09 August 2010 Changes (HHH)
----------------------------

1. Action: Removed rule I should not have added
   Date: 2010-06-22 07:08
   Removed:
   BadDomains[i++] = "marketingsolutions.yahoo.com"; // AdServer - 2010-06-21
   Reason: This rule trumps it:
   GoodDomains[i++] = ".yahoo.com";
   The only way you can counter a GoodDomains rule is either a hosts file block
   or a BadNetworks rule. The BadNetworks rule trumps the GoodDomains rule
   because it comes first, and a hosts file block trumps ALL PAC filter rules.

2. Action: Experimental SPAM rule
   Added:
   BadHostParts[i++] = "edrefill"; // PRIVUS SPAM - 2010-06-22
   Reason: I am noticing them showing up in my GMail SPAM. I do not think it is
   a permanent pattern, but I at least need the rule to block them until I can
   add them to my hosts file.

3. Action: Here we go again, adding redundant rules for tracking Domains.
   servers though.
   Added:
   BadDomains[i++] = ".addthiscdn.com"; // Tracker - 2010-07-17
   BadDomains[i++] = "analytics.clickpathmedia.com"; // Tracker - 2010-08-03
   BadDomains[i++] = "analytics.edgesuite.net"; // Tracker - 2010-08-09
   BadDomains[i++] = ".bizographics.com"; // Tracker - 2010-07-17
   BadDomains[i++] = "bluekai.com"; // Tracker - 2010-08-09
   BadDomains[i++] = ".brcdn.com"; // Tracker - 2010-08-05
   BadDomains[i++] = "c.compete.com"; // Tracker - 2010-08-03
   BadDomains[i++] = ".chartbeat.com"; // Tracker - 2010-07-12
   BadDomains[i++] = "csi.gstatic.com"; // Tracker - 2010-08-05
   BadDomains[i++] = "customerconversio.com"; // Tracker - 2010-08-03
   BadDomains[i++] = ".deepmetrix.com"; // Tracker - 2010-08-03
   BadDomains[i++] = "demdex.net"; // Tracker - 2010-08-09
   BadDomains[i++] = "dmtracker.com"; // Tracker - 2010-08-03
   BadDomains[i++] = "fetchback.com"; // Tracker - 2010-08-03
   BadDomains[i++] = "ic-live.com"; // Tracker - 2010-08-03
   BadDomains[i++] = "levexis.com"; // Tracker - 2010-08-03
   BadDomains[i++] = "marinsm.com"; // Tracker - 2010-08-03
   BadDomains[i++] = ".mathtag.com"; // Tracker - 2010-08-09
   BadDomains[i++] = ".optify.net"; // Tracker - 2010-07-19
   BadDomains[i++] = ".optimost.com"; // Tracker - 2010-06-22
   BadDomains[i++] = "rcm.amazon.com"; // Tracker - 2010-08-09
   BadDomains[i++] = ".revsci.net"; // Tracker - 2010-08-09
   BadDomains[i++] = "rover.ebay.com"; // Tracker - 2010-08-03
   BadDomains[i++] = "scorecardresearch.com"; // Tracker - 2010-08-03
   BadDomains[i++] = "sodoit.com"; // Tracker - 2010-08-03
   BadDomains[i++] = "tracking.searchmarketing.com"; // Tracker - 2010-08-03
   BadDomains[i++] = ".turn.com"; // Tracker - 2010-08-09
   BadDomains[i++] = ".tynt.com"; // Tracker - 2010-06-24
   BadDomains[i++] = ".serving-sys.com"; // Tracker - 2010-07-01
   BadDomains[i++] = ".visistat.com"; // Tracker - 2010-07-20
   BadDomains[i++] = ".voicefive.com"; // Tracker - 2010-07-19
   BadDomains[i++] = "web-stat.com"; // Tracker - 2010-08-03
   BadDomains[i++] = "webeffective.keynote.com"; // Tracker - 2010-08-03
   ---
   BadHostWordStarts[i++] = "stats\.bbc\.co\.uk"; // Tracker - 2010-08-09
   Reason: Same as last time - some people are not using any blocking hosts
   file. They are also not using Firefox with AdBlockPlus.

4. Action: Redundant rules for Ad Domains
   Added:
   BadDomains[i++] = "assoc-amazon.com"; // AdServer - 2010-08-03
   BadDomains[i++] = "contextweb.com"; // AdServer - 2010-06-19
   BadDomains[i++] = "lduhtrp.net"; // WebBug - 2010-08-09
   BadDomains[i++] = "media6degrees.com"; // AdServer - 2010-08-03
   Reason: Same as last time - some people are not using any blocking hosts
   file. They are also not using Firefox with AdBlockPlus.

5. Action: Exclusion for a filter rule.
   From:
   BadURL_WordStarts[i++] = "ads\.php"; // YOUR CHOICE Tracker - 2010-06-09
   To:
   BadURL_WordStarts[i++] = "[^o]ads\.php"; // YOUR CHOICE Tracker - 2010-06-09
   Reason: www.moschip.com/mcs9865_downloads.php

6. Action: Removed Google tracking rule
   Date: 2010-07-11 02:13
   Removed:
   BadURL_Parts[i++] = "google\.com\/uds\/stats"; // Tracker - 2010-05-23
   Reason: The GoodDomains rule that prevents Google pretenders has precedence,
   so the rule is useless. I MAY BE DROPPING GOOGLE'S STATUS TO NORMAL SO THESE
   RULES CAN EXIST.

7. Action: Tracker rule
   Added:
   BadURL_WordStarts[i++] = "xiti\.js"; // Tracker - 2010-07-12
   Reason: The Tour de France web-site reminded me how big they are. I even had
   stuff donated that is from their domain at the goodwill store I used to work
   at. It doesn't matter, a tracker is a tracker.

8. Action: Increased scope of AmazonAWS tracker rule
   Date: 2010-07-13
   From:
   BadURL_Parts[i++] = "s3.amazonaws.com\/new.cetrk.com"; // Tracker - 2010-05-23
   To:
   BadURL_Parts[i++] = "amazonaws.com\/new.cetrk.com"; // Tracker - 2010-07-13
   Reason: The likelihood of a false positive is VERY LOW. I have never observed
   the shorter pattern, but this is just in case, because they are a NOTORIOUSLY
   BAD Flash Cookie tracker that persists across multiple applications: multiple
   browsers, RealPlayer, et al.

9. Action: Ad Server rule
   Added:
   BadURL_WordStarts[i++] = "ad_manager"; // AdServer - 2010-07-19
   Reason: www.tampabay.com/universal/scripts/doubleclick/ad_manager.js

10. Action: Tracker rule
    Added:
    BadURL_WordStarts[i++] = "leadgen_tracking\.js"; // Tracker - 2010-07-19
    Reason: The existing rule handling this is optional.

11. Action: Embedded GoogleAnalytics Tracking Rule
    Added:
    BadURL_WordStarts[i++] = "gaaddons\.js"; // Tracker - 2010-07-20

12. Action: Visa Verify
    From:
    GoodDomains[i++] = ".visa.com"; // Phish - 2009-12-08
    To:
    GoodDomains[i++] = "securesuite.net"; // Phish - 2010-07-30
    GoodDomains[i++] = "verifiedbyvisa.com"; // Phish - 2010-07-30
    GoodDomains[i++] = ".visa.com"; // Phish - 2009-12-08
    BadHostParts[i++] = "securesuite\.net"; // Phish - 2010-07-30
    Reason: Can't get there, so we do what we can to get there and at the same
    time make it so we can provide some protection while allowing people to get
    there. Now I need the ones for MasterCard. When I first hit this it looked
    like a PHISH, except it didn't come in the email. When you log in to your
    bank you have NO control over it.

13. Action: Linksys / Cisco exclusion
    Added:
    GoodDomains[i++] = ".cisco.com"; // ".bin" - 2010-07-30
    BadHostParts[i++] = "cisco\.com"; // ".bin" - 2010-07-30
    Reason: The Linksys download is blocked by the ".bin" rule for ZBot. I
    realize the BadURL_WordEnds is a PRIVUS rule right now. That is NOT because
    it is meant only for me. It was meant for everybody, but I need to vet it to
    make sure it does NOT cause any problems. I will try with the DLink router I
    have and stop there, and release the ".bin" rule to the public as optional.
    WHY? Because the ZBot people are locked into ".cfg" or ".bin" by the way
    Microsoft Windows handles things with file extensions. I have observed WAY
    too many Zeus config files that end in ".bin" to not want this rule. As I
    see it, the only people that will hit it a lot are the ones that update
    their home router firmware and motherboard firmware. Since they are usually
    able to scramble for their own particular manufacturer for the motherboards
    and don't do it all that often, I DESPERATELY need this rule and any others
    like it, so if you have them, let me know what they are.

14. Action: New GoDaddy Park IP address
    Added:
    BadNetworks[i++] = "68.178.232.99, 255.255.255.255"; // GoDaddy Faux-Parc 3 - 2010-07-30
    Reason: I have caught them not only reactivating and leading to malware but
    actually got a SPAM email message the other day going to this currently
    rated DomainWest.com park IP address. I am still wondering if it deserves
    that status, but it certainly deserves this treatment. I just rescinded
    myself - this is now just a pseudo parker. DomainWest may have it, but it
    is also redirecting back to malware now.

15. Action: Handled "secret" problems.
    Removed:
    GoodDomains[i++] = "windowssecrets.com"; // secret - 2009-06-06
    From:
    BadHostParts[i++] = "secret"; // PROXY - 2009-02-05
    To:
    // BadHostParts[i++] = "secret"; // YOUR CHOICE PROXY - 2010-08-02
    Reason: camisecret.com and others. There was no reason other than the
    proxies that I was aware of. This rule may be removed in the future.

16. Action: Collapsed all channelintelligence.com into one rule
    From:
    BadDomains[i++] = ".links.channelintelligence.com"; // Tracker - 2009-11-03
    BadDomains[i++] = ".origin.channelintelligence.com"; // Tracker - 2009-11-03
    BadDomains[i++] = ".rdr.channelintelligence.com"; // Tracker - 2009-11-03
    To:
    BadDomains[i++] = "channelintelligence.com"; // Tracker - 2010-08-03
    Reason: AdBlockPlus has it this way, and I haven't seen the
    content.channelintelligence.com which was what caused the rule to be done
    this way. Also, almost everything I am seeing now is NOT in these
    sub-domains. Mostly, I see cts.channelintelligence.com.

17. Action: PRIVUS Ad & Tracker Rules.
    Added:
    BadDomains[i++] = "cobaltgroup.com"; // PRIVUS Tracker - 2010-08-05
    BadDomains[i++] = "cobaltnitra.com"; // PRIVUS Tracker - 2010-08-05
    BadURL_WordStarts[i++] = "adaptive\.php"; // PRIVUS Tracker - 2010-08-03
    BadURL_WordStarts[i++] = "adjs\.php"; // PRIVUS AdServer - 2010-08-04
    BadURL_WordStarts[i++] = "[(d|e|m|n|s|t|u|z)]\/adx\.js"; // PRIVUS AdServer - 2010-08-04
    BadURL_WordStarts[i++] = "google_analytics"; // PRIVUS Tracker - 2010-08-03
    BadHostWordStarts[i++] = "ad\."; // PRIVUS AdServer - 2010-08-03
    Reason:
    - adaptive.php was on MHZNetworks TV - I have noticed these before and they
      seem to be done ad-hoc by just a few web sites, so I ignored it until now.
    - Here are the patterns AdBlockPlus has:
      "/modules/contrib/google_analytics/*"
      "/modules/contributions/google_analytics/*"
      "/modules/google_analytics/*"
      "/modules/google_analytics_event_tracking/*"
      I think it is a lot simpler than that and that this one rule can do them
      all. I have been wrong more than a dozen times before though.
    - I thought I tried the "ad\." rule at one time, but a look at the logs
      indicates it needs to be tried. I will probably need to remove it, but we
      will go from here.

18. Action: Added various ad server rules that showed up in TV ads
    Added:
    BadURL_WordStarts[i++] = "adimages\."; // AdServer - 2010-08-03
    BadURL_WordStarts[i++] = "adsfac\."; // AdServer - 2010-08-03
    BadURL_WordStarts[i++] = "adsremote\."; // AdServer - 2010-08-03
    BadURL_WordStarts[i++] = "files\/ads\/"; // AdServer - 2010-08-03
    BadURL_WordStarts[i++] = "flashads\."; // AdServer - 2010-08-03
    BadURL_WordStarts[i++] = "flashads\/"; // AdServer - 2010-08-03
    BadURL_WordStarts[i++] = "scripts\/ad-"; // AdServer - 2010-08-03
    BadURL_WordStarts[i++] = "scripts\/ad\."; // AdServer - 2010-08-03
    BadURL_WordStarts[i++] = "scripts\/ad\/"; // AdServer - 2010-08-03
    BadURL_WordStarts[i++] = "scripts\/ads\/"; // AdServer - 2010-08-03
    BadURL_WordStarts[i++] = "www\/delivery\/"; // AdServer - 2010-08-03
    Reason: I did not have them, and they were ALL from TV ads that have now
    blossomed past more than just Extenze. I was beginning to think only they
    advertised.

19. Action: Added Tracker rules that are showing up in TV ads
    Added:
    BadDomains[i++] = ".displaymarketplace.com"; // Tracker - 2010-08-04
    BadURL_WordStarts[i++] = "arstechnica.com\/breath.gif"; // Tracker - 2010-08-03
    BadURL_WordStarts[i++] = "brightcove.com\/1pix\.gif"; // Tracker - 2010-08-03
    BadURL_WordStarts[i++] = "google\.com\/uds\/stats"; // Tracker - 2010-08-04
    BadURL_WordStarts[i++] = "googleusercontent.com\/tracker"; // Tracker - 2010-08-03
    BadURL_WordStarts[i++] = "id.google.com\/verify\/"; // Tracker - 2010-08-03
    BadURL_WordStarts[i++] = "offers.keynote.com\/wt\/"; // Tracker - 2010-08-03
    BadURL_WordStarts[i++] = "scripts\/clickjs\.php"; // Tracker - 2010-08-03
    BadURL_WordStarts[i++] = "stats\/mint\/"; // Tracker - 2010-08-09
    Reason: I did not have them, and they were ALL from TV ads. I am thinking
    of dropping the Google exclusion. If I don't, I will have to take those
    back out. For now I am commenting out the Google exclusion for myself to
    see what happens.

20. Action: Comments standardized
    Date: 2010-08-03
    From: ADS
    To: AdServer (English), AdServeur (Français)
    Reason: Consistency. There are others that need it, along with a date, if I
    can ever get around to it.

21. Action: Exclusion rule for a legitimate site.
    Added:
    GoodDomains[i++] = "edyoung.com"; // young - 2010-08-09
    Reason: BadHostParts "young" blocks it. There are two other websites in my
    block log (resurrected): woonyoung.com and young-e.net. In both cases they
    are just spelling it differently because they are pronounced almost the
    same, but perhaps would be better spelled as Jung, which is pronounced
    yung. I will add those if somebody complains, but now that all of my phttp
    daemon logs are back, all of the other blocks are either porn or
    malware + porn.

22. Action: Although this should be in #3, it requires special handling
    Added:
    GoodDomains[i++] = "clk.atdmt.com"; // atdmt.com - 2010-08-09
    ---
    BadDomains[i++] = ".atdmt.com"; // Tracker - 2010-08-09
    Reason: Same as #3 above, but we need an exclusion for the host
    clk.atdmt.com.

09 August 2010 UNresolved False Positives (HHH)
-----------------------------------------------

NONE

09 August 2010 RESOLVED False Positives (HHH)
---------------------------------------------

1. Pattern: "ads\.php"
   Rules:
   BadURL_WordStarts[i++] = "ads\.php";
   Reason: www.moschip.com/mcs9865_downloads.php
   Solution:
   BadURL_WordStarts[i++] = "[^o]ads\.php";

2. Pattern: visa.com
   Rules:
   BadHostParts[i++] = "visa\.com"; // Phish - 2009-12-08
   Reason: VerifiedByVisa.com was blocked
   Solution:
   ADDED:
   GoodDomains[i++] = "securesuite.net"; // Phish - 2010-07-30
   GoodDomains[i++] = "verifiedbyvisa.com"; // Phish - 2010-07-30
   BadHostParts[i++] = "securesuite\.net"; // Phish - 2010-07-30

3. Pattern: "secret"
   Date: 02 August 2010
   Rules:
   GoodDomains[i++] = "windowssecrets.com"; // secret - 2009-06-06
   BadHostParts[i++] = "secret"; // PROXY - 2009-02-05
   Reason: camisecret.com and others
   Solution: Removed the first rule; the second rule is now:
   // BadHostParts[i++] = "secret"; // YOUR CHOICE PROXY - 2010-08-02
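The precedence that change #1 relies on (a hosts file block beats everything, then BadNetworks, then GoodDomains, then the remaining Bad* rules), the "[^o]ads\.php" exclusion from change #5 / Resolved False Positive 1, and the clk.atdmt.com carve-out from change #22, worked through as an added example in Node.js. This is not the PAC filter's own code: the way dotted and undotted domain entries are matched, the hosts file set, the DNS table, the .example.test entries and the blackhole proxy address are all assumptions made so the block runs offline.

```javascript
'use strict';

// Constructed stand-in for hosts file entries (127.0.0.1 lines). A hosts file
// block is checked before any PAC rule because it wins over all of them.
const hostsFileBlocks = new Set(['tracker.example.test']);

// Constructed stand-in for dnsResolve(); real PAC code resolves live.
const fakeDns = {
  'parked.example.test': '68.178.232.99',
  'marketingsolutions.yahoo.com': '203.0.113.10',
  'clk.atdmt.com': '203.0.113.11',
  'view.atdmt.com': '203.0.113.12',
  'www.moschip.com': '203.0.113.13',
};

// Rule lists, filled the way the filter fills them. Entries under
// .example.test are constructed for this example.
let i = 0;
const BadNetworks = [];
BadNetworks[i++] = '68.178.232.99, 255.255.255.255'; // GoDaddy Faux-Parc 3 - 2010-07-30

i = 0;
const GoodDomains = [];
GoodDomains[i++] = '.yahoo.com';
GoodDomains[i++] = 'clk.atdmt.com';  // atdmt.com - 2010-08-09
GoodDomains[i++] = '.example.test';  // constructed: shows BadNetworks/hosts file win

i = 0;
const BadDomains = [];
BadDomains[i++] = 'marketingsolutions.yahoo.com'; // dead rule: ".yahoo.com" is checked first
BadDomains[i++] = '.atdmt.com';                   // Tracker - 2010-08-09

i = 0;
const BadURL_WordStarts = [];
BadURL_WordStarts[i++] = '[^o]ads\\.php';          // YOUR CHOICE Tracker - 2010-06-09

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// PAC isInNet() over a "net, mask" rule string.
function isInNet(ip, rule) {
  const [net, mask] = rule.split(',').map((s) => s.trim());
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// Assumption: ".dom" and "dom" both match the domain itself and any subdomain.
function domainMatches(host, rule) {
  const dom = rule.startsWith('.') ? rule.slice(1) : rule;
  return host === dom || host.endsWith('.' + dom);
}

// Returns the layer that decided the URL, in the precedence order of change #1.
function classify(url, host = new URL(url).hostname) {
  if (hostsFileBlocks.has(host)) return 'hosts file';
  const ip = fakeDns[host];
  if (ip && BadNetworks.some((r) => isInNet(ip, r))) return 'BadNetworks';
  if (GoodDomains.some((d) => domainMatches(host, d))) return 'GoodDomains';
  if (BadDomains.some((d) => domainMatches(host, d))) return 'BadDomains';
  if (BadURL_WordStarts.some((p) => new RegExp(p).test(url))) return 'BadURL_WordStarts';
  return 'none';
}

// PAC entry point: blocked URLs go to a blackhole proxy (address assumed).
function FindProxyForURL(url, host) {
  const layer = classify(url, host);
  return layer === 'GoodDomains' || layer === 'none' ? 'DIRECT' : 'PROXY 127.0.0.1:3421';
}
```

Two things the run makes visible: the BadDomains entry for marketingsolutions.yahoo.com can never fire while ".yahoo.com" sits in GoodDomains, which is exactly why change #1 removed it; and the "[^o]" exclusion only spares names whose "ads.php" is preceded by an "o" (downloads.php, uploads.php), so a URL such as /threads.php is still caught.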