24 May 2010 Changes (HHH)
---------------------------

 1. Action: I should have done these sooner. The tools that were used in analyzing the hpHosts hosts file were also used here. SORRY. Better LATE than NEVER I guess.
    Added:
      BadDomains[i++] = ".cometruestar.ru";     // DNSWCD MalWare - 2010-04-20
      BadDomains[i++] = ".genuinecolors.ru";    // DNSWCD MalWare - 2010-04-20
      BadDomains[i++] = ".genuinehollywood.ru"; // DNSWCD MalWare - 2010-04-20
      BadDomains[i++] = ".trueworldmedia.ru";   // DNSWCD MalWare - 2010-04-20
      BadDomains[i++] = ".yourtruegame.ru";     // DNSWCD MalWare - 2010-04-20
      BadDomains[i++] = ".yourtruemate.ru";     // DNSWCD MalWare - 2010-04-20
    Reason: See point 10 below for the other two domains like this one.
    Counts by domain for what MDL had for these:
      00026 cometruestar.ru
      00023 genuinehollywood.ru
      00019 genuinecolors.ru
      00017 yourtruegame.ru
      00016 trueworldmedia.ru
      00015 yourtruemate.ru
    {
    They move their IP addresses around - tested - and the long host names they use are always changing. But the domains themselves are SORT of static and thus these rules. It probably will not last long. Here is what the IP addresses are over time, by DATE. If they are duplicated an asterisk will be put to the left of them.

    ------------ 2010-04-20 00:07 ------------
      083.096.148.095
      087.098.162.012
    * 091.121.056.065
    * 091.121.079.007
      091.121.113.084
    * 091.121.222.227
      094.023.029.106
    * 195.242.099.068
    ------------ 2010-04-22 12:42 ------------
    * 091.121.056.065
      091.121.065.117
    * 091.121.079.007
      091.121.155.020
      091.121.156.169
    * 091.121.222.227
    * 195.242.099.068
    ------------ 2010-04-23 22:39 ------------
    * 082.211.007.032
      085.158.005.005
    * 087.230.053.082
    * 088.191.079.223
    * 093.089.080.117
    * 094.136.061.205
      217.172.170.116
    ------------ 2010-04-29 21:47 ------------
    * 082.211.007.032
    * 087.230.053.082
    * 088.191.079.223
    * 093.089.080.117
    * 094.136.061.205
    ------------ 2010-05-01 00:05 ------------
    * 082.211.007.032
    * 087.230.053.082
    * 088.191.079.223
    * 093.089.080.117
    * 094.136.061.205
    (this is a duplicate of the previous one)
    ------------ 2010-05-04 18:37 ------------
      062.067.246.113
    * 062.193.208.175
    * 078.041.156.236
    * 080.248.221.213
    * 082.211.007.032
    * 087.230.053.082
      088.198.049.197
      091.204.116.114
    * 093.089.080.117
    * 094.076.254.248
    * 094.136.061.205
      217.160.019.018
    ------------ 2010-05-05 12:27 ------------
    * 062.193.208.175
    * 078.041.156.236
    * 080.248.221.213
    * 087.230.053.082
      091.121.160.223
    * 093.089.080.117
    * 094.076.254.248
      095.154.248.161
    }

 2. Action: Made the BadURL_Parts in proxy* and dbgproxy* that used to be an implicit Malware (Maliciels) explicitly that way in all *proxy* files.
    Date: 2010-04-20 00:07
    Added:
      // Malware - 2010-04-20
      // Maliciels - 2010-04-20
    Reason: One might assume they are porn in the pornproxy* files when in fact they are REALLY double duty rules, both porn and MALWARE (MALICIELS). Now all of the rules in the pornproxy* files that have no comment are implicitly PORN. The date will change but eventually ALL of the rules, not just the BADURL_Parts, will be filled out in the same manner.

 3. Action: Just when I thought the park.funnel.revenuedirect.com.akadns.net (PARKFUNNEL) changed their IP addresses, the old one roars back. So I am adding these back in ...
    Added:
      BadNetworks[i++] = "66.150.161.32, 255.255.255.224"; // PARKFUNNEL - 2010-04-20
      BadNetworks[i++] = "69.25.47.160, 255.255.255.224";  // PARKFUNNEL - 2010-04-20
    Reason: They can't make up their mind where to put it at. If I ever remove them again, remind me to put them back in!

 4. Action: Continued from step 2 into the BadHostParts rules.
    Date: 2010-04-20 11:42
    Added:
      // Malware - 2010-04-20
      // Maliciels - 2010-04-20
    Reason: To have a reason for everything. There is one rule that does not have these comments, the "--". That is because that is an illegal host name, but Airelle has the most in hosts.mis, then hosts.sex. It seems to be abused by everybody. Note that "huge" is in the BadURL_Parts rules in the pornproxy* files but is in the BadHostParts rules in the proxy* files. The designation is still the same - Maliciels / Malware. The BadURL_WordStarts rules are all commented in. The only sections that need to be filled in are the BadHostWordStarts (4 rules), BadURL_WordEnds (5 rules), and BadHostWordEnds (4 rules). Any rules left in the pornproxy* files after that are PORN, IMPLICITLY.
      BadHostWordStarts: FINISHED - 2010-04-22 06:53
      BadURL_WordEnds:   FINISHED - 2010-04-22 07:01
      BadHostWordEnds:   FINISHED - 2010-04-22 07:05

 5. Action: Changed the location of two rules:
    Date: 2010-04-21 22:55
    Rule 1: BadURL_WordStarts[i++] = "adsatt\.";
    Rule 2: BadURL_WordStarts[i++] = "cfg\.bin";
    From: WHERE THEY WERE AT - WRONG PLACE
    To: first ( "adsatt\." ) below this rule:
      BadURL_WordStarts[i++] = "adrelated\.";
    and the second ( "cfg\.bin" ) below this rule:
      BadURL_WordStarts[i++] = "bot\.exe";
    Reason: You can NOT have these complicated expressions too near the top of the list so I moved them where they needed to be in preparation for adding the next rules.

 6. Action: Added some ad server rules
    Date: 2010-04-21 22:59
    Added:
      BadURL_WordStarts[i++] = "images\/ad_";  // AdServer - 2010-04-21
      BadURL_WordStarts[i++] = "images\/ad-";  // AdServer - 2010-04-21
      BadURL_WordStarts[i++] = "images\/ads-"; // AdServer - 2010-04-21
      BadURL_WordStarts[i++] = "images\/ads\/"; // AdServer - 2010-04-21
    Reason: GoDaddy's park page looked HORRIBLE with the host images-pw.secureserver.net blocked. I already have the tracker handled so I took care of these ads. Now people can delete the images-pw.secureserver.net host, block the ads, and have a much prettier page. Actually, only the first one is needed but I have observed ALL of these so many times I thought I may as well add ALL of them and get it done.

 7. Action: Removed a domain
    Date: 2010-04-22 06:33
    Removed:
      BadDomains[i++] = ".click-new-download.com"; // P2P - 2009-03-24
    Reason: It is now parked at GoDaddy (shows the parked page). WILL SOMEBODY PLEASE MONITOR THIS SUCKER AND TELL ME WHEN THEY START REDIRECTING TO MALWARE AGAIN! Parking at GoDaddy is nothing more than a revolving door. They go in and lay low as a parker for a brief time. Then they start using GoDaddy as a REDIRECTOR. I am sure GoDaddy has caught on - as long as they get money coming into their coffers they don't care as long as it leads only to LOW ORDER malware. It is NOT okay if it leads to ZBot, QakBot, KoobFace or something else that is considered higher order and GoDaddy will stop the redirect. But for everything else it is GIVE ME THE MONEY, HONEY! I should know - I have four domains that are registered with them.

 8. Action: Changed a comment to reflect true status
    Date: 23 April 2010
    From:
      BadDomains[i++] = ".directtrack.com"; // Tracker
    To:
      BadDomains[i++] = ".directtrack.com"; // DNSWCD Tracker - 2010-04-23
    MinPAC: RODNEY - ADD THIS RULE TO minproxy_en.txt!
    Reason: http://cellularabroad.com was using: cellularabroad.directtrack.com
      $ host djfsdka7348.directtrack.com
      djfsdka7348.directtrack.com has address 207.67.0.233

 9. Action: Added white-list rule
    Added:
      GoodDomains[i++] = "antivirus.about.com"; // antivir - 2010-04-24
    Reason: Tried to find information on the recent McAfee SNAFU.

10. Action: Some more (SEE #1) wapdodoit.ru, yourblenderparts.ru
    Added:
      BadDomains[i++] = ".wapdodoit.ru";       // DNSWCD MalWare - 2010-04-24
      BadDomains[i++] = ".yourblenderparts.ru"; // DNSWCD MalWare - 2010-04-24
    Reason: Some more have popped up - what can I say? Also monitor ayaco.ru, and stirparts.ru

11. Action: I held off until it had a web server - NOW IT DOES!
    Added:
      BadNetworks[i++] = "222.222.222.222, 255.255.255.255"; // Malware - 2010-04-24
    Reason: I don't care what they are using it for - I DON'T WANT WHATEVER THEY ARE SELLING!

12. Action: Removed useless rules
    Date: 2010-04-27 02:02
    Removed:
      BadNetworks[i++] = "62.32.97.0, 255.255.255.0";    // PRIVUS intellitxt1
      BadNetworks[i++] = "207.211.21.0, 255.255.255.0";  // PRIVUS intellitxt2
      BadNetworks[i++] = "207.211.65.0, 255.255.255.0";  // PRIVUS intellitxt3
    Reason: They have only a few aliases and they are known. I feel sorry for these people because they approached things heads up and got whacked. It is almost enough for me to just remove all of their hosts from the hosts file. In fact, I think I will do EXACTLY that. Since there are less than 100 people using the hosts file and only 2 people using the PAC filter it is time to say goodbye to the IntelliTxt hosts in the hosts file.

13. Action: Removed a lot of old useless rules
    Date: 2010-04-29 12:59
    Removed:
      BadDomains[i++] = ".8866.org";                 // Malware - 2008-12-14
      BadDomains[i++] = ".adgardener.com";           // AdServer
      BadDomains[i++] = ".adisn.com";                // Tracker - 2009-08-19
      BadDomains[i++] = ".erasercash.com";           // DNSWCD AdServer - 2008-11-28
      BadDomains[i++] = ".falkag.net";               // Tracker
      BadDomains[i++] = ".g.ak.nbci.com";            // AdTracker - 2009-01-08
      BadDomains[i++] = ".hpg.com.br";               // DNSWCD AdServer
      BadDomains[i++] = ".imgis.com";                // DNSWCD AdServer - 2008-11-28
      BadDomains[i++] = ".liveadvert.com";           // AdServer
      BadDomains[i++] = ".mybeliefs.info";           // DNSWCD - WebBug - 2009-06-22
      BadDomains[i++] = ".mycomputer.com";           // Tracker - 2009-01-12
      BadDomains[i++] = ".wegoodentertainment.info"; // DNSWCD - WebBug - 2009-11-16
    MinPAC: I have removed the hpg.com.br rule - it causes FPs.
    Reason: Most are useless now, and the ones noted that cause FPs should have never been there.

14. Action: Reviewed some rules in conjunction with #13 and I am keeping them for now
    From:
      BadDomains[i++] = ".ezboard.com"; // AdServer - 2010-02-12
    To:
      BadDomains[i++] = ".ezboard.com"; // DNSWCD AdServer - 2010-02-12
    MinPAC: alexametrics.com and clicktale.net had their date changed because some people may use ONLY the PAC filter AND I am almost positive we had more than just s.clicktale.net. But ".ezboard.com" has its designation changed. The last one was ".smtp.ru". After review it also can be blocked ONLY with the PAC filter (see Airelle's files).
    Reason: They are still being used after review.

15. Action: Added some anti Qakbot Trojan / worm rules
    Added:
      BadURL_WordStarts[i++] = "_qbot";          // PRIVUS Malware - 2010-05-01
      BadURL_WordStarts[i++] = "_qbot\.dll";     // Malware - 2010-05-01
      BadURL_WordStarts[i++] = "_qbotinj\.exe";  // Malware - 2010-05-01
    Reason: http://www.theregister.co.uk/2010/04/23/nhs_worm_infection/
    I do not see how it is possible they could have been infected with a year old Trojan. They had to have the following things wrong:
      http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i
      http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii
    They were using either IE (probably IE-6 on W2K) or Quicktime, but with all the stuff I see any half way decent AV package SHOULD be able to protect you. I think they need to say to hell with it and skip the intermediate step of OpenOffice and either Firefox or Google Chrome on Windows and skip straight to Linux with the learning curve of both those things added to it. WHAT NEED DOES A HOSPITAL HAVE OF QuickTime MEDIA? DO THEY REALLY ***NEED*** IT? I imagine that PRIVUS rule will bite the dust fairly soon.

16. Action: Some more tracker rules
    Added:
      BadURL_WordStarts[i++] = "sitestat\.js";   // Tracker - 2010-05-01
      BadURL_WordStarts[i++] = "sitestats\.gif"; // Tracker - 2010-05-01
    Reason: Several sites used these rules to track me.

17. Action: Need GoodDomains rule
    Added:
      GoodDomains[i++] = "rajshri.com"; // Zedo - 2010-05-01
    Reason: The BadDomains[i++] = ".zedo.com"; rule clobbers it.

18. Action: Mishmash of Ad, Parker, and Tracker rules
    Added:
      BadDomains[i++] = ".cpxinteractive.com";  // AdServer - 2010-05-01
      BadDomains[i++] = ".domainsponsor.com";   // Parker - 2010-05-01
      BadDomains[i++] = ".fwmrm.com";           // AdServer - 2010-05-01
      BadDomains[i++] = ".hitslink.com";        // Tracker - 2010-05-01
      BadDomains[i++] = "smarttargetting.co.uk"; // Tracker - 2010-05-01
      BadDomains[i++] = "smarttargetting.net";   // Tracker - 2010-05-01
      BadDomains[i++] = ".spylog.ru";           // Tracker - 2010-05-01
    MinPAC: The ".fwmrm.com" domain, while not a DNSWCD, has many of the same characteristics. You almost NEVER know what you are going to get. The one I got was NOT in any hosts file.
    Reason: Since Trackers and WebBugs are priority number one I just add them as I see them. Many people will NOT use a blocking (Redirect To Self - RTS) hosts file so these rules were needed. In the case of the rule mentioned in the MinPAC comment it is the only way to fly.

19. Action: 216.240.187.175 is a redir to parkers
    Removed:
      BadDomains[i++] = ".mylongtail.com"; // DNSWCD - Tracker
    MinPAC: REMOVE THIS RULE - IT IS NOW USELESS.
    Reason: I did a pull down of the domain in question and it redirected to SearchPortal.DomainSponsor.com - PARKED

20. Action: Removed one Host rule in preparation for URL rules
    Removed:
      BadHostParts[i++] = "bannerad"; // AdServer - 2009-05-28
    Reason: I am finally putting these into the URL level

21. Action: Added some AdServer rules
    Added:
      BadURL_WordStarts[i++] = "bannerads-";   // AdServer - 2010-05-04
      BadURL_WordStarts[i++] = "_ad\.aspx";    // AdServer - 2010-05-04
      BadURL_WordStarts[i++] = "ad\.aspx";     // AdServer - 2010-05-04
      BadURL_WordStarts[i++] = "_bannerad\.";  // AdServer - 2010-05-04
      BadURL_WordStarts[i++] = "bannerad\.";   // AdServer - 2010-05-04
      BadURL_WordStarts[i++] = "bannerads\/";  // AdServer - 2010-05-04
    Reason: Needed some time to think about the other stuff below. Normally I do not bother with ad rules but some of these were also doing tracking.

22. Action: Removed the "free" rule and some other "free" white-lists
    Date: 2010-05-04 18:06
    Removed:
      GoodDomains[i++] = "checkoutfree.com";       // ussearch.com
      GoodDomains[i++] = ".free-graphics.com";
      GoodDomains[i++] = "freenet-homepage.de";
      GoodDomains[i++] = "freepatentsonline.com";
      GoodDomains[i++] = "freenode.net";
      GoodDomains[i++] = "freeos.com";
      GoodDomains[i++] = ".freeresumeexamples.net";
      // BadHostParts[i++] = "[^g]free[^bdz]"; // YOUR CHOICE - 2009-05-07
    Reason: As commendable as the "free" rule was it just has too many FPs. Goodbye, except for me.

23. Action: Altered the free (& some other) rules left to indicate status
    From:
      GoodDomains[i++] = "abcdelasecurite.free.fr";
      GoodDomains[i++] = ".ac.uk";                 // 2009-02-17
      GoodDomains[i++] = "assiste.com.free.fr";
      GoodDomains[i++] = ".bluecoat.com";
      GoodDomains[i++] = "bytecrime.org";
      GoodDomains[i++] = ".edu";
      GoodDomains[i++] = ".edu.cn";                // 2009-02-17
      GoodDomains[i++] = ".edu.tw";                // 2009-04-07
      GoodDomains[i++] = "freepcsecurity.co.uk";   // 2009-07-17
      GoodDomains[i++] = ".gov";
      GoodDomains[i++] = "javacoolsoftware.com";
    To:
      GoodDomains[i++] = "abcdelasecurite.free.fr"; // SECURITY - 2010-05-04
      GoodDomains[i++] = ".ac.uk";                 // EDU - 2010-05-04
      GoodDomains[i++] = "assiste.com.free.fr";    // SECURITY - 2010-05-04
      GoodDomains[i++] = ".bluecoat.com";          // SECURITY - 2010-05-04
      GoodDomains[i++] = "bytecrime.org";          // SECURITY - 2010-05-04
      GoodDomains[i++] = ".edu";                   // EDU - 2010-05-04
      GoodDomains[i++] = ".edu.cn";                // EDU - 2010-05-04
      GoodDomains[i++] = ".edu.tw";                // EDU - 2010-05-04
      GoodDomains[i++] = "freepcsecurity.co.uk";   // SECURITY - 2010-05-04
      GoodDomains[i++] = ".gov";                   // Phish - 2010-05-04
      GoodDomains[i++] = "javacoolsoftware.com";   // SECURITY - 2010-05-04
    Reason: Make their purpose clear. There are some more that need to be done and the moniker will probably just be "general" for most of them.

24. Action: REDIR host that is mixed with others that go to malware
    Added:
      BadDomains[i++] = ".sendori.com"; // YOUR CHOICE DNSWCD REDIR - 2010-05-05
    MinPAC: You may not want to add it. This is mixed in with a lot of other REDIRS (more are in the hosts file) where you have no control over where you end up at. The problem is, for sites like gophersearch.com they go to nothing 95% of the time or something that is innocuous. It took an entire afternoon on the last pseudo search site and I put that sucker right back in the hosts file and it is going to STAY THERE UNTIL IT IS LONG DEAD. So decide for yourself. Oh yes, gophersearch.com is going to stay there until it is dead too.
    Reason: Look at the other IP REDIR rules because at any given time ANY OF THESE CAN REDIRECT TO MALWARE. REDIRECTORS ARE NOW ADDED INTO MY CATCH ALL PHRASE "WHEN I SEE SOMETHING I DON'T LIKE." *I* *BLOCK* *THESE* *DANGEROUS* *SUCKERS*! That especially goes for GoDaddy's pseudo parks. I am tired of dangerous redirections all over the Internet!

25. Action: GoDaddy's Pseudo-Park - the most numerous pseudo park
    Added:
      BadNetworks[i++] = "64.202.189.170, 255.255.255.255"; // GoDaddy Pseudo-Parker 1 - 2010-05-06
      BadNetworks[i++] = "68.178.232.100, 255.255.255.255"; // GoDaddy Faux-Parc 2 - 2010-05-06
    MinPAC: ??? I don't know what to advise. Either you get a park message or get redirected to a host that may or may not be malevolent.
    Reason: YOU DON'T KNOW WHAT YOU ARE GOING TO GET! Well at least with all of these you will now get a pretty white page:
      http://www.SecureMecca.biz
      http://www.SecureMecca.info
      http://www.SecureMecca.org
      http://www.SecureMecca.us
    IT DOES NOT BOTHER ME! By the way, I will give (transfer) any or all of these domains to any Islamic organization that promises to use them for peaceful and / or educational purposes. For example, information on making the Hajj (pilgrimage to Mecca) would be entirely appropriate. I am not a Muslim but if you ask me what we need is to promote the things we all share in common. There can be dangerous things in all religions but the respect and proper treatment of others would make the world a better place for everyone. If some Born Again Christian finds that offensive, so be it - I hope you don't use the PAC filter and I hope you use Microsoft Windows and I hope you get infected. That's life!
    PS Also do not use the Firefox browser and even if you do under no circumstances install the NoScript plugin!
      https://addons.mozilla.org/en-US/firefox/addon/722
      http://extensions.geckozone.org/NoScript

26. Action: Added some crackgen / file sharing rules
    Added:
      BadURL_Parts[i++] = "3rabnaar";       // Malware - 2010-05-07
      BadHostWordStarts[i++] = "crack";     // PRIVUS Malware - 2010-05-07
      BadHostWordEnds[i++] = "crack";       // PRIVUS Malware - 2010-05-07
      BadHostWordEnds[i++] = "cracks";      // PRIVUS Malware - 2010-05-07
    Reason: Michel had these in his rules and after looking at both hosts.rsk and hosts.sex of Airelle, it actually has more of a Maliciels count than porn.

27. Action: Added some rules for the latest flash*.exe file names
    Added:
      BadURL_WordStarts[i++] = "flash-video-plugin"; // Malware - 2010-05-07
    Reason: How the latest ones are coming in ...

28. Action: Weakened one of our phishing rules
    Date: 2010-05-07 20:50
    From:
      GoodDomains[i++] = ".facebook.com"; // Phish - 2009-11-15
    To:
      GoodDomains[i++] = "facebook.com";  // Phish - 2009-11-15
    MinPAC: Only if it is in your list
    Reason: Somebody called it without the "www." so now we have to live more dangerously. We are still MUCH better off than having NOTHING!

29. Action: GoodDomains rules are filled in with comments
    Date: 2010-05-08 04:02
    From:
      GoodDomains[i++] = "eurotunnel.com";
      GoodDomains[i++] = "hotmail.com";
      GoodDomains[i++] = "hotwire.com";
      GoodDomains[i++] = "imdb.com";
      GoodDomains[i++] = "privacydigest.com";
      GoodDomains[i++] = "siteadvisor.com";
      GoodDomains[i++] = "siteadvisor.cn";            // 2009-01-13
      GoodDomains[i++] = "skyangel.com";
      GoodDomains[i++] = "spywareremove.com";
      GoodDomains[i++] = ".tbs.com";
      GoodDomains[i++] = "virginmedia.com";
      GoodDomains[i++] = "virginmega.fr";
      GoodDomains[i++] = "wikimedia.org";
      GoodDomains[i++] = "wikipedia.org";
      GoodDomains[i++] = "womenssportsfoundation.org";
      GoodDomains[i++] = "wwwomen.com";
      GoodDomains[i++] = "youngdemocrats.net";
      GoodDomains[i++] = "youngrepublicans.com";
    --------------------------------------------------------
    To:
      GoodDomains[i++] = "eurotunnel.com";            // PROXY - 2010-05-07
      GoodDomains[i++] = "hotmail.com";               // general - 2010-05-07
      GoodDomains[i++] = "hotwire.com";               // general - 2010-05-07
      GoodDomains[i++] = "imdb.com";                  // general - 2010-05-07
      GoodDomains[i++] = "privacydigest.com";         // SECURITY - 2010-05-07
      GoodDomains[i++] = "siteadvisor.com";           // SECURITY - 2010-05-07
      GoodDomains[i++] = "siteadvisor.cn";            // SECURITY - 2009-01-13
      GoodDomains[i++] = "skyangel.com";              // "[^hnrv]angel" - 2010-05-07
      GoodDomains[i++] = "spywareremove.com";         // SECURITY - 2010-05-07
      GoodDomains[i++] = ".tbs.com";                  // general - 2010-05-07
      GoodDomains[i++] = "virginmedia.com";           // "virgin[^im]" - 2010-05-07
      GoodDomains[i++] = "virginmega.fr";             // "virgin[^im]" - 2010-05-07
      GoodDomains[i++] = "wikimedia.org";             // general - 2010-05-07
      GoodDomains[i++] = "wikipedia.org";             // general - 2010-05-07
      GoodDomains[i++] = "womenssportsfoundation.org"; // "women" - 2010-05-07
      GoodDomains[i++] = "wwwomen.com";               // "women" - 2010-05-07
      GoodDomains[i++] = "youngdemocrats.net";        // "young" - 2010-05-07
      GoodDomains[i++] = "youngrepublicans.com";      // "young" - 2010-05-07
    MinPAC: Only if one of them is in your list
    Reason: Consistency; I realize some don't have dates but I can not fill those in. The ones that have dates but no reason should be considered "general" / "général".

30. Action: Tracker rules
    Added:
      BadURL_WordStarts[i++] = "blank\.gif";       // PRIVUS Tracker - 2010-05-08
      BadDomains[i++] = ".industrybrains.com";     // Tracker - 2010-05-08
    MinPAC: DNSWCD should not be the ONLY criteria. The number of given hosts involved and the chance of FPs are also involved. In this case there are not that many hosts for the second rule. But at least one person is NOT using a hosts file and only the PAC filter. In this case there is practically zero chance of FPs, and almost no chance of another host in the domain. Yet this rule IS a good candidate for inclusion. Why? Because ABP's EasyPrivacy has the equivalent of this rule. It has MILLIONS of people using it and nobody has had a complaint.
    Reason: It is needed - there may be another host in the domain the hosts file does not stop and some people will not use the hosts file.

31. Action: Insignificant weakening of the "angel" rule
    From:
      GoodDomains[i++] = "skyangel.com";     // "[^hnrv]angel" - 2010-05-07
      BadHostParts[i++] = "[^hnrv]angel";    // Malware - 2010-01-04
    To:
      GoodDomains[i++] = "skyangel.com";     // "[^hnrv]angel[^w]" - 2010-05-07
      BadHostParts[i++] = "[^hnrv]angel[^w]"; // Malware - 2010-01-04
    Reason: http://www.AngelWars.com (see RESOLVED FPs below)
       1 angelw_Parts.txt
      12 angelw_Passed_All_Rules.txt
       0 angelw_Starts_and_Ends.txt
      13 total

32. Action: BAD DOMAIN
    Added:
      BadDomains[i++] = ".acleareu.com"; // DNSWCD Malware - 2010-05-14
    MinPAC: ADD IT!
    Reason: This was given as a PhishTank submission. It may well not be a Malware host but it did redirect to www.xxx-porn-j.com and as such it is a very dangerous host - more so than just a phish.

33. Action: Removed problem rule
    Removed:
      BadHostParts[i++] = "stats"; // YOUR CHOICE - Tracker - 2009-04-21
    Reason: hosted.stats.com, versus.stats.com (it was meant to be experimental - should have known better)

34. Action: Attempt to replace *.addthis.com hosts with filter rules
    Added:
      BadURL_Parts[i++] = "addthis.com\/at\/";   // PRIVUS Tracker - 2010-05-22
      BadURL_Parts[i++] = "addthis.com\/live\/"; // PRIVUS Tracker - 2010-05-22
    Reason: They, with clearspring, are some of the newer and better trackers and if you don't cave in hundreds of social sites will deprive you of their services.

35. Action: GAMBLE DID NOT PAY OFF
    From:
      BadURL_Parts[i++] = "counter\.[(c|j)]";     // YOUR CHOICE Tracker - 2009-11-16
    To:
      BadURL_WordStarts[i++] = "bh_counter\.js";  // Tracker - 2010-05-22
      BadURL_WordStarts[i++] = "counter\.[(j|p)]"; // Tracker - 2010-05-22
      BadURL_WordStarts[i++] = "statcounter\.js"; // Tracker - 2010-05-22
    Reason: roadid.com/Scripts/jquery.charcounter.js

36. Action: Change in what is left of RealMedia (almost gone now)
    Date: 2010-05-23 04:47 (UTC)
    From:
      BadNetworks[i++] = "212.113.31.48, 255.255.255.248"; // YOUR CHOICE REALMEDIA-4 - 2009-02-23
    To:
      BadNetworks[i++] = "63.97.94.8, 255.255.255.192";    // PRIVUS REALMEDIA-6 - 2010-05-23
      BadNetworks[i++] = "63.97.94.64, 255.255.255.240";   // PRIVUS REALMEDIA-7 - 2010-05-23
    Reason: Their IP address space shifted

37. Action: Removed the galler rules
    Date: 2010-05-23 04:49 (UTC)
    Removed:
      BadHostParts[i++] = "galleri"; // Malware - 2010-04-20
      BadHostParts[i++] = "gallery"; // Malware - 2010-04-20
    Reason: Too many false positives and very little pay back.

38. Action: Added a REALLY BAD GIF and SWF tracker
    Added:
      BadURL_Parts[i++] = "s3.amazonaws.com\/new.cetrk.com"; // Tracker - 2010-05-23
    Reason: This is not the only one but it complements my image trackers (they have some scripts as well).

39. Action: Guard against FALSE pac files
    Added:
      BadURL_WordEnds[i++] = "\.pac"; // Malware - 2010-05-23
    Reason: 208.64.66.170:8099/config.pac
    DO NOT GO TO THIS IN THE BROWSER! Pull it down with wget.

40. Action: Added some PAC filter rules for ads for people who do not use hosts files.
    Added:
      BadDomains[i++] = ".amgdgt.com";             // AdServer - 2010-05-23
      BadDomains[i++] = ".bluestreak.com";         // AdServer - 2010-05-23
      BadURL_WordStarts[i++] = "loadad\.aspx";     // AdServer - 2010-05-24
    Reason: As stated - one person will NOT use a blocking hosts file.

41. Action: Added some PAC filter rules for trackers for people who do not use hosts files.
    Added:
      BadDomains[i++] = ".trafficmp.com";          // Tracker - 2010-05-23
      BadDomains[i++] = ".webtrendslive.com";      // Tracker - 2010-05-23
      BadDomains[i++] = ".yousee.com";             // DNSWCD Tracker - 2010-05-23
      BadURL_Parts[i++] = "4theclueless.com\/adlogger\/";                // Tracker - 2010-05-23
      BadURL_Parts[i++] = "directnews.co.uk\/feedtrack\/";               // Tracker - 2010-05-23
      BadURL_Parts[i++] = "environmentalgraffiti.com\/eg\/hits\/logger"; // Tracker - 2010-05-23
      BadURL_Parts[i++] = "google\.com\/uds\/stats";                     // Tracker - 2010-05-23
      BadURL_Parts[i++] = "media-imdb.com\/twilight\/";                  // Tracker - 2010-05-23
      BadURL_WordStarts[i++] = "iperceptions\.js"; // Tracker - 2010-05-24
      BadURL_WordStarts[i++] = "watsontracker\/";  // Tracker - 2010-05-24
      BadURL_WordStarts[i++] = "zaehlpixel\.php";  // Tracker - 2010-05-24
      BadHostWordEnds[i++] = "l.sharethis.com";    // Tracker - 2010-05-24
    MinPAC: You may want to add the trafficmp.com rule and the yousee.com rules.
    Reason: Some are generic but the yousee.com rule is for something that may potentially be a redirect.

42. Action: Experimental Tracker Rule
    Added:
      BadDomains[i++] = ".singlefeed.com"; // PRIVUS Tracker - 2010-05-23
    Reason: reporting.singlefeed.com/z/track.js?v=1.1
    THIS RULE IS INTENDED TO GO AWAY. DO NOT ADD IT! (unless you want to experiment with it as well)


24 May 2010 UNresolved False Positives (HHH)
--------------------------------------------

NONE


24 May 2010 RESOLVED False Positives (HHH)
------------------------------------------

 1. Pattern: "antivir"
    Date: 2010-04-24 10:32
    Rules:
      BadHostParts[i++] = "antivir";
    Reason: People need the info
    Solution:
      GoodDomains[i++] = "antivirus.about.com"; // antivir - 2010-04-24
    (McAfee REMOVED svchost.exe? WILL THEY BE HERE ON 2011-04-24?)

 2. Pattern: facebook.com
    Date: 2010-05-07 20:50
    Rules:
      GoodDomains[i++] = ".facebook.com";
      BadHostParts[i++] = "facebook";
    Reason: Someone called it direct. You probably need to drop the leading DOT.
    MinPAC: Only if it is in your list
    Solution:
      GoodDomains[i++] = "facebook.com";
    (we weakened the rule)

 3. Pattern: "angel"
    Rules:
      BadHostParts[i++] = "[^hnrv]angel";     // Malware - 2010-01-04
    Reason: http://www.AngelWars.com/
    Solution:
      BadHostParts[i++] = "[^hnrv]angel[^w]"; // Malware - 2010-01-04
    Thanks to lists provided by Fabrice Prigent of Université Toulouse 1 Capitole: http://cri.univ-tlse1.fr/blacklists/
    I now have:
      $ wc -l ../Hosts/mypornlist porn_sans_IPS_AND_MINE
        63079 ../Hosts/mypornlist
       800209 porn_sans_IPS_AND_MINE
       863288 total
    That is almost double what I had and in addition it is more up to date. I lost almost NOTHING by this change in protection based on a new and better updated list. AngelWar2.com or AngelWars3.com anybody?

 4. Pattern: "stats" in hosts
    Date: 2010-05-21 23:16
    Rules:
      BadHostParts[i++] = "stats"; // YOUR CHOICE - Tracker - 2009-04-21
    Reason: hosted.stats.com, versus.stats.com (it was meant to be experimental - should have known better)
    Solution: REMOVE THE RULE!
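The changelog above lists rules by table (GoodDomains, BadDomains, BadNetworks, BadHostParts, BadURL_WordStarts, BadURL_WordEnds) but never shows how a PAC file consumes them. The block below is an added example, not code from this changelog or from the SecureMecca proxy*/pornproxy* files: a miniature FindProxyForURL written in JavaScript (the language PAC files are written in) that wires a handful of the rules quoted above into one evaluation order and checks the two false positives from the RESOLVED list (items 28/FP 2 and 31/FP 3). Everything beyond the rule strings themselves is an assumption: the white-list-first precedence, the sink proxy address, the "leading dot means suffix match, no dot means substring match" reading of item 28, the word-boundary semantics given to WordStarts/WordEnds, the .example sample hosts, and passing the resolved IP in as a parameter instead of calling dnsResolve(), which only exists inside a browser's PAC sandbox.

```javascript
"use strict";

// Assumed sink for blocked requests; a real PAC file would point this at
// a local port that nothing listens on.
const BLACKHOLE = "PROXY 127.0.0.1:3421";
const DIRECT = "DIRECT";

// Rule tables filled the way the changelog shows (X[i++] = "..."). The
// strings are taken from the changelog; inside a JS string literal the
// regex backslash has to be doubled, so "\.pac" becomes "\\.pac".
let i = 0;
const GoodDomains = [];
GoodDomains[i++] = "rajshri.com";        // Zedo - 2010-05-01 (item 17)
GoodDomains[i++] = "facebook.com";       // Phish - 2009-11-15 (weakened, item 28)
GoodDomains[i++] = "skyangel.com";       // "[^hnrv]angel[^w]" - 2010-05-07 (item 31)

i = 0;
const BadDomains = [];
BadDomains[i++] = ".zedo.com";           // item 17
BadDomains[i++] = ".acleareu.com";       // DNSWCD Malware - 2010-05-14 (item 32)

i = 0;
const BadNetworks = [];
BadNetworks[i++] = "64.202.189.170, 255.255.255.255"; // GoDaddy Pseudo-Parker 1 (item 25)
BadNetworks[i++] = "66.150.161.32, 255.255.255.224";  // PARKFUNNEL (item 3)

i = 0;
const BadHostParts = [];
BadHostParts[i++] = "[^hnrv]angel[^w]";  // Malware - 2010-01-04 (repaired form, FP 3)
BadHostParts[i++] = "facebook";          // FP 2

i = 0;
const BadURL_WordStarts = [];
BadURL_WordStarts[i++] = "images\\/ad_"; // AdServer - 2010-04-21 (item 6)
BadURL_WordStarts[i++] = "loadad\\.aspx"; // AdServer - 2010-05-24 (item 40)

i = 0;
const BadURL_WordEnds = [];
BadURL_WordEnds[i++] = "\\.pac";         // Malware - 2010-05-23 (item 39)

// Dotted quad -> unsigned 32-bit integer; rejects anything that is not IPv4.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("not an IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Same comparison as isInNet() in the Mozilla PAC helpers: BOTH sides are
// masked, so a base address that is not aligned to its mask (item 36's
// "63.97.94.8, 255.255.255.192") still denotes the whole block 63.97.94.0/26.
function inNetwork(ip, rule) {
  const [pattern, mask] = rule.split(",").map(s => s.trim());
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

// Assumed domain-rule semantics, read off item 28: a leading dot matches only
// hosts UNDER the domain (".facebook.com" misses bare "facebook.com"); without
// the dot the string may appear anywhere in the host name.
function domainMatches(host, rule) {
  return rule.startsWith(".") ? host.endsWith(rule) : host.includes(rule);
}

// Assumed pattern-table semantics: Parts match anywhere, WordStarts must begin
// at a word boundary, WordEnds must end at one. All are case-insensitive.
function partRe(p) { return new RegExp(p, "i"); }
function wordStartRe(p) { return new RegExp("(?:^|[^a-z0-9])" + p, "i"); }
function wordEndRe(p) { return new RegExp(p + "(?:$|[^a-z0-9])", "i"); }

// Does one BadHostParts pattern hit this host? Used to compare the old and
// the repaired "angel" rule from the RESOLVED False Positives list.
function hostPartHit(host, pattern) {
  return partRe(pattern).test(host.toLowerCase());
}

// The decision procedure. resolvedIp stands in for dnsResolve(host); pass
// null when no address is known and the network table is simply skipped.
function FindProxyForURL(url, host, resolvedIp) {
  host = host.toLowerCase();
  // 1. White-list wins outright (this is what lets skyangel.com through).
  if (GoodDomains.some(r => domainMatches(host, r))) return DIRECT;
  // 2. Domain and network black-lists.
  if (BadDomains.some(r => domainMatches(host, r))) return BLACKHOLE;
  if (resolvedIp && BadNetworks.some(r => inNetwork(resolvedIp, r))) return BLACKHOLE;
  // 3. Pattern tables, first on the host name, then on the whole URL.
  if (BadHostParts.some(p => partRe(p).test(host))) return BLACKHOLE;
  if (BadURL_WordStarts.some(p => wordStartRe(p).test(url))) return BLACKHOLE;
  if (BadURL_WordEnds.some(p => wordEndRe(p).test(url))) return BLACKHOLE;
  return DIRECT;
}

// Constructed sample calls (the .example hosts do not exist).
console.log(FindProxyForURL("http://c3.zedo.com/jsc/c3/ff2.js", "c3.zedo.com", null));
console.log(FindProxyForURL("http://www.angelwars.com/", "www.angelwars.com", null));
console.log(FindProxyForURL("http://config.example/proxy.pac", "config.example", null));
```

Two things the run makes visible that the changelog only states: the repaired "[^hnrv]angel[^w]" no longer hits www.angelwars.com but still hits www.skyangel.com, which is exactly why the GoodDomains entry for skyangel.com has to stay; and the item 28 weakening that lets bare facebook.com through also white-lists any host that merely contains the string "facebook.com" (a constructed facebook.com.phish.example passes), which is the "live more dangerously" trade-off the author describes.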