Rodney:

I realize you believe parkers are bad. They really aren't, and they aren't worth blocking. I looked at the lists you gave me some time back and have the following notes:

8.15.7.117 (I DID *NOT* HAVE THIS PARK IP ADDRESS):
===================================================

Park IP address with Tucows. Ones that would pique my interest are:

    webtrends.net        (ALIVE 63.88.212.87)
    www.webtrends.net    (ALIVE 216.64.169.222)
    www.wishbone.com     (ALIVE 216.234.246.158)
    www.xclicks.net      (ALIVE 70.85.223.162)
    www.your-videos.org  DEAD
    www.zcodec.com       DEAD

A lot of these are dead now. You usually don't stay on a park list forever.

The reason I know about wishbone.com is that the owner had conversations with me several years back. I still have it as a block, but when I did a wget on it I found that this IP address does a redirect to searchportal.information.com, which I block. So this IP address is probably part of what I term DomainSponsor_SearchPortal.Information. The other host involved is landing.domainsponsor.com, which I also block. SO, I am probably not going to block *.wishbone.com hosts any more; it is just that the guy has come back again and again before.

www.webtrends.net is still alive and in business. They used the shorter webtrends.net as a back-end entry to their "service". The back-end seems to be down right now. I get a chuckle out of them using QuantCast's data collector services:

    secure.quantserve.com/quant.js
    secure.quantserve.com/pixel/p-8djiDi4nHQF3M.gif

The Dead.txt file contains the dead hosts and the Parked.txt file contains the Parked hosts. I still cannot understand your fear of Parked hosts. In the cases where there are redirects, I normally handle them.
For example, in the cases of those that alias to or are redirected to park.funnel.revenuedirect.com.akadns.net I block both the host itself in the hosts file (for the redirect) and the IP addresses (for the aliases):

    // PARKFUNNEL - 2008-09-21
    BadNetworks[i++] = "66.150.161.44, 255.255.255.255";
    BadNetworks[i++] = "69.25.47.166, 255.255.255.255";

As another example, take the host www.lab-wire.com which has been parked with EST Domains. Now I don't like EST or many of their practices, but they have been stripped of their rights to sell IP addresses now so they are effectively gone. If you go to this host, you get redirected (which gives them their hit count for the www.lab-wire.com host) to:

    www.searchnut.com/?domain=refererdetect

Again, I block them. So does the MalWareDomain Lists file, MVPHosts, and everybody else. If you can show me a case of a redirect where there is a PARK IP address that I haven't handled properly (and in the most intelligent way of doing it), I WILL HANDLE IT! I prefer some approach that doesn't have me monitoring IP addresses. Why not? LOOK AT ALL THE DEAD AND PARKED HOSTS IN WHAT YOU GAVE ME (actually the dead count went up after I removed all of the hosts that had 0.0.0.0 or 127.0.0.1 for their IP address)!

    $ wc -l Dead.txt Parked.txt
    14273 Dead.txt
     5720 Parked.txt
    19993 total
    $ wc -l Host2IP.txt
    25210 Host2IP.txt

It almost matches the live count. AND I HAVE ADDED SEVERAL MORE PARK IP ADDRESSES SINCE THIS COUNT!

HANDLING THE PROBLEMS WITH PATTERN MATCHES WORKS BEST:
======================================================

(*** NEW ***) CASE 1: (MANY *.*TOOLBAR.COM HOSTS)
-------------------------------------------------

I handled the case of the *.*toolbar.com hosts with two rules:

    // next rule - all *.*toolbar.com hosts redirect to hosting.conduit.com
    BadNetworks[i++] = "66.77.197.154, 255.255.255.255"; // 2008-11-24
    BadDomains[i++] = "toolbar.com";                       // DNSWCDs - *.*toolbar.com

How many does that whack out of your file?
    $ grep -c toolbar.com Host2IP.txt
    2327

That is whittling it down. BTW, the partial list of hosts (just the wildcard domain names) is in the hhh*.txt file for the PAC filter, but they are in the ToolBarDomains.txt file. That was what I used to remove the hosts from Analysis.txt into ExistingRules.txt with code like the following:

    # one pass per wildcard domain: matching lines go to ExistingRules.txt,
    # everything else is written back to Analysis.txt
    cat ToolBarDomains.txt | while read DOMAIN
    do
        rm -f foo
        grep "${DOMAIN}" Analysis.txt >> ExistingRules.txt
        grep -v "${DOMAIN}" Analysis.txt > foo
        rm -f Analysis.txt
        mv foo Analysis.txt
        sync ; sync ; sync ; sleep 3
    done

CASE 2: (EXISTING BLOCKS OF AD SERVERS I ALREADY HAVE)
------------------------------------------------------

    BadDomains[i++] = ".hpg.com.br";
    BadDomains[i++] = ".hpg.ig.com.br";

Now here are the counts:

    $ grep -c hpg.com.br IP2Host.txt
    897
    $ grep -c hpg.ig.com.br IP2Host.txt
    1068

Blocking 1965 hosts with nothing but these two patterns is nothing to sneeze at.

(*** NEW ***) CASE 3: (ADSEL*.CU.IMGIS.COM & ADSEL*.IMGIS.COM)
--------------------------------------------------------------

    $ grep -c imgis.com IP2Host.txt
    162

So I added this rule:

    BadDomains[i++] = ".imgis.com"; // DNSWCD AdServeur

CASE 4: (*ADULT*)
-----------------

    $ grep -c adult IP2Host.txt
    317

    BadURL_Parts[i++] = "adult";

This rule is going to remain there for some time to come. It may have to drop to the host level but it is going to be there!

CASE 5: (*AMATEUR*)
-------------------

For some reason this rule got dropped. With a count of 43 at Malware Domain List's hosts file it is now reinstated. Here is how many we have here:

    $ grep -c amateur IP2Host.txt
    290

    BadURL_Parts[i++] = "amateur";

CASE 6: (*PORN*)
----------------

    $ grep -c porn IP2Host.txt
    1120

    BadURL_Parts[i++] = "porn";

This rule is very unlikely to drop to just the HOST level. I cannot think of an English word that has this as a pattern other than what it is short for.
CASE 7: (*FUCK*)
----------------

    $ grep -c fuck Analysis.txt
    206

    BadURL_Parts[i++] = "fuck";

CASE 8: (*anal[^oy]* AND *[^c]anal* RULES)
------------------------------------------

    $ grep -c anal IP2Host.txt
    229

Only 6 (4 canal, 2 analo) of your hosts slip through these rules. The latter two had NOTHING to do with porn.

CASE 9: (all other PAC non-IP PAC filter *Part* rules)
------------------------------------------------------

Rather than listing all of them, look at the two files named NoRegExpRemove.txt and RegExpRemove.txt. I used the patterns in these files to move the matching patterns in Analysis.txt into ExistingRules.txt. I did it with the following interactive shell script so you can see how to do it:

    # same idea as the toolbar.com loop, run once for each pattern file
    for FILE in NoRegExpRemove.txt RegExpRemove.txt
    do
        cat "${FILE}" | while read PATTERN
        do
            rm -f foo
            grep "${PATTERN}" Analysis.txt >> ExistingRules.txt
            grep -v "${PATTERN}" Analysis.txt > foo
            rm -f Analysis.txt
            mv foo Analysis.txt
            sync ; sync ; sync ; sleep 2
        done
    done

The rest of the hosts in Analysis.txt that didn't match these patterns are looked at for IP addresses to block (unless I can see other patterns). But consider how we have whittled things down by looking at the counts:

    14298 Dead.txt
     8043 Parked.txt
     8128 ExistingRules.txt
     9009 Analysis.txt
    -----------------------
    39478 total

I made a mistake in the fact that more parked hosts existed (see the IP analysis below). Also, the figure is a little misleading since the Parked.txt, ExistingRules.txt, and Analysis.txt files have duplicate entries for hosts that have more than one IP address. Still, reducing what we have to look at leaves us with only about 9009 / 39478 * 100 = 23% of what we started with.

NOW WE CAN LOOK AT IP RULES.

The nice thing about pattern match rules is that they live forever. Host names can come and go, IP addresses can change, and pattern match rules just continue to block like nothing has changed. Even if the host is parked they STILL block it! I LOVE PATTERN MATCHES!
HANDLING THE PROBLEMS WITH IP RULES ANALYSIS:
=============================================

Now for some more analysis. Again, I will take them one IP at a time. I have already done your 8.15.7.117 IP address. It is just that I stopped to do the pattern matches that reduce some of this considerably. By that I mean that I used these patterns to PHYSICALLY remove some of the stuff that I am looking at. IOW, why have a Porn malware IP rule when our block of "adult" and other terms handles it? They can pick up and move from one IP address to another, but they are stuck with the host names that they have.

38.113.1.116:
=============

    $ grep -c 038.113.001.116 Analysis.txt
    124

That is a lot of hosts. The only way you can be sure you have the real deal is to pull some of them down and look at them.

fishclix.com (have in my hosts file):
-------------------------------------

Tracker and banner pusher (YES, I analyzed their index.html file).

hypergurl.com:
--------------

Other than its use of pagead2.googlesyndication.com and feeds.feedburner.com, both of which I have in my hosts file, I cannot see what it is doing wrong. I think it is feeds.feedburner.com that causes Airelle to rate it as a tracker. It isn't worth blocking, and from what I see, not worth going to either. But then, all I ever look at is the index.html (or other file name if redirected) and any scripts a host uses.

hotelsiestaelsalvador.com:
--------------------------

Not a porn site as Airelle has it, but it is slowing my machine down like MAD! I cannot scroll the browser smoothly either. What is going on? Its biggest problem is that it is using Mootools - My Object Oriented JavaScript. It tracks where your mouse goes for context sensitive menus. In other words, it is BADLY coded. It is that tracking of the mouse that kills you. If you look at:

    www.hotelsiestaelsalvador.com/modules/ja_slideshow/ja-slideshow.js

you will see the use of random, an exploit. BADLY coded site. They just need to recreate their site with a better design.
I may block them myself until they come to their senses.

www.pleasuresforless.com:
-------------------------

Typical porn site - no exploits.

saphinhealth.com:
-----------------

No web site per se. It MAY have back end stuff. Hold on and I will check for that at MalwareDomainList. Nothing - doing a Google search. Have saphinhealth.com/vdzkg/bizar/bizar_15.html . Checking it out. Gone. This was probably a bad site. It isn't any more. I checked out several more scripts referenced by Google and all of them were gone too.

tangerineturtle.com:
--------------------

No JavaScript code at all? This site is misclassified by Airelle (no porn) and should NOT be blocked unless I am missing something. It does give you a unique Customer ID each time you go to them and counts how many people have visited. REMOVE THIS HOST! THERE IS NOTHING WRONG WITH IT!

SUMMARY:
--------

You are going to affect more good hosts than bad hosts. This is a misclassified IP address. There may be some bad hosts here. If there are, block them by host name only. I did several other hosts, all of them giving next to nothing.

63.251.179.13:
==============

ARE YOU SURE YOU HAVE THIS ONE RIGHT? I have only one host at this IP address! Maybe you meant 063.251.171.080 (63.251.171.80) and 063.251.171.081 (63.251.171.81) instead. I have a ton of them so I am going to look at them instead.

www.888casinoonet.com:
----------------------

An interactive DNS lookup (I tie isparked.c with my dck script that checks for the IP address of HOSTNAME.TLD and www.HOSTNAME.TLD at the same time) revealed that it was parked. I don't know what IP address triggered the "InternapNetworkServices2" PARK message, but I just got it and all it has is a call to tracker.tradedoubler.com (blocked by hosts file entry), so it is indeed parked.
I am going to have to add all of these addresses into that park domain I still don't have:

    063.251.171.080 888casinoonet.com
    063.251.171.080 888casinoonet.com (WWW)
    063.251.171.081 888casinoonet.com
    063.251.171.081 888casinoonet.com (WWW)
    066.150.161.136 888casinoonet.com
    066.150.161.136 888casinoonet.com (WWW)
    066.150.161.140 888casinoonet.com
    066.150.161.140 888casinoonet.com (WWW)
    066.150.161.141 888casinoonet.com
    066.150.161.141 888casinoonet.com (WWW)
    069.025.027.170 888casinoonet.com
    069.025.027.170 888casinoonet.com (WWW)
    069.025.027.173 888casinoonet.com
    069.025.027.173 888casinoonet.com (WWW)

SUMMARY:
--------

IGNORING - will add these IP addresses to my park files if I don't already have them. I tried mobilemice.com which is parked with a call to dotster.revenuedirect.com (which is really just an alias to park.funnel.revenuedirect.com.akadns.net which I block by IP, but I just added this host to my hosts file in case they change their IP address).

    www.islandfootcare.com - A PHP park redirect.
    ieservicetool.com      - a park with www.mydomain.com.

THEY ARE ALL PARKS! I am moving the remaining names associated with these two IP addresses from all other files they are in out of those files into Parked.txt!

64.237.52.114 ... 64.237.52.117:
================================

I would classify almost all of these as Rogue-ware. But my counts are much different than yours. In fact, I only have 47 of them in my IP2Host.txt file. That isn't enough for a block. That MAY be enough for a block if hundreds more are added to take the places of the ones that probably ended up in the PARK IP addresses. I don't think this is likely because Microsoft is pursuing and litigating against these scum - and they are having success! There are certain patterns I am looking at though:

    "antivir"   SHOWS GREAT PROMISE WITH WHITE-LIST
    "cleaner"   ???
    "registry"  SHOWS PROMISE
    "spy"       TOO SHORT
    "spyware"   PROMISE WITH WHITE-LIST

Now I don't have to worry about them picking up their web sites and moving to another IP address. I will still stop them if I use patterns. Now you know the beauty of patterns!

SUMMARY:
--------

Which of these patterns do you like? With Microsoft aggressively pursuing the rogue-ware vendors they have to be nimble now. In fact, I just don't think they are going to continue doing what they did to the level they did it. LET'S USE PATTERNS AND HOST BLOCKS!

64.255.161.102:
===============

I have already added the following BadDomain to the PAC filter:

    BadDomains[i++] = ".erasercash.com"; // DNSWCD AdServer - 2008-11-28

I cannot remember when I added it, but it was while looking at this stuff here, so I changed it to have today's date.

SUMMARY:
--------

DONE. And I don't care if they change their IP address. I still have them blocked.

66.150.161.44:
==============

GONE! There are no hosts at this IP address. In fact, I have only the following in the entire 66.150.*.* address space:

    066.150.014.022 zangocash.com (WWW)
    066.150.051.153 getfound.com (WWW)
    066.150.051.167 searchfeed.com (WWW)

SUMMARY:
--------

I imagine many of these are those hosts that have been removed from the .NU domain. Why do I say that? zangocash.com and zango.com are NOT good domains.

66.230.170.107:
===============

Either dying, parking, or existing rules brought the count down from 195 to 140. I TOOK DAYS TO DO THE HOSTS AT THIS IP ADDRESS! That was because I was TRYING to find something wrong and couldn't find ANYTHING wrong!

www.bikini-pics.com:
--------------------

No problems on Linux, but why so little? In the index.html file:

    pagead2.googlesyndication.com/pagead/show_ads.js

No wonder. The host exists just to show some ads (which I block by hosts file entry).

cumonmonica.com:
----------------

Nothing out of the ordinary. Just straight porn with no exploits.
hotmalepics.com:
----------------

It calls falconlive.com which knows enough to know exactly where you are at. It has links to sites that purport to give you something that is free for a few days - we know where that is headed - straight to an infected PC.

jeanie-rivers.com:
------------------

Links to refer.ccbill.com (used to have dialers and still has exploits) and promos.fling.com. promos.fling.com is a BAD HOST. But this one isn't doing anything wrong.

shemaletop100.com:
------------------

Calls track.vscash.com. Uses Math.random() in doing it, so thus it is an exploit. But there is no malware here.

taboo2000.com:
--------------

Nothing.

SYNOPSIS:
---------

None of the hosts I looked at had anything wrong in them. I finally ran a script to find who thought what hosts were bad. None of them were in MalwareDomainList's hosts file. That probably means they won't infect an MS Windows system. You would expect at least SOME of them to be there if they did infect Windows machines. There were NONE. The following hosts I analyzed (I actually did many more but didn't think to start recording them) were in Airelle's hosts.rsk file (remember that some are in the preceding list of hosts):

alcopestcontrol.com
    THIS SHOULD NOT BE BLOCKED!

alectrablue.com
    Looked at - no problem.

anna-kournikova-pic.com
    Looked at - they have paparazzifilth.com which I now block. They also had a pagead2.googlesyndication.com ad which I block. They have up a pop-up promos.fling.com JavaScript which I also block. But NONE of these other hosts are in this IP address space. NONE! I HAVE IT CONTAINED (and you can still look at the porn if you so choose - I choose not to).

anna-kournikova-picture.com
    Didn't I just do this host? No, this one has a JavaScript at ads.vs.com that it calls. Looking at it ... OOPS. I can't look at it because I already block it. For those that want it: back to looking at their porn. I just stopped anything that was going to harm them!

aria-giovanni-pic.com
    WHAT ON EARTH!
    This is a GoDaddy park host! Let's look at the IP address again. It is now 68.178.232.99, a GoDaddy PARK IP.

askmeni.com
    Calls hc2.humanclick.com - I have - blocked. Calls promos.fling.com - I have - blocked.

ava-vincent.com
    www.nscash.com/hit.php?s=2&p=2&w=101750&t=main
    I used to have them. I looked at the file and then attempted to pull down the JavaScript files used at nscash.com. They seem to still be running a clean act now.

You can see all of the hosts Airelle has in his hosts.rsk file in the file named 066_230_170_107.txt. Malware Domain List has NONE of these hosts. Most of the hosts are porn, but none in and of themselves seems to deliver malware - at least not that I could find. HAPPY SEARCHING! I AM TIRED OF IT!

SUMMARY:
--------

NOT BLOCKING except whatever is blocked by pattern or hosts file entries. Here are the new hosts file additions, which are the only thing to come out of this effort:

    paparazzifilth.com
    www.paparazzifilth.com

MOVING ON.

69.50.160.58-62, 69.50.161.163-170:
===================================

WHERE ARE THEY? My rules had NOTHING to do with their disappearance either. I have none in both Analysis.txt (reduced in size from IP2Host.txt by my rules) and IP2Host.txt. Here is the last remaining host starting with a pad 3 filled IP address starting with just 069.050.16 I had:

    069.050.166.196 spyware-cash.com (WWW)

SUMMARY:
--------

NOTHING TO BLOCK. DONE.

69.50.161.197:
==============

NO HOSTS LEFT AT THIS IP ADDRESS - THEY EITHER MOVED EN MASSE OR WERE PARKED.

SUMMARY:
--------

NOTHING TO BLOCK. DONE.

69.50.161.198:
==============

NO HOSTS LEFT AT THIS IP ADDRESS - THEY EITHER MOVED EN MASSE OR WERE PARKED.

SUMMARY:
--------

NOTHING TO BLOCK. DONE.

193.110.146.69:
===============

NOW WE HAVE SOMETHING! Well, at least we have some hosts to look at. But there is also a raft of hosts at 193.110.146.68 and 193.110.146.70 as well. I looked at oversexe.com which led to a script that subverted IE's controls over flash.
It called www.saxodvd.com/page/avantages.html. That page loaded www.saxodvd.com/page/telecharger.html. It (avantages) also called ktu.sv2.biz/sp2popup.js. That host is blocked. But in the telecharger.html file there is a function named ie_flash_workaround that subverts IE controls against loading the Flash Player controls. THAT IS AN exploit. Which leads me wondering what to do with saxodvd.com and IP addresses 193.110.146.068 and 193.110.146.070. The same thing occurred with zz-amateur.lemoncast.com. They are all inter-related and meshed together. By that I mean that they are all part of the FR-CARPE-DIEM group. Chuck them all in as far as I am concerned. Want to vote on it? I will submit it to the forum but for now they are there. I did lookups with several more hosts with the same results; exploits are rampant. I NEVER FOUND MALWARE THOUGH. So I am blocking based on their JavaScript behavior, not as a source of malware. But with that many exploits every time I turn around I am assuming the malware will follow.

SUMMARY:
--------

Added two rules:

    BadNetworks[i++] = "193.110.146.68, 255.255.255.254"; // PORN MALWARE - 2008-11-30
    BadNetworks[i++] = "193.110.146.70, 255.255.255.255"; // PORN MALWARE - 2008-11-30

207.246.158.16:
===============

This one is rather interesting. Here are the counts I have for the three files:

    Analysis.txt          34
    ExistingRules.txt    103
    --------------------------
    IP2Host.txt          137

I think that shows just how powerful the existing rules are.
I went here in the browser with this host and many others that were left in the Analysis.txt section:

    http://africa.black-space.com
    http://art.softcore-space.com
    http://bdsm.fetish-space.com
    http://beautiful.black-space.com
    http://www.black-space.com
    http://black.erosvillage.com      (blocked by "eros" start rule)
    http://booty.black-space.com      (redirs to ss.mtree.com/xtarc/590853/362/0/arg_tour=rex1?mta=100001)
    http://busty.black-space.com
    http://ebony.black-space.com
    http://erosvillage.com            (blocked by "eros" start rule)
    http://www.erosvillage.com        (blocked by "eros" start rule)
    http://fantasy.fetish-space.com
    http://fetish-space.com
    http://www.fetish-space.com
    http://fetish.erosvillage.com     (blocked by "eros" start rule)
    http://foot.fetish-space.com
    http://hairy.fetish-space.com
    http://leather.fetish-space.com
    http://models.softcore-space.com
    http://plumpers.fetish-space.com
    http://pregnant.fetish-space.com
    http://pretty.softcore-space.com
    http://softcore-space.com
    http://www.softcore-space.com
    http://softcore.erosvillage.com   (blocked by "eros" start rule)
    http://swimsuit.softcore-space.com
    http://tease.softcore-space.com
    http://tranny.fetish-space.com
    http://undies.softcore-space.com
    http://vixens.black-space.com
    http://weird.fetish-space.com

Almost all of them are redirecting me (those that didn't are noted with where they take you) to:

    http://www.mtreexxx.net/cpd/offer/404.html

I block that host and several others in the mtreexxx.net domain in my hosts file and have the "xxx" URL rule in the filter. IOW, I *AM* already stopping most of these with what I already have. But here is one that had a front end page:

    http://maleserver.com
    http://www.maleserver.com

(they take you to http://www.mtreexxx.net/cpd/freepass/?site=fh&cat=Gay if you click on the link)

In short, this IP is nothing more than a front-end for mtreexxx.net's porn service, which is a small portion of mtree.com.
Until I did these tests, I had NO *.mtree.* hosts at all in my PHTTP daemon logs! Need I say any more? This goes back over two years ago and I trusted what Mike Burgess (MVPHosts) came up with. It is still working like a champ. I had just never looked at it in detail. Now I am, so I picked one host:

    http://vixens.black-space.com

put the following rules in the PAC filters:

    GoodDomains[i++] = "mtreexxx.net";
    GoodDomains[i++] = "mtree.com";

and commented out ALL of the "*mtree*" hosts in the blocking hosts files, only to be surprised with a nice white page and this host in my block log:

    www.streamatelive.com/streamate/?mci=mt1x ...

So I commented out all *streamatelive* hosts in the hosts file and added one more rule in the PAC filter:

    GoodDomains[i++] = "streamatelive.com";

That was to counteract the "live" rule, but that rule has been removed. Imagine my surprise when I tried to go in there that I was stopped again and had the following blocks in the PHTTPD log:

    static.gfx.streamate.com
    www.streamate.com

So I continue on and deactivate all *streamate* hosts in the hosts file and add yet another rule to the PAC filter:

    GoodDomains[i++] = "streamate.com";

ARE WE GOING TO GET ANYWHERE NOW? Yes, we did. I am finally now at the https://secure.streamate.com/signup/ page. I noticed in WireShark that I went through secure.naiadsystems.com. Not being sure what they did, I blocked secure.naiadsystems.com, naiadsystems.com, and www.naiadsystems.com and tried it again to see what happens. This is STRANGE. I didn't get them this time and there was no block. I tried several times since and never got them again. Doing a little bit of research I came up with these URLs that indicate things aren't rosy:

    http://www.exterminate-it.com/malpedia/remove-naiadsystems-com
    http://www.exterminate-it.com/malpedia/remove-smartclicks-com

But I really could use that string with secure.naiadsystems.com to see what was going on there.
SUMMARY:
--------

Present blocks are good enough except for one thing. I am now also considering blocking secure.naiadsystems.com. I just need that darn string. I sense it and the other naiadsystems.com hosts are infectors, but without the proof, what can you do?

216.130.162.145:
================

SUMMARY:
--------

I may have jumped the gun, but most of these are in *.partie-privee.com and I saw enough that although I didn't see any malware, it had lots of exploits. ALL hosts at this IP address are in only the ExistingRules.txt and IP2Host.txt files. That is because I have already made this rule active:

    BadNetworks[i++] = "216.130.162.145, 255.255.255.255"; // PORN Malware - 2008-11-27

Good enough. ALL DONE. I am listening to BlueGrass music and enjoying life now.
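An added example, not code from this post or from the PAC filter it describes: a reduced model of the rule kinds used above (GoodDomains, BadDomains, BadURL_Parts with the Case 8 regexp pair, and BadNetworks) loaded with the post's own rule strings, showing why the whitelist has to run first (the streamate.com episode) and how the 255.255.255.254 mask on 193.110.146.68 also takes in .69 but not .71. The sink proxy address, the suffix-match semantics for BadDomains, and the DNS table of *.example hosts standing in for the browser's dnsResolve() are assumptions.

```javascript
// Added example, not the PAC filter's own source: a reduced model of the rule
// kinds used in this post with a constructed DNS table in place of the
// browser's dnsResolve() so it runs under node.  Rule strings come from the
// post; the host names in the DNS table are constructed.
const BLACKHOLE = "PROXY 127.0.0.1:3421"; // assumed: any unreachable local port serves as a sink

// Whitelist, checked before anything else (what the streamate.com episode needed).
const GoodDomains = ["mtreexxx.net", "mtree.com", "streamatelive.com", "streamate.com"];
// Host suffix match; a leading dot means "subdomains only" (assumed semantics).
const BadDomains = ["toolbar.com", ".hpg.com.br", ".hpg.ig.com.br", ".imgis.com", ".erasercash.com"];
// Case-insensitive substring anywhere in the URL.
const BadURL_Parts = ["adult", "amateur", "porn", "fuck", "xxx"];
// Case 8: both patterns must match (the AND in the heading), so canal/analog slip through.
const BadURL_RegExpGroups = [[/anal[^oy]/i, /[^c]anal/i]];
// "ip, mask" pairs; 255.255.255.254 covers two addresses (.68 and .69 here).
const BadNetworks = [
  "66.150.161.44, 255.255.255.255", "69.25.47.166, 255.255.255.255",
  "193.110.146.68, 255.255.255.254", "193.110.146.70, 255.255.255.255",
  "216.130.162.145, 255.255.255.255",
];
// Constructed DNS table standing in for dnsResolve(); unknown hosts resolve to undefined.
const DNS = {
  "parked.example": "66.150.161.44",
  "low.example": "193.110.146.69",
  "high.example": "193.110.146.70",
  "next.example": "193.110.146.71",
};

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Same contract as the PAC built-in isInNet(host_ip, network, mask).
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function domainMatches(host, dom) {
  return host.endsWith(dom);
}

function FindProxyForURL(url, host, resolve = (h) => DNS[h]) {
  const h = host.toLowerCase();
  const u = url.toLowerCase();
  if (GoodDomains.some((d) => domainMatches(h, d))) return "DIRECT";
  if (BadDomains.some((d) => domainMatches(h, d))) return BLACKHOLE;
  if (BadURL_Parts.some((p) => u.includes(p))) return BLACKHOLE;
  if (BadURL_RegExpGroups.some((group) => group.every((re) => re.test(u)))) return BLACKHOLE;
  // Name-based rules ran first, so the DNS lookup is only paid for what is left.
  const ip = resolve(h);
  if (ip !== undefined) {
    for (const rule of BadNetworks) {
      const [net, mask] = rule.split(",").map((s) => s.trim());
      if (isInNet(ip, net, mask)) return BLACKHOLE;
    }
  }
  return "DIRECT";
}
```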