30 November 2008 Changes (HHH)
------------------------------

1. Action: "sex"
   From:
     BadURL_WordStarts[i++] = "sex";
     BadURL_WordEnds[i++] = "sex";
   To:
     BadHostWordStarts[i++] = "sex";
     BadHostWordEnds[i++] = "sex";
   Reason: http://www.mayoclinic.com/health/female-sexual-dysfunction/DS00701

2. Action: Removal of white list rules and some "Bad" rules
   Removed:
     GoodDomains[i++] = "1800flowers.com";
     GoodDomains[i++] = ".akamai.net"; // "17" & "18"
     GoodDomains[i++] = ".aol.com";
     GoodDomains[i++] = ".aolcdn.com";
     GoodDomains[i++] = "apple.com";
     GoodDomains[i++] = ".avast.com"; // "17" & "18"
     GoodDomains[i++] = ".avgate.net"; // "17" & "18"
     GoodDomains[i++] = ".coolclips.com";
     GoodDomains[i++] = ".ebony.com";
     GoodDomains[i++] = "ebonyjet.com";
     GoodDomains[i++] = "filtersetg.com";
     GoodDomains[i++] = "indigipix.com";
     GoodDomains[i++] = ".mqcdn.com"; // "17" && "18"
     GoodDomains[i++] = ".over-blog.com"; // "17" && "18"
     GoodDomains[i++] = "phillips.com";
     GoodDomains[i++] = "phillips.fr";
     GoodDomains[i++] = ".photobucket.com"; // "17" && "18"
     GoodDomains[i++] = ".vegas.com"; // "vegas"
     GoodDomains[i++] = "visitlasvegas.com"; // "vegas"
     GoodDomains[i++] = "webbweavers.com"; // "bbw"
     --------------------------------------
     // BadHostWordStarts[i++] = "live"; // YOUR CHOICE
   Reason: Usually what caused a problem were the porn rules "17" and "18", but since they are gone, they should not have any problems. We may need to put them back in but, who knows. For now I am just commenting a lot of these out. If they need to be put back in I will just uncomment them.

3. Action: Refused access to AVG registration
   Added:
     GoodDomains[i++] = ".avg.com"; // "[^g]free[^d]"
   Reason: http://registration-free.avg.com/... I realize that this only occurs if they activate the "[^g]free[^d]" rule, but you have to assume some people will activate that rule.

4. Action: Handle all dwnld1.com aliases
   Added:
     BadNetworks[i++] = "67.228.177.143, 255.255.255.255"; // dwnld1.com_1 - 2008-11-13
     BadNetworks[i++] = "67.228.177.146, 255.255.255.255"; // dwnld1.com_2 - 2008-11-13
   Reason: I can't handle every picayune alias that downloads trash that is supposed to protect Windows machines but does exactly the opposite. This one will handle at least some of them. Here are some URLs on them:
     http://safeweb.norton.com/report/show?name=bestguardownload.com
     http://malwaredomains.com/?p=313

5. Action: McColo debacle
   Added:
     BadNetworks[i++] = "208.66.192.0, 255.255.252.0"; // McColo - 2008-11-16
   Reason: SPAM debacle over? I doubt it. I knew about them over two years ago. It's this pesky group that started out in Colorado (but are probably really in Moscow, Russia) that is filling my Comcast email box with SPAM. At least their ads aren't for male enhancement products I don't need.

6. Action: Removed temporary IT block
   Removed:
     BadNetworks[i++] = "194.242.61.128, 255.255.255.255"; // TEMP
   Reason: This was meant to be only a temporary block for one web server. I believe they should have fixed the problem by now. If not? C'est la vie.

7. Action: Modified Russian Malware rule to be active.
   From:
     // BadDomains[i++] = ".ru"; // YOUR CHOICE - MalWare
   To:
     BadDomains[i++] = ".ru"; // YOUR CHOICE - MalWare
   Reason: I need something to put on my advertising shirts and calling cards. What better way is there to do that than to say we block both China and Russia? Seriously though, the counts are:
     hosts.rsk: 1025
     MalWareDomainList: 281
   That isn't pocket change, people! For myself that means I will have to comment out the Russia rule. That proves it isn't a personal decision. I would like to leave it commented out, but I am on Linux, not Windows.

8. Action: Added rule for Hong Kong domain.
   Added:
     // BadDomains[i++] = ".hk"; // YOUR CHOICE - MalWare
   Reason: It certainly is warranted by McAfee and other reports but not by the counts we have in our files. I cannot put it in any way other than this.

9. Action: Removed PERSONAL RealMedia rule
   Removed:
     BadNetworks[i++] = "96.17.111.8, 255.255.255.128"; // ALLMINE RealMedia
   Reason: http://www.wcsh6.com FALSE POSITIVE, IP addresses 96.17.111.11 & 96.17.111.67. THIS ONE ILLUSTRATES JUST WHY YOU NEED TO HAVE ONLY ONE OR TWO EXPERIMENTAL RULES SPREAD ACROSS PEOPLE! Now that it is shifted from Porn to Ads, maybe this will be possible. You need to do the same thing with the Ads, BUT do NOT WORK THROUGH THEM LINEARLY. Here are the ones identified with hit counts in AdBlock Plus that I am looking at:
     .atdmt.com
       # BE CAREFUL!
       # the block of the whole domain may be dangerous. I
       # do not block either switch.atdmt.com or clk.atdmt.com
       # because of their effect on Hotmail signup and MSN
       # Messenger respectively.
     .ic-live.
       # isn't [www.]ic-live.com enough?
     kontera
       # think we have all of them BUT will add
     /ads/*$~stylesheet
       # how to do?
     adserv
       # host start rule will add
     pagead.$~other,~object-subrequest
       # I don't know how to do this but isn't just blocking
       # the next two hosts enough?
       # pagead.googlesyndication.com
       # pagead2.googlesyndication.com
       # I don't know of any other pagead* hosts.

10. Action: Activated HITBOX rule for everybody
    From:
      BadNetworks[i++] = "64.154.80.0, 255.255.252.0"; // ALLMINE HITBOX - 2008-11-06
    To:
      BadNetworks[i++] = "64.154.80.0, 255.255.252.0"; // YOUR CHOICE HITBOX - 2008-11-17
    Reason: I realize it looks like it is premature, but it isn't. It is just that I have this feeling that after seeing many more hosts that are a.*.* (a.divinecaroline.com, a.spicetv.com, a.taunton.com, etc. AND OTHERS) that hitbox.com aliases are going to be pelting us now. We will just have to handle the false positives as we get them. I REALLY don't believe we are going to have any. I think they have this entire address space. If you need to, look at the Hitbox.txt file in the Hosts/Aliases folder as proof. I am adding scores of IP addresses to it, and they are ALL in this space. If I need to, I will regenerate this whole thing.

11. Action: Phorm.com ad network block (similar to NebuAd)
    Added:
      BadNetworks[i++] = "89.145.112.0, 255.255.254.0"; // Phorm.com - 2008-11-19
    Reason: Mentioned in the same breath with NebuAd? WHERE IN THE WORLD DOES THIS STUFF STOP? HERE!

12. Action: Removed lone "imrworldwide" IP rule.
    Removed:
      BadNetworks[i++] = "80.80.13.194, 255.255.255.240"; // imrworldwide
    Reason: I could have listed this as a "change" rule but there is more to it than that. I expanded this rule to match their given IP address space, but also added 13 more IP rules.

14. Action: Added the top 14 IP ranges for imrworldwide (Nielsen ratings) hosts.
    Added:
      BadNetworks[i++] = "61.129.48.64, 255.255.255.128"; // imrworldwide_04 - 2008-11-21
      BadNetworks[i++] = "61.152.112.60, 255.255.255.128"; // imrworldwide_08 - 2008-11-21
      BadNetworks[i++] = "61.213.156.128, 255.255.255.224"; // imrworldwide_10 - 2008-11-21
      BadNetworks[i++] = "62.189.244.224, 255.255.255.224"; // imrworldwide_06 - 2008-11-21
      BadNetworks[i++] = "69.80.200.192, 255.255.255.192"; // imrworldwide_11 - 2008-11-21
      BadNetworks[i++] = "80.80.13.192, 255.255.255.192"; // imrworldwide_01 - 2008-11-21
      BadNetworks[i++] = "203.21.27.0, 255.255.255.224"; // imrworldwide_12 - 2008-11-21
      BadNetworks[i++] = "203.166.18.0, 255.255.255.0"; // imrworldwide_02 - 2008-11-21
      BadNetworks[i++] = "203.166.110.160, 255.255.255.224"; // imrworldwide_07 - 2008-11-21
      BadNetworks[i++] = "208.184.36.64, 255.255.255.224"; // imrworldwide_14 - 2008-11-21
      BadNetworks[i++] = "210.51.186.0, 255.255.255.128"; // imrworldwide_09 - 2008-11-21
      BadNetworks[i++] = "210.80.139.0, 255.255.255.0"; // imrworldwide_05 - 2008-11-21
      BadNetworks[i++] = "210.80.177.0, 255.255.255.0"; // imrworldwide_03 - 2008-11-21
      BadNetworks[i++] = "212.239.41.96, 255.255.255.224"; // imrworldwide_13 - 2008-11-21
    Reason: To catch any aliases that they have. This will do it for both Northern Europe and the US. It may cover IT and FR as well.

15. Action: Second InstaContent Rule EXPANDED
    From:
      BadNetworks[i++] = "216.38.160.0, 255.255.248.0"; // instacontent_2
      // BadNetworks[i++] = "216.38.160.0, 255.255.240.0"; // instacontent_2_ALT
    To:
      BadNetworks[i++] = "216.38.160.0, 255.255.240.0"; // instacontent_2
      // BadNetworks[i++] = "216.38.160.0, 255.255.248.0"; // instacontent_2_ALT
    Reason: The 248 rule only gave an IP range of 216.38.160.0 to 216.38.167.255. I never had a problem with the extended rule, and it goes from 216.38.160.0 to 216.38.175.255. Actually I don't care about anything after the 216.038.169.* hosts, but at least the bigger rule handles them (with no false positives so far).

16. Action: *.*toolbar.com
    Added:
      // next rule - all *.*toolbar.com hosts redirect to hosting.conduit.com
      BadNetworks[i++] = "66.77.197.154, 255.255.255.255"; // 2008-11-24
      BadDomains[i++] = "toolbar.com"; // DNSWCDs - *.*toolbar.com
    Reason: Rodney sent me stuff that had a load of these. Some of them are (hopefully will be were):
      *.communitytoolbars.com
      *.forumtoolbar.com
      *.greattoolbars.com
      *.loyaltytoolbar.com
      *.media-toolbar.com
      *.myblogtoolbar.com
      *.mycitytoolbar.com
      *.mycollegetoolbar.com
      *.myfamilytoolbar.com
      *.myforumtoolbar.com
      *.mylibrarytoolbar.com
      *.myradiotoolbar.com
      *.mystoretoolbar.com
      *.myteamtoolbar.com
      *.mytowntoolbar.com
      *.myuniversitytoolbar.com
      *.myxangatoolbar.com
      *.ourchurchtoolbar.com
      *.ourtoolbar.com
    They are ALL DNSWCDs (DNS WildCard Domains) that alias to hosting.conduit.com. You can't block them by just blocking this end host though. You have to block what is called. If people have badly set install perms on their browsers or aren't watching, they will get a toolbar they don't want. MalWareDomain hasn't escalated it to the level of malware yet. I do. It is unwanted code that can be injected ON ALL PLATFORMS! That includes both Linux and Macs as well as Microsoft Windows.

17. Action: Added DNSWCD AdServer BLOCK
    Added:
      BadDomains[i++] = ".erasercash.com"; // DNSWCD AdServer - 2008-11-28
    Reason: 268 of them in a list Rodney sent to me. Do they actually have a log of all these? I never see them.

18. Action: Added DNSWCD AdServer BLOCK
    Added:
      BadDomains[i++] = ".imgis.com"; // DNSWCD AdServer
    Reason: 162 of them in a file that Rodney sent me.

19. Action: "amateur" rule
    Added:
      BadURL_Parts[i++] = "amateur";
    Reason: That is what we had, and the count in the Malware Domain List's hosts file is:
      15 end
      25 start
      43 total
    I have no idea why I removed it. Its count is quite high. There are some overlaps, with some being in both start and end, with all being in the total. Since it was a URL rule, it goes back in as a URL rule UNTIL WE HAVE A FALSE POSITIVE. When that happens, we drop back to the host level.

20. Action: New links in SPAM rule
    Added:
      BadNetworks[i++] = "128.168.144.0, 255.255.240.0"; // SPAM - 2008-11-26
    Reason: A DNS lookup of the embedded link host durationcondemned.net gave IP address 128.168.144.002 (128.168.144.2). A whois of that IP address yielded Park Vista Media, which has been allocated the IP address space 128.168.144.0 ... 128.168.159.255.

21. Action: Porn Malware IP rule
    Added:
      BadNetworks[i++] = "216.130.162.145, 255.255.255.255"; // PORN Malware - 2008-11-27
    Reason: Rodney came up with them, but 216.130.162.145 primarily blocks the *.partie-privee.com domain. I did come up with one host that led to malware, but I couldn't find anything wrong with the host itself. I used one of the few that could make it through the present rule set:
      x-asiatiques-ejac.partie-privee.com
    All I came up with was a tracker:
      hyip-detective.com
      www.hyip-detective.com
    which I have added to my blocking hosts file. Everything else that I tried to find wrong turned up negative. IOW, I will be HAPPY to remove the 216.130.162.145 rule! The others are probably fine as long as they stay put. IS THIS ONE MISCLASSIFIED?

22. Action: "adult" rule demoted in proxy.txt / dbgproxy.txt
    From:
      BadURL_Parts[i++] = "adult";
    To:
      BadHostParts[i++] = "adult";
    Reason: www.browserdefender.com/res/images/threatexpert/adult.gif I am sure there are a lot more than this. I also had it at OpenDNS, etcetera. I told you this would happen. If I had false positives ... I was trying to look up information on *.saxodvd.com. It looks like there is enough in what I have found about saxodvd.com to block them all for exploits. More about that in the rule add. This rule change applies only to proxy.txt / dbgproxy.txt. pornproxy.txt retains the block of this pattern at the URL level.

23. Action: Blocking Porn malware and FR-CARPE-DIEM exploits
    Added:
      BadNetworks[i++] = "193.110.146.68, 255.255.255.254"; // PORN MALWARE - 2008-11-30
      BadNetworks[i++] = "193.110.146.70, 255.255.255.255"; // PORN MALWARE - 2008-11-30
    Reason: In reality, there are multiple exploits throughout the carpediem.fr IP address space. Even MalwareDomainList have kit.carpediem.fr and media.carpediem.fr. If you don't like these rules, vote on them! I am confident if you start looking at the content of some of the hosts and the abusive JavaScripts you will come to the same conclusion - BLOCK them. Yes, some of it may be just innocent (okay - not flaming red guilty) porn sites, but the majority I looked at had one exploit after another - ENOUGH.

24. Action: A rule for rotator.adjuggler.com aliases
    Added:
      BadNetworks[i++] = "64.237.103.151, 255.255.255.255"; // adjuggler.com - 2008-11-30
    Reason: Blocks aliases to rotator.adjuggler.com

25. Action: MORE SPAM
    Added:
      BadNetworks[i++] = "64.86.95.25, 255.255.255.255"; // SPAM - 2008-11-30
    Reason: One oddball in my spam at comcast.net. They are still primarily using 128.168.144.2. Maybe this one was a feeler.

X. Action:
   Added:
   Reason:

X. Action:
   Removed:
   Reason:

X. Action:
   From:
   To:
   Reason:

30 November 2008 UNresolved False Positives (HHH)
-------------------------------------------------

X. Pattern:
   Rules:
   Reason:

30 November 2008 RESOLVED False Positives (HHH)
-----------------------------------------------

X. Pattern:
   Rules:
   Reason:
   Solution:
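The netmask arithmetic behind items 15 and 20, the false positive in item 9, and the leading-dot convention of the GoodDomains/BadDomains lists (items 16 to 18) can be checked with a small evaluator. This is an added example, not the proxy.txt code itself; the rule strings are taken from the entries above, but the function names, the "leading dot means subdomains only" reading of the domain lists and the whitelist-before-blocklist order in decide() are assumptions.

```javascript
// Parse "a.b.c.d" into an unsigned 32-bit integer (">>> 0" keeps it unsigned in JS).
function ip4ToInt(ip) {
  const parts = ip.trim().split(".");
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return parts.reduce((acc, p) => ((acc << 8) | Number(p)) >>> 0, 0);
}

function intToIp4(n) {
  return [24, 16, 8, 0].map(s => (n >>> s) & 255).join(".");
}

// A BadNetworks entry is "network, mask" in one string. Return the inclusive
// address range it covers, as the changelog does by hand for item 15.
function networkRange(rule) {
  const [net, mask] = rule.split(",").map(s => s.trim());
  const m = ip4ToInt(mask);
  const start = (ip4ToInt(net) & m) >>> 0;
  const end = (start | (~m >>> 0)) >>> 0;
  return { start: intToIp4(start), end: intToIp4(end) };
}

// True when ip falls inside the "network, mask" rule (mask applied to both sides,
// so a rule written with host bits set, like 96.17.111.8/.128, still works).
function ipInNetwork(ip, rule) {
  const [net, mask] = rule.split(",").map(s => s.trim());
  const m = ip4ToInt(mask);
  return ((ip4ToInt(ip) & m) >>> 0) === ((ip4ToInt(net) & m) >>> 0);
}

// Assumed domain-list semantics: ".erasercash.com" (leading dot) matches only
// hosts below that domain; a bare "toolbar.com" is a plain suffix and so also
// catches the *.*toolbar.com DNS wildcard domains listed in item 16.
function domainMatches(host, rule) {
  host = host.toLowerCase();
  rule = rule.toLowerCase();
  if (rule.startsWith(".")) return host.length > rule.length && host.endsWith(rule);
  return host === rule || host.endsWith(rule);
}

// Assumed decision order for one request: GoodDomains wins, then BadDomains,
// then BadNetworks on the resolved address. All three lists are passed in.
function decide(host, ip, goodDomains, badDomains, badNetworks) {
  if (goodDomains.some(r => domainMatches(host, r))) return "DIRECT";
  if (badDomains.some(r => domainMatches(host, r))) return "BLOCK";
  if (badNetworks.some(r => ipInNetwork(ip, r))) return "BLOCK";
  return "DIRECT";
}
```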