22 June 2009 Changes (HHH)
--------------------------

1. Action: NEW HITBOX IP = 64.154.85.107
   Added:
     BadNetworks[i++] = "64.154.84.0, 255.255.254.0"; // PRIVUS HITBOX3 - 2009-06-01
   Reason: I went to yellowpages.ca expecting to find either the *.2o7.net
   Airelle had or an alias. I found neither. But as I scrolled through the
   WireShark log because there was NOTHING blocked (rare) I saw the tell-tale
   ehg-*.hitbox.com. The ws.yellowpages.ca host, which is an alias to
   ehg-yellowpages.hitbox.com, has been added to the hosts file and this
   experimental rule was added.
   { 2010-01-23: The rule was broadened and is in the PAC filter now - but
   HitBox.com is being phased out in favor of newer trackers. }

2. Action: Privatized akamai hosts
   From: All rules from YOUR CHOICE (VOTRE CHOIX)
   To:   PRIVUS
   Reason: All I have to show for this experiment is six FALSE POSITIVES and
   NO TRUE NEGATIVES. Since no other people are reporting on it the experiment
   will continue but PRIVATELY. Only myself and Rodney (if he chooses to do
   so) will have these rules. I did them only to prove a point - blocking
   akamai is counter-productive. BTW, the GoodDomains rule in the pornproxy
   has now become active again so you will have to comment it out if you use
   that file.

3. Action: co2stats.com
   Removed:
     GoodDomains[i++] = "co2stats.com"; // stats - 2009-06-01
   Reason: The green people can have it. I am not a Martian.

4. Action: NEW SPAMMER RULES
   Added:
     BadNetworks[i++] = "58.17.3.32, 255.255.255.240";     // SPAM-01-a  - 2009-06-05
     BadNetworks[i++] = "60.191.239.181, 255.255.255.240"; // SPAM-01-b1 - 2009-06-05
     BadNetworks[i++] = "60.191.239.192, 255.255.255.252"; // SPAM-01-b2 - 2009-06-05
     BadNetworks[i++] = "61.191.63.150, 255.255.255.255";  // SPAM-01-c  - 2009-06-05
     BadNetworks[i++] = "203.93.208.86, 255.255.255.255";  // SPAM-01-d  - 2009-06-05
   Reason: I have been monitoring a really pesky spammer over the last three
   months. They marked themselves almost completely with their last host:
   widewild.com.
   It added the last two rules here which may expand out. What I got a chuckle
   out of on this last one is that they sent it from SOMEBODY ELSE AT
   SecureMecca.net! AFAIK, the only user in that domain is hhhobbit. Here is
   the From line:
     From: "Adebowale Ackart"
   Aussie? BLOCKED!

5. Action: Added rules for more commonly used hosts
   Date: 06 June 2009
   Added:
     GoodDomains[i++] = "mywot.com";          // xxx    - 2009-06-06
     GoodDomains[i++] = "surfcanyon.com";     // surf   - 2009-06-06
     GoodDomains[i++] = "windowssecrets.com"; // secret - 2009-06-06
   Reason: Stefan Welch submissions, accepted

6. Action: internetserviceteam.com
   Date: 06 June 2009
   Added:
     BadDomains[i++] = ".internetserviceteam.com"; // DNSWCD MALICIELS - 2009-06-06
   Reason: Stefan Welch submissions, accepted

7. Action: changed the tgp rule
   Date: 08 June 2009
   From:
     BadURL_Parts[i++] = "[^_k]tgp[^r]";
   To:
     BadURL_Parts[i++] = "[^_k]tgp[^br]"; // MALWARE - 2009-06-08
   Reason: http://mywot.surfcanyon.com/search?q=securemecca.com+sans
   search results ALL had the string "...zTGpB..." in the results, which are
   given for use by lrd.yahooapis.com (see next rule).

8. Action: Added a white-list rule
   Date: 08 June 2009
   Added:
     GoodDomains[i++] = ".yahooapis.com"; // tgp - 2009-06-08
   Reason: See previous rule 7. Besides "...zTGpB..." who knows how many other
   collisions there are going to be?

9. Action: DNSWCD Malware Domain
   Date: 08 June 2009
   Added:
     BadDomains[i++] = ".banner-count.com"; // DNSWCD MalWare - 2009-06-08
   Reason: MDL removed one, MVPHosts still has it. It is a DNSWCD, so when
   they are dead, remove the rule.

10. Action: Phoenix hosts
    Date: 10 June 2009
    Added:
      // BadURL_WordStarts[i++] = "install"; // YOUR CHOICE MALWARE - 2009-06-10
    Reason: At first it started with installer_1.exe. Thinking that they would
    make it installer_2.exe I started off with a general URL rule along the
    lines of installer\_[(0-9)]\.exe but then they came up with the name
    Install123.exe on the same host so I came up with this.
    MDL removed all of these hosts and I will have to enable this rule and go
    through manually to see which ones are coming back and put them back in.
    But for now we have to live with these. PEOPLE NEED TO WHITE-LIST THE
    HOSTS THEY TRUST TO DO AN INSTALL! But for now it is commented out. There
    is a potential for a collision.

11. Action: Removed swine flu rules
    Date: 10 June 2009
    Removed:
      BadHostParts[i++] = "influenza";
      BadHostParts[i++] = "swine-flu";
      BadHostParts[i++] = "swineflu";
      // www.cdc.gov/h1n1flu/update.htm - 2009-05-23
      // www.pandemie-grippale.gouv.fr  - 2009-05-23
    Reason: The pandemic of human emotion and fear over something you can do
    little about except wash your hands, diet, and rest is over.

12. Action: Removed experimental akamai hosts rules.
    Date: 10 June 2009
    Removed:
      // GoodDomains[i++] = "a60.g.akamai.net";   // PRIVUS TESTING - 2009-05-26
      // GoodDomains[i++] = "a123.g.akamai.net";  // PRIVUS TESTING - 2009-05-18
      // GoodDomains[i++] = "a248.e.akamai.net";  // PRIVUS TESTING - 2009-04-26
      // GoodDomains[i++] = "a332.g.akamai.net";  // PRIVUS TESTING - 2009-05-18
      // GoodDomains[i++] = "a1356.g.akamai.net"; // PRIVUS TESTING - 2009-05-25
      // GoodDomains[i++] = "a1599.g.akamai.net"; // PRIVUS TESTING - 2009-05-25
      // BadDomains[i++]  = ".akamai.net";        // PRIVUS TESTING - 2009-04-26
      // BadDomains[i++]  = ".akamaiedge.net";    // PRIVUS TESTING - 2009-04-26
      // BadDomains[i++]  = ".akamaitech.net";    // PRIVUS TESTING - 2009-04-26
    Reason: The experiment is over. I got nothing but these six FALSE
    POSITIVES, and NO TRUE NEGATIVES. For two weeks I got nothing. I have
    bigger fish to fry now - see below.

13. Action: Added a white-list rule for technet.com
    Date: 13 June 2009
    Added:
      GoodDomains[i++] = ".technet.com"; // 2009-06-13
    Reason: blogs.technet.com/mmpc/archive/2008/11/12/win32-fakesecsen-a-nasty-piece-of-work.aspx
    I really do NOT want to drop the "nasty" rule but will if I get it too
    many more times.

14.
    Action: Chase.com
    Date: 14 June 2009
    Added:
      GoodDomains[i++] = ".chase.com"; // 2009-06-14
    Reason: chaseonline.chase.com:443 - I have NO IDEA what was blocking it
    either.

15. Action: Removed experimental "*.atomz.com" rule.
    Date: 15 June 2009
    Removed:
      BadDomains[i++] = ".atomz.com"; // PRIVUS PROBLEM - Tracker - 2009-05-27
    Reason: Oreilly.com uses content.atomz.com to deliver content.
    { 2010-01-13: That was why I also removed the host from the hosts file.
    Since it was just a browser cookie, contain the problem by not allowing
    that cookie. }

16. Action: Expanded a SPAM rule
    Date: 15 June 2009
    From:
      BadNetworks[i++] = "60.191.239.181, 255.255.255.240"; // SPAM-01-b1 - 2009-06-05
    To:
      BadNetworks[i++] = "60.191.239.164, 255.255.255.224"; // SPAM-01-b1 - 2009-06-15
    Reason: bshp.cuqvenad.cn

17. Action: Added two more SPAM rules
    Date: 15 June 2009
    Added:
      BadNetworks[i++] = "60.191.221.123, 255.255.255.255"; // SPAM-01-e - 2009-06-15
      BadNetworks[i++] = "61.191.191.241, 255.255.255.255"; // SPAM-01-f - 2009-06-15
    Reason: bshp.cuqvenad.cn

18. Action: Wrapped Network checks to only work with an IPv4 address
    Date: 15 June 2009
    From: What it was
    To: All additions are in FindProxyForURL(url, host), with non-code
    comments added with a "#" preceding them.

      var HasIPv4Address = true;   # added as last variable

      ///////////////////////////////////////////////////////////////////////
      // Check to make sure we can get an IPv4 address from the given host //
      // name. If we cannot do that then skip the Networks tests.          //
      ///////////////////////////////////////////////////////////////////////
      if (! isResolvable(host)) {
        HasIPv4Address = false;
      }
      # The above was added before the network checks
      # the next line was added before each network loop (2)
      if (HasIPv4Address) {
      # and the next line closes the if
      }

    Reason: To prevent the 200+ DNS requests we have been getting. I thought
    Danny had handled this and when I asked for help with his excellent memory
    he bailed out on me. WHAT GIVES WITH DANNY?

19.
    Action: Added *.0catch.com, *.bluehost.com, *.hostgator.com, and
    *.hostmonster.com rules
    Date: 16 June 2009
    Added:
      BadDomains[i++] = ".0catch.com";      // PRIVUS AdServer - 2009-06-16
      BadDomains[i++] = ".bluehost.com";    // PRIVUS - WebBug - 2009-06-16
      BadDomains[i++] = ".hostgator.com";   // PRIVUS - WebBug - 2009-06-16
      BadDomains[i++] = ".hostmonster.com"; // PRIVUS - WebBug - 2009-06-16
    Reason: Saw several in WireShark, added them and will see how much these
    domains are used. Both bluehost.com and hostmonster.com left LSO Flash
    cookies that BetterPrivacy removed. hostgator.com has stuff in the regular
    cookies I don't like, and then there is firewalltester.bluehost.com which
    I have already added to the hosts file. In just a few short days, ALL OF
    THEM are going from experimental to production. THEY ARE AWFUL trackers
    and ad pushers. See #27.
    { 2010-01-23: The 1st is public now. The 2nd is their host
    firewalltester.bluehost.com, which was stopped by, of all things, my
    "firewall" proxy rule, as in these STUPID kids who think that all the
    commercial filters exist for is to stop content. Well they don't. They
    are also used to filter out bad stuff and to preserve precious network
    bandwidth - YouTube can bring a school network to a screeching halt. The
    3rd & the 4th are BIG problems. Yes they track and quite frankly IMHO you
    shouldn't select them as your domain / web service provider. But hackers
    are actually after people's accounts with these service providers so I
    actually white-listed the domain and blocked the pattern pretenders with
    these rules:
      GoodDomains[i++]  = ".hostgator.com";
      GoodDomains[i++]  = ".hostmonster.com";
      BadHostParts[i++] = "hostgator\.com";
      BadHostParts[i++] = "hostmonster\.com";
    If you disagree with me on the first two and think I should have only the
    last two, which will stop not only the pattern squatters but also the
    domains themselves, let me know ;^) }

20.
    Action: Added rules from French file to the English file
    Date: 17 June 2009
    Added:
      BadNetworks[i++] = "69.72.142.98, 255.255.255.255";   // wfb.zoneedit.com-1 2009-02-14
      BadNetworks[i++] = "216.98.141.250, 255.255.255.255"; // wfb.zoneedit.com-2 2009-02-14
    Reason: BEATS ME WHY THEY WEREN'T ADDED. I WAS SUPPOSED TO ADD THEM TO
    BOTH FILES SINCE THIS HAD A TROJAN. I suspect the aliases to it still have
    trojans.

21. Action: Removed last vestiges of last spammer and USELESS RULE
    Date: 17 June 2009
    Removed:
      BadNetworks[i++] = "208.66.192.0, 255.255.252.0";      // McColo - 2008-11-16
      BadNetworks[i++] = "208.67.70.27, 255.255.255.255";    // YieldManager
      BadNetworks[i++] = "216.130.162.145, 255.255.255.255"; // PORN Malware - 2008-11-27
      BadNetworks[i++] = "216.240.129.82, 255.255.255.255";  // PORN 010 (TROJAN)
    Reason: No longer needed / used. You could use IP rules to capture new
    YieldManager aliases but I am not going to do it this way any more. That
    entire 24/8 subnet for malware now has only one host left in it.

22. Action: MASSIVE REMOVAL OF OLD IP RULES.
    Date: 19 June 2009
    Removed:
      BadNetworks[i++] = "61.145.126.204, 255.255.255.255"; // MALWARE - 2009-03-12
      BadNetworks[i++] = "64.28.176.0, 255.255.248.0";      // PORN 006.1 (TROJAN)
      BadNetworks[i++] = "64.28.184.0, 255.255.254.0";      // PORN 006.2 (TROJAN)
      BadNetworks[i++] = "64.136.25.165, 255.255.255.255";  // SITETRACKER+FREESTATS
      BadNetworks[i++] = "64.152.73.0, 255.255.255.0";      // GATORBELNK
      BadNetworks[i++] = "64.255.172.50, 255.255.255.255";  // PORN 008
      BadNetworks[i++] = "66.116.125.150, 255.255.255.255"; // PORN 009
      BadNetworks[i++] = "69.31.128.0, 255.255.255.0";      // DISNEY PORN
      BadNetworks[i++] = "72.9.98.66, 255.255.255.255";     // DP Park
      BadNetworks[i++] = "72.232.116.0, 255.255.255.0";     // PORN 002
      BadNetworks[i++] = "78.108.177.0, 255.255.255.0";     // PORN 013
      BadNetworks[i++] = "80.77.85.0, 255.255.255.0";       // PORN 001
      BadNetworks[i++] = "81.29.249.27, 255.255.255.255";   // PORN 007 (TROJAN)
      BadNetworks[i++] = "81.176.69.192, 255.255.255.192";  // HOTLOG1
      BadNetworks[i++] = "217.16.31.112, 255.255.255.240";  // HOTLOG2
      BadNetworks[i++] = "85.255.113.0, 255.255.255.248";   // PORN 005 (TROJAN)
      BadNetworks[i++] = "85.255.121.76, 255.255.255.255";  // PORN 011 (TROJAN)
      BadNetworks[i++] = "85.255.121.176, 255.255.255.254"; // PORN 003
      BadNetworks[i++] = "87.242.90.132, 255.255.255.252";  // ADWARE
      BadNetworks[i++] = "89.145.112.0, 255.255.254.0";     // Phorm.com - 2008-11-19
      BadNetworks[i++] = "195.56.77.0, 255.255.255.0";      // PORN 012
      BadNetworks[i++] = "209.62.20.245, 255.255.255.255";  // Suspicious IP - 2008-12-22
    Reason: Hey, Rodney bailed out on me, I had nothing in my Host <---> IP
    database, so what could I do but remove them? I had no alternatives. You
    do NOT keep stuff that doesn't do anything any more except perhaps to
    contribute a lot of false positives.

23. Action: Broadened PARKFUNNEL rules to cover their address space.
    Date: 19 June 2009
    From:
      BadNetworks[i++] = "66.150.161.44, 255.255.255.255"; // PARKFUNNEL - 2008-09-21
      BadNetworks[i++] = "69.25.47.166, 255.255.255.255";  // PARKFUNNEL - 2008-09-21
    To:
      BadNetworks[i++] = "66.150.161.32, 255.255.255.224"; // PARKFUNNEL - 2009-06-19
      BadNetworks[i++] = "69.25.47.160, 255.255.255.224";  // PARKFUNNEL - 2009-06-19
    Reason: Hey, they may change it again and I sincerely doubt anybody is
    going to encounter any false positives here.

24. Action: Changed LOP to MALWARE (LOP) and added date.
    Date: 19 June 2009
    From:
      BadNetworks[i++] = "66.220.17.0, 255.255.255.0"; // LOP
    To:
      BadNetworks[i++] = "66.220.17.0, 255.255.255.0"; // MALWARE (LOP) - 2009-06-19
    Reason: It isn't LOP any more. It is all over the wall. LOP started here
    but it is all over the place and most of the stuff here isn't LOP
    infectors any more.

25. Action: Some IP rules that I considered removing:
    Date: 19 June 2009
    Monitor:
      [1] // landings.trafficz.com FE - 2009-01-14
          BadNetworks[i++] = "65.243.103.55, 255.255.255.255";
      [2] // next rule - all *.*toolbar.com hosts redirect to hosting.conduit.com
          BadNetworks[i++] = "66.77.197.154, 255.255.255.255"; // 2008-11-24
      [3] // wfb.zoneedit.com-1 2009-02-14
          BadNetworks[i++] = "69.72.142.98, 255.255.255.255";
          // wfb.zoneedit.com-2 2009-02-14
          BadNetworks[i++] = "216.98.141.250, 255.255.255.255";
      [4] // PORN MALWARE - 2008-11-30
          BadNetworks[i++] = "193.110.146.68, 255.255.255.254";
          BadNetworks[i++] = "193.110.146.70, 255.255.255.255";
      [5] // scripts.dlv4.com - 2009-01-05
          BadNetworks[i++] = "195.10.6.225, 255.255.255.255";
      [6] // PORN 004 - 2009-06-19
          BadNetworks[i++] = "195.10.6.0, 255.255.255.0";
    Reason:
      [1] Check to see if the hosts that are parked that say
          landings.trafficz.com are really going there.
      [2] Just take a few from Airelle's file every so often and make sure
          they still go here.
      [3] Just check every so often to see when they pull the plug. THIS IS
          TROJAN COUNTRY!
      [4] I don't care how few there are.
          Keep these rules as long as any hosts at all are in the
          193.110.146.68 to 193.110.146.70 IP address space.
      [5] I know I said in my email message that these are trackers. They are
          a little more than that. At one time they were aliasing into the
          moon and they do have scripts that redirect to infector hosts.
      [6] GIVE THIS ONE BACK TO RODNEY. I don't know whether they are
          contracting, expanding, or what. Some of the hosts call on
          scripts.dlv4.com through aliases like www.2kkh3naw5kinmzcw.com. I
          think that handles the trojan infection bottleneck, but what if I am
          wrong? OTOH, if I block the whole thing that could cause them to
          pull the plug - but I have them blocked enough to contain them.

26. Action: Added exmasters.com IP rules. YOUR CHOICE (VOTRE CHOIX) for
    regular files, PORN for pornproxy* files.
    Date: 19 June 2009
    Added:
      // BadNetworks[i++] = "81.31.38.0, 255.255.255.128"; // YOUR CHOICE exmasters.com-1 - 2009-06-19
      // BadNetworks[i++] = "89.185.228.0, 255.255.254.0"; // YOUR CHOICE exmasters.com-2 - 2009-06-19
    Reason: With the start up again of bad hosts coming into this domain I was
    sorely tempted to just block. Then I made the decision to block only for
    myself, and then I thought that isn't fair either. People can make up
    their mind for themselves after some investigation. The default of not
    being activated for the regular files, but activated for the pornproxies,
    seems to be best.

27. Action: See #19
    Date: 20 June 2009
    From:
      BadDomains[i++] = ".0catch.com";      // PRIVUS AdServer - 2009-06-16
      BadDomains[i++] = ".bluehost.com";    // PRIVUS - WebBug - 2009-06-16
      BadDomains[i++] = ".hostgator.com";   // PRIVUS - WebBug - 2009-06-16
      BadDomains[i++] = ".hostmonster.com"; // PRIVUS - WebBug - 2009-06-16
    To:
      BadDomains[i++] = ".0catch.com";      // AdServer - 2009-06-16
      BadDomains[i++] = ".bluehost.com";    // WebBug - 2009-06-16
      BadDomains[i++] = ".hostgator.com";   // WebBug - 2009-06-16
      BadDomains[i++] = ".hostmonster.com"; // WebBug - 2009-06-16
    Reason: See #19.
    The more I looked at these the more I was convinced I am NOT going to live
    with them very long. FLASH COOKIES? AND THEY HAD PERSONALLY IDENTIFIABLE
    INFORMATION IN THEM, AT LEAST EVERYTHING THAT THEY COULD GET!
    hostgator.com's regular browser cookie wasn't much better. 0catch.com had
    its browser cookie set by another host since I already block it in the
    hosts file. All of them are also joining the blocked cookie list.

28. Action: Malware count for smtp.ru rising at MDL
    Date: 20 June 2009
    Added:
      BadDomains[i++] = ".smtp.ru"; // DNSWCD MALWARE - 2009-06-20
    Reason: I can't go out and track down all of them. The ones that are
    showing up at MDL are a pittance compared to what Airelle has. You just
    cannot tell when they are really gone since it is a DNSWCD.

29. Action: A new tracker I know very little about since the cookie
    disappeared before I could look at it.
    Date: 20 June 2009
    Added:
      BadDomains[i++] = ".tophosts.com"; // PRIVUS WebBug - 2009-06-20
    Reason: The cookie just disappeared on me; Airelle classifies it as a
    hosts.trc; but ostensibly it supposedly provides listings of the top
    hosting providers. I would not DARE give this rule to others without
    knowing at least SOMETHING about it! If I see a cookie set with it
    blocked, then I will at least block the cookie.
    { 2010-01-23: Found ... oascentral.tophosts.com, a RealMedia server, but
    the cookie gets set without the host being called - WebBug }

22 June 2009 UNresolved False Positives (HHH)
---------------------------------------------

NONE

22 June 2009 RESOLVED False Positives (HHH)
-------------------------------------------

1. Pattern: "teen"
   Date:
   Rules:
     BadHostParts[i++]      = "teen";
     BadURL_WordStarts[i++] = "teen[^y]";
     BadURL_WordEnds[i++]   = "teen";
   Reason: The problem lies in the URLs, not the host names, which almost
   always deliver porn, malware, or both. I need to study them a little more
   since what it means is I will probably just have to delete one of the URL
   rules.
   I am amazed it took me 2+ years to all of a sudden start having false
   positives here. Oh well, I will handle it next month.
   Solution: Let it ride and see what happens.
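An added example, not the SecureMecca PAC file or its author's code, tying together entries 7, 8 and 18 above: a cut-down FindProxyForURL() that runs the GoodDomains white-list first, then the BadURL_Parts pattern (the old and the narrowed form, so the "...zTGpB..." collision can be checked), and only enters the BadNetworks loop when isResolvable(host) says there is an IPv4 address. The browser-provided PAC helpers are stubbed over a constructed host table so it runs under Node; the 127.0.0.1:3421 sink and the lrd.yahooapis.com address are made-up values.

```javascript
// Added example, not the SecureMecca PAC file. It shows entries 7/8 (the
// BadURL_Parts rule "[^_k]tgp[^r]" matched "...zTGpB..." in lrd.yahooapis.com
// URLs; narrowed to "[^_k]tgp[^br]" plus a GoodDomains entry) and entry 18
// (the BadNetworks tests run only when the host has an IPv4 address). The
// PAC helpers are stubbed over a constructed host table so it runs under Node.
const HOSTS = {                                  // constructed DNS table
  "ws.yellowpages.ca": "64.154.85.107",          // HITBOX alias from entry 1
  "lrd.yahooapis.com": "203.0.113.10",           // made-up TEST-NET-3 address
};
let dnsLookups = 0;                              // counts stub DNS queries
function dnsResolve(host) { dnsLookups++; return HOSTS[host] || null; }
function isResolvable(host) { return dnsResolve(host) !== null; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
const ipToInt = ip => ip.split(".").reduce((n, o) => ((n << 8) + Number(o)) >>> 0, 0);
// Like the browser's isInNet(), a host name costs a DNS lookup on every call.
function isInNet(host, net, mask) {
  const ip = /^\d+(\.\d+){3}$/.test(host) ? host : dnsResolve(host);
  if (ip === null) return false;
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
// Rule tables in the shape used by the change log.
const GoodDomains = [".yahooapis.com"];                  // entry 8
const BadURL_Parts_old = ["[^_k]tgp[^r]"];              // entry 7, before
const BadURL_Parts = ["[^_k]tgp[^br]"];                 // entry 7, after
const BadNetworks = [
  "64.154.84.0, 255.255.254.0",                         // entry 1, HITBOX
  "60.191.239.164, 255.255.255.224",                    // entry 16, SPAM-01-b1
];
const BLACKHOLE = "PROXY 127.0.0.1:3421";                // constructed sink

function matchesUrlRule(url, rules) {
  url = url.toLowerCase();           // patterns are tested on the lower-cased URL
  return rules.some(p => new RegExp(p).test(url));
}

function FindProxyForURL(url, host, guardNetworks = true) {
  host = host.toLowerCase();
  for (const d of GoodDomains) if (dnsDomainIs(host, d)) return "DIRECT";
  if (matchesUrlRule(url, BadURL_Parts)) return BLACKHOLE;
  // Entry 18: skip the network tests unless we can get an IPv4 address.
  const HasIPv4Address = guardNetworks ? isResolvable(host) : true;
  if (HasIPv4Address) {
    for (const rule of BadNetworks) {
      const [net, mask] = rule.split(",").map(s => s.trim());
      if (isInNet(host, net, mask)) return BLACKHOLE;
    }
  }
  return "DIRECT";
}

// DNS queries one decision costs, with and without the entry-18 guard.
function dnsCostOf(url, host, guardNetworks) {
  dnsLookups = 0;
  FindProxyForURL(url, host, guardNetworks);
  return dnsLookups;
}
```

With the guard an unresolvable host costs one lookup (the isResolvable call) instead of one per BadNetworks rule, which is the saving entry 18 is after.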