31 May 2009 Changes (HHH)
-------------------------

1. Action: Changed comment style.
   From: "pattern"
   To: pattern
   Reason: I had too many unterminated "pattern" rules that needed the
   semicolon. This makes them easier to find. Now all I have to do is
   search for a double quote followed by a return or a double quote
   followed by a tab. If I get either one of those and it isn't the 1-2
   that are left in the main comments I HAVE A BIG TIME PROBLEM.

2. Action: spaces.live.com
   Added:
      BadDomains[i++] = ".spaces.live.com"; // PRIVUS DNSWCD TEST - 2009-05-18
   Reason: Airelle has 3652 in his hosts.web file. I believe that they
   aren't needed. So far, all I have with that pattern is
   lisafromwindowslive.spaces.live.com which is in an argument for
   msnportal.112.2o7.net.
   { 2010-01-23: That is all I got - rule removed }

3. Action: a new akamai.net FP
   Added:
      // GoodDomains[i++] = "a332.g.akamai.net"; // YOUR CHOICE TESTING - 2009-05-18
   Reason: Edmund Scientific - the evidence is mounting. On the route to
   find that a *.2o7.net host was dead (it was) I got this FP.

4. Action: a new akamai.net FP
   Added:
      // GoodDomains[i++] = "a123.g.akamai.net"; // YOUR CHOICE TESTING - 2009-05-18
   Reason: faceoff.com. Yet another attempt to find a *.2o7.net host that
   was not there but this was. It will take only five or so of these
   before I remove the rules. The whole point of this was to find false
   positives where it causes problems and THESE CAUSE PROBLEMS!

5. Action: removed PUBLICUS rules
   Removed:
      BadNetworks[i++] = "64.210.240.50, 255.255.255.254"; // YOUR CHOICE PUBLICUS1 - 2009-01-12
      BadNetworks[i++] = "64.210.240.52, 255.255.255.254"; // YOUR CHOICE PUBLICUS2 - 2009-01-12
   Reason: They changed their IP addresses and I have no time to follow
   them nor reason to believe I will get very many more and they are
   primarily ads, not trackers. But see # 26 below. What do we do when we
   stop ads?

6. Action: Added clickintext.net rule
   Added:
      BadDomains[i++] = ".clickintext.net"; // DNSWCD Tracker - 2009-05-19
   Reason: MVPHosts just added some of these but Airelle has quite a few.
   I will add MVP HOSTS but not Airelle's and call this a day. I suspect
   that there are more than either are catching because I have seen this
   one before with French and German sites.

7. Action: scanalert.com
   Added:
      GoodDomains[i++] = ".scanalert.com"; // scan - 2009-05-21
   Reason: They may be a rip-off and quite frankly I don't think their
   images mean a thing, but images.scanalert.com should NOT be blocked
   because it does not in and of itself pump out malware. That was what
   the scan rule was created for.

8. Action: There seems to be some mass hysteria about the swine flu.
   Added:
      BadHostParts[i++] = "influenza";
      BadHostParts[i++] = "swine-flu";
      BadHostParts[i++] = "swineflu";
      // www.cdc.gov/h1n1flu/update.htm - 2009-05-23
      // www.pandemie-grippale.gouv.fr - 2009-05-23
   Reason: hpHosts had a raft of these. Don't be fooled. If you get h1n1
   influenza GO TO A DOCTOR ASAP. But you are going to get more
   information from these pages than most others. Well, you can try this
   one (accurate but old): http://preview.tinyurl.com/dc5er4
   Le Figaro may make it more entertaining but less accurate. IF it
   doesn't become a pandemic I will take them back out in a month or so
   but I will NOT block hosts with these patterns! OTOH, if it becomes a
   pandemic maybe nobody will be there to take them out! I needed a
   transfusion at birth and didn't get one and have irregular antibodies.
   If there is anything going around, I GET IT! I used to be able to
   combat it well but this last winter I had this pneumonia that almost
   killed me. Maybe the swine-flu will deliver the final coup de grâce.
   Well, we can always hope.

9. Action: "milf"
   From:
      BadURL_Parts[i++] = "milf"; // YOUR CHOICE - 2009-05-24
   To:
      BadURL_Parts[i++] = "milf[^o]"; // YOUR CHOICE - 2009-05-24
   Reason: milfordsunday.com

10. Action: a new akamai.net FP
    Added:
       // GoodDomains[i++] = "a1356.g.akamai.net"; // YOUR CHOICE TESTING - 2009-05-25
    Reason: www.rootsweb.ancestry.com Yet another one. I was trying to
    find if a *.2o7.net reference was still active (it wasn't). Remember,
    the magic minimal number is five. I may take it up to a dozen but I
    will NOT go beyond that. At least this one was not catastrophic, just:
    a1356.g.akamai.net/f/1356/2386/4h/images.rootsweb.ancestry.com/search/searchbottom.gif

11. Action: a new akamai.net FP
    Added:
       // GoodDomains[i++] = "a1599.g.akamai.net"; // YOUR CHOICE TESTING - 2009-05-25
    Reason: www.randmcnally.com - QUITE A FEW. If you start to maneuver
    around you have problems.

12. Action: Removed the last remaining PARK IP rule
    Removed:
       BadNetworks[i++] = "208.87.33.150, 255.255.255.255"; // PARK-IP
    Reason: www.schoolspecialtyinc.com The only reason I did any of these
    park IP rules was that Rodney wanted them. This is the last one that
    is left. Rodney has had time to observe how it works now.

13. Action: .axf8.net domain
    Added:
       BadDomains[i++] = ".axf8.net"; // DNSWCD Tracker - 2009-05-25
    Reason: Sears.com and others are starting to use them

14. Action: a new akamai.net FP
    Added:
       // GoodDomains[i++] = "a60.g.akamai.net"; // YOUR CHOICE TESTING - 2009-05-26
    Reason: While checking whether sheplers.com still had its *.2o7.net
    file this host was blocked. Due to the high number of FP blocks, I
    have to categorize the results as a CATASTROPHE!

15. Action: atomz.com
    Added:
       BadDomains[i++] = ".atomz.com"; // PRIVUS PROBLEM - Tracker - 2009-05-27
    Reason: No matter where I go, I keep ending up with this cookie. Until
    I get a handle on it, I want to STOP it from ever getting set. It
    seems like every web-site I go to out there has it. It isn't that bad,
    but it isn't good either!
    { 2010-01-23: part of sharethis.com, most notably the host
    l.sharethis.com - problem handled }

16. Action: "adsys." starting host name
    Added:
       BadHostWordStarts[i++] = "adsys\."; // YOUR CHOICE ADS - 2009-05-28
    Reason: I added adsys.townnews.com, but because it did something
    wrong. If you have ABP though, it intercepts and does these first. So
    if you want to troll for new host names starting with "adsys.", you
    have to turn off ABP. All ABP provides is a hit count, NOT the actual
    names which we may want in the hosts file.

17. Action: "bannerad"
    Added:
       BadHostParts[i++] = "bannerad"; // AdServer - 2009-05-28
    Reason: high count in ABP

18. Action: iperceptions.com
    Added:
       BadDomains[i++] = ".iperceptions.com"; // PRIVUS Tracker - 2009-05-28
    Reason: Really caused a slow-down while verifying whether
    thomasville.com still was using thomasvillefurniture.122.2o7.net
    { 2010-01-23: It was made public and is still there now. I only have
    one block but it removed the slam-down on my computer. Evidently their
    bad code was not acceptable to others - too much bad JavaScript out
    there ... }

19. Action: ".sphere.com"
    Added:
       BadDomains[i++] = ".sphere.com"; // PRIVUS DNSWCD TEST - 2009-05-28
    Reason: MVPHosts started it with stats.sphere.com. Then he added
    cdn11.sphere.com. Then I got cdn1.sphere.com, and www.sphere.com at
    time.com. It is the new DNSWCD from Omniture. Aliases will probably
    follow and we will not have them handing us their IP range in the
    future. We will have to map them out over time ala the one that killed
    us at boston.com.
    { 2010-01-23: Mapped. I know them all and AFAIK, I am the only blocker
    other than MVPHosts that blocks them but I have ALL of them. Rule
    removed since it is no longer needed. DO THESE TRACKERS REALLY THINK
    THEY CAN FOOL SOMEBODY WHO ANALYZES MALWARE OVER HALF THE TIME? }

20. Action: Reordered BadNetworks rules
    From: with one scripts.dlv4.com hanging next to its twin and 2o7.net
    rules separate.
    To: Numerical ascending order
    Reason: Just to have them orderly and to recognize if we have multiple
    redundant rules.
    If that occurs we will NOT merge but instead look at dropping the
    least important one.

21. Action: Remove 66.40.9.250 scripts.dlv4.com BadNetworks rule
    Removed:
       BadNetworks[i++] = "66.40.9.250, 255.255.255.255"; // scripts.dlv4.com - 2009-01-05
    Reason: scripts.dlv4.com has only the second IP address now.

22. Action: nasty rule altered
    From:
       BadURL_Parts[i++] = "nasty";
    To:
       BadURL_Parts[i++] = "[^y]nasty"; // MALWARE - 2009-06-01
    Reason: "dynasty". You will note the Porn version of the file also
    says MALWARE for the milf rule now. I will add comments like these to
    the files IF the rules change. The rules that used to have no comments
    will have them added per Rodney's request. It is just that I couldn't
    do it back then and even now, that takes a back seat to the other
    stuff that needs to be done.

23. Action: BadDomains rule added for *.gcion.com
    Added:
       BadDomains[i++] = ".gcion.com"; // Tracker - 2009-06-01
    Reason: I had a gcion.com cookie show up in Firefox. Either they were
    using an alias or a name that did not start with "gcirm". If it is an
    alias that has neither this domain nor the "gcirm", then I will need
    to block by IP address for myself. I am also blocking the cookie but
    they don't use that. And here I thought they had died.

24. Action: Experimental BadDomains scorecardresearch.com
    Added:
       BadDomains[i++] = ".scorecardresearch.com"; // PRIVUS Tracker - 2009-06-01
    Reason: I lost the name that did this because the only place I saw it
    was in ABP. I don't think it was "www. ..." so this is the only way of
    finding it again.
    { 2010-01-23: FOUND. The full name is the host
    beacon.scorecardresearch.com but b.scorecardresearch.com is what you
    will normally (ALWAYS?) encounter. They are in the hosts file where
    they should be. }

25. Action: tracking rule added
    Added:
       BadHostParts[i++] = "tracking"; // Tracker - 2009-06-01
    Reason: I am looking at it right now in the ABP panel.
    I was looking for the *.2o7.net host for webmetro.com and saw a
    tracking.dsmmadvantage.com host. MVPHosts and Camelon also have this
    host so I am adding it. But I am also adding this rule as a backup.
    Note that it is NOT OPTIONAL.

26. Action: stats rule white-list override
    Added:
       GoodDomains[i++] = "co2stats.com"; // stats - 2009-06-01
    Reason: WARNING THIS IS A LONG READ BUT IT IS WORTH IT! At the very
    same webmetro.com as the previous rule I find that lo and behold, I am
    increasing CO2. But by going to this particular web-site I am
    decreasing it? The darn thing burned up 5776 packets just giving me
    the first page! Now, by me stopping both the calls to
    webmetrodev.122.2o7.net and tracking.dsmmadvantage.com I have reduced
    the load on those servers, reduced the amount of Internet traffic, and
    thus decreased CO2 emissions. But in the process of writing this I
    probably burned up more C + O2 to do it so it is a wash. I think the
    good doctor needs to realize his web-site is probably adding to the
    problem. Oh I forgot one. If you click on the menus it shows
    client.roiadtracker.com in ABP. Now by contrast, going to
    SecureMecca.com and waltzing through the home page, the Hosts page,
    the PAC filter page, and the Phttpd page I only download 354 glorious
    packets. But I guess the downloads of the files themselves constitute
    a problem, but I see no calls to the Yahoo embedded trackers BECAUSE I
    STOP THEM! I also reduce the CO2 used by using 7-Zip, and if enough
    people used what I provide, the CO2 emissions would be reduced by all
    that unnecessary chit-chat. But going to co2stats.com only burned up
    280 initial packets but for some reason it kept on adding packets
    every few seconds (it was not the MUA doing it, it was the web site as
    shown by WireShark). Regardless, they are not a web tracking site so
    they are being given an exclusion not because I am being green, but
    because they are NOT a WEB TRACKER. As for webmetro.com's huge amount
    of packets? Hmm.
    Maybe they are buying the green thing to salve their consciences. I
    wonder if by giving c02stats.com the ability to send out a few more
    packets we are increasing the CO2 created? PS We block
    client.roiadtracker.com.

31 May 2009 UNresolved False Positives (HHH)
--------------------------------------------

1. Pattern: "teen"
   Rules:
      BadHostParts[i++] = "teen";
      BadURL_WordStarts[i++] = "teen[^y]";
      BadURL_WordEnds[i++] = "teen";
   Reason: The problem lies in the URLs, not the host names which almost
   always deliver porn, malware, or both. I need to study them a little
   more since what it means is I will probably just have to delete one of
   the URL rules. I am amazed it took me 2+ years to all of a sudden have
   false positives here. Oh well, I will handle it next month.

31 May 2009 RESOLVED False Positives (HHH)
------------------------------------------

NONE, well, what we have above which didn't hang around long enough for me
to even enter them down here.
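
Added example (not part of the PAC filter or this changelog): a small regression check for the BadURL_Parts changes in entries 9 and 22, showing that a negated class such as "milf[^o]" or "[^y]nasty" needs a real character next to the term and so misses it at the end or start of the tested string. The rule strings are from the changelog; the "hardened" set, the helper names, case-insensitive matching and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not code from the PAC filter. Rule strings come from
// changelog entries 9 and 22; everything else is constructed.
const RULESETS = {
  before:   ["milf", "nasty"],                 // original substring rules
  after:    ["milf[^o]", "[^y]nasty"],         // rules as changed in the changelog
  hardened: ["milf(?!o)", "(?:^|[^y])nasty"],  // assumption: boundary-safe variant
};

// Constructed samples: `block` is the verdict the rule author intends.
const SAMPLES = [
  { url: "http://www.milfordsunday.com/news", block: false }, // FP, entry 9
  { url: "http://example.test/dynasty.html",  block: false }, // FP, entry 22
  { url: "http://nasty.example.test/",        block: true  },
  { url: "http://example.test/gallery/milf",  block: true  }, // term ends the URL
];

// Return the first rule that matches `text`, or null.
// Case-insensitive matching is an assumption about how the filter tests rules.
function firstHit(rules, text) {
  for (const rule of rules) {
    if (new RegExp(rule, "i").test(text)) return rule;
  }
  return null;
}

// Compare a ruleset's verdicts with the intended ones.
function audit(rules) {
  const result = { falsePositives: [], falseNegatives: [] };
  for (const { url, block } of SAMPLES) {
    const hit = firstHit(rules, url) !== null;
    if (hit && !block) result.falsePositives.push(url);
    if (!hit && block) result.falseNegatives.push(url);
  }
  return result;
}

for (const [name, rules] of Object.entries(RULESETS)) {
  console.log(name, JSON.stringify(audit(rules)));
}
```

The same boundary effect applies to the "teen[^y]" rule listed under the unresolved false positives. A full URL always has characters before the host, so "[^y]nasty" only misses when a rule is tested against a bare host name.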