21 June 2010 Changes (HHH)
--------------------------

  1. Action:  Override of FaceBook rule
     Added:   GoodDomains[i++] = "facebook.net";  // Phish - 2010-05-27
     Reason:  connect.facebook.net/en_US/all.js gets blocked by:
                BadHostParts[i++] = "facebook";

  2. Action:  split a rule apart
     Date:    2010-05-28 00:29
     From:    BadURL_WordStarts[i++] = "counter\.[(j|p)]";  // Tracker - 2010-05-22
     To:      BadURL_WordStarts[i++] = "counter\.js";  // Tracker - 2010-05-28
              BadURL_WordStarts[i++] = "counter\.php";  // Tracker - 2010-05-28
     Reason:  gstatic.com/buzz/api/buzz_counter.png
              And here I thought what I had would handle both and have
              no FPs. Sigh.

  3. Action:  Add some AdServers to PAC for redundancy
     Added:   BadDomains[i++] = ".adbrite.com";  // AdServer - 2010-05-28
              BadDomains[i++] = ".adshuffle.com";  // AdServer - 2010-05-29
     Reason:  For people who do not use hosts file and are using
              some other browser other than Firefox or Firefox
              without ABP.

  4. Action:  Add tracker pattern to PAC
     Added:   BadURL_WordStarts[i++] = "foresee\/";  // Tracker - 2010-05-28
              BadURL_WordStarts[i++] = "foresee";  // PRIVUS Tracker - 2010-05-28
     Reason:  www.childfund.org/foresee/foresee-trigger.js
              www.channel4.com/foresee_c4/CPPS_omni.js
              www.channel4.com/foresee_c4/foresee-trigger.js
              The second one will probably bite the dust but what do
              we have besides foresee_c4?

* 5. Action:  Add some Trackers to PAC for redundancy
*    Added:   BadDomains[i++] = ".demandbase.com";  // Tracker - 2010-06-19
*             BadDomains[i++] = ".getclicky.com";  // Tracker - 2010-05-29
*             BadDomains[i++] = "mmismm.com";  // Tracker - 2010-06-05
*             BadDomains[i++] = "searchignite.com";  // Tracker - 2010-06-05
*             BadDomains[i++] = "spotxchange.com";  // Tracker - 2010-06-05
*             BadDomains[i++] = ".users.51.la";  // Tracker - 2010-05-31
*             BadDomains[i++] = ".viglink.com";  // Tracker - 2010-06-05
*    Reason:  For people who do not use hosts file and are using
*             some other browser other than Firefox or Firefox
*             without ABP.

  6. Action:  SageAnalytics
     Added:   BadNetworks[i++] = "212.62.17.192, 255.255.255.192";  // PRIVUS SageAnalyst - 2010-06-03
              BadNetworks[i++] = "212.62.17.224, 255.255.255.248";  // YOUR CHOICE SageAnalyst - 2010-06-03
     Reason:  www.report.shell.com ALIAS shellreport.st.sageanalyst.net
              How many more are there?

  7. Action:  Ad rules that cannot be blocked with hosts
     Added:   BadURL_Parts[i++] = "google-adsense-";  // AdServer - 2010-06-03
              BadURL_WordStarts[i++] = "adsyndication";  // AdServer - 2010-06-05
     Reason:  Google's AdSense isn't just an ad server. Technically
              it is a tracker / ad pusher. But these can not be done
              with a hosts entry in a hosts file. The "img/ads/*"
              rule supposedly has problems at ikea.com but so far I
              can not duplicate it.

  8. Action:  coremetrics & other patterns at Akamai blocked a payment
              at NewEgg.com and TigerDirect.com. More specifically it
              causes problems for the Visa Verify process. FINE! BLAME
              THEM FOR YOUR MACHINE IF IT GETS INFECTED. I AM OUTTA
              HERE!
     Date:    2010-06-04 09:03
     Removed: BadURL_Parts[i++] = "coremetrics";  // Tracker - 2009-11-23
     Added:   GoodDomains[i++] = ".akamai.net";  // VisaVerify - 2010-06-04
     Reason:  Could not make a payment at NewEgg.com

* 9. Action:  Add some rules similar to #5 but for AdServers (Redundancy)
*    Added:   BadDomains[i++] = ".afy11.net";  // AdServer - 2010-06-18
*             BadDomains[i++] = ".blogads.com";  // AdServer - 2010-06-19
*             BadDomains[i++] = ".collective-media.net";  // AdServer - 2010-06-19
*             BadDomains[i++] = ".dotomi.com";  // AdServer - 2010-06-05
*             BadDomains[i++] = ".fimserve.com";  // AdServer - 2010-06-19
*             BadDomains[i++] = ".fmpub.net";  // AdServer - 2010-06-19
*             BadDomains[i++] = "imiclk.com";  // AdServer - 2010-06-05
*             BadDomains[i++] = "googleadservices.com";  // AdServer - 2010-06-21
*             BadDomains[i++] = "marketingsolutions.yahoo.com";  // AdServer - 2010-06-21
*    Reason:  For people who do not use hosts file and are using
*             some other browser other than Firefox or Firefox
*             without ABP. You may need to constrain the
*             marketingsolutions.yahoo.com to have a leading "wa."
*             since all I have are srv1.wa, srv2.wa, and srv3.wa in
*             this domain.

 10. Action:  Exclusions to allow tracking
     Added:   GoodDomains[i++] = "promo.tubemogul.com";  // tube (comedy.com) - 2010-06-05
              GoodDomains[i++] = "promo2.tubemogul.com";  // tube (comedy.com) - 2010-06-05
     Reason:  For Comedy.com and any others that use this tracking
              service.

 11. Action:  Removed malware rules that may have been out of date
              when added.
     Removed: BadHostWordStarts[i++] = "euro-defender";  // DNSWCD Malware - 2010-04-02
     Reason:  ALL GONE! More may be removed later (and listed here).

*12. Action:  Tracker rules that cannot be blocked with hosts
*    Added:   BadURL_WordStarts[i++] = "click_tracking\.js";  // Tracker - 2010-06-19
*             BadURL_WordStarts[i++] = "clicktracking\/";  // Tracker - 2010-06-05
*             BadURL_WordStarts[i++] = "demandbase\.js";  // Tracker - 2010-06-19
*             BadURL_WordStarts[i++] = "elqnow\/";  // Tracker - 2010-06-05
*             BadURL_WordStarts[i++] = "fttrack2\.js";  // Tracker (ft.com) - 2010-06-05
*    Reason:  These can not be done with a hosts entry in a hosts
*             file.

 13. Action:  Added a rule for one of the MishInc FLV To Mp3 Distributors
     Added:   BadDomains[i++] = ".brothersoft.com";  // MalWare - 2010-06-05
     Reason:  This is a SEMI-DNSWCD. It is also the distributor of one
              of the avenues in for malware for the Macintosh.

 14. Action:  Trying to understand some ad server rules that EasyList has
     Added:   BadURL_WordStarts[i++] = "img\/ad_";  // PRIVUS AdServer - 2010-06-05
              BadURL_WordStarts[i++] = "img\/ads\/";  // PRIVUS AdServer - 2010-06-05
     Reason:  I saw that AdBlock Plus had an exclusion for the second
              at ikea.com. I supposedly do not block any more than
              they do but the contents get shoved 1/2 way down the
              screen. These SHOULD work but they don't and I want to
              find out WHY they don't work. I don't strip anything
              more out than the ABP Panel shows so they should look
              the same but they don't. These rules will PROBABLY be
              removed in the future. I suspect that they are taking
              things out that they don't show because I don't have
              anything close to their exclusion pattern:
                @@||ikea.com/ms/img/ads/$background,image
              showing up in the phttpd log.

 15. Action:  Removed experimental rule
     Date:    2010-06-06 05:16
     Removed: BadURL_Parts[i++] = "omniture";  // PRIVUS Tracker - 2010-01-07
     Reason:  The Provo Linux User Group is using Omniture's building
              for their meetings. So not only this rule is going away
              (it gave nothing in terms of new scripts - I have them
              all now) but I am removing the Domain itself from the
              hosts file - into the bowels of the beast once a month!
              But I need to know why Ubuntu doesn't want swfdec/gnash
              preinstalled and whether or not I would be better off
              putting on Adobe's Flash player instead. I am getting
              pressured to install something. I also need good
              /etc/fstab for FAT32 partitions - something that enables
              any user logging in to read / write to that partition.

 16. Action:  Added AV Phishing rule
     Added:   BadHostParts[i++] = "avast.com";  // Phish - 2010-06-08
     Reason:  vvww-avast.com was recently parked at GoDaddy. This rule
              combined with a more restrictive
                NOW:       GoodDomains[i++] = "avast.com";
                TIGHTENED: GoodDomains[i++] = ".avast.com";
              would stop it but this is better than nothing and if
              they do make the mistake of using avast-com this rule
              with the more lenient rule will stop it. C'est la vie.

 17. Action:  Downgraded a rule
     From:    BadURL_Parts[i++] = "ads\.php";  // YOUR CHOICE Tracker - 2009-11-07
     To:      BadURL_WordStarts[i++] = "ads\.php";  // YOUR CHOICE Tracker - 2010-06-09
     Reason:  downloads.php

 18. Action:  Removed malware rules
     Date:    2010-06-19 07:25
     Removed: BadDomains[i++] = ".cometruestar.ru";  // DNSWCD MalWare - 2010-04-20
              BadDomains[i++] = ".genuinecolors.ru";  // DNSWCD MalWare - 2010-04-20
              BadDomains[i++] = ".genuinehollywood.ru";  // DNSWCD MalWare - 2010-04-20
              BadDomains[i++] = ".trueworldmedia.ru";  // DNSWCD MalWare - 2010-04-20
              BadDomains[i++] = ".yourblenderparts.ru";  // DNSWCD MalWare - 2010-04-24
              BadDomains[i++] = ".yourtruegame.ru";  // DNSWCD MalWare - 2010-04-20
              BadDomains[i++] = ".yourtruemate.ru";  // DNSWCD MalWare - 2010-04-20
     MinPAC:  You need to remove these if you have them.
     Reason:  They have been dead for more than a month. I hope they
              don't come back but you can never tell. Now for the big
              question - did the Russian Government do it or was it
              retaliation by the Chinese government? I am sorry but it
              bears all the hallmarks of government sanctioned and
              maybe even sponsored hacking.

 19. Action:  Some optional tracking rules
     Added:   BadURL_WordStarts[i++] = "pixeltrack\.php";  // YOUR CHOICE Tracker - 2010-06-19
              BadURL_WordStarts[i++] = "pixeltracking\.html";  // YOUR CHOICE Tracker - 2010-06-19
     Reason:  The first is used by devshed.com. The second is used by
              wsj.com, wsj.net, barrons.com.

 20. Action:  Added malware rule.
     Added:   BadHostWordStarts[i++] = "downloads\.pix[(f|o)]";  // Malware - 2010-06-21
     MinPAC:  Add if you want but it will be gone in the next update.
     Reason:  They are in the form downloads.pixfox-###.net and
              downloads.pixoff-###.net. So far they have always had a
              leading zero, but this will shut them down for the month
              or few weeks they remain in business.

21 June 2010 UNresolved False Positives (HHH)
---------------------------------------------

  NONE

21 June 2010 RESOLVED False Positives (HHH)
-------------------------------------------

  1. Pattern:  counter
     Rules:    BadURL_WordStarts[i++] = "counter\.[(j|p)]";
     Reason:   gstatic.com/buzz/api/buzz_counter.png
     Solution: BadURL_WordStarts[i++] = "counter\.js";
               BadURL_WordStarts[i++] = "counter\.php";

  2. Pattern:  coremetrics & other patterns at Akamai blocked a payment
               at NewEgg.com and TigerDirect.com. More specifically it
               causes problems for the Visa Verify process. FINE! BLAME
               THEM FOR YOUR MACHINE IF IT GETS INFECTED. I AM OUTTA
               HERE!
     Date:     2010-06-04 09:03
     Rules:    BadURL_Parts[i++] = "coremetrics";  // Tracker - 2009-11-23
     Reason:   Could not make a payment at NewEgg.com
     Solution: I DO NOT KNOW IF THIS IS ENOUGH BUT WE WILL FIND OUT
     Removed:  BadURL_Parts[i++] = "coremetrics";  // Tracker - 2009-11-23
     Added:    GoodDomains[i++] = ".akamai.net";  // VisaVerify - 2010-06-04
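
Added example (not code from the PAC file or its author): a small regression check that replays the rule changes in items 2, 16 and 17 so a false positive or an over-broad allowlist entry shows up before a rule ships. The matching semantics (allowlist checked first as a host suffix, Parts matched anywhere, WordStarts anchored after a non-alphanumeric character) and all function names are assumptions made for this sketch.

```javascript
// Added example. Matching semantics below are assumptions, not the PAC file's code:
//  - GoodDomains: suffix match on the host, evaluated before any Bad* list
//  - BadHostParts / BadURL_Parts: regex, may match anywhere
//  - BadURL_WordStarts: regex that must begin at the start of the string or
//    right after a non-alphanumeric character (so "_" and "/" separate words)
// String.raw keeps the backslash; in a plain quoted JS string "\." becomes ".".
const r = String.raw;

function isGood(host, goodDomains) {
  return goodDomains.some((d) => host.toLowerCase().endsWith(d));
}
function matchesPart(text, rule) {
  return new RegExp(rule, "i").test(text);
}
function matchesWordStart(text, rule) {
  return new RegExp("(?:^|[^a-z0-9])(?:" + rule + ")", "i").test(text);
}
function hostBlocked(host, goodDomains, badHostParts) {
  if (isGood(host, goodDomains)) return false; // allowlist wins
  return badHostParts.some((p) => matchesPart(host, p));
}

function runChecks() {
  const png = "gstatic.com/buzz/api/buzz_counter.png"; // URL from the changelog
  const dl = "site.example/downloads.php";             // constructed URL
  return {
    // [(j|p)] is a character class: one of ( j | p ), so the "p" of ".png" hits
    oldCounterHitsPng: matchesWordStart(png, r`counter\.[(j|p)]`),
    splitCounterHitsPng: [r`counter\.js`, r`counter\.php`].some((x) => matchesWordStart(png, x)),
    splitCounterHitsJs: matchesWordStart("site.example/js/counter.js", r`counter\.js`),
    // item 17: as a Part the rule fires inside "downloads.php", as a WordStart it does not
    adsPartHitsDownloads: matchesPart(dl, r`ads\.php`),
    adsWordStartHitsDownloads: matchesWordStart(dl, r`ads\.php`),
    // item 16: the suffix "avast.com" also allowlists the look-alike host
    lookalikeBlockedLenient: hostBlocked("vvww-avast.com", ["avast.com"], ["avast.com"]),
    lookalikeBlockedTight: hostBlocked("vvww-avast.com", [".avast.com"], ["avast.com"]),
    realSiteBlockedTight: hostBlocked("www.avast.com", [".avast.com"], ["avast.com"]),
    // the unescaped "." in the bad rule also matches "avast-com" (constructed host)
    dashVariantBlocked: hostBlocked("avast-com.example", ["avast.com"], ["avast.com"]),
    apexBlockedTight: hostBlocked("avast.com", [".avast.com"], ["avast.com"]),
  };
}

console.log(runChecks());
```

Under these assumed semantics the tightened ".avast.com" entry no longer covers the bare host avast.com, which is then caught by the BadHostParts rule (apexBlockedTight is true).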