thus the rule.

6. Action: Added PERSONAL DNSWCD rule
   Added: BadDomains[i++] = ".namiflow.com"; // PRIVUS DNSWCD - Tracker - 2009-04-26
   Reason: I don't know that I am stopping.
   { 2010-01-23: Rule is deprecated and removed - parable of the vineyard - it didn't produce results }

7. Action: ADDED proxy exclusion rule
   Added: GoodDomains[i++] = "proxify.com"; // Au Revoir PAC - 2009-04-26
   Reason: Associated with proxy.org

8. Action: Removed a lot of my rules that were for testing & some incidental
   Removed: BadNetworks[i++] = "12.130.91.51,255.255.255.255"; // PRIVUS te.tribune.com
            BadNetworks[i++] = "195.161.119.0, 255.255.255.0"; // PRIVUS BBRU
            BadNetworks[i++] = "212.62.17.192, 255.255.255.192"; // PRIVUS sagemetrics
            BadNetworks[i++] = "69.72.142.98, 255.255.255.255"; // wfb.zoneedit.com-1
            BadNetworks[i++] = "216.98.141.250,255.255.255.255"; // wfb.zoneedit.com-2
            BadNetworks[i++] = "216.109.89.3, 255.255.255.255"; // PRIVUS ads.ami-admin.com
            BadDomains[i++] = ".crwdcntrl.net"; // PRIVUS RULE - 2008-09-14
            BadDomains[i++] = ".information.com"; // PRIVUS RULE - 2008-12-20
            BadDomains[i++] = ".kit.carpediem.fr"; // PRIVUS RULE - 2008-09-18
            BadDomains[i++] = ".lb-revsci.net"; // PRIVUS Tracker - 2009-02-09
            BadDomains[i++] = ".quantserve.com"; // PRIVUS RULE - 2008-09-29
            BadDomains[i++] = ".revenuescience.net"; // PRIVUS Tracker - 2009-02-09
            BadDomains[i++] = ".revsci.net"; // PRIVUS Tracker - 2009-02-09
            BadDomains[i++] = ".searchresultsdirect.com"; // PRIVUS RULE - 2008-09-17
            BadDomains[i++] = ".xclicks.net"; // PRIVUS RULE - 2008-11-13
   Reason: Nothing showed up or a false positive. Usually NOTHING got blocked.
   { 2010-01-23: The revsci rule is in the URL section now. }

9. Action: Removed ALL of the spam rules
   Removed: // SPAM
            BadNetworks[i++] = "8.14.98.0, 255.255.255.0"; // SPAM
            BadNetworks[i++] = "8.14.100.4, 255.255.255.255"; // SPAM
            BadNetworks[i++] = "64.86.95.25, 255.255.255.255"; // SPAM - 2008-11-30
            BadNetworks[i++] = "66.128.147.4, 255.255.255.255"; // SPAM
            BadNetworks[i++] = "72.5.218.0, 255.255.254.0"; // SPAM - 2008-10-15
            BadNetworks[i++] = "122.198.62.4, 255.255.255.255"; // SPAM - Airelle
            BadNetworks[i++] = "128.168.144.0, 255.255.240.0"; // SPAM - 2008-11-26
            BadNetworks[i++] = "128.168.208.2, 255.255.255.255"; // SPAM - 2008-12-17
            BadNetworks[i++] = "128.168.240.4, 255.255.255.255"; // SPAM
            BadNetworks[i++] = "128.168.240.0, 255.255.240.0"; // PRIVUS RULE - 2008-08-23
            BadNetworks[i++] = "208.53.17.0, 255.255.255.0"; // SPAM
            BadNetworks[i++] = "208.73.210.0, 255.255.255.128"; // PARK SPAM - 2008-12-22
            BadNetworks[i++] = "218.61.33.235, 255.255.255.255"; // SPAM - Airelle
   Reason: OBSOLETE NOW

10. Action: Removed ALL of the IP proxy rules
    Removed: // Proxy servers
             BadNetworks[i++] = "208.53.137.178, 255.255.255.255"; // 103
             BadNetworks[i++] = "83.170.97.191, 255.255.255.255"; // 90
             BadNetworks[i++] = "208.53.138.150, 255.255.255.255"; // 80
             BadNetworks[i++] = "69.93.244.114, 255.255.255.255"; // 47
             BadNetworks[i++] = "74.208.14.63, 255.255.255.255"; // 46
             BadNetworks[i++] = "85.234.150.249, 255.255.255.255"; // 36
             BadNetworks[i++] = "72.232.77.98, 255.255.255.255"; // 22
             BadNetworks[i++] = "67.159.54.26, 255.255.255.255"; // 22
             BadNetworks[i++] = "75.126.219.186, 255.255.255.255"; // 12
             BadNetworks[i++] = "67.159.45.51, 255.255.255.255"; // 12
             BadNetworks[i++] = "38.100.42.114, 255.255.255.255"; // 6
             BadNetworks[i++] = "74.86.121.192, 255.255.255.255"; // 6
             BadNetworks[i++] = "208.53.157.248, 255.255.255.255"; // 2
    Reason: OBSOLETE NOW

11. Action: Made all 2o7.net IP rules say what they are on the end
    From: YYYY-MM-DD
    To:   2o7.net - YYYY-MM-DD
    Reason: Getting ready to merge them in so IP rules are in ascending order

12. Action: Added the optional Akamai test rules
    Added: // BadDomains[i++] = ".akamai.net"; // YOUR CHOICE TESTING - 2009-04-26
           // BadDomains[i++] = ".akamaiedge.net"; // YOUR CHOICE TESTING - 2009-04-26
           // BadDomains[i++] = ".akamaitech.net"; // YOUR CHOICE TESTING - 2009-04-26
    Reason: Per Rodney's request. I had to temporarily comment out the good rule for ".akamai.net"
            in the Porn Proxy file.

13. Action: Added some ad server rules based on hit counts of ABP
    Added: BadHostParts[i++] = "advertising"; // AdServer - 2009-04-27
           BadHostParts[i++] = "casalemedia"; // AdServer - 2009-04-27
           BadHostParts[i++] = "exponential"; // AdServer - 2009-04-27
           BadHostParts[i++] = "kontera"; // AdServer - 2009-04-27
           BadHostParts[i++] = "tacoda"; // AdServer - 2009-04-27
           BadURL_Parts[i++] = "adproducts"; // AdServer - 2009-04-27
           BadURL_Parts[i++] = "adrevolver"; // AdServer - 2009-04-27
    Reason: All of these had hit counters of 10 or above in ABP.

14. Action: Added rule for Malware scanners plus KNOWN exclusions
    Added: BadHostParts[i++] = "scan"; // MALWARE - 2009-05-07
           GoodDomains[i++] = "jotti.org"; // "scan" - 2009-05-07
           GoodDomains[i++] = "networkscanning.com"; // "scan" - 2009-05-07
           GoodDomains[i++] = "virus.org"; // "scan" - 2009-05-07
    Reason: Just too many false pseudo scanners. We will block all but the legitimate ones.
            ALL OF THE FALSE ONES LEAD TO ROOTKIT / TROJAN INFECTED MACHINES!

15. Action: Modified the commented out "free" rule.
    From: // BadHostParts[i++] = "[^g]free[^bd]"; // VOTRE CHOIX
    To:   // BadHostParts[i++] = "[^g]free[^bdz]"; // YOUR CHOICE - 2009-05-07
    Reason: "freeze" word in, of all things, freezehappy.com. I did not notice it when it
            happened but now that it is there we handled it.

10 May 2009 UNresolved False Positives (HHH)
--------------------------------------------
NONE

10 May 2009 RESOLVED False Positives (HHH)
------------------------------------------
NONE
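As an added example, not part of this changelog or the project's PAC file: a stand-alone JavaScript model of how the lists these entries edit (BadHostParts, BadURL_Parts, BadDomains, GoodDomains, BadNetworks) get applied to a request, with the entry 1 and entry 15 regex corrections and the entry 14 "scan" exclusion shown on sample input. The list contents are copied from the entries above; the evaluation order, the suffix-match semantics for domains, the isInNet() replacement and every sample host, URL and IP are assumptions made for the demo.

```javascript
// Added example, not the project's PAC file: a stand-alone model of how rule
// lists like BadHostParts / BadURL_Parts / BadDomains / GoodDomains /
// BadNetworks are applied. The list entries are copied from the changelog;
// the matching semantics, the evaluation order, the helper functions and all
// sample hosts, URLs and IPs below are assumptions made for the demo. PAC
// builtins such as isInNet() do not exist outside a browser, so the subnet
// test is re-implemented here and the code runs under plain Node.

const BadHostParts = ["stats", "scan", "advertising", "casalemedia", "kontera"]; // regex fragments vs host
const BadURL_Parts = ["smsreader", "sms\\.exe", "trial\\.exe", "adproducts", "adrevolver"]; // vs full URL
const BadDomains   = [".netlog.com"];                                      // wildcard-DNS (DNSWCD) domains
const GoodDomains  = ["proxify.com", "jotti.org", "networkscanning.com", "virus.org"]; // exclusions
const BadNetworks  = ["84.52.156.0, 255.255.255.0"];                       // "network, mask"

// A list entry is a regular-expression fragment, tested case-insensitively.
function fragmentMatches(fragment, text) {
  return new RegExp(fragment, "i").test(text);
}

// Suffix match: the host is the domain itself or any name under it
// (assumed semantics for BadDomains/GoodDomains; a leading dot is ignored).
function underDomain(host, domain) {
  const d = domain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

function ipToInt(ip) {
  return ip.split(".").reduce((n, octet) => n * 256 + Number(octet), 0);
}

// Same test as PAC's isInNet(ip, net, mask): (ip & mask) == (net & mask).
function inNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Classify one request. resolvedIp is what the host resolved to (a real PAC
// file would call dnsResolve(host)); pass null when the IP is not known.
// Returns { verdict: "DIRECT" | "BLOCK", rule: <the entry that decided it> }.
function classify(url, resolvedIp) {
  const host = new URL(url).hostname;

  // Exclusions are checked first; otherwise "scan" would also block the real scanners.
  for (const g of GoodDomains) {
    if (underDomain(host, g)) return { verdict: "DIRECT", rule: "GoodDomains:" + g };
  }
  for (const entry of BadNetworks) {
    const [net, mask] = entry.split(",").map((s) => s.trim());
    if (resolvedIp !== null && inNet(resolvedIp, net, mask)) {
      return { verdict: "BLOCK", rule: "BadNetworks:" + entry };
    }
  }
  for (const d of BadDomains) {
    if (underDomain(host, d)) return { verdict: "BLOCK", rule: "BadDomains:" + d };
  }
  for (const p of BadHostParts) {
    if (fragmentMatches(p, host)) return { verdict: "BLOCK", rule: "BadHostParts:" + p };
  }
  for (const p of BadURL_Parts) {
    if (fragmentMatches(p, url)) return { verdict: "BLOCK", rule: "BadURL_Parts:" + p };
  }
  return { verdict: "DIRECT", rule: "" };
}

// Why entry 1 produced a false positive: "stat[(i|s)]" is a character class
// (one of "(", "i", "|", "s", ")"), not a group, so it matches the "stati" of
// static.ak.fbcdn.net. The replacement "stats" does not.
function statRuleFalsePositive(host) {
  return { old: fragmentMatches("stat[(i|s)]", host), new: fragmentMatches("stats", host) };
}

// Entry 15: with "z" added to the trailing class, "[^g]free[^bdz]" no longer
// fires on the "freeze" in a host such as www.freezehappy.com (hostname assumed).
function freeRuleFalsePositive(host) {
  return { old: fragmentMatches("[^g]free[^bd]", host), new: fragmentMatches("[^g]free[^bdz]", host) };
}

// Constructed sample requests: hosts under the quoted domains and every other
// name, path and IP here are made up for the demo.
const samples = [
  ["http://static.ak.fbcdn.net/pics/a.jpg", null],
  ["http://online-scanner.example/", null],
  ["http://virusscan.jotti.org/", null],
  ["http://www.example.com/download/sms.exe", null],
  ["http://www.netlog.com/", null],
  ["http://worm.example/", "84.52.156.162"],
];
for (const [url, ip] of samples) {
  const r = classify(url, ip);
  console.log(r.verdict.padEnd(6), url, r.rule);
}
console.log("stat rule on static.ak.fbcdn.net:", statRuleFalsePositive("static.ak.fbcdn.net"));
console.log("free rule on www.freezehappy.com:", freeRuleFalsePositive("www.freezehappy.com"));
```

Run it with `node` and the output shows static.ak.fbcdn.net going DIRECT under the corrected "stats" fragment while the old "stat[(i|s)]" fragment still matches it, the jotti.org host escaping the "scan" rule only because GoodDomains is consulted before BadHostParts, and the 84.52.156.162 host blocked by the subnet entry regardless of its name. The design point worth keeping from entries 1 and 15 is that every BadHostParts string is a regular expression, so a bracket that was meant as a group, or a trailing class one letter too narrow, silently widens the rule.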