20 February 2012 Changes (HHH)
------------------------------

1. Action: Tracker rules that cannot be handled by host blocks
   Added:
     BadDomains[i++] = ".linkpulse.com"; // Tracker - 2012-01-16
       // blocking hosts file analysis - I do NOT have all
     BadDomains[i++] = "maps-4-u.com"; // DNSWCD Tracker - 2012-01-02
       // From observing cookies in deletion - also has a flash cookie
     BadDomains[i++] = "sellpoint.net"; // Tracker - 2012-02-28
       // one of the camera review sites
     ---
     BadURL_WordStarts[i++] = "4info.com\/alert\/listeners\/"; // Tracker - 2012-01-30
       // Cookie analysis of alerts.4info.com
     BadURL_WordStarts[i++] = "clients1.google.ca\/generate_204"; // Tracker - 2012-02-09
     BadURL_WordStarts[i++] = "clients1.google.com\/generate_204"; // Tracker - 2012-02-09
     BadURL_WordStarts[i++] = "clients1.google.fr\/generate_204"; // Tracker - 2012-02-09
       // http://www.google.ca/ http://www.google.com/ http://www.google.fr/
     BadURL_WordStarts[i++] = "google_page_track"; // Tracker - 2012-01-28
       // http://www.flyingmosters-movie.com
     BadURL_WordStarts[i++] = "hints.netflame.cc\/"; // Tracker - 2012-02-09
       // http://www.adl.org/
     BadURL_WordStarts[i++] = "youtube\.com\/set_awesome"; // Tracker - 2012-02-09
       // http://shop.nuance.com/store/nuanceus/Content/pbPage.DragonOrder
     ---
     BadHostWordStarts[i++] = "wtsdc\."; // Tracker - 2012-02-09
       // http://thenewlogistics.ups.com/
   MinPAC: Add the maps-4-u.com rule
   Reason: Added because they were discovered on web sites.

2. Action: Advertiser rules that cannot be handled by host blocks
   Added:
     BadDomains[i++] = ".admulti.com"; // DNSWCD AdServer - 2012-01-16
       // seeing others than the ones I have, and DNSWCD
     BadDomains[i++] = ".amazon-adsystem.com"; // AdServer - 2012-01-16
       // seeing others than the ones I have
     BadDomains[i++] = "eyereturn.com"; // AdServer - 2012-01-28
       // http://www.jennycraig.com/
     BadDomains[i++] = ".luxup.ru"; // DNSWCD AdServer - 2012-01-16
       // blocking hosts file analysis
     BadDomains[i++] = ".networldmedia.net"; // AdServer - 2012-02-27
       // http://www.hotwire.com
     BadDomains[i++] = ".ringrevenue.com"; // DNSWCD AdServer - 2012-01-16
       // blocking hosts file analysis
     BadDomains[i++] = "smaato.net"; // AdServer - 2012-01-16
       // blocking hosts file analysis
     ---
     BadURL_Parts[i++] = "_radio_ad_"; // AdServer - 2012-01-16
       // test block of [www.]enterpriseefficiency.com
       // www.enterpriseefficiency.com/e2_radio_ad_js.asp
     ---
     BadURL_WordStarts[i++] = "ads\/freewheel\/"; // AdServer - 2012-01-16
       // http://www.golf.com
     BadURL_WordStarts[i++] = "adsense\/"; // AdServer - 2012-01-20
       // http://www.overstock.com/
     BadURL_WordStarts[i++] = "pricegrabber.com/cb_table.php"; // AdServer - 2012-02-28
     BadURL_WordStarts[i++] = "pricegrabber.com/mlink.php"; // AdServer - 2012-02-28
       // http://www.cameralabs.com/reviews/Canon_PowerShot_SX210_IS/
     BadURL_WordStarts[i++] = "related-ads\."; // AdServer - 2012-02-09
       // http://www.amazon.com/Nikon-D700-FX-Format-3-0-Inch-Body/dp/B001BTCSI6
     BadURL_WordStarts[i++] = "survey_monkey\."; // AdServer - 2012-01-28
       // http://www.flyingmosters-movie.com
     BadURL_WordStarts[i++] = "surveymonkey.com\/jspop\.aspx"; // AdServer - 2012-01-28
       // http://www.flyingmosters-movie.com
     BadURL_WordStarts[i++] = "web_ads\/"; // AdServer - 2012-02-13
       // PhishTank Spam
     BadURL_WordStarts[i++] = "webads_"; // AdServer - 2012-02-13
       // PhishTank Spam
   MinPAC: Add the admulti.com, luxup.ru, and ringrevenue.com rules
   Reason: Added because they were discovered on web sites.

3. Action: Redundant Tracker rules.
   Added:
     BadDomains[i++] = ".clickshift.com"; // Tracker - 2012-01-28
       // http://www.cricut.com/
     BadDomains[i++] = "cxense.com"; // Tracker - 2012-01-06
       // http://www.concordmonitor.com/blogentry/*
     BadDomains[i++] = ".parsely.com"; // Tracker - 2012-01-16
       // blocking hosts file analysis
     BadDomains[i++] = ".uimserv.net"; // Tracker - 2012-01-16
       // blocking hosts file analysis
     BadDomains[i++] = "userreport.com"; // Tracker - 2012-01-16
       // blocking hosts file analysis
     BadDomains[i++] = "valuedopinions.co.uk"; // Tracker - 2012-02-01
       // http://preview.tinyurl.com/782uvdh
     ---
   MinPAC: NONE
   Reason: For people who do not use a hosts black list, and for new hosts within a domain that we don't know about yet.

4. Action: Redundant Ad Server rules.
   Added:
     BadDomains[i++] = "orangeads.fr"; // AdServer - 2012-01-16
       // do not know all hosts in domain
     BadDomains[i++] = "pay-click.ru"; // AdServer - 2012-01-16
       // blocking hosts file analysis
     BadDomains[i++] = "teracent.net"; // AdServer - 2012-01-16
       // blocking hosts file analysis
     BadDomains[i++] = "undertone.com"; // AdServer - 2012-01-21
       // http://emeraldcoastfl.com/
     ---
     BadHostWordEnds[i++] = "shareasale.com"; // AdServer - 2012-01-28
       // http://smartypantsconsignment.com/
   MinPAC: NONE
   Reason: For people who do not use a hosts black list, and for new hosts within a domain that we don't know about yet.

5. Action: Remove Phish rule
   Date: 2012-01-02
   Removed:
     BadNetworks[i++] = "209.81.105.157, 255.255.255.255"; // PAC Phish - 2011-12-12
   Reason: The phish server for this file is gone, as is the PAC redirector that did it, which was here:
     epaper.yosungroup.com/epaper/images/4/4m89fh39fg95.pac

6. Action: Removed old spam rules
   Date: 2012-01-02
   Removed:
     BadDomains[i++] = "fyxm.net"; // DNSWCD Spam - 2011-08-06
     BadDomains[i++] = ".ojolink.fr"; // DNSWCD Spam - 2011-08-06
   MinPAC: Remove them if you have them.
   Reason: The threat has passed. Yes, there are millions of hits with a Google search, but most links are gone and none are malware. Use your common sense - are you really going to get the free Avast from ojolink.fr?

7. Action: PRIVUS rule for mailbox hosts in Russia going WAY back
   Date: 2012-01-16
   Added:
     BadNetworks[i++] = "194.186.88.36, 255.255.255.224"; // PRIVUS Malware - 2012-01-16
   MinPAC: DO NOT ADD THIS!
   Reason: The mailbox-type hosts in Russia just keep getting infected files from time to time. But the last byte only has the values 36, 37, 38, 45, 46, 47, 52, 57, 58, 59. The rule actually extends to 63, but since I am the only one using it ...

8. Action: Removed deprecated rule
   Date: 2012-01-16
   Removed:
     BadDomains[i++] = ".ce.ms"; // Malware - 2011-07-18
   MinPAC: REMOVE IT IF YOU HAVE IT
   Reason: All of the *.ce.ms hosts I had just dropped out of DNS.

9. Action: Removed deprecated rules
   Date: 2012-01-16
   Removed:
     BadDomains[i++] = ".enquisite.com"; // Tracker - 2011-07-14
     BadDomains[i++] = ".internetserviceteam.com"; // DNSWCD Malware - 2009-06-06
   MinPAC: REMOVE THEM IF YOU HAVE THEM
   Reason: All of the hosts are gone for enquisite.com; hpHosts removed all hosts for the second.

10. Action: Add a new spam rule
    Date: 2012-01-20
    Added:
      BadDomains[i++] = ".whitegloveaudience.com"; // DNSWCD Spam - 2012-01-20
    MinPAC: Safe to add but volatile
    Reason: New DNSWCD spam domain seen at GMail.com

11. Action: Removed all debug statements in proxy_en.txt and proxy_fr.txt
    Date: 2012-01-20
    From: debug active
    To: all debug statements removed
    MinPAC: DO NOT HAVE ANY DEBUG IN YOUR FILES!
    Reason: Even after editing the debug out of my own files I still keep getting a "proxy pac file loaded" message. I had them in the C:\etc\OneFile\ folder. I have already altered the scripts for that and set my own Internet Settings to the proxy_fr.txt file in that folder. Originally I just commented them out, but that was to make sure I did not delete too much. But there is no guarantee that having proxy_en.txt and proxy_fr.txt with no debug in them, and keeping them in a subfolder so that Internet Settings only has files with no debug in them, will fix this problem: both Microsoft's browser and Google Chrome still keep popping up the message "proxy pac file loaded". If it doesn't, then we have some sort of caching of an old proxy file that I can NOT get rid of.

12. Action: Comment out optional beacon rules
    Date: 2012-01-20
    From:
      BadURL_WordStarts[i++] = "beacon[^t]"; // YOUR CHOICE Tracker - 2011-02-12
      BadURL_WordEnds[i++] = "beacon"; // YOUR CHOICE AdServer - 2011-08-12
    To:
      // BadURL_WordStarts[i++] = "beacon[^t]"; // YOUR CHOICE Tracker - 2011-02-12
      // BadURL_WordEnds[i++] = "beacon"; // YOUR CHOICE AdServer - 2011-08-12
    Reason: Conflicted with Amazon.com

13. Action: Altered "eros" end rule
    Date: 2012-01-23
    From:
      BadURL_WordEnds[i++] = "[^hm]eros"; // Malware - 2010-08-26
    To:
      BadURL_WordEnds[i++] = "[^bhm]eros"; // Malware - 2012-01-23
    Reason: bomberos - it is Spanish for firefighters. It beats me what it was doing on a not-found page. I am adding the one and only host that the rules don't trap to the hosts file.

14. Action: PRIVUS Spam rules
    Date: 2012-01-20
    Added:
      BadHostParts[i++] = "pills"; // PRIVUS SPAM - 2012-01-20
      ---
      BadHostWordStarts[i++] = "pills"; // PRIVUS SPAM - 2012-01-20
      ---
      BadHostWordEnds[i++] = "pills"; // PRIVUS SPAM - 2012-01-20
    Reason: 12% of my spam hosts have this keyword in them. I need the protection while adding the hosts, and there is an eye towards adding the last two as optional (YOUR CHOICE / VOTRE CHOIX) for everybody, with some modifications. The Parts rule will probably forever be PRIVUS.

15. Action: Phish pickups in Sweden
    Date: 2012-01-28
    Added:
      BadNetworks[i++] = "79.142.78.0, 255.255.254.0"; // Phish - 2012-01-28
    MinPAC: VOLATILE
    Reason: These are the new-style phish where the whole form is either an HTML attachment or the HTML is in-line, and they pull down images from various web sites to build confidence. But when you click on the login (enter) button it goes to these PCs, which suck down the entered information and then redirect you on to the relevant banking site. Here are the Jotti, Virscan, and VirusTotal scans in that order:
      http://preview.tinyurl.com/8xm6pup
      http://r.virscan.org/report/dae7873b36cc3c9532fd03c693eda3ca.html
      http://preview.tinyurl.com/7wwofpd
    The scan rates are 1/20, 2/36, and 0/43 respectively. They stubbornly REFUSE to get any better at detection either. Here is the rescan at VirusTotal NOW:
      http://preview.tinyurl.com/7l3dym9
      Sophos: Mal/Phish-A
      TrendMicro: HTML_PHISH.RC
      TrendMicro-Housecall: HTML_PHISH.RC
    This is the BEST detection you will get. So there has to be some other filtration protecting people. Fortunately, Thunderbird stuffs it into the Junk folder. But tests of GMail, HotMail, and Yahoo web-mail have them ignoring it. It also shows up looking as legitimate as possible in Outlook Express and Outlook.

16. Action: Spam rule
    Date: 2012-01-28
    Added:
      BadDomains[i++] = ".carbonoverture.com"; // Spam - 2012-01-28
    MinPAC: VOLATILE BUT SAFE
    Reason: GMail spam

17. Action: Reduced complexity of rule
    Date: 2012-01-28
    From:
      BadURL_Parts[i++] = "click\.[(j|p)]"; // Tracker - 2010-03-26
    To:
      BadURL_Parts[i++] = "click\.js"; // Tracker - 2012-01-28
      BadURL_Parts[i++] = "click\.php"; // Tracker - 2012-01-28
    Reason: "click.png". Every one I have trapped has been an FP, not even a tracking image. I haven't noticed any of them missing, but there was an AWFUL lot of blocks here: http:// www.trytrialaser.com So I decided to split it up.

18. Action: Remove useless rule
    Date: 2012-01-30
    Removed:
      BadURL_WordEnds[i++] = "\.psd"; // PRIVUS Malware - 2011-09-26
    Reason: No TP and one FP:
      cdn0.media.cyclingnews.futurecdn.net/2012/01/25/2/mbk272.danny.pic1.psd_copy_70.jpg
    It wasn't noticeable, but if the rule doesn't help then why have it? It is just a matter of time before I have more FPs.

19. Action: Strengthen existing Tracker rule
    Date: 2012-01-30
    From:
      BadURL_WordStarts[i++] = "googlytics-1\.swf"; // Tracker - 2011-07-15
    To:
      BadURL_WordStarts[i++] = "googlytics-"; // Tracker - 2012-01-30
    Reason: Have observed 2 and 3 replacing 1. They are creating flash cookies at longtail.com hosts, which is what started me looking at the domain. They also supposedly have adaptv*.swf at lp.longtail.com, but I have never seen it. They also have yourlytics-1.js at various hosts in the domain, but with one proven FP and very little gained I don't want to muck with it. You have the same problem there. They have probably replaced yourlytics-1.js with yourlytics-2.js and yourlytics-3.js by now. But it is primarily these SWF files that are setting the flash cookie.

20. Action: Spelunking
    Date: 2012-01-30
    Added:
      BadDomains[i++] = "mybuys.com"; // PRIVUS Tracker - 2012-01-30
    MinPAC: DO NOT ADD THIS
    Reason: I just saw two of their hosts and am adding them because of a cookie I had set. I am adding the hosts. THIS IS NOT MEANT FOR PUBLIC CONSUMPTION! It may be in the future, but I think the blocks I have contain them. I wonder how MVPHosts found them before me? Like MVPHosts, I cannot add until I see it.

21. Action: Experimental AdServer rule
    Date: 2012-02-01
    Added:
      BadURL_WordStarts[i++] = "adswrapper3\."; // PRIVUS AdServer - 2012-02-01
    Reason: To see if it is worthwhile to add it.

22. Action: Remove SecureMecca.com from protection
    Date: 2012-02-06
    From:
      GoodDomains[i++] = "securemecca.com"; // Phish - 2009-12-07
      BadHostParts[i++] = "securemecca\.com"; // Phish - 2009-12-07
    To:
      // GoodDomains[i++] = "securemecca.com"; // Phish - 2009-12-07
      // BadHostParts[i++] = "securemecca\.com"; // Phish - 2009-12-07
    MinPAC: Comment them out if you have them.
    Reason: There are no typo-squatters. The cybermecca.com has been gone for years. For the second reason see number 23 here. The third reason is that it gets in the way of me testing my other potential rules. I always have to comment them out.

23. Action: Stop securemecca.com's spy COLD
    Date: 2012-02-06
    Added:
      BadURL_WordEnds[i++] = "whv2_001\.js"; // Tracker - 2012-02-06
    Reason: The image is still being set with optional parameters. This stops it altogether. I didn't ask for them and they won't let me opt out. SO NOW I AM RIPPING IT OUT! I originally wanted the rule like this, but I don't think there will be too many FPs:
      BadURL_WordEnds[i++] = "js_source\/whv2_001\.js";
    If they add another I will keep adding rules until they are all gone.

24. Action: Yet another modification to rules
    Date: 2012-02-06
    From:
      BadURL_Parts[i++] = "[^aceilnorst]cul[^ilt]"; // YOUR CHOICE - 2008-06-30
    To:
      BadURL_Parts[i++] = "[^aceilnorst]cul[^iltv]"; // YOUR CHOICE - 2012-02-06
    Reason: l.yimg.com/cv/ip/ap/default/120130/john_culver_ac.jpg I would just remove the rule, but it is embedded in the comments. Besides, it is our hallmark rule now. It is also optional - they can remove it any time they want to.

25. Action: New Spam rule
    Date: 2012-02-09
    Added:
      BadDomains[i++] = ".steadydriven.com"; // DNSWCD Spam - 2012-02-09
    MinPAC: VOLATILE
    Reason: GMail Spam

26. Action: Improper Classification
    Date: 2012-02-09
    From:
      BadHostWordStarts[i++] = "sdc\."; // AdServer - 2010-02-05
    To:
      BadHostWordStarts[i++] = "sdc\."; // Tracker - 2012-02-09
    Reason: It is a tracker, not an ad server.

27. Action: Weaken the phish rule for bbva.es
    Date: 2012-02-13
    From:
      GoodDomains[i++] = ".bbva.es"; // Phish - 2009-12-22
    To:
      // GoodDomains[i++] = ".bbva.es"; // Phish - 2009-12-22 (necesidad www)
      GoodDomains[i++] = "bbva.es"; // Phish - 2012-02-13
    Reason: bbva.es sent me an email with their URL being: https://bbva.es/ If they had used this URL the customer would have had no problems with the present rule: https://www.bbva.es/ With the newer, weakened rule this will also make it past: http://falsobbva.es/ C'est la vie.

28. Action: A new Casino rule
    Date: 2012-02-28
    Added:
      BadHostParts[i++] = "sportsbook"; // YOUR CHOICE Casino - 2012-02-28
    Reason: It is hard to determine who is what. Just block all of them, especially since one of them is in the ".cm" domain.

29. Action: Alter a rule
    Date: 2012-02-28
    From:
      BadURL_WordStarts[i++] = "analytics\.[(j|p)]"; // YOUR CHOICE Tracker - 2011-04-01
    To:
      BadURL_WordStarts[i++] = "analytics\.js"; // YOUR CHOICE Tracker - 2012-02-28
      BadURL_WordStarts[i++] = "analytics\.php"; // YOUR CHOICE Tracker - 2012-02-28
    Reason: FPs involving analytics.jpg

30. Action: Pair of tracker rules
    Date: 2012-02-28
    Added:
      BadURL_WordStarts[i++] = "getclicky\."; // Tracker - 2012-02-28
      BadURL_WordStarts[i++] = "getclicky_"; // Tracker - 2012-02-28
    Reason: Have seen these scripts and want to remove this rule:
      BadDomains[i++] = ".getclicky.com";

31. Action: Comment out rules that are no longer needed
    Date: 2012-02-28
    From:
      GoodDomains[i++] = "hotmail.com"; // general - 2010-05-07
      GoodDomains[i++] = "hotwire.com"; // general - 2010-05-07
    To:
      // GoodDomains[i++] = "hotmail.com"; // general - 2010-05-07
      // GoodDomains[i++] = "hotwire.com"; // general - 2010-05-07
    MinPAC: COMMENT THEM OUT IF YOU GAVE THEM AN EXCLUSION
    Reason: The "hot" rules that caused problems were commented out a long time ago. We need to let the other PAC filter rules do their work at these domains, especially the first.

ZZ. Action: Adding dates to all rules
    From: NO DATE
    To: ADD THIS TO END - 2008-06-30
    Reason: They need to have dates.
    Rules:

20 February 2012 UNresolved False Positives (HHH)
-------------------------------------------------
NONE

20 February 2012 RESOLVED False Positives (HHH)
-----------------------------------------------
NONE

I am no longer entering the False Positives that are resolved quickly. This and the preceding list are just for those problem rules that are hard to resolve. I have noticed that as the PAC filter has matured there are fewer and fewer of them all the time.
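Added example, not code from the SecureMecca PAC file and not HHH's own code: a miniature FindProxyForURL()-style evaluator in JavaScript that applies rule arrays of the kinds listed in this changelog (GoodDomains, BadDomains, BadHostParts, BadNetworks, BadURL_WordStarts, BadURL_WordEnds, BadURL_Parts) and reproduces four things described above. It shows why "click\.[(j|p)]" (entry 17) and "analytics\.[(j|p)]" (entry 29) trapped click.png and analytics.jpg, why "[^hm]eros" (entry 13) trapped bomberos while "[^bhm]eros" does not, which addresses "194.186.88.36, 255.255.255.224" (entry 7) really covers (the /27 mask reaches down to .32 as well as up to .63), and how weakening ".bbva.es" to "bbva.es" (entry 27) lets falsobbva.es past the phish check. The word-boundary definitions, the suffix-match domain semantics, the blackhole proxy address 127.0.0.1:3421, the companion BadHostParts rule "bbva\.es" (built by analogy with the securemecca.com pair in entry 22) and all sample URLs are assumptions made for the example, not taken from the PAC.

```javascript
// Added example (not the SecureMecca PAC and not HHH's code): a miniature
// PAC-style evaluator for rule arrays of the kinds listed in the changelog.
// Assumptions, not taken from the page: the blackhole proxy address, the
// word-boundary definitions, the suffix-match domain semantics and the
// "bbva\.es" BadHostParts companion rule.
"use strict";

var BLACKHOLE  = "PROXY 127.0.0.1:3421";   // assumed sink address
var WORD_START = "(^|[^A-Za-z0-9_])";      // assumed "word start" boundary
var WORD_END   = "([^A-Za-z0-9_]|$)";      // assumed "word end" boundary

// Rules quoted from the changelog. In a JavaScript string literal a lone
// backslash before "." or "/" is dropped before RegExp ever sees it, so the
// regex escapes are doubled here.
var rules = {
  GoodDomains:       ["bbva.es"],                                               // entry 27, "To:"
  BadDomains:        [".linkpulse.com", "maps-4-u.com"],                        // entry 1
  BadHostParts:      ["bbva\\.es"],                                             // assumed, after entry 22's pattern
  BadNetworks:       ["194.186.88.36, 255.255.255.224"],                        // entry 7
  BadURL_WordStarts: ["clients1\\.google\\.com\\/generate_204", "googlytics-"], // entries 1, 19
  BadURL_WordEnds:   ["[^bhm]eros"],                                            // entry 13, "To:"
  BadURL_Parts:      ["click\\.js", "click\\.php"]                              // entry 17, "To:"
};
// The "From:" side of entries 13, 17 and 27, to reproduce the old behaviour.
var oldRules = Object.assign({}, rules, {
  GoodDomains:     [".bbva.es"],
  BadURL_WordEnds: ["[^hm]eros"],
  BadURL_Parts:    ["click\\.[(j|p)]"]
});

function patternMatches(pattern, text) {
  return new RegExp(pattern, "i").test(text);
}

// Assumed domain semantics: an entry matches when the host ends with it.
// ".bbva.es" therefore matches www.bbva.es but not the apex bbva.es and not
// falsobbva.es; "bbva.es" matches all three.
function domainMatches(host, entry) {
  return host.toLowerCase().slice(-entry.length) === entry.toLowerCase();
}

function ipToInt(ip) {
  return ip.split(".").reduce(function (n, o) {
    return ((n << 8) | (parseInt(o, 10) & 255)) >>> 0;
  }, 0);
}

// Same arithmetic as the PAC isInNet(): (ip & mask) == (pattern & mask).
function inNet(ip, rule) {
  var parts = rule.split(/\s*,\s*/);
  var mask = ipToInt(parts[1]);
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(parts[0]) & mask) >>> 0);
}

function firstMatch(list, pred) {
  for (var i = 0; i < list.length; i++) if (pred(list[i])) return list[i];
  return null;
}

// Returns {proxy, rule}. "ip" stands in for dnsResolve(host), which only
// exists inside a real PAC runtime; pass undefined to skip network rules.
function classify(url, host, ip, r) {
  var lists = r || rules, hit, k;
  host = host.toLowerCase();
  hit = firstMatch(lists.GoodDomains, function (d) { return domainMatches(host, d); });
  if (hit) return { proxy: "DIRECT", rule: "GoodDomains " + hit };
  var checks = [
    ["BadDomains",        function (e) { return domainMatches(host, e); }],
    ["BadHostParts",      function (e) { return patternMatches(e, host); }],
    ["BadNetworks",       function (e) { return ip !== undefined && inNet(ip, e); }],
    ["BadURL_WordStarts", function (e) { return patternMatches(WORD_START + e, url); }],
    ["BadURL_WordEnds",   function (e) { return patternMatches(e + WORD_END, url); }],
    ["BadURL_Parts",      function (e) { return patternMatches(e, url); }]
  ];
  for (k = 0; k < checks.length; k++) {
    hit = firstMatch(lists[checks[k][0]] || [], checks[k][1]);
    if (hit) return { proxy: BLACKHOLE, rule: checks[k][0] + " " + hit };
  }
  return { proxy: "DIRECT", rule: null };
}

// Stand-alone run over constructed URLs: old rule set versus the 2012-02-20 one.
[
  ["http://www.trytrialaser.com/images/click.png", "www.trytrialaser.com"],
  ["http://example.org/bomberos", "example.org"],
  ["https://bbva.es/", "bbva.es"],
  ["http://falsobbva.es/", "falsobbva.es"],
  ["http://mail.example.ru/", "mail.example.ru", "194.186.88.45"]
].forEach(function (s) {
  console.log(s[0], "old:", classify(s[0], s[1], s[2], oldRules).proxy,
              "new:", classify(s[0], s[1], s[2], rules).proxy);
});
```

The false-positive mechanism is the square brackets: inside a character class "(", "|" and ")" are ordinary characters, so "[(j|p)]" matches any one of five characters rather than the alternation "(js|php)" it reads like, and "click.png" hits on the "p" (likewise "analytics.jpg" on the "j"). Splitting into two literal rules, as entries 17 and 29 do, sidesteps the question entirely. The bbva.es case shows the other edge of suffix matching: the dotted form protects against look-alike hosts but leaves the apex unprotected, the undotted form does the reverse.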