19 April 2010 Changes (HHH)
---------------------------

 1. Action: Ad Server rule
    Added: BadDomains[i++] = ".ezboard.com"; // AdServer - 2010-02-12
    Reason: Actually it had a scripting problem on one site that was associated with malware. I do NOT want to add all of them.

 2. Action: Hit what I believe is another block of PCs
    Added: BadNetworks[i++] = "89.248.160.0, 255.255.240.0"; // Ecatel PCs? - 2010-02-12
    Reason: They may not be PCs, but this is the THIRD TIME I HAVE HIT MALWARE in this IP address space. Ecatel isn't talking about where their servers are, so we are just going to have to feel our way around on these.

 3. Action: Experimental malware rule
    Added: BadURL_WordStarts[i++] = "hitin\.php"; // PRIVUS Malware - 2010-02-12
    Reason: A lot of the redirections for the malware use this. Unlike another one, I can't recall seeing this except in a tracker situation. I DOUBT IT IS GOING TO MAKE IT!

 4. Action: eloqua trackers
    Added: BadURL_WordStarts[i++] = "elqcfg\.[(j|p)]"; // Tracker - 2010-02-13
           BadURL_WordStarts[i++] = "elqimg\.[(g|j|p)]"; // Tracker - 2010-02-13
    Reason: Saw at several sites.

 5. Action: flyingcroc / mtreexxx / outster trackers
    Added: BadNetworks[i++] = "207.66.153.90, 255.255.255.254"; // flyingcroc - 2010-02-12
    Reason: They used to be involved only in tracking porn, but they are branching out from there now. Normal sites are now using their tracking services.

 6. Action: Removed experimental rule.
    Date: 2010-02-13 13:57 UTC
    Removed: BadURL_WordStarts[i++] = "x-locale\/"; // PRIVUS Tracker - 2009-12-27
    Reason: All I was trying to do was find all of the s3.amazonaws.com tracking sources. I may not have all of them, but I think I do, and more to the point what I have is enough. There are some 1x1 GIF tracking removal rules added in the next item.

 7. Action: Added some GIF image tracker rules, some as a result of the previous action.
    Added: BadURL_WordStarts[i++] = "1x1_trans\.gif"; // Tracker - 2010-02-13
           BadURL_WordStarts[i++] = "clear\.gif"; // PRIVUS Tracker - 2010-02-13
           BadURL_WordStarts[i++] = "pixel\.gif"; // PRIVUS Tracker - 2010-02-13
           BadURL_WordStarts[i++] = "spc_trans\.gif"; // Tracker - 2010-02-13
    Reason: There is nothing like a transparent image to piggy-back lots of tracking information as people maneuver around.

 8. Action: Starting to handle the false positives on this rule.
    Date: 2010-02-13 14:02 UTC
    From: // BadURL_Parts[i++] = "track\.[(g|j|p)]"; // YOUR CHOICE Tracker - 2009-11-16
    To:   // BadURL_Parts[i++] = "[^d]track\.[(g|j|p)]"; // YOUR CHOICE Tracker - 2009-11-16
    Reason: s.bit.ly/TweetAndTrack.js?v=1.01 It is necessary for the link to Twitter to work.

 9. Action: Modified the "anal" rule due to a false positive
    Date: 2010-02-13 14:39 UTC
    From: BadURL_WordEnds[i++] = "[^c]anal";
    To:   BadURL_WordEnds[i++] = "[^ck]anal"; // Malware - 2010-02-13
    Reason: www.aftonbladet.se/template/ver1-0/gfx/partner/tvnu/Kanal%205_small.gif

10. Action: Modified the "tits" rule due to a false positive
    Date: 2010-02-13 14:52 UTC
    From: BadURL_Parts[i++] = "tits";
    To:   BadURL_Parts[i++] = "[^a]tits"; // Malware - 2010-02-13
    Reason: www.ipcmedia.com/images/covers/crop_ChatItsFate_Nov09_e_d6701001e81e8fe3e94edcde01dc0ca1.gif
    Originally I thought of dropping the rule to the Hosts level. Then I stupidly thought of adding all of the vowels. That is NOT a good idea. If you have an "e" before it, that means the pattern "huge" precedes it, so we are just going to have to feel our way along on this one. THERE MAY BE MORE CHANGES!

11. Action: Downgraded the "amateur" rule due to false positives.
    Date: 2010-02-13 15:16 UTC
    From: BadURL_Parts[i++] = "amateur";
    To:   BadHostParts[i++] = "amateur"; // Malware - 2010-02-13
    Reason: There are 9 in MDL now, and Airelle has 132. This rule is just going to be demoted, but from now on I will have to white-list my way out of problems.

12.
    Action: Temporary tracker rule
    Added: BadDomains[i++] = ".sophus3.com"; // PRIVUS Tracker - 2010-02-13
    Reason: Sophus has gone into the tracking business. This is just a TEMPORARY rule to help me understand what they are doing.

13. Action: Need the other half to protect against false Adobes
    Added: BadHostParts[i++] = "adobe\.com"; // flash-plugin - 2010-02-15
    Reason: Just guard against a preliminary strike of having some darn hosts like adobe.com.ukbranch.co.uk and adobe.com.nlbranch.nl. I can almost guarantee that some stupid INP (Internet Name Provider) is going to make these available if their past performance is any indicator.
    WARNING: You may need to drop the companion GoodDomains rule down a notch in protection from ".adobe.com" to "adobe.com".

14. Action: PRIVUS tracker rule
    Added: BadDomains[i++] = ".outbrain.com"; // PRIVUS Tracker - 2010-02-15
           BadDomains[i++] = ".buzzfeed.com"; // PRIVUS Tracker - 2010-02-15
    Reason: traffic.outbrain.com is NOT the only host that is used. I noticed the other one in answering a question about why Google didn't get patterns blocked in its search. I don't like their content, but that isn't what I am interested in - I WANT THEIR TRACKERS! Once I have those the buzzfeed.com rule will be gone. Actually I have no intention of having these rules be anything BUT PRIVUS.

15. Action: Removed Ecatel (see #2)
    Date: 2010-02-16
    Removed: BadNetworks[i++] = "89.248.160.0, 255.255.240.0"; // Ecatel PCs? - 2010-02-12
    Reason: False positives - do not know range used by PCs.

16. Action: Removed phish protection rule that was too short
    Removed: GoodDomains[i++] = ".webs.com"; // Phish - 2009-12-07
             BadHostParts[i++] = "webs\.com"; // YOUR CHOICE Phish - 2009-12-07
    Reason: *.limewebs.com. I already had one and there will be others. Anybody picking a domain name this short is asking for trouble.

17.
    Action: Strengthened Wells Fargo rules
    Date: 2010-02-25 12:10 UTC
    From: BadHostParts[i++] = "wellsfargo\.com"; // Phish - 2009-12-08
    To:   BadHostParts[i++] = "wellsfargo.com"; // Phish - 2010-02-25
    Reason: I noticed the phishers are also using host names like wellsfargo-com.gobbledygook.co.nl or similar. Since the pattern is long enough we can have our cake and eat it too. A "." will match any ONE 8-bit character, so if they shift to using "_" we will still have it covered.

18. Action: Got rid of some FPs
    From: BadURL_WordStarts[i++] = "rape";
    To:   BadURL_WordStarts[i++] = "rape"; // 2010-02-25
    Reason: grape was what I was thinking about, but it will NOT happen. By adding the date I am saying I did look at this and there is NO PROBLEM.

19. Action: A rare false positive with adult
    From: BadHostParts[i++] = "adult";
          BadURL_Parts[i++] = "adult";
    To:   BadHostParts[i++] = "[^e]adult"; // Malware - 2010-02-25
          BadURL_Parts[i++] = "[^e]adult"; // Malware - 2010-02-25
    Reason: "arrowheadultra.com" and the fact that I want to make it clear this rule is NOT blocking porn per se but instead is heading off malware.

20. Action:
    From: BadURL_WordStarts[i++] = "hitin\.php"; // PRIVUS Malware - 2010-02-12
          BadURL_WordStarts[i++] = "hitin\.php"; // PRIVUS Maliciels - 2010-02-12
    To:   BadURL_WordStarts[i++] = "hitin\.php"; // YOUR CHOICE Malware - 2010-02-12
          BadURL_WordStarts[i++] = "hitin\.php"; // VOTRE CHOIX Maliciels - 2010-02-12
    Reason: There are just too many Zeus hosts using this script now. They are also using "config.bin" a lot for the config files. Evidently the multiple names that gave them an advantage in keeping the updates from being stopped cause too much confusion.

21. Action: Zeus config files.
    Added: BadURL_WordStarts[i++] = "config\.bin"; // PRIVUS Malware - 2010-02-25
           BadURL_WordEnds[i++] = "\.bin"; // PRIVUS Malware - 2010-02-25
    Reason: I have noticed that Zeus usually uses config.bin.
    Even if these don't cause me problems in normal browsing, if they do for others at all they will be commented out. It is better to prevent Zeus in the first place, but once a machine is infected this could starve it of the config files that NONE of the AV companies detect very well.

22. Action: RealMedia rule change
    From: BadHostParts[i++] = "oasc"; // AdServer - 2009-10-07
    To:   BadHostParts[i++] = "oasc[(0|1|e)]"; // AdServer - 2010-03-01
    Reason: oasci.org False Positive

23. Action: Deactivated the 17 & 18 rules in pornproxy*
    Date: 2010-03-01 20:05 UTC
    From: BadHostParts[i++] = "17"; // YOUR CHOICE
          BadHostParts[i++] = "18"; // YOUR CHOICE
    To:   // BadHostParts[i++] = "17"; // YOUR CHOICE
          // BadHostParts[i++] = "18"; // YOUR CHOICE
    Reason: Just too many false positives. There was a newbie who complained he was going to have to format his hard drive just to get rid of the PAC filter. The next time my instructions are going to be simpler, but I want to stop this one before it ever starts!

24. Action: Added another Malware rule
    Added: BadURL_WordStarts[i++] = "new-video-addon\."; // Malware - 2010-03-01
    Reason: There are quite a few New-Video-Addon.#####.exe files and the AV protection is LOW.

25. Action: Added some Malware rules
    Added: BadURL_Parts[i++] = "nowtrue\.swf"; // YOUR CHOICE Malware - 2010-03-05
           BadURL_Parts[i++] = "pdf\.pdf"; // Malware - 2010-03-05
           BadURL_Parts[i++] = "swf\.swf"; // Malware - 2010-03-05
    Reason: Dr Warner has discovered these. He has others that are obviously targeting the specific browser that cannot be used, and these that will probably cause significant problems: "snode\.php" and "swfobject\.js". I am going to test them privately because I don't even want them having PRIVUS status.

26. Action: Removed duplicate rules
    From: BadDomains[i++] = ".112.2o7.net"; // Tracker
          BadDomains[i++] = ".122.2o7.net"; // Tracker
    To:   BadDomains[i++] = ".2o7.net"; // Tracker - 2010-03-12
    Reason: I don't know what happened at the start, but this rule does both.
    Not only that, but it is unnecessary with all of the IP rules which stop the hosts and the other "omniture" rules that strip it completely out.

27. Action: removed p0rt2.com rule
    Date: 2010-03-19 01:35
    Removed: BadDomains[i++] = ".p0rt2.com"; // DNSWCD - MalWare
    Reason: I had already removed all of these from the hosts file because I never had proof that the suckers were used ANYWHERE. I left this rule just in case, but in reality I never thought it was needed. But looking at all of the host names it was evident that whoever had it just had to change the numbers and they were back in business, à la a hosts file that did not have the new name. Ergo, the rule was MUCH BETTER PROTECTION.

28. Action: Added a rule for RandMcNally.com
    Added: GoodDomains[i++] = "randmcnally.com"; // ally.com - 2010-03-19
    Reason: What is being protected is a bank account. Otherwise I would remove the rule.

29. Action: Added some BadDomains Tracker rules
    Added: BadDomains[i++] = ".flashtalking.com"; // Tracker - 2010-03-26
           BadDomains[i++] = ".webiqonline.com"; // DNSWCD Tracker - 2010-03-26
    Reason: They are using the new FLASH cookie trackers. I have no way of knowing the flashtalking.com domain in advance. Eventually the first rule is going away.

30. Action: Added a BadDomains Malware rule
    Added: BadDomains[i++] = ".ell6.com"; // MalWare - 2010-03-26
    Reason: www.val17.ell6.com/codec/videodownloader.exe This is NOT a DNSWCD, but I have no way of knowing how many other subdomains they have.

31. Action: Added a GoodDomains rule so people in China can use the only source of information left to the west.
    Added: GoodDomains[i++] = "google.com.hk"; // Google - 2010-03-27
    Reason: Counteract the BadHostParts[i++] = "google\.com"; rule.

32. Action: Added some BadURL_Parts tracker rules
    Added: BadURL_Parts[i++] = "click\.[(j|p)]"; // Tracker - 2010-03-26
           BadURL_Parts[i++] = "gemius\.js"; // Tracker - 2010-03-26
    Reason: I have noticed too many for the first one.
    It is a gamble and will probably have to be removed. We will see when we get there. The second one makes a little more sense. We have both xgemius.js and gemius.js at the start of a URL. By folding them into one Parts rule we handle both of them.

33. Action: Added some BadURL_WordStarts Ad rules
    Added: BadURL_WordStarts[i++] = "adsatt\."; // AdServer - 2010-03-26
           BadURL_WordStarts[i++] = "showad\."; // AdServer - 2010-03-26
    Reason: I have no idea how many adsatt.* hosts there are, and the second one is EVERYWHERE.

34. Action: Added some BadURL_WordStarts Malware rules
    Added: BadURL_WordStarts[i++] = "cfg\.bin"; // YOUR CHOICE Malware - 2010-03-26
           BadURL_WordStarts[i++] = "video-plugin\."; // YOUR CHOICE Malware - 2010-03-26
           BadURL_WordStarts[i++] = "videodownloader\."; // YOUR CHOICE Malware - 2010-03-26
    Reason: More of those stupid players for porn sites that are really nothing more than ways of making a pwned machine. WHEN WILL PEOPLE LEARN THAT PORN IS MORE THAN JUST CONTENT?

35. Action: Added some tracker rules
    Added: BadDomains[i++] = ".snoobi.com"; // DNSWCD Tracker - 2010-03-28
    Reason: Since this is now my number 1 priority I am always on the lookout. I use web sites advertised on TV and other places. When I find them I add them.

36. Action: "piwik"
    Date: 2010-03-29 18:38
    From: BadURL_Parts[i++] = "piwik\.js"; // Tracker - 2009-10-13
    To:   BadURL_Parts[i++] = "piwik\.[(j|p)]"; // Tracker - 2010-03-29
    Reason: They have a PHP script now.

37. Action: activated some deactivated rules
    Date: 2010-03-29 23:25
    From: // BadURL_Parts[i++] = "[^d]track\.[(g|j|p)]"; // YOUR CHOICE Tracker - 2009-11-16
          // BadURL_WordStarts[i++] = "gate\.php"; // YOUR CHOICE Malware - 2010-01-08
    To:   BadURL_Parts[i++] = "[^d]track\.[(g|j|p)]"; // YOUR CHOICE Tracker - 2009-11-16
          BadURL_WordStarts[i++] = "gate\.php"; // YOUR CHOICE Malware - 2010-01-08
    Reason: The only false positive I had was handled by the ^d in track. Actually gate.php may be passé now.
    It looks like hitin.php is now the script of choice for Zeus, but fashions come and go.

38. Action: myantispyware.com
    Added: GoodDomains[i++] = "myantispyware.com"; // Security - 2010-03-30
    Reason: exclusion for antispy rule

40. Action: Filled in old rules with comments
    From: NO COMMENT
    To:   *A* COMMENT
    Reason: This will be an ongoing thing until ALL of the rules in the proxy* and dbgproxy* files have a comment with a date stamp. It will wreak havoc on diffs, and that is why this file and this entry tell you it will be an ongoing thing until it is filled in. If it is something where I cannot remember what clobbered a GoodDomains, I will use general (général). Eventually they will all have a purpose and date.
    WARNING - IT WILL SLOW THE LOAD DOWN SOME. Because it precompiles the regexps, once you start going it should be better.

41. Action: Some malware rules
    Added: BadDomains[i++] = ".xorg.pl"; // DNSWCD Malare - 2010-03-31
           BadURL_WordStarts[i++] = "packupdate"; // DNSWCD Malware - 2010-03-31
    Reason: These are some of those pseudo scanners. They all seem to dump into this domain, so I am adding it. But I am also emailing the person responsible for the domain to see if we can turn this around. The other one will stay. It actually takes the form of packupdate_build#_###.exe. A few months back the same people may have had the pack_###s#.exe files. That pattern was too short. This one isn't.

42. Action: Removed less restrictive of two rules
    Date: 2010-03-31 18:13
    Removed: BadURL_WordStarts[i++] = "new-video-addon\."; // Malware - 2010-03-01
    Reason: BadURL_WordStarts[i++] = "new-video-addon"; // YOUR CHOICE Malware - 2010-02-08
    The older, more encompassing rule caused no false positives, so why have the newer one? So far they have always been like this: New-Video-Addon.#####.exe. That does NOT mean they cannot change. It used to be pack_###s#.exe.

43.
    Action: Another for the tax refund phish
    Added: BadURL_Parts[i++] = "refundportal\.htm"; // Malware - 2010-03-31
    Reason: http://GarWarner.BlogSpot.com/ 10 Mar 2010

44. Action: pornhub-x.com
    Added: BadHostWordStarts[i++] = "euro-defender"; // DNSWCD Malware - 2010-04-02
    Reason: They first had an end host in a chain of about the following.
      1. the host in action.
      2. The URL newfail.com/tds/go.php?sid=1
      3. The URL progshop.net/monster/index.php
      4. The URL chanceofmeatballs2.com/?pid=191&sid=a16df9&d=2 (the PID and SID CHANGE).
      5. the URL bf0b4.euro-antivirusz2.com/a72b8032/?gtyh=${LONGHASH}
    I don't worry about that one because the "antivir" rule kicks in and stops it. Later on it was replaced first by *.euro-defender1.com. So I made a BadDomains rule, only to have it foiled by them using 5965.euro-defender3.com/${LONGHASH}. Since they are all DNSWCD, I made a loop with the following results:
      *.euro-defender1.com EXISTS
      *.euro-defender2.com NXDOMAIN
      *.euro-defender3.com EXISTS
      *.euro-defender4.com NXDOMAIN
      *.euro-defender5.com NXDOMAIN
      *.euro-defender6.com EXISTS
      *.euro-defender7.com NXDOMAIN
      *.euro-defender8.com EXISTS
    Now I suppose I could be stupid and have FOUR BadDomains rules. But anybody who knows me knows one thing - I believe in shutting doors. THE FIRST ONE SHOULD BE GETTING THE HELL OFF OF MICROSOFT WINDOWS. Use a Macintosh. Use some Linux distro, but USE SOMETHING ELSE. In the meantime, since this also leads to porn, consider it to be a porn block.

45. Action: Changed status of PCs from tmp (temporary) to permanent and the HASH REDIR rules so they are more transparent.
    From: BadNetworks[i++] = "67.191.128.0, 255.255.192.0"; // Comcast PCs - 2009-12-25 (tmp)
          BadNetworks[i++] = "64.111.196.117, 255.255.255.255"; // HASH REDIR - 2009-08-21
          BadNetworks[i++] = "76.9.16.144, 255.255.255.240"; // HASH REDIR - 2009-09-10
    To:   BadNetworks[i++] = "67.191.128.0, 255.255.192.0"; // Comcast PCs 1 - 2010-05-05
          BadNetworks[i++] = "64.111.196.117, 255.255.255.255"; // HASH-REDIR-1 - 2009-08-21
          BadNetworks[i++] = "76.9.16.144, 255.255.255.240"; // HASH-REDIR-2 - 2009-09-10
    Reason: See the next set of added rules. There is another one in this DAMN ISP because they have this INSANE POLICY of not letting people use commodity broadband firewalls like Linksys, et al. But they have nothing against allowing people to directly attach their computer to a broadband connection. Even with Symantec's firewall and protection in place, that is a FLAWED POLICY! You need a hardware firewall in front of PCs running Microsoft Windows! Even Linux boxes would need SELinux if directly attached. It is getting to be a fierce world out there. THIS RULE IS THERE BECAUSE OF MALWARE.

46. Action: Added some IP rules for malware dished out by IP address
    Added: BadNetworks[i++] = "67.182.192.0, 255.255.192.0"; // Comcast PCs 2 - 2010-04-05
           BadNetworks[i++] = "93.174.93.149, 255.255.255.255"; // Malware Ecatel - 2010-04-05
           BadNetworks[i++] = "206.161.121.0, 255.255.255.0"; // HASH-REDIR-3 - 2010-04-05
    Reason: They all dished up malware. In the case of the PCs, Comcast is now redirecting all port 80 requests to Sedo. I guess Sedo gives a report to Comcast. If so, Comcast will begin to see how flawed their directly connecting PCs to the Internet really is. IT IS AN ABOMINABLE POLICY! Congress needs to pass laws that it is okay to use something other than what the ISP has.
    COMCAST KNOWS DAMN GOOD AND WELL THAT UNTIL YOUR CABLE MODEM'S MAC ADDRESS IS PUT INTO THEIR MAC TABLE YOUR ROUTER CANNOT PICK UP AN IP ADDRESS, BUT A MACHINE RUNNING MICROSOFT WINDOWS CAN - PULLING WISDOM TEETH TAKES LESS TIME THAN IT TAKES TO GET THE MAC ADDRESS OF YOUR PURCHASED CABLE MODEM PUT INTO THEIR MAC ADDRESS TABLE!

46. Action: Added two Clicker Trackers
    Added: BadDomains[i++] = ".reachlocal.net"; // DNSWCD Clicker-Tracker - 2010-04-05
           BadDomains[i++] = ".validclick.net"; // DNSWCD Clicker-Tracker - 2010-04-05
    Reason: The one targets where you are at. That is bad enough. They both are DNSWCD and can lead to anything. The second one uses a hash string to determine what to dish up to you. The first hosts of each I got are:
      firstoptiononline33.reachlocal.net
      4a6977354d512c2c.click.validclick.net

47. Action: Added two experimental ad rules
    Added: BadURL_WordStarts[i++] = "adfile\/"; // PRIVUS AdServer - 2010-04-05
           BadURL_WordStarts[i++] = "cnwk\.1d\/"; // PRIVUS AdServer - 2010-04-05
    Reason: First, I have to test that the "/adfile/" and the "/cnwk.1d/" folders will actually work. The last time I attempted the trailing "/" it seemed to fail. After we ascertain that they indeed work, then I will have to live with the rules to make sure there are no false positives before I give them to others. This is NOT a pressing issue since I believe ABP's EasyList has them and they are only ad rules, after all.
    - TEST ONE DONE, THEY WORK
    - TEST TWO, NOW FOR THE FALSE POSITIVES

48. Action: Changed the IP address used for the scripts.dlv4.com
    From: BadNetworks[i++] = "195.10.6.225, 255.255.255.255"; // scripts.dlv4.com - 2009-01-05
    To:   BadNetworks[i++] = "195.10.6.0, 255.255.255.0"; // PRIVUS scripts.dlv4.com - 2010-04-09
          BadNetworks[i++] = "195.10.6.45, 255.255.255.255"; // scripts.dlv4.com - 2010-04-09
    Reason:

49. Action: Removed one of the rules from the pornproxy file and other rules that are deprecated.
    Date: 2010-04-09 09:09
    Removed: BadNetworks[i++] = "195.10.6.0, 255.255.255.0"; // PORN 004 - 2009-06-19
             BadNetworks[i++] = "64.237.103.151, 255.255.255.255"; // adjuggler.com - 2008-11-30
             BadNetworks[i++] = "212.95.58.115, 255.255.255.255"; // DNSWCD mybeliefs.info - 2009-11-15
             BadNetworks[i++] = "212.95.58.121, 255.255.255.255"; // DNSWCD wegoodentertainment.info - 2009-11-15
             BadNetworks[i++] = "216.65.41.188, 255.255.255.255"; // OWNBOX FE TYPO
             BadNetworks[i++] = "62.161.94.0, 255.255.255.0"; // xiti.com_1 - 2009-06-19
             BadNetworks[i++] = "80.118.149.0, 255.255.255.0"; // xiti.com_2 - 2009-06-19
             BadNetworks[i++] = "130.117.119.0, 255.255.255.0"; // xiti.com_3 - 2009-06-19
             BadDomains[i++] = ".xiti.com"; // Tracker - WebBug - 2009-06-19
    Reason: The wider scripts.dlv4.com rule is probably going to replace the porn rule. The other rules are no longer useful.

50. Action: PARKFUNNEL rules changed
    From: // BadNetworks[i++] = "66.150.161.44, 255.255.255.255"; // PARKFUNNEL - 2008-09-21
          BadNetworks[i++] = "66.150.161.32, 255.255.255.224"; // PARKFUNNEL - 2009-06-19
          // BadNetworks[i++] = "69.25.47.166, 255.255.255.255"; // PARKFUNNEL - 2008-09-21
          BadNetworks[i++] = "69.25.47.160, 255.255.255.224"; // PARKFUNNEL - 2009-06-19
    To:   BadNetworks[i++] = "82.98.86.183, 255.255.255.224"; // PARKFUNNEL - 2010-04-10
    Reason: ParkFunnel was purchased by Sedo. They have now moved this into their own IP address space.

51.
    Action: Changed some PRIVUS rules to VOTRE CHOIX (YOUR CHOICE)
    Date: 2010-04-17 13:31
    From: BadDomains[i++] = ".buzzfeed.com"; // PRIVUS Tracker - 2010-02-15
          BadDomains[i++] = ".grapeshot.co.uk"; // PRIVUS Tracker - 2010-01-14
          BadDomains[i++] = ".interclick.com"; // PRIVUS Tracker - 2010-01-07
          BadDomains[i++] = ".quantserve.com"; // PRIVUS - WebBug - 2009-12-03
          BadDomains[i++] = ".specificclick.net"; // PRIVUS Tracker - 2010-01-20
          BadURL_Parts[i++] = "analytics\.[(j|p)]"; // PRIVUS Tracker - 2010-01-12
          BadURL_Parts[i++] = "proxysignature"; // PRIVUS Tracker - 2010-01-07
          BadURL_WordStarts[i++] = "clear\.gif"; // PRIVUS Tracker - 2010-02-13
          BadURL_WordStarts[i++] = "config\.bin"; // PRIVUS Malware - 2010-02-25
          BadURL_WordStarts[i++] = "hbx_[(p|v)]"; // PRIVUS Tracker - 2009-12-18
          BadURL_WordStarts[i++] = "pixel\.gif"; // PRIVUS Tracker - 2010-02-13
    To:   BadDomains[i++] = ".buzzfeed.com"; // YOUR CHOICE Tracker - 2010-02-15
          BadDomains[i++] = ".grapeshot.co.uk"; // YOUR CHOICE Tracker - 2010-01-14
          BadDomains[i++] = ".interclick.com"; // YOUR CHOICE Tracker - 2010-01-07
          BadDomains[i++] = ".quantserve.com"; // YOUR CHOICE - WebBug - 2009-12-03
          BadDomains[i++] = ".specificclick.net"; // YOUR CHOICE Tracker - 2010-01-20
          BadURL_Parts[i++] = "analytics\.[(j|p)]"; // YOUR CHOICE Tracker - 2010-01-12
          BadURL_Parts[i++] = "proxysignature"; // YOUR CHOICE Tracker - 2010-01-07
          BadURL_WordStarts[i++] = "clear\.gif"; // YOUR CHOICE Tracker - 2010-02-13
          BadURL_WordStarts[i++] = "config\.bin"; // YOUR CHOICE Malware - 2010-02-25
          BadURL_WordStarts[i++] = "hbx_[(p|v)]"; // YOUR CHOICE Tracker - 2009-12-18
          BadURL_WordStarts[i++] = "pixel\.gif"; // YOUR CHOICE Tracker - 2010-02-13
    Reason: They caused no problems and they are ready to go.

52.
    Action: Removed the following commented-out *.2o7.net rules
    Date: 2010-04-17 22:54
    Removed: // BadNetworks[i++] = "66.235.132.0, 255.255.254.0"; // 2o7.net - 2008-09-03
             // BadNetworks[i++] = "66.235.142.0, 255.255.254.0"; // 2o7.net - 2008-09-14
    Reason: They were there in case we had to scramble back. Now that everybody has what you need to scramble back in the logs, take them out. WHY? Because they reduce the readability and confuse even me.

53. Action: Changed the filter.oridianppc.com rule's status
    Date: 2010-04-17 23:40
    From: BadDomains[i++] = ".filter.oridianppc.com"; // MalWare - 2009-09-02
    To:   BadDomains[i++] = ".filter.oridianppc.com"; // DNSWCD MalWare - 2009-09-02
    Reason: From my phttpd log: 10994.12776.filter.oridianppc.com

54. Action: Added temporary SPAM rule
    Added: BadNetworks[i++] = "111.148.252.84, 255.255.255.255"; // CHINA SPAM 2010-04-19
    Reason: makingdeals.greatrxmedsource.com, health.favoredrxhere.com & others.

55. Action: Experimental Tracker & ad rules (intend to make public)
    Added: BadURL_WordStarts[i++] = "swf\/ad-"; // PRIVUS Tracker - 2010-04-19
           BadURL_WordStarts[i++] = "userfly\.js"; // Tracker - 2010-04-19
    Reason: On second thought, the userfly rule is ready to go.

56. Action: Experimental Malware rule (intend to make public)
    Added: BadURL_WordStarts[i++] = "iainstall\.exe"; // PRIVUS Malware - 2010-04-19
    Reason: Because I have a lot for this one AntiVirus exe.

19 April 2010 UNresolved False Positives (HHH)
----------------------------------------------
NONE

19 April 2010 RESOLVED False Positives (HHH)
-----------------------------------------------

 1. Pattern: tits
    Date: Tue Jan 26 2010 00:25:40  (resolved 2010-02-13 14:52 UTC)
    Rules: BadURL_Parts[i++] = "tits";
    Reason: www.ipcmedia.com/images/covers/crop_ChatItsFate_Nov09_e_d6701001e81e8fe3e94edcde01dc0ca1.gif
    Solution: BadURL_Parts[i++] = "[^a]tits"; // Malware - 2010-02-13
    Originally I thought of dropping the rule to the Hosts level. Then I stupidly thought of adding all of the vowels.
    That is NOT a good idea. If you have an "e" before it, that means the pattern "huge" precedes it, so we are just going to have to feel our way along on this one. THERE MAY BE MORE CHANGES!
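The "[^a]tits" fix above, and the same kind of guard in #8 ([^d]track), #9 ([^ck]anal), #19 ([^e]adult) and #22 (oasc[(0|1|e)]), together with the escaped-versus-unescaped dot of #17 and the GoodDomains/BadHostParts pairing of #13 and #16, worked through in a small evaluator. This is an added example and not the PAC filter's own code: the real file's anchoring for WordStarts, WordEnds, Parts and Domains is not on this page, so the semantics spelled out in the comments are assumptions, as are the blackhole proxy address, the GoodDomains "wellsfargo.com" entry, and the constructed test hosts (203.0.113.7, oascentral.example.com, adult.example.com). The false-positive URLs are the ones quoted in the entries.

```javascript
// Added example; not the PAC filter's own code. A small evaluator for the rule
// classes used in this changelog, to show what the negated character classes in
// #8, #9, #10, #19 and #22 change. Matching is case-insensitive.
//
// ASSUMED semantics (the real file's anchoring is not shown on this page):
//   BadURL_WordStarts  pattern starts at the beginning of the URL or right
//                      after a non-alphanumeric character
//   BadURL_WordEnds    pattern ends at the end of the URL or right before a
//                      non-alphanumeric character
//   BadURL_Parts       pattern may match anywhere in the URL (scheme removed)
//   BadHostParts       pattern may match anywhere in the host name
//   BadDomains         ".x.com" matches hosts ending in ".x.com" (subdomains
//                      only); "x.com" also matches the apex host x.com itself
//   GoodDomains        same shape as BadDomains; checked first, and it wins

const BLACKHOLE = "PROXY 127.0.0.1:3421"; // assumed blackhole (a closed port)

function compile(kind, pattern) {
  if (kind === "BadURL_WordStarts") return new RegExp("(?:^|[^a-z0-9])" + pattern, "i");
  if (kind === "BadURL_WordEnds") return new RegExp(pattern + "(?:$|[^a-z0-9])", "i");
  return new RegExp(pattern, "i"); // BadURL_Parts, BadHostParts
}

function domainMatches(host, domain) {
  const d = domain.toLowerCase();
  return d.startsWith(".") ? host.endsWith(d) : host === d || host.endsWith("." + d);
}

// Strip the scheme and lower-case; the host is everything up to the first "/".
function splitUrl(url) {
  const rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").toLowerCase();
  const slash = rest.indexOf("/");
  return { host: slash === -1 ? rest : rest.slice(0, slash), rest };
}

// Rules quoted from this page. GoodDomains "wellsfargo.com" is assumed: the page
// shows that GoodDomains/BadHostParts pairing for webs.com (#16), not this one.
const rules = {
  GoodDomains:       ["adobe.com", "wellsfargo.com", "randmcnally.com"],
  BadDomains:        [".2o7.net", ".outbrain.com"],
  BadHostParts:      ["adobe\\.com", "wellsfargo.com", "[^e]adult", "oasc[(0|1|e)]"],
  BadURL_WordStarts: ["hitin\\.php", "config\\.bin", "rape"],
  BadURL_WordEnds:   ["[^ck]anal"],
  BadURL_Parts:      ["[^d]track\\.[(g|j|p)]", "[^a]tits", "[^e]adult"],
};

// First matching rule wins; GoodDomains is consulted before any Bad* list.
function classify(url, ruleSet = rules) {
  const { host, rest } = splitUrl(url);
  for (const d of ruleSet.GoodDomains)
    if (domainMatches(host, d)) return { verdict: "allow", rule: "GoodDomains " + d };
  for (const d of ruleSet.BadDomains)
    if (domainMatches(host, d)) return { verdict: "block", rule: "BadDomains " + d };
  for (const p of ruleSet.BadHostParts)
    if (compile("BadHostParts", p).test(host)) return { verdict: "block", rule: "BadHostParts " + p };
  for (const kind of ["BadURL_WordStarts", "BadURL_WordEnds", "BadURL_Parts"])
    for (const p of ruleSet[kind])
      if (compile(kind, p).test(rest)) return { verdict: "block", rule: kind + " " + p };
  return { verdict: "allow", rule: null };
}

// PAC entry point shape: blocked URLs are sent to the blackhole proxy
// (the host argument is what the PAC engine passes; it is not needed here).
function FindProxyForURL(url, host) {
  return classify(url).verdict === "block" ? BLACKHOLE : "DIRECT";
}

// Does one pattern, in one rule class, hit this URL? Used to compare a rule
// before and after a false-positive fix.
function hits(kind, pattern, url) {
  const { host, rest } = splitUrl(url);
  return compile(kind, pattern).test(kind === "BadHostParts" ? host : rest);
}

// The false positives quoted in #8, #9, #10 and #19
const FP = {
  tweet: "http://s.bit.ly/TweetAndTrack.js?v=1.01",
  kanal: "http://www.aftonbladet.se/template/ver1-0/gfx/partner/tvnu/Kanal%205_small.gif",
  chat:  "http://www.ipcmedia.com/images/covers/crop_ChatItsFate_Nov09_e_d6701001e81e8fe3e94edcde01dc0ca1.gif",
  arrow: "http://arrowheadultra.com/",
};

// Constructed URLs for the other entries (documentation IP range, example.com)
const SAMPLES = [
  "http://wellsfargo-com.gobbledygook.co.nl/login", // #17: unescaped "." also matches "-"
  "https://www.wellsfargo.com/",                     // the paired GoodDomains entry wins
  "http://adobe.com.ukbranch.co.uk/flashplayer",     // #13
  "http://oasci.org/",                               // #22 false positive
  "http://oascentral.example.com/RealMedia/ads/",    // #22 still caught
  "http://203.0.113.7/hitin.php",                    // #20: Zeus drop script by IP
  "http://adult.example.com/",                       // caveat: nothing precedes "adult"
];

for (const u of [...Object.values(FP), ...SAMPLES]) {
  const r = classify(u);
  console.log(r.verdict, FindProxyForURL(u, splitUrl(u).host), u, r.rule || "");
}
```

Two things worth knowing before copying a guard like this. A negated class such as [^e] has to consume one character, so "[^e]adult" in BadHostParts never fires on a host that begins with "adult" (the last sample above passes for that reason); the same applies to any Parts rule whose match would sit at the very start of the string. And inside square brackets "(", "|" and ")" are literal characters, so "[(j|p)]" is the set {(, j, |, p, )}: it matches ".js" and ".php" as intended but also ".(" and ".|", which is harmless in practice; "[jp]" says the same thing more precisely.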
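The BadNetworks entries in this file are written as "address, mask" pairs (#2, #5, #45, #46, #48, #50). The following added example, which is not the filter's own loader (that code is not on this page), parses that form, works out what each entry actually covers, and tests an address against it with the comparison the PAC isInNet() helper performs, (ip & mask) == (pattern & mask). It makes two points from the entries: the Ecatel /20 from #2 spans 4096 addresses, which is the kind of width that produced the false positives behind its removal in #15, and the PARKFUNNEL entry from #50 is written as 82.98.86.183 but, under a 255.255.255.224 mask, covers 82.98.86.160 through .191. The entries are quoted from this page; the test address 89.248.170.5 is constructed.

```javascript
// Added example; not the PAC filter's own loader. Parses BadNetworks entries of
// the form "address, mask" and checks addresses against them the way the PAC
// isInNet() helper does: (ip & mask) == (pattern & mask).

function ipToInt(ip) {
  const octets = ip.trim().split(".");
  if (octets.length !== 4) throw new Error("not an IPv4 address: " + ip);
  let n = 0;
  for (const o of octets) {
    if (!/^\d{1,3}$/.test(o) || Number(o) > 255) throw new Error("bad octet in " + ip);
    n = ((n << 8) | Number(o)) >>> 0;
  }
  return n;
}

function intToIp(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join(".");
}

// Number of leading one bits in a contiguous mask (its CIDR prefix length).
function prefixLength(mask) {
  let bits = 0;
  for (let m = mask; m & 0x80000000; m = (m << 1) >>> 0) bits++;
  return bits;
}

// Parse one entry, e.g. "89.248.160.0, 255.255.240.0", and describe what it
// covers. Rejects masks that are not a run of ones followed by zeros, since
// such a mask silently matches scattered, unrelated addresses.
function parseEntry(entry) {
  const [addrText, maskText] = entry.split(",").map((s) => s.trim());
  const addr = ipToInt(addrText);
  const mask = ipToInt(maskText);
  const hostBits = (~mask) >>> 0; // the zero bits of the mask
  if (((hostBits + 1) & hostBits) !== 0) throw new Error("non-contiguous mask: " + maskText);
  const network = (addr & mask) >>> 0;
  return {
    entry,
    first: intToIp(network),
    last: intToIp((network | hostBits) >>> 0),
    prefix: prefixLength(mask),
    size: hostBits + 1,
    aligned: network === addr, // false when the written address has host bits set
  };
}

// Same test as isInNet(): compare the masked address with the masked pattern.
function inNet(ip, entry) {
  const [addrText, maskText] = entry.split(",").map((s) => s.trim());
  const mask = ipToInt(maskText);
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(addrText) & mask) >>> 0);
}

// First BadNetworks entry that covers ip, or null.
function lookup(ip, entries) {
  return entries.find((e) => inNet(ip, e)) || null;
}

// Entries quoted from this page (comments give the changelog item)
const BadNetworks = [
  "89.248.160.0, 255.255.240.0",    // #2  Ecatel PCs? (removed in #15)
  "207.66.153.90, 255.255.255.254", // #5  flyingcroc
  "67.191.128.0, 255.255.192.0",    // #45 Comcast PCs 1
  "195.10.6.0, 255.255.255.0",      // #48 scripts.dlv4.com
  "82.98.86.183, 255.255.255.224",  // #50 PARKFUNNEL
];

for (const e of BadNetworks) {
  const d = parseEntry(e);
  const note = d.aligned ? "" : ", written address is not the network address";
  console.log(`${e.padEnd(32)} /${d.prefix}  ${d.first} - ${d.last}  (${d.size} addresses${note})`);
}
console.log(lookup("89.248.170.5", BadNetworks)); // constructed test address
```

When an entry's written address is not on the boundary of its mask, the masked comparison still works, but anyone reading the rule sees the wrong starting point; normalizing it to the network address (82.98.86.160 here) keeps the file honest. The size column is the number to look at before adding a block: a /20 or /18 added because of a few bad hosts will also catch every innocent machine in the same allocation.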