28 December 2009 Changes (HHH)
------------------------------

1. Action: YAZB (Yet Another Zeus Bot rule)
   Added:
      GoodDomains[i++] = "cdc.gov";      // Phish - 2009-12-02
      BadHostParts[i++] = "cdc\.gov";    // Phish - 2009-12-02
   Reason: http://garwarner.blogspot.com/ (2009-12-02)

2. Action: Rules to cover the holes of the "[^ehn]cock" rule
   Added:
      BadURL_Parts[i++] = "gecock";      // Malware - 2009-12-02
      BadURL_Parts[i++] = "tecock";      // Malware - 2009-12-02
      BadURL_Parts[i++] = "vecock";      // Malware - 2009-12-02
   Reason: Several of these HAVE led to malware.

3. Action: White-list rules for my November log
   Added:
      GoodDomains[i++] = "comcast.com";  // 2009-12-02
      GoodDomains[i++] = "comcast.net";  // 2009-12-02
      GoodDomains[i++] = "mozilla.com";  // 2009-12-02
      GoodDomains[i++] = "mozilla.org";  // 2009-12-02
   Reason: In every case I don't know what triggered it because they were
   using port 443. It doesn't matter, we need them, and also one for Cox if
   they need it.

4. Action: Removed two optional rules
   Date: 2009-Dec-02 10:31 UTC
   Removed:
      // BadURL_Parts[i++] = "gratis";   // YOUR CHOICE
      // BadURL_Parts[i++] = "gratuit";  // YOUR CHOICE
   Reason: Too many false positives at sites in Spanish, French and Italian.

5. Action: Testing stricter rule for chase.com and all the others
   Added:
      // BadHostParts[i++] = "ally\.com";          // YOUR CHOICE Phish - 2009-12-03
      // BadHostParts[i++] = "chase\.com";         // YOUR CHOICE Phish - 2009-12-03
      // BadHostParts[i++] = "fdic\.gov";          // YOUR CHOICE Phish - 2009-12-03
      // BadHostParts[i++] = "irs\.gov";           // YOUR CHOICE Phish - 2009-12-03
      // BadHostParts[i++] = "nacha\.org";         // YOUR CHOICE Phish - 2009-12-03
      BadHostParts[i++] = "refund-services\.irs";  // YOUR CHOICE Phish - 2009-12-03
      BadHostParts[i++] = "refunds\.irs";          // YOUR CHOICE Phish - 2009-12-03
      BadHostParts[i++] = "ustreasury";            // YOUR CHOICE Phish - 2009-12-03
   Reason: There will be some false positives but I want this one as tight
   as I can get. PEOPLE CAN NOT ONLY GET INFECTED BUT LOSE MONEY HERE.
   Initially I was going to test them myself but this is too important. If
   people want the protection and can afford the false positives I say, LET
   THEM! The next step would be to put dots in front of all of the ".com"
   domains.

6. Action: BadNetworks SPAM rules
   Added:
      BadNetworks[i++] = "58.218.250.107, 255.255.255.255";  // SPAM - 2009-12-02
   Reason: This seems to be the one that the spammers at GMail have shifted
   to. If the others are no longer used they will be removed - the norm.

7. Action: Make the "rx" rule public
   From:
      BadHostParts[i++] = "rx";     // PRIVUS - SPAM - 2009-11-12
   To:
      // BadHostParts[i++] = "rx";  // YOUR CHOICE SPAM - 2009-11-12
   Reason: No false positives and it isn't active. But at least people will
   have the option of using it.
   { 2010-01-23: LOTS of false positives and for every one a new exclusion
   character was added. }

8. Action: Removed "qsrch" rule
   Date: 2009-Dec-03 20:12 UTC
   Removed:
      BadHostParts[i++] = "qsrch";
   Reason: qsrch.net hosts are basically parked with the service
   searchportal.information.com. qsrch.com hosts are not doing anything
   wrong any more.

9. Action: Added tracker from ComedyCentral.com
   Added:
      BadURL_WordStarts[i++] = "mtvi_reporting";  // Tracker - 2009-12-03
   Reason: Went searching to see if viacomedycentralrl.112.2o7.net was still
   alive and found this from EasyPrivacy.

10. Action: Tracking cookie block - just in case
    Added:
       BadDomains[i++] = ".paypopup.com";  // DNSWCD Tracker - 2009-12-04
    Reason: I caught them using others not in my hosts file.

11. Action: Stop the flawed Akamai downloaders from being used
    Added:
       BadURL_Parts[i++] = "2\.2\.2\.[(0|1)]\.cab";  // Malware - 2009-12-06
    Reason: http://msmvps.com/blogs/spywaresucks/archive/2008/05/07/1615714.aspx
    Search for either dlm-proxy-2.2.2.0.cab or dlm-proxy-2.2.2.1.cab which
    are in finer HJT (HiJackThis) logs everywhere. Now can we stop blocking
    download.akamaitools.com.edgesuite.net? I will talk to Akamai about the
    problem. Maybe something can be done.

12. Action: Activate some of the commented out rules
    Date: 2009-Dec-06 22:42 UTC
    From:
       // BadURL_Parts[i++] = "adcheck\.fcgi";  // YOUR CHOICE Tracker - 2009-11-16
       // BadURL_Parts[i++] = "googlead";       // YOUR CHOICE AdServer - 2009-11-16
    To:
       BadURL_Parts[i++] = "adcheck\.fcgi";     // YOUR CHOICE Tracker - 2009-11-16
       BadURL_Parts[i++] = "googlead";          // YOUR CHOICE AdServer - 2009-11-16
    Reason: I cannot see any reason for false positives with these.

13. Action: YAZBSM (Yet Another ZeusBot Spam Message)
    Added:
       GoodDomains[i++] = ".americanexpress.com";     // Phish - 2009-12-06
       BadHostParts[i++] = "americanexpress\.com";    // Phish - 2009-12-06
    Reason: http://garwarner.blogspot.com/ 2009-Dec-06 23:33 UTC

14. Action: Removed domains in preparation for the next rules
    Date: 2009-Dec-07 14:54 UTC
    Removed:
       GoodDomains[i++] = "dashboard.godaddy.com";  // 2009-11-02
       GoodDomains[i++] = "freewebs.com";           // PRIVUS RULE
       BadDomains[i++] = ".hostmonster.com";        // WebBug - 2009-06-16
       GoodDomains[i++] = "securemecca.com";        // HHH
       GoodDomains[i++] = "yahoo.com";
       GoodDomains[i++] = ".yahooapis.com";         // tgp - 2009-06-08
    Reason: http://garwarner.blogspot.com/ 2009-12-05
    NOTE: I had to remove hostmonster.com from both the hosts file and the
    PAC filter for a higher purpose. Long live the WebBug.

15. Action: Added some rules for the cPanel garbage
    Added:
       GoodDomains[i++] = ".123-reg.co.uk";         // Phish - 2009-12-07
       GoodDomains[i++] = ".1and1.co.uk";           // Phish - 2009-12-07
       GoodDomains[i++] = ".1and1.com";             // Phish - 2009-12-07
       GoodDomains[i++] = ".1und1.de";              // Phish - 2009-12-07
       GoodDomains[i++] = ".4shared.com";           // Phish - 2009-12-07
       GoodDomains[i++] = "all-inkl.com";           // Phish - 2009-12-07
       GoodDomains[i++] = ".angelfire.com";         // Phish - 2009-12-07
       GoodDomains[i++] = "arcor.de";               // Phish - 2009-12-07
       GoodDomains[i++] = "arcor-online.net";       // Phish - 2009-12-07
       GoodDomains[i++] = ".aruba.it";              // Phish - 2009-12-07
       GoodDomains[i++] = ".awardspace.com";        // Phish - 2009-12-07
       GoodDomains[i++] = ".bluehost.com";          // Phish - 2009-12-07
       GoodDomains[i++] = ".dreamhost.com";         // Phish - 2009-12-07
       GoodDomains[i++] = ".dynadot.com";           // Phish - 2009-12-07
       GoodDomains[i++] = "earthlink.com";          // Phish - 2009-12-07
       GoodDomains[i++] = ".fasthosts.co.uk";       // Phish - 2009-12-07
       GoodDomains[i++] = ".freewebs.com";          // Phish - 2009-12-07
       GoodDomains[i++] = ".godaddy.com";           // Phish - 2009-12-07
       GoodDomains[i++] = ".homestead.com";         // Phish - 2009-12-07
       GoodDomains[i++] = ".hostmonster.com";       // Phish - 2009-12-07
       GoodDomains[i++] = ".hostsfile.org";         // Phish - 2009-12-07
       GoodDomains[i++] = ".jeeran.com";            // Phish - 2009-12-07
       GoodDomains[i++] = ".locaweb.com.br";        // Phish - 2009-12-07
       GoodDomains[i++] = ".lunarpages.com";        // Phish - 2009-12-07
       GoodDomains[i++] = ".lycos.com";             // Phish - 2009-12-07
       GoodDomains[i++] = ".mediafire.com";         // Phish - 2009-12-07
       GoodDomains[i++] = ".mozy.com";              // Phish - 2009-12-07
       GoodDomains[i++] = ".namecheap.com";         // Phish - 2009-12-07
       GoodDomains[i++] = ".netbenefit.co.uk";      // Phish - 2009-12-07
       GoodDomains[i++] = ".networksolutions.com";  // Phish - 2009-12-07
       GoodDomains[i++] = ".securemecca.com";       // Phish - 2009-12-07
       GoodDomains[i++] = ".sitesell.com";          // Phish - 2009-12-07
       GoodDomains[i++] = ".strato.de";             // Phish - 2009-12-07
       GoodDomains[i++] = ".webs.com";              // Phish - 2009-12-07
       GoodDomains[i++] = ".yahoo.com";             // Phish - 2009-12-07
       GoodDomains[i++] = ".yahooapis.com";         // Phish - 2009-12-07
       --------------------------------------------------------------------
       BadHostParts[i++] = "123-reg\.co\.uk";       // Phish - 2009-12-07
       BadHostParts[i++] = "1and1\.co\.uk";         // Phish - 2009-12-07
       BadHostParts[i++] = "1and1\.com";            // Phish - 2009-12-07
       BadHostParts[i++] = "1und1\.de";             // Phish - 2009-12-07
       BadHostParts[i++] = "4shared\.com";          // Phish - 2009-12-07
       BadHostParts[i++] = "all-inkl\.com";         // Phish - 2009-12-07
       BadHostParts[i++] = "angelfire\.com";        // Phish - 2009-12-07
       BadHostParts[i++] = "arcor\.de";             // Phish - 2009-12-07
       BadHostParts[i++] = "arcor-online\.net";     // Phish - 2009-12-07
       BadHostParts[i++] = "aruba\.it";             // Phish - 2009-12-07
       BadHostParts[i++] = "awardspace\.com";       // Phish - 2009-12-07
       BadHostParts[i++] = "bluehost\.com";         // Phish - 2009-12-07
       BadHostParts[i++] = "dreamhost\.com";        // Phish - 2009-12-07
       BadHostParts[i++] = "dynadot\.com";          // Phish - 2009-12-07
       BadHostParts[i++] = "earthlink\.com";        // Phish - 2009-12-07
       BadHostParts[i++] = "fasthosts\.co\.uk";     // Phish - 2009-12-07
       BadHostParts[i++] = "freewebs\.com";         // Phish - 2009-12-07
       BadHostParts[i++] = "godaddy\.com";          // Phish - 2009-12-07
       BadHostParts[i++] = "homestead\.com";        // Phish - 2009-12-07
       BadHostParts[i++] = "hostmonster\.com";      // Phish - 2009-12-07
       BadHostParts[i++] = "hostsfile\.org";        // Phish - 2009-12-07
       BadHostParts[i++] = "jeeran\.com";           // Phish - 2009-12-07
       BadHostParts[i++] = "locaweb\.com\.br";      // Phish - 2009-12-07
       BadHostParts[i++] = "lunarpages\.com";       // Phish - 2009-12-07
       BadHostParts[i++] = "lycos\.com";            // Phish - 2009-12-07
       BadHostParts[i++] = "mediafire\.com";        // Phish - 2009-12-07
       BadHostParts[i++] = "mozy\.com";             // Phish - 2009-12-07
       BadHostParts[i++] = "namecheap\.com";        // Phish - 2009-12-07
       BadHostParts[i++] = "netbenefit\.co\.uk";    // Phish - 2009-12-07
       BadHostParts[i++] = "networksolutions\.com"; // Phish - 2009-12-07
       BadHostParts[i++] = "securemecca\.com";      // Phish - 2009-12-07
       BadHostParts[i++] = "sitesell\.com";         // Phish - 2009-12-07
       BadHostParts[i++] = "strato\.de";            // Phish - 2009-12-07
       // BadHostParts[i++] = "webs\.com";          // Phish - 2009-12-07
       BadHostParts[i++] = "yahoo\.com";            // Phish - 2009-12-07
       BadHostParts[i++] = "yahooapis\.com";        // Phish - 2009-12-07
       --------------------------------------------------------------------
       BadHostWordStarts[i++] = "cpanel\.";         // Phish - 2009-12-07
       BadHostWordStarts[i++] = "webs\.com";        // Phish - 2009-12-07
    Reason: http://garwarner.blogspot.com/ 2009-12-05
    People will have to do the others on their own. I went past where I
    should have stopped, but this is a rather critical issue if people's
    credentials are stolen or their machines are infected or both. I cannot
    count on them using a good MUA like Thunderbird or Claws Mail. If they
    are using WebMail, Outlook, or Outlook Express they may be fooled. I
    don't know what Microsoft calls their POP / IMAP program today because
    I JUST PLAIN DON'T CARE! From a security point of view it SUCKS.

16. Action: Prepared for the next additions to what went on in the previous
    section.
    Date: 2009-Dec-09 05:26 UTC
    Removed:
       GoodDomains[i++] = "ebay.com";          // 17 & 18
       GoodDomains[i++] = ".ebayimg.com";      // 17 & 18
       GoodDomains[i++] = ".ebaystatic.com";   // 17 & 18
       GoodDomains[i++] = ".google.com";
       GoodDomains[i++] = ".googlepages.com";  // 17 & 18
       BadDomains[i++] = ".hostgator.com";     // WebBug - 2009-06-16
       GoodDomains[i++] = ".monster.com";
    Reason: If people want to use their service at hostgator.com I will let
    them. The others are being changed and are being put in BOTH proxy and
    pornproxy.

17. Action: Added some more phish rules.
    Added:
       GoodDomains[i++] = ".50webs.com";        // Phish - 2009-12-08
       GoodDomains[i++] = "ebay.com";           // Phish - 2009-12-08
       GoodDomains[i++] = ".ebayimg.com";       // Phish - 2009-12-08
       GoodDomains[i++] = ".ebaystatic.com";    // Phish - 2009-12-08
       GoodDomains[i++] = "google.com";         // Phish - 2009-12-10
       GoodDomains[i++] = "googlepages.com";    // Phish - 2009-12-10
       GoodDomains[i++] = ".hostgator.com";     // Phish - 2009-12-08
       GoodDomains[i++] = ".mastercard.com";    // Phish - 2009-12-08
       GoodDomains[i++] = ".monster.com";       // Phish - 2009-12-08
       GoodDomains[i++] = ".paypal.com";        // Phish - 2009-12-08
       GoodDomains[i++] = ".visa.com";          // Phish - 2009-12-08
       GoodDomains[i++] = ".wellsfargo.com";    // Phish - 2009-12-08
       --------------------------------------------------------------------
       BadHostParts[i++] = "50webs\.com";       // Phish - 2009-12-08
       // BadHostParts[i++] = "ebay\.com";      // Phish - 2009-12-08
       BadHostParts[i++] = "ebayimg\.com";      // Phish - 2009-12-08
       BadHostParts[i++] = "ebaystatic\.com";   // Phish - 2009-12-08
       BadHostParts[i++] = "google\.com";       // Phish - 2009-12-10
       BadHostParts[i++] = "googlepages\.com";  // Phish - 2009-12-10
       BadHostParts[i++] = "hostgator\.com";    // Phish - 2009-12-08
       BadHostParts[i++] = "mastercard\.com";   // Phish - 2009-12-08
       BadHostParts[i++] = "monster\.com";      // Phish - 2009-12-08
       BadHostParts[i++] = "paypal\.com";       // Phish - 2009-12-08
       // BadHostParts[i++] = "visa\.com";      // Phish - 2009-12-08
       BadHostParts[i++] = "wellsfargo\.com";   // Phish - 2009-12-08
       --------------------------------------------------------------------
       BadHostWordStarts[i++] = "ebay\.com";    // Phish - 2009-12-08
       BadHostWordStarts[i++] = "visa\.com";    // Phish - 2009-12-08
    Reason: Some of these were in my misnamed TypoSquatter.txt file. I have
    now renamed it PatternSquatter.txt since that is more appropriately
    what is going on here. The others are here in an article at the
    Washington Post: http://preview.tinyurl.com/yajyooj

18. Action: Added some private rules to discover trackers
    Date: 2009-Dec-10 06:54 UTC
    Added:
       BadNetworks[i++] = "74.200.247.59, 255.255.255.255";   // PRIVUS 2009-12-10
       BadNetworks[i++] = "74.200.247.61, 255.255.255.255";   // PRIVUS 2009-12-10
       BadNetworks[i++] = "76.74.254.120, 255.255.255.254";   // PRIVUS 2009-12-10
    Reason: stats.wordpress.com. I finally just decided to add the date
    rather than this string.
    { 2010-01-23: Rules removed - only stats.wordpress.com. }

19. Action: Removed experimental rule
    Date: 2009-Dec-11 08:00 UTC
    Removed:
       BadDomains[i++] = ".firstlightera.com";  // PRIVUS - AdServer - 2009-10-06
    Reason: It was only temporary to find out if it was needed. Well it is.
    Go here with and without it and see the difference:
    http://preview.tinyurl.com/ybhloxo
    That was precisely what I was after. Mostly, it has some legitimate
    uses, like setting up the cascading style sheets.

20. Action: Activated a rule before its vetting
    Date: 2009-Dec-13 08:56 UTC
    From:
       // BadHostParts[i++] = "visa\.com";  // Phish - 2009-12-08
    To:
       BadHostParts[i++] = "visa\.com";     // Phish - 2009-12-08
    Reason:

21. Action: KoobFace Malware pattern block
    Added:
       BadURL_WordStarts[i++] = "\.sys";  // Malware - 2009-12-14
    Reason: I will include the patterns for the hosts MDL (MalwareDomainList)
    shows for why this is needed.

22. Action: usbank.com - it is NOT usbank-online.com
    Added:
       GoodDomains[i++] = "usbank.com";     // Phish - 2009-12-14
       BadHostParts[i++] = "usbank\.com";   // Phish - 2009-12-14
    Reason: See enclosed usbank-online.com.eml email message. That host was
    also added to the add.Dead file since it is already dead.

23. Action: Removed ALL IP SPAM rules
    Date: 2009-Dec-16 13:18 UTC
    Removed:
       BadNetworks[i++] = "58.218.250.107, 255.255.255.255";   // SPAM - 2009-12-02
       BadNetworks[i++] = "60.12.166.154, 255.255.255.255";    // SPAM - 2009-10-10
       BadNetworks[i++] = "218.10.16.155, 255.255.255.255";    // SPAM - 2009-10-12
       BadNetworks[i++] = "222.170.127.122, 255.255.255.255";  // SPAM - 2009-11-05
    Reason: Even the ones that were added less than a week ago have had
    their IP address changed.

24. Action: Over-ride for the "rx" rule in case they activate it
    Added:
       GoodDomains[i++] = "aarpmedicarerx.com";  // SPAM - 2009-12-17
    Reason: Just in case they activate the rule. I noticed that the instant
    that rule became public all of the spam hosts that were doing fake
    pharmacy all of a sudden dropped the "rx" from their host names.

25. Action: Over-ride of the "xxx" rule
    Added:
       GoodDomains[i++] = "dslreports.com";  // xxx - 2009-12-17
    Reason: There is no reason to prevent pattern pretenders. We will have
    these from time to time. Therefore I am starting a count from here -
    ONE. When it reaches SEVEN then I will drop the "xxx" rule from URL to
    Host status.

26. Action: Added two ad server rules. Actually one tracks too.
    Added:
       BadURL_Parts[i++] = "behaviorads";      // AdServer - 2009-12-17
       BadURL_WordStarts[i++] = "adssrv\.";    // AdServer - 2009-12-17
    Reason: Believe it or not, Rodney was having problems with his browser
    and especially anything involving active content. These suckers just
    plopped out. I also got the host ehg-morningstar.hitbox.com for sure
    and am investigating im.mstar.com. I HIT THE JACKPOT!

27. Action: av2008 ---> av2010
    Date: 2009-Dec-19 02:32 UTC
    From:
       BadURL_Parts[i++] = "av2008";  // Rogue-Ware 2009-03-28
    To:
       BadURL_Parts[i++] = "av2010";  // Rogue-Ware 2009-12-18
    Reason: Who wants a two year old AntiVirus package? They want to infect
    themselves with the latest miserable pile of garbage.

28. Action: Added a low level rule to totally strip some HitBox calls
    Added:
       BadURL_WordStarts[i++] = "hbx_[(p|v)]";  // PRIVUS Tracker - 2009-12-18
    Reason: Just to see how many HitBox hosts and aliases it makes
    disappear.
    { 2010-01-23: Almost none, the domain is going away and this rule is
    very likely going to be removed. }

29. Action: dotster.com
    Added:
       GoodDomains[i++] = ".dotster.com";    // Phish - 2009-12-19
       BadHostParts[i++] = "dotster\.com";   // Phish - 2009-12-19
    Reason: They immediately take you to https so I don't know what is
    causing it, but since hackers may take advantage of it we are adding
    it. We also get rid of the false positive (which I didn't notice at the
    site).

30. Action: Wouldn't you know it - TrendMicro.com killed our rule.
    Added:
       GoodDomains[i++] = ".antivirus.com";  // Security - 2009-12-19
    Reason: It not only crossed the "antivir" rule but also the sanity of
    TrendSecure is now in question. WHY BREAK WHAT IS FIXED? We do not need
    a strengthening rule. The existing "antivir" rule does the trick.

31. Action: Made "analytics" rule PRIVUS and dropped its scope
    Date: 2009-Dec-19 15:28 UTC
    From:
       // BadURL_Parts[i++] = "analytics";  // YOUR CHOICE Tracker - 2009-11-16
    To:
       BadHostParts[i++] = "analytics";     // PRIVUS Tracker - 2009-11-16
    Reason: False positives. Not only that but if it has too many in the
    dropped Host area I will remove it altogether.
    { 2010-01-23: Rule removed. Note that my memory has actually improved
    with age but if I ever think of doing this again and forget, this stands
    as a reminder: do NOT go that way ever again. }

32. Action: Need an exclusion for MorningStar.com
    Added:
       GoodDomains[i++] = ".morningstar.com";  // bad LSO allow - 2009-12-21
    Reason: Their streaming content comes via the ads.morningstar.com host
    so we have to allow it. This host and the host bin.clearspring.com
    which ads.morningstar.com calls have been moved into the header section
    of the hosts file. Both of those hosts have to be removed or commented
    out to allow streaming content from this host.

33. Action: "rx" over-ride rules
    Date: 2009-Dec-22 15:48 UTC
    Added:
       GoodDomains[i++] = "humanarxplans.com";   // SPAM - 2009-12-22
       GoodDomains[i++] = "reliantrxwa.com";     // SPAM - 2009-12-22
       GoodDomains[i++] = "rxcareercenter.com";  // SPAM - 2009-12-22
    Reason: Just in case somebody activates the "rx" rule. But I have
    noticed ever since I put the "rx" rule out there for everybody the
    false pharmacies have dropped the "rx" term like a hot potato.

34. Action: Dropped the "hot" ending rule to Host level only
    Date: 2009-Dec-22 20:27 UTC
    From:
       // BadURL_WordEnds[i++] = "[^s]hot";   // YOUR CHOICE
       // BadURL_WordEnds[i++] = "[^s]hot";   // VOTRE CHOIX
    To:
       // BadHostWordEnds[i++] = "[^s]hot";   // YOUR CHOICE - 2009-12-22
       // BadHostWordEnds[i++] = "[^s]hot";   // VOTRE CHOIX - 2009-12-22
    Reason: Rodney has a false positive and it really should be operating
    only at the host level, even if it is only optional. I can't think of a
    malware term ending in that at the URL level.

35. Action: Added yet another pair of Phish rules for a Spanish bank and one
    more rule for banks in general
    Added:
       GoodDomains[i++] = ".bbva.es";               // Phish - 2009-12-22
       BadHostParts[i++] = "bbva\.es";              // Phish - 2009-12-22
       BadURL_Parts[i++] = "cardstatement\.exe";    // Phish - 2009-12-22
    Reason: http://GarWarner.BlogSpot.com 2009-12-22

36. Action: Reduced exclusion range to only what is necessary
    Date: 2009-Dec-25 20:55 UTC
    From:
       GoodDomains[i++] = ".morningstar.com";     // bad LSO allow - 2009-12-21
    To:
       GoodDomains[i++] = "ads.morningstar.com";  // bad LSO allow - 2009-12-21
    Reason: Why give them anything more than they should get? MVPHosts is
    going to continue to block both this host and the bin.clearspring.com
    host it calls on.

37. Action: Temporary IP rule
    Added:
       BadNetworks[i++] = "67.191.128.0, 255.255.192.0";  // Comcast PCs - 2009-12-25 (tmp)
    Reason: http://www.SecureMecca.com/Comcast/67_191_143_141.png
    http://preview.tinyurl.com/ydrm9yy (the included file named forcomcast.txt)
    This needs to be removed in a month or so. Either that or we need to
    start black-netting all of the major ISPs' PC network space to prevent
    this stuff.

38. Action: Temporary Ad Server domain
    Added:
       BadDomains[i++] = ".mochiads.com";  // DNSWCD AdServer - 2009-12-26
    Reason: The number of the hosts in the domain looks rather thin. Let's
    see if there is anything else. If not, remove it in a few months. LOOK
    AT ALL OF THE OTHERS LIKE THIS RIGHT NOW.

39. Action: Altered the header considerably
    Date: 2009-12-26 17:38 UTC
    From:
       Analyse sémantique & Word Analyzer: AKA (EN only)
       (using 441,000+ porn host names)
       Version: 3.0.5
    To:
       Analyse Sémantique, Traqueur, et Maliciels : & Pattern, Tracker, and
       Malware Analyzer alias (EN only)
       { GONE }
       Version: 3.1.0
    Reason: To more truly reflect the purpose of the PAC filter, which is
    primarily to stop malware and trackers using the pattern analyzing
    skills I have developed.

40. Action: Stop g-ecx.images-amazon.com's Flash cookies and image trackers
    (primarily GIF)
    Added:
       // BadURL_WordStarts[i++] = "ptv8\.swf";    // PRIVUS Tracker - 2009-12-27
       // BadURL_WordStarts[i++] = "x-locale\/";   // PRIVUS Tracker - 2009-12-27
       BadURL_Parts[i++] = "transparent-pixel";    // PRIVUS Tracker - 2009-12-27
    Reason: I WAS blocking the g-ecx.images-amazon.com host privately. I am
    discovering the flash files the hard way, and I have been doing this
    for over a month since this is our instacontent friend. I am allowing
    the rules above since this tracks across multiple domains like
    imdb.com, amazon.com and others. Most of the images are not used for
    tracking and the second rule gives some false positives but FAR FEWER
    THAN THE HOST! What I am doing right now is allowing the LSO to be
    added to, and after that is done the first two rules will be activated.
    The first IS a tracker. I don't think there are static tracking images
    that have something other than the "transparent-pixel" pattern in them.
    But there may be other flash files. I AM TRYING TO FIND THEM! After
    that is done the second rule will silently disappear. It may come back
    from time to time but it will ALWAYS be PRIVUS, and it MAY cause some
    problems. But primarily, most of the images are just little tiny
    slivers.
    { 2010-01-13: The 1st and 3rd are now public. THERE IS NO INTENTION
    WHATSOEVER OF MAKING THE 2ND RULE *PUBLIC*! It is only to discover the
    others. When that discovery stops it will be commented out, then
    reactivated every so often. I had them all commented out at one time to
    let them have enough rope to hang themselves. }

41. Action: Microsoft Tracker / AdServer (in this case Tracker)
    Added:
       BadURL_WordStarts[i++] = "trans_pixel";  // Tracker - 2009-12-29 (ASP)
    Reason: c.microsoft.com/trans_pixel.asp?TYPE=SSPV... BUT I WOULD SWEAR I
    HAVE SEEN THIS BEING USED THE SAME WAY WITH A PHP SCRIPT SO I AM
    HOPEFULLY GOING TO KILL TWO BIRDS WITH ONE STONE.

42. Action: WHY CAN'T THESE BANKS PICK HOST NAMES THAT ARE PATTERN SQUATTER
    RESISTANT LIKE Wells Fargo DOES? I have to add these because Ally Bank
    is also known by this name.
    Added:
       GoodDomains[i++] = ".allybank.com";    // Phish - 2009-12-29
       BadHostParts[i++] = "allybank\.com";   // Phish - 2009-12-29
    Reason: They advertised it this way on TV.

43. Action: Activated some of the stronger rules for Zeus pattern phishers.
    Some of them were driven before their time because the number of Zeus
    infections has SKY-ROCKETED!
    Date:
    From:
       // BadHostParts[i++] = "chase\.com";      // YOUR CHOICE Phish - 2009-12-03
       // BadHostParts[i++] = "fdic\.gov";       // YOUR CHOICE Phish - 2009-12-03
       // BadHostParts[i++] = "irs\.gov";        // YOUR CHOICE Phish - 2009-12-03
       // BadHostParts[i++] = "nacha\.org";      // YOUR CHOICE Phish - 2009-12-03
       BadHostWordStarts[i++] = "adserver";      // PRIVUS AdServer - 2009-10-06
    To:
       BadHostParts[i++] = "chase\.com";         // YOUR CHOICE Phish - 2009-12-03
       BadHostParts[i++] = "fdic\.gov";          // YOUR CHOICE Phish - 2009-12-03
       BadHostParts[i++] = "irs\.gov";           // YOUR CHOICE Phish - 2009-12-03
       BadHostParts[i++] = "nacha\.org";         // YOUR CHOICE Phish - 2009-12-03
       BadHostWordStarts[i++] = "adserver";      // YOUR CHOICE AdServer - 2009-10-06
    Reason: The phishers were too important to leave this security hole
    open too long. The adserver was ready to go. If we don't have any false
    positives reported, after a while (a long while?) we can remove the
    BadHostWordStarts rules for chase, fdic, irs, and nacha.

28 December 2009 UNresolved False Positives (HHH)
-------------------------------------------------

NONE

28 December 2009 RESOLVED False Positives (HHH)
-----------------------------------------------

1. Pattern: "xxx"
   Date: 2009-Dec-19 04:31 UTC
   Rules:
      BadURL_Parts[i++] = "xxx";
      GoodDomains[i++] = "dslreports.com";
      GoodDomains[i++] = "mywot.com";
   Reason: I still don't want to drop the level of the rule.
   Solution: I am starting the count not from mywot.com but from
   dslreports.com. This makes ONE. When the count reaches SEVEN, the first
   rule above will become:
      BadHostParts[i++] = "xxx";

2. Pattern: "analytics"
   Solution: See change number 31 above.