
Hosts File Block Lists


Just a note that disappeared some time ago and hasn't been since :(

Probably worth noting that some of the sites in that list are likely compromised 'credible' sites, and may have been repaired since having been reported to MDL. Thus, you may end up blocking (some) legitimate content.


Malware Patrol


--- Quote from: redwolfe_98 on February 19, 2008, 06:25:36 am ---john, i wish you would provide a HOSTS file with all of the malware-links that are listed at "malware domain list"..

--- End quote ---

My hosts files (that is plural) are a super-set of this file here which JohnC quoted as authoritative:

These hosts are used as a partial inclusion (Airelle provides most of the other stuff I need) in my hosts files.  Note that is plural.  There are additional hosts that go into the file for Windows that don't go into the one for Unix (but those hosts are provided as additions you can just tack on). I am sorry, but I have switched to 7-Zip as my default format because it has much better compression than zip or gzip, and is usually better than bzip2.  I also got tired of all the different formats.  Wait until you put all that stuff up and you begin to understand.  Here is where my hosts files are available and they are identical on both servers (one is mine, the other one belongs to Eric Phelps):

There is more to it than that though.  There are several reasons I am volunteering to help by running your hosts through DNS and providing an altered hosts file with other stuff for you.  First, you have enough to do.  But one reason for helping is you cannot block an IP address in a hosts file.  You can block an IP address in a PAC filter (or a proxy).  But remember that the perps change their IP addresses CONSTANTLY.  Hosts come and go - the volatility is what they are counting on to keep us off guard.  But the IP addresses I am generating for you do go into consideration for inclusion in my PAC (Proxy Auto Configuration) block lists (in fact the hosts here are number one for being considered of all IP addresses after the spies who are usually much more stable).  Here is where the PAC filters are at:

When I say consideration there are some problems.  Are the IP addresses the hosts map to stable?  Usually, they aren't.  Rodney is swamped with what he is doing to help Airelle in France.  You should talk to him but I do know he is using the following tools on Windows to do his DNS work (I wish he understood not to regenerate all the time).  I would have sworn that Excel could let you exclude to a given range on the IP addresses and then save that to a new file.

1. HostTool
2. DNSLint
3. CIP500 (for the exceptions)

He gives me XLS files, but being the clever monkey I am, I just extract them with strings on Linux (much safer place to make blocks for this stuff - just blow your browser config away, regenerate and go again) into my ASCII text files.  But his lists are usually too big for what I am doing and the sources he has are frequently questionable.  It goes without question however that the stuff at MalwareDomainList is or at least was a significant threat.  I still take a dim view of IP addresses though.  You are better off using patterns instead since they only change when "chicken" goes out of fashion and "tube" comes into fashion.  Yes, I am considering that as a new host block pattern and chicken went out of fashion years ago. Now you know what I do.  Believe it or not, most of your hosts that are bad here do show a pattern and it is pornography (country insensitive and yes I know the words in all the Romance languages - severe problems with Deutsch and Nederlander).  Fortunately I also know a lot of the good words in the Romance languages as well.  In fact I can usually read in them.  I am quickly picking up Espanol (Castilian dialect) in spoken form.  It is interesting to learn languages in reverse.  Usually you learn how to hear / speak it before learning how to read it.

Rest assured of one thing - the hosts file of MalwareDomainList will be a featured inclusion of my hosts file as long as MalwareDomainList continues to exist.  I have noticed that Mike Burgess (MVPHosts) also frequently includes hosts you discover.  Airelle includes everybody with some goading from me to see that something he is doing is wrong to prune it down.  Sometimes I wonder if he is the Américain and I am the Français! For example, you usually don't want to block Akamai servers since a block by host name needs to be the actual name of the host being used (frequently a CNAME / alias) rather than what it is aliased to.

Does this answer your question?
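The PAC approach described in the post above, as an added example that is not the poster's own filter: a FindProxyForURL() that black-holes requests by host-name pattern and, unlike a hosts file, by IP range. The patterns, host names and CIDR ranges are constructed placeholders (RFC 5737 documentation ranges), and decide(), ipToInt() and inCidr() are hypothetical helpers split out so the logic also runs outside a browser.

```javascript
// Added example, not from the post: a minimal PAC filter that black-holes
// requests by host-name pattern and by IP range, which a hosts file cannot do.
// All patterns, hosts and IP ranges below are constructed placeholders.

// Host-name patterns (regular expressions), the "pattern" approach the post prefers.
var BLOCK_HOST_PATTERNS = [
  /(^|\.)bad-example\.invalid$/i,   // an exact host and its subdomains
  /tube[0-9]*\./i                   // a substring pattern like the post's "tube" idea
];

// IP ranges in CIDR form. A hosts file maps names only, so address rules live here.
var BLOCK_IP_RANGES = [
  "192.0.2.0/24",     // TEST-NET-1, documentation range
  "198.51.100.0/24"   // TEST-NET-2, documentation range
];

// Where blocked requests go: a proxy address nothing listens on, so the request
// fails fast instead of reaching the site (port 1 is conventional for black-holing).
var BLACKHOLE = "PROXY 127.0.0.1:1";

// Dotted-quad IPv4 string to an unsigned integer, or null if it is not one.
function ipToInt(ip) {
  var p = ip.split(".");
  if (p.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var o = parseInt(p[i], 10);
    if (isNaN(o) || o < 0 || o > 255 || String(o) !== p[i]) return null;
    n = n * 256 + o;
  }
  return n;
}

// Portable replacement for PAC's isInNet(): true if ip falls inside cidr.
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var base = ipToInt(parts[0]);
  var addr = ipToInt(ip);
  var bits = parseInt(parts[1], 10);
  if (base === null || addr === null || isNaN(bits)) return false;
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

// The decision logic, kept apart from FindProxyForURL so it can be tested
// outside a browser. resolvedIp is null when the name was not resolved.
function decide(host, resolvedIp) {
  var i;
  for (i = 0; i < BLOCK_HOST_PATTERNS.length; i++) {
    if (BLOCK_HOST_PATTERNS[i].test(host)) return BLACKHOLE;
  }
  // An IP literal used as the host, or the resolved address, is matched against ranges.
  var ip = ipToInt(host) !== null ? host : resolvedIp;
  if (ip) {
    for (i = 0; i < BLOCK_IP_RANGES.length; i++) {
      if (inCidr(ip, BLOCK_IP_RANGES[i])) return BLACKHOLE;
    }
  }
  return "DIRECT";
}

// The entry point a PAC-capable browser calls. dnsResolve() exists only inside
// the browser's PAC engine, so it is used when present and skipped otherwise.
function FindProxyForURL(url, host) {
  var resolved = null;
  if (typeof dnsResolve === "function" && ipToInt(host) === null) {
    resolved = dnsResolve(host);
  }
  return decide(host, resolved);
}
```

Inside a browser the PAC engine supplies dnsResolve(), so the IP rules apply to every request; outside it they only apply to literal addresses. Each IP rule costs a lookup per request and, as the post says, the addresses move constantly, which is why the name patterns are the primary list here and the address ranges the smaller secondary one.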

True to my promise, I have pruned your hosts.txt file of 2008-11-19.  I will take a brief period to update my hosts file from the additions you had back to the time I previously used your hosts.txt file (it looks like that was Oct. 27 and your additions from then until 19 Nov are in this hosts.txt file if they are still alive and not parked) to look for things I think I need to add to my hosts file.  Rest assured of one thing - if the host leads to malware it leads to a block by me.  Where I run into problems is when the link you had to the problem disappears but the host is not dead or parked and especially if it doesn't have a ~/index.html worth anything. Usually I continue to block it since where there was one there will be another until the host is either dead or parked.  Here is where you can pull down the hosts file from that point in time (this is THE MAJOR snap point!) :

Pick your poison of zip format.  I also pruned the one duplicate you have and took out the three hosts that had port numbers after them since even with the extensions made in DNS in the RFCs to allow any amount of underscore ( _ ) characters, it still doesn't include the colon character.  The colon character is only used to specify a port number and is thus not a part of the host name. There is no way I know of to remap any given port to another port (e.g. to 80) since the stuff that is going back and forth isn't the same on the different ports. If you don't have something listening on port 8080 (or the killer - 443), then you just have to live with the delay. The colon is only a host / port separator and it doesn't belong in a hosts file.  You are of course free to add them back in if you desire.  These entries are in the Dupes.txt file.  I use my ckdupe.c program to both check for duplicates and spit out the list of hosts you have that are aliases to localhost.

I will follow up in a day or so with much the same as in the folder above, but any of the stuff involving the IP addresses will be only the ones you add from this snap point going forward.  I will give any removals you have in a remove list (usually out_YY_MM_DD.txt) and the additions will just be given with same files as here, with the additional hosts that are still alive and not parked just being added to this hosts.txt file with the header changed.  That means that particular hosts.txt file will be a snap point for that point in time.  BUT THE MAJOR SNAP DATE IS 19 NOVEMBRE 2008. I had to pick something and this is what it is.  It is sort of like the NeXT computer's snap point for its date actually being into the future rather than 1970 for start of time.  Actually, its YYYY-MM-DD zero point is now in the past. So is the NeXT machine.  Well, not really - the Mac OS-X is the successor.  I had to pick something though.

I am only going to do this for a little while.  It is too much work with everything else I have to do.  For example, I am still considering the "tube" pattern for a block in the PAC filter - there are just too many of them and most of them lead to malware, or at least it seems that way. I will warn you that Mike Burgess (MVPHosts) and myself remove / add around 800-1000 hosts per month.  hpHosts and the other larger files are worse (and need more people).  I have no idea how Airelle (the largest workable version) does it except to say that without the help of Rodney (Domain Analysis) and some observations from me he probably couldn't do it.  My hosts file exists not as a major contributor (although I discover a lot) but as an accoutrement to the PAC filter which can reduce the size of the hosts blocks considerably (with the unavoidable false positives).  But this download gives you a good indication of the volatility you are facing.  I will wait until your next update that doesn't precede me by several days (the one I am looking at right now is already three days old :  Wed, 10 Dec 08 13:14:53 +0000) and work on the adds from this point in time to that point in time and just remove (without checks) anything you remove.  By that I mean I will wait until I notice it is updated that very day.  That will give me a day or so to process the removals / additions.  I will NOT just add what you have added!  They can be neither dead nor parked for me to add them.  You gain nothing by doing that other than a huge hosts file that becomes unmanageable and eventually blocks fewer and fewer threats.  I would log your additions some place so you can take that file and just add it in to whatever I give to you with the additions from that minor snap point going forward. The way I see it, you won't need me in just a few iterations of this.  I will also give you what I am removing vis-a-vis from Mike Burgess removals (which I may have already removed with what I did here).
Some you won't even have since it will be a browser exploit, a tracker or something else that isn't malware.  I cannot understand him removing hosts that still lead to malware just because the browser exploit he focuses on is no longer there.  I guess he feels the AV packages will catch it.  Most of the stuff I catch that looks interesting takes weeks, months, or even over a year (my record is 1-1/2 years) before the AV vendors finally detect them.  I am sorry - no copyright?  Your exe file is now guilty until proven innocent. But Mike also blocks things like and just because they have some 1x1 tracking GIFs.  There is nothing wrong with that - so do I.  But he doesn't block  I had too much to do until now, but I just noticed it has a pop-under.  Yes, this popunder is controllable by the pop controls in most browsers (as long as the idiot user has turned on pop controls).  I cannot count on any given user to do that so this host was just added to both of my hosts files.  You can't catch everything though - but we try.

Well, back to work looking at your additions you made back in November.  I will look at your new file whenever it becomes available.  The one you have now is already three days old and I don't know how many entries you have added / removed since then.  I will just wait until a fresh new (well within the past 24 hours) copy of your hosts.txt file comes out to work on it.  This one won't take as long since I will only look at the changes.  I cannot be responsible for the current live hosts not going dead or being parked.

If you catch a parker that I don't control (some are nasty but I block them either with an IP rule or an appropriate hosts block), properly or a park IP address that has turned active I will make a donation of $100 to MalwareDomainList.  How does that sound?  I checked all of yours fairly carefully and everything I looked at is parked.  Like I said, I believe I have the more cantankerous ones contained / restricted.


