05 October 2009 Changes (HHH)
-----------------------------

1. Action: Click-Tracker rule
    Added:
        BadDomains[i++] = "click.alertsweb.com"; // PRIVUS Tracker - 2009-08-28
    Reason: Don't let the PRIVUS portion fool you. This will become a real rule AFTER I have mapped out all of the click trackers used at Ruler-Domains.com. We have a lot of them. We just need the rest. Well, we didn't get them, so it just became public on 2009-Sep-07 04:11 UTC.

2. Action: Tracker rule that will become public ASAP
    Added:
        BadDomains[i++] = ".alexametrics.com"; // PRIVUS Tracker - 2009-08-29
    Reason: I noticed somebody using atrk.alexametrics.com. How many more do they have? I ask because we have only one. It is intended that this rule become PUBLIC ASAP. I notice that EasyPrivacy has it, so the test time will be VERY short.
    { 2010-01-23: A note needs to be made here. Just because EasyPrivacy has something does NOT mean I will automatically include it. Just because I have something does NOT mean that the EasyPrivacy people will include it (although they are free to take what I have as long as they follow the terms of the GPL). If you use a hosts file, all you really need to do is redirect the hosts atrk.alexametrics.com and certify.alexametrics.com. Adding it to the PAC filter is for Chrome, IE, Opera, and Safari users on Windows Vista and Windows 7, where putting a blocking hosts file in place is infinitely harder than putting the PAC filter on. The PAC filter does NOT need DNS caching turned off and is NOT put into the %WinDir%. That was NOT a mistake on my part years ago. }

3. Action: Tracker rules driven into the URL
    Added:
        BadURL_Parts[i++] = "dblclick"; // PRIVUS AdServer - 2009-08-30
        BadURL_Parts[i++] = "doubleclick"; // PRIVUS AdServer - 2009-08-30
    Reason: I noticed that IMDB is swapping one spy service after another to avoid detection. SO I AM GOING TO MAP THEM ALL OUT! That is where the previous rule in #2 came from.
    Again, even though EasyPrivacy in ABP has the previous one, they don't have these and I think they are needed.
    { 2010-01-23: They are public now ... see #6 below. }

4. Action: Malware redirector
    Added:
        BadDomains[i++] = ".filter.oridianppc.com"; // MalWare - 2009-09-02
    Reason: They showed up in my logs, and after inspection it appears that one piece of malware redirects all requests that would have gone to Google or other search engines to hosts like:
        12637.91419.filter.oridianppc.com
        12635.91419.filter.oridianppc.com
    It is yet to be determined WHY they are going through this DNSWCD.

5. Action: Malware stoppers & white listers.
    Added:
        GoodDomains[i++] = ".adobe.com"; // flash-plugin - 2009-09-03
        GoodDomains[i++] = "foxitsoftware.com"; // flash-plugin - 2009-09-03
        BadURL_WordStarts[i++] = "flash-plugin"; // Malware - 2009-09-03
        BadURL_WordStarts[i++] = "xplays\.php"; // Malware - 2009-09-03
    Reason: This is part of a three-tiered host scheme that shoves in malware with the name flash-plugin.#####.exe or flash-plugin_update.#####.exe. Despite the fact that it IS a trojan, when I did a search on the pattern flash-plugin_update.45059.exe I came back with only two links:
        http://safeweb.norton.com/report/show?name=thebestexe.com
        http://www.adobe.com/support/flash/downloads.html
    This was what I got from VirusTotal: http://preview.tinyurl.com/m8nzxk (5 / 41)
        -------------------------------------------
        Authentium   W32/SuspPack.AD.gen!Eldorado
        DrWeb        Trojan.Packed.191
        F-Prot       W32/SuspPack.AD.gen!Eldorado
        Kaspersky    Trojan-Downloader.Win32.CodecPack.kai
        VBA32        Malware-Cryptor.Win32.General.4
    Now you know why I want Kaspersky on one of my machines. Despite SANS and others bashing them, they are EXCELLENT for the stuff I discover.

6. Action: Drove DoubleClick rules down into the URL.
    From:
        BadURL_Parts[i++] = "dblclick"; // PRIVUS AdServer - 2009-08-30
        BadURL_Parts[i++] = "doubleclick"; // PRIVUS AdServer - 2009-08-30
        BadHostParts[i++] = "doubleclick"; // AdServer
    To:
        BadURL_Parts[i++] = "dblclick"; // AdServer - 2009-09-04
        BadURL_Parts[i++] = "doubleclick"; // AdServer - 2009-09-04
    Reason: I added these as a test just a week or so ago. We can't take the risk any more. DoubleClick has driven their stuff DEEP into the URL level to avoid filters. IOW, it is similar to metrics.apple.com, which is really appleglobal.112.2o7.net, but that is still at the host level. THIS STUFF ISN'T, AND AdBlockPlus' EasyPrivacy IS NOT GETTING THE JOB DONE. WELL, WE ARE! I still have the same philosophy: if they require that we put up with DoubleClick to go to their web site, then I don't want to go to their web site.

7. Action: Activated exmasters.com IP rules in main file
    Date: 2009-Sep-04 12:20 UTC
    From:
        // BadNetworks[i++] = "81.31.38.0, 255.255.255.128"; // YOUR CHOICE exmasters.com-1 - 2009-06-19
        // BadNetworks[i++] = "89.185.228.0, 255.255.254.0"; // YOUR CHOICE exmasters.com-2 - 2009-06-19
    To:
        BadNetworks[i++] = "81.31.38.0, 255.255.255.128"; // YOUR CHOICE exmasters.com-1 - 2009-06-19
        BadNetworks[i++] = "89.185.228.0, 255.255.254.0"; // YOUR CHOICE exmasters.com-2 - 2009-06-19
    Reason: I am getting tired of uncommenting them. Also, all the hosts that MDL put in seem to be staying there. It shows that a laissez-faire attitude prevails, and I am tired! This only affects the proxy* and dbgproxy* files. For the pornproxy* files these rules have always been active.

8. Action: ".bidsystem.com" rule
    Date: 2009-Sep-07 04:27 UTC
    Added:
        BadDomains[i++] = ".bidsystem.com"; // AdServer / Tracker - 2009-08-24
    Reason: This was under wraps while I tried working on something, but since that is gone, others have it now. They originally were a two-bit ad service, but they upped the ante by making themselves a tracking service to give tailored ads.
    It was how Ruler-Domains.com was using them that tipped the scales.

9. Action: click.alertsweb.com
    Date:
    Added:
        BadDomains[i++] = "click.alertsweb.com"; // DNSWCD Tracker - 2009-08-28
    Reason: 49796b364b4473674e534d74.4a6967364e46306d4d512c2c.click.alertsweb.com
    Do you REALLY want to RTS all of these, with what appear to be two HUGE hexadecimal hash strings, in a hosts file? Actually, since this one was used by Ruler-Domains and they no longer use it (they have their own IP clicker-trackers - see #12 below - and they use only them now), you don't want it.

10. Action: iperceptions.com was made public
    Date: 2009-Sep-07 04:38 UTC
    From:
        BadDomains[i++] = ".iperceptions.com"; // PRIVUS Tracker - 2009-05-28
    To:
        BadDomains[i++] = ".iperceptions.com"; // Tracker - 2009-09-07
    Reason: 4qinvite.4q.iperceptions.com at purwater.com, and the fact that the EasyPrivacy subscription for ABP has it. I have no idea how many they stop, but why deprive Chrome, IE, Opera, and Safari users of this?

11. Action: "indextools\.js" rule
    Added:
        BadURL_Parts[i++] = "indextools\.js"; // Tracker - 2009-09-11
    Reason: I noticed it was used by garryvac.com! I have seen them before but had never investigated them. Well, now I have. And now they are in there. They are also in the ABP EasyPrivacy list, and I just hope they are all the same.

12. Action: Ruler-Domains clicker-tracker service by IP address
    Added:
        BadNetworks[i++] = "76.9.16.144, 255.255.255.240"; // HASH REDIR - 2009-09-10
    Reason: At one time they were using others' clicker-trackers all over the place (I found some and added them to the hosts file). But now they seem to have stabilized and use their own. The IP addresses they have used so far are 76.9.16.147, 76.9.16.148, 76.9.16.153, 76.9.16.154, and 76.9.16.157. Since this puts them straddling two 8-IP-address spaces (76.9.16.144 ... 76.9.16.151 and 76.9.16.152 ... 76.9.16.159), I am taking out a wider swath (76.9.16.144, 76.9.16.145, 76.9.16.146, 76.9.16.158, and 76.9.16.159), but it is a good gamble this is correct.

13. Action: HITBOX IP RULES
    Date: 2009-Sep-15 12:07 UTC
    From:
        BadNetworks[i++] = "64.154.80.0, 255.255.252.0"; // YOUR CHOICE HITBOX1 - 2008-11-17
        BadNetworks[i++] = "64.154.84.0, 255.255.254.0"; // PRIVUS HITBOX3 - 2009-06-01
        BadNetworks[i++] = "64.154.86.0, 255.255.255.192"; // YOUR CHOICE HITBOX2 - 2009-01-01
    To:
        BadNetworks[i++] = "64.154.80.0, 255.255.248.0"; // YOUR CHOICE HITBOX - 2009-09-15
    Reason: They went into the 64.154.87 range recently in a big way. Ergo, this entire space is THEIRS. Since it is an optional rule, why not make it cover the whole space?

14. Action: Free Firewalls Information
    Added:
        GoodDomains[i++] = "free-firewall.org"; // SECURITY - 2009-09-15
    Reason: To bypass my "free" rule, which I use. Since it is good information (I was using it to help poor people get protection), it is now known.

15. Action: Removed bluehost.com
    Date: 2009-Sep-19 18:59 UTC
    Removed:
        BadDomains[i++] = ".bluehost.com"; // WebBug - 2009-06-16
    Reason: They MAY have been used by KBYU to track and gather my email addresses. With all the thrashing I did on it, they have permanently black-listed ALL of my email addresses. I am pretty sure there is a San Francisco company that wants to know what happened.
    { 2010-01-23: Unless the San Francisco company did it. All I know is that when somebody tracks me to the point of finding my IP address, snatches my email accounts from the browser, and then sends me an email message that almost looked like a phish, they are going about doing things the WRONG way. Their biggest mistake was to claim that my email addresses were from previous donations. I am a graduate of the University of Utah and have donated to KUED, and if they did the same thing I would be offended EXACTLY TO THE SAME DEGREE! BYU doesn't need classes in religion. What they need are classes in ethics.
    This is far worse than that flap I read about the other day for the Notre Dame newspaper. I don't know who made this decision, but lying afterwards about what they were doing was a GRAVE ERROR. I think they should fire the people that did it. I FEEL VERY STRONGLY ABOUT THIS! Feel free to disagree. }

16. Action: EasyPrivacy JavaScript and GIF tracking rules
    Added:
        BadURL_WordStarts[i++] = "dcs\.gif"; // PRIVUS Tracker - 2009-09-19
        BadURL_WordStarts[i++] = "wtbase\.js"; // PRIVUS Tracker - 2009-09-19
        BadURL_WordStarts[i++] = "wtid\.js"; // PRIVUS Tracker - 2009-09-19
        BadURL_WordStarts[i++] = "wtinit\.js"; // PRIVUS Tracker - 2009-09-19
    Reason: Noticed this was a pretty big hole for us, and these will be needed by Chrome, IE, Opera and Safari users. YOU CANNOT DO THESE WITH HOST NAMES!
    { 2010-01-23: They are public now. }

17. Action: Thwart time-zone tracking somewhat (they still go by IP, even if you do set your machine to UTC time).
    Added:
        BadHostWordStarts[i++] = "utm\."; // Tracker - 2009-09-27
    Reason: utm.myfuncards.com started it, but I have more. My only concern is whether or not to relax it because of hosts like utm2.smileycentral.com and utmtrk2.smileycentral.com.

18. Action: Removed DNSWCD tracker
    Date: 2009-09-30
    Removed:
        BadDomains[i++] = ".web-stats.org"; // DNSWCD - Tracker
    Reason: DEAD! As much as I would like to say it was the PAC filter that did it in, it wasn't. Their service just never took off. The tracking game is petering out.

19. Action: Added a PRIVUS rule - SHOULD EVERYBODY HAVE THIS?
    Added:
        GoodDomains[i++] = "dashboard.godaddy.com"; // PRIVUS - 2009-09-30
    Reason: It showed up in my phttp logs, but I will be DARNED if I can understand what is causing it! Until I understand it, I cannot add it for everybody. There is NO rule I can point to that causes the problem. WHAT IS IT!?
    { 2010-01-23: Opened to GoDaddy.com itself, and a rule prohibiting pattern squatting was added for phishers. }

20. Action: Gave an exclusion to two "teen" rules.
    Date: 2009-09-30
    From:
        BadHostParts[i++] = "teen";
        BadURL_WordEnds[i++] = "teen";
    To:
        BadHostParts[i++] = "[^s]teen"; // Malware - 2009-10-01
        BadURL_WordEnds[i++] = "[^s]teen"; // Malware - 2009-10-01
    Reason: joelosteen.com - better to allow it than to have the false positive. How many "Steens" will we have? I don't know, but I would rather give this up than both rules. At least now people KNOW why it was retained in the main proxy file from the pornproxy file.

21. Action: Removed all of the SPAM BadNetworks rules
    Date: 2009-10-05
    Removed:
        BadNetworks[i++] = "61.191.63.150, 255.255.255.255"; // SPAM-01-c - 2009-06-05
        BadNetworks[i++] = "119.39.238.2, 255.255.255.255"; // SPAM-01-h - 2009-06-26
        BadNetworks[i++] = "212.174.200.111, 255.255.255.255"; // SPAM-01-g - 2009-06-24
        BadNetworks[i++] = "218.75.144.6, 255.255.255.255"; // SPAM-01-i - 2009-06-26
        BadNetworks[i++] = "222.186.12.113, 255.255.255.255"; // SPAM-01-k - 2009-07-08
        BadNetworks[i++] = "222.241.150.146, 255.255.255.255"; // SPAM-01-j - 2009-07-06
    Reason: They are no longer used. I have identified the following new IP spam addresses, but I would NEVER add them because of what happened to the ones I just removed:
        60.12.166.154
        218.10.16.155
        203.93.208.86
        220.196.59.35
        222.186.30.145
    Like I said, the instant I add them, that goes into OpenDNS IP rules or Yahoo's or MSN's or ... and when that happens these IP rules are useless. There are no patterns for the hosts that won't clobber you for legitimate hosts, so the only way to handle them is hosts file entries.

05 October 2009 UNresolved False Positives (HHH)
------------------------------------------------
NONE

05 October 2009 RESOLVED False Positives (HHH)
----------------------------------------------
NONE
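The BadNetworks rules in #7, #12, #13 and #21 above are written as "network, netmask" pairs. The JavaScript below is an added example, not the PAC filter's own code: it performs the same masked comparison that PAC's built-in isInNet() makes, reports the first and last address a rule takes in, lists which addresses a rule blocks beyond the ones actually observed (the "wider swath" of #12), and checks that the single HITBOX rule from #13 still covers every address the three rules it replaced did. The rule strings and the five Ruler-Domains addresses are the ones quoted in the entries; the function names and the checks are this example's own.

```javascript
// Added example (not the PAC filter's own code): evaluating and auditing
// "network, netmask" rules of the kind this changelog's BadNetworks uses.

// Convert dotted-quad IPv4 text to an unsigned 32-bit integer.
function ip4ToInt(ip) {
  const parts = ip.trim().split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("bad octet in " + ip);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// Unsigned 32-bit integer back to dotted-quad text.
function intToIp4(n) {
  return [24, 16, 8, 0].map((s) => (n >>> s) & 255).join(".");
}

// Parse one rule of the form "network, netmask" (the filter's own layout).
function parseNetworkRule(rule) {
  const [net, mask] = rule.split(",").map((s) => s.trim());
  return { net: ip4ToInt(net), mask: ip4ToInt(mask) };
}

// True when ip lies inside the masked network: the test isInNet() makes.
function inNetwork(ip, rule) {
  const { net, mask } = parseNetworkRule(rule);
  return ((ip4ToInt(ip) & mask) >>> 0) === ((net & mask) >>> 0);
}

// First and last address a rule covers, as dotted quads.
function ruleRange(rule) {
  const { net, mask } = parseNetworkRule(rule);
  const first = (net & mask) >>> 0;
  const last = (first | (~mask >>> 0)) >>> 0;
  return [intToIp4(first), intToIp4(last)];
}

// Every address newRule covers that none of the observed addresses account
// for: the price of taking a wider swath than what was actually seen.
function extraAddresses(rule, observed) {
  const [first, last] = ruleRange(rule).map(ip4ToInt);
  const seen = new Set(observed);
  const extra = [];
  for (let a = first; a <= last; a++) {
    const ip = intToIp4(a);
    if (!seen.has(ip)) extra.push(ip);
  }
  return extra;
}

// True when newRule still matches every address each of oldRules matched,
// so replacing several rules by one loses nothing.
function coversAll(newRule, oldRules) {
  return oldRules.every((old) => {
    const [first, last] = ruleRange(old).map(ip4ToInt);
    for (let a = first; a <= last; a++) {
      if (!inNetwork(intToIp4(a), newRule)) return false;
    }
    return true;
  });
}

// Sample rules quoted in entries #12 and #13 of this changelog.
const RULER_DOMAINS = "76.9.16.144, 255.255.255.240";
const RULER_DOMAINS_SEEN = ["76.9.16.147", "76.9.16.148", "76.9.16.153", "76.9.16.154", "76.9.16.157"];
const HITBOX_OLD = [
  "64.154.80.0, 255.255.252.0",
  "64.154.84.0, 255.255.254.0",
  "64.154.86.0, 255.255.255.192",
];
const HITBOX_NEW = "64.154.80.0, 255.255.248.0";
```

ruleRange(RULER_DOMAINS) gives 76.9.16.144 through 76.9.16.159, and extraAddresses(RULER_DOMAINS, RULER_DOMAINS_SEEN) lists the eleven addresses in that /28 that have not been seen serving the clicker-tracker. For #13, coversAll(HITBOX_NEW, HITBOX_OLD) is true, and an address in 64.154.87.x is matched by the new /21 rule but by none of the three old ones, which is exactly the gap the entry describes.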
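Several entries above turn on what a given rule table can and cannot see: #6 moves DoubleClick out of BadHostParts and into BadURL_Parts because the name had moved into the path, #5 whitelists adobe.com so the flash-plugin rule does not block Adobe's own download page, #16 and #17 add word-start rules, and #20 replaces "teen" with "[^s]teen" so joelosteen.com is no longer a false positive. The evaluator below is an added example and not the PAC filter's own code. The table names and rule strings are the filter's, but the matching semantics (suffix match for domain entries, the other tables treated as case-insensitive regex fragments with a word boundary of "anything that is not a letter or digit"), the black-hole proxy string and the sample hosts ending in .example are this example's assumptions.

```javascript
// Added example, not the PAC filter's own code: a small evaluator for the
// rule tables this changelog edits. Table names are the filter's; the
// matching semantics, the .example hosts and BLACKHOLE are assumptions.

const GoodDomains = [".adobe.com", "foxitsoftware.com", "free-firewall.org"];
const BadDomains = [".alexametrics.com", ".bidsystem.com", ".iperceptions.com"];
const BadHostParts = ["[^s]teen"];                                    // #20, was "teen"
const BadHostWordStarts = ["utm\\."];                                 // #17
const BadURL_Parts = ["dblclick", "doubleclick", "indextools\\.js"];  // #6, #11
const BadURL_WordStarts = ["flash-plugin", "xplays\\.php", "dcs\\.gif", "wtid\\.js"];
const BadURL_WordEnds = ["[^s]teen"];                                 // #20, was "teen"

// Constructed placeholder for wherever the real filter sends blocked requests.
const BLACKHOLE = "PROXY 127.0.0.1:3421";

// Assumed word boundary: anything that is not a letter or digit.
const WB = "[^A-Za-z0-9]";

// Domain entries are plain strings (assumed): a leading "." matches the bare
// domain and every subdomain; without it the entry is matched as a host suffix.
function domainMatches(host, entry) {
  if (entry.startsWith(".")) return host === entry.slice(1) || host.endsWith(entry);
  return host === entry || host.endsWith("." + entry);
}

// The other tables hold regex fragments; compile each once, case-insensitive.
function compile(fragments, mode) {
  return fragments.map((f) => {
    if (mode === "wordStart") return new RegExp("(^|" + WB + ")" + f, "i");
    if (mode === "wordEnd") return new RegExp(f + "(" + WB + "|$)", "i");
    return new RegExp(f, "i");
  });
}

// [table name, compiled regexes, source fragments, what they are matched against]
const REGEX_TABLES = [
  ["BadHostParts", compile(BadHostParts, "part"), BadHostParts, "host"],
  ["BadHostWordStarts", compile(BadHostWordStarts, "wordStart"), BadHostWordStarts, "host"],
  ["BadURL_Parts", compile(BadURL_Parts, "part"), BadURL_Parts, "url"],
  ["BadURL_WordStarts", compile(BadURL_WordStarts, "wordStart"), BadURL_WordStarts, "url"],
  ["BadURL_WordEnds", compile(BadURL_WordEnds, "wordEnd"), BadURL_WordEnds, "url"],
];

// Decide for one URL. GoodDomains wins over everything else; after that the
// first table that hits decides. Returns {blocked, rule} so a decision can be
// traced back to the table and entry that made it.
function classify(url, hostOnly = false) {
  const host = new URL(url).hostname.toLowerCase();
  const good = GoodDomains.find((d) => domainMatches(host, d));
  if (good) return { blocked: false, rule: "GoodDomains " + good };
  const bad = BadDomains.find((d) => domainMatches(host, d));
  if (bad) return { blocked: true, rule: "BadDomains " + bad };
  for (const [table, regexes, fragments, scope] of REGEX_TABLES) {
    if (hostOnly && scope !== "host") continue;
    const i = regexes.findIndex((re) => re.test(scope === "host" ? host : url));
    if (i >= 0) return { blocked: true, rule: table + " " + fragments[i] };
  }
  return { blocked: false, rule: null };
}

// What a hosts file or a host-level table alone can see: shows why #6 had to
// move DoubleClick into the URL tables once the name left the host name.
function hostLevelBlocked(url) {
  return classify(url, true).blocked;
}

// PAC entry point, so the reader can see where classify() would sit.
function FindProxyForURL(url, host) {
  return classify(url).blocked ? BLACKHOLE : "DIRECT";
}
```

Under these semantics http://www.joelosteen.com/ is allowed, while a constructed host such as www.teenchat.example is still caught by BadHostParts, and a path ending in /teen.html by BadURL_WordEnds. A constructed URL with doubleclick in its path is blocked by BadURL_Parts but not by hostLevelBlocked(), which is the #6 point. Adobe's flash-plugin page passes on GoodDomains before BadURL_WordStarts is consulted, while an attachment named flash-plugin_update.45059.exe on a constructed host is blocked; "xflash-plugin" is not, because the rule is a word start. Two caveats worth knowing when reusing the regexes: "[^s]teen" needs one character in front of "teen", so a host name that begins with "teen" only matches once it carries a label such as "www." in front, and "utm\." does not match utm2.smileycentral.com because it demands a dot right after "utm"; whether the real filter's word-start handling behaves the same way is not something this changelog states.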