Author Topic: False Positives - Innocents  (Read 12544 times)


December 10, 2008, 04:12:46 am

hhhobbit

  • Special Access
  • Full Member

As I said in another post, my hosts file is tied to yours for the malware.  Imagine my surprise when, going to test whether a host blocked Yahoo's groups, I accidentally went to Google's groups and got blocked.  It turned out my statement about getting blocked at Yahoo if you block a certain host was correct.  But these hosts here blocked me from going into Google's groups.  I suggest we keep this thread for suggesting hosts to remove that somehow got into your hosts file (kind of like *.blogspot.com - not all of them are bad).  Here are the two hosts I suggest you may want to remove:

127.0.0.1  groups-beta.google.com
127.0.0.1  groups.google.com

They have joined my NoBlock list to make sure they don't inadvertently get back into my hosts files.  OTOH, you do have them in your list.  That means you are fully within your rights to keep them!  My PAC filter rules would have stopped all of the URLs at the first and all the URLs but the last one of the second.  That would make Google's groups safer for people.  You need to understand I dropped all of the porn rules that didn't reach a certain threshold in patterns among your bad hosts, but I did keep the ones that went over that threshold with host names in your hosts file and Airelle's hosts.rsk file.  Well, all but one stopped isn't bad.  If they used some sort of JavaScript exploit to shove that turkey onto your machine, privoxy would very likely have stopped it.  I highly recommend privoxy - or you can go the full route with NoScript, but only if you use Firefox.  It's your choice.  I am frequently using Opera for the language shift (most of the European languages are available, as opposed to Firefox) and most people use IE, so anything I look at takes those factors into consideration.

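The NoBlock-list idea in the post above, written out as an added example: merge upstream hosts lists into one local hosts file, drop anything on a NoBlock list so it cannot creep back in when an upstream list is refreshed, and say in a comment which list blocks each host. This is not hhhobbit's or MDL's own tooling; the two upstream fragments (named "mdl" and "airelle" here) and the NoBlock entries are constructed sample data.

```python
"""Merge upstream malware hosts lists into one local hosts file while
honouring a NoBlock (allow) list, and record in a comment why each host
is blocked.

Added example written for this thread; it is not hhhobbit's or MDL's
own tooling.  SAMPLE_SOURCES and SAMPLE_NOBLOCK are constructed data."""
import re
from typing import Dict, List, Set

# Accept the two common sinkhole forms; the captured group is the hostname.
HOSTS_LINE = re.compile(r"^\s*(?:127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)")

# Constructed stand-ins for two upstream lists (not real list contents).
SAMPLE_SOURCES: Dict[str, str] = {
    "mdl": """\
# malware hosts (constructed sample)
127.0.0.1  groups.google.com
127.0.0.1  groups-beta.google.com
127.0.0.1  visit.geocities.com
127.0.0.1  malware.example
""",
    "airelle": """\
127.0.0.1  visit.geocities.com   # GIF tracker
127.0.0.1  tracker.example
""",
}

# Hosts that must never be blocked, whatever the upstream lists say.
SAMPLE_NOBLOCK = """\
groups.google.com        # Google Groups, false positive (Dec 2008)
groups-beta.google.com
"""


def parse_hosts(text: str) -> Set[str]:
    """Hostnames blocked by a hosts-file fragment, comments stripped."""
    found: Set[str] = set()
    for line in text.splitlines():
        body = line.split("#", 1)[0]
        m = HOSTS_LINE.match(body)
        if m:
            found.add(m.group(1).lower().rstrip("."))
    return found


def parse_noblock(text: str) -> Set[str]:
    """NoBlock list: one hostname per line, '#' starts a comment."""
    names = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return {n for n in names if n}


def merge(sources: Dict[str, str], noblock: Set[str]) -> Dict[str, List[str]]:
    """Map each host to block to the sorted names of the sources listing it.
    NoBlock hosts are dropped here, so a refreshed upstream list cannot
    reintroduce a known false positive."""
    merged: Dict[str, List[str]] = {}
    for name, text in sources.items():
        for host in parse_hosts(text):
            if host in noblock:
                continue
            merged.setdefault(host, []).append(name)
    return {h: sorted(v) for h, v in merged.items()}


def overridden(sources: Dict[str, str], noblock: Set[str]) -> List[str]:
    """NoBlock entries that some upstream list still blocks: the candidates
    to report back to the list maintainer as false positives."""
    upstream: Set[str] = set().union(*(parse_hosts(t) for t in sources.values()))
    return sorted(noblock & upstream)


def render(merged: Dict[str, List[str]], overrides: List[str]) -> str:
    """Emit a hosts file whose comments say which list blocks each host."""
    out = ["# generated hosts file; '# from:' names the upstream list(s)"]
    for host in sorted(merged):
        out.append(f"127.0.0.1  {host}  # from: {', '.join(merged[host])}")
    if overrides:
        out.append("# NoBlock overrides (listed upstream, deliberately not blocked):")
        out.extend(f"#   {h}" for h in overrides)
    return "\n".join(out) + "\n"


def build(sources: Dict[str, str] = SAMPLE_SOURCES,
          noblock_text: str = SAMPLE_NOBLOCK) -> str:
    """Full pipeline on the sample data; returns the hosts-file text."""
    noblock = parse_noblock(noblock_text)
    return render(merge(sources, noblock), overridden(sources, noblock))


if __name__ == "__main__":
    print(build(), end="")
```

Keeping the override list in the output is deliberate: it is the thing to send upstream, and it makes an audit of "why is this not blocked any more" a one-line grep rather than a diff of two lists.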

December 10, 2008, 07:57:36 am
Reply #1

SysAdMini

  • Administrator
  • Hero Member

Quote
  127.0.0.1  groups-beta.google.com
  127.0.0.1  groups.google.com

Both hosts have been removed from list.
Ruining the bad guy's day

December 14, 2008, 08:23:49 am
Reply #2

hhhobbit

  • Special Access
  • Full Member

Quote
  127.0.0.1  groups-beta.google.com
  127.0.0.1  groups.google.com

  Both hosts have been removed from list.

I have some more:

br.geocities.com
geocities.com
it.geocities.com
# make sure you don't inadvertently remove  visit.geocities.com - it is a GIF tracker.  I should know.
# Their server tacks it onto the end of my HTML files.  I MUST block anything I can use to track you!

I was thinking that you are actually technically correct if one of their pages still leads to somebody's machine getting infected.  If you have the time I would put out the hosts file with the block and why you are blocking it in comments.  At the same time point out the problem to their tech people.  The instant they cleared up the problem I would shove out a new hosts file sin bloque (without the block).  That is a double-edged sword - it may turn off your users to block their hosts.  And you have to have the time - I don't.  That was what I was thinking about when I put the original post out.  I will have my updated hosts file out in just a few days - you will probably want to look at the header for some possible removals, but since you mostly block malware there may be nothing of interest.  I did completely block NPR.org's music files.  They are using an ad service to supply their files now!  I don't block it any more (u.npr.org aka npr.adbureau.net).  But since I am a long-hair, maybe I should.  Oh, I like folk music too - especially Bluegrass music.  I just don't like it as much as Pyotr Ilyich Tchaikovsky (my favorite composer).  I also love opera - my favorite opera is Rossini's Il Barbiere Di Siviglia with Maria Callas.

If you are interested in the Omniture / 2o7.net tracking service blocks I can provide you with the aliases.  My PAC filter rules have stopped them cold (which doesn't explain the threatening phone calls I have been getting - have I made the Russian crackers mad at us?).  IOW, I don't care what Omniture's host names are for their DNSWCD *.2o7.net names since my BadDomains rule stops all of them.  Their aliases are stopped by the IP rules (and the *.2o7.net names too since the IP rule comes first in blocking - the BadDomains rule is just a failure point in case the IP rules become invalid).  It is those IP rules that are generating my alias lists.  At least you know when the aliases go out of DNS!  Not so for the *.2o7.net hosts.  I wrote a script for Rodney and Airelle to detect if the Google Blog hostname that was bad was still alive or not:

http://www.securemecca.com/MalwareDomainList/BlogSpotRodney.7z

I am giving it to you since you DO have some DNSWCDs (DNS WildCard Domains) in your lists and AFAIK, this is the only way to detect when they are gone.  You cannot use a DNS lookup since, like *.2o7.net, blogspot.com is also a DNSWCD.  A DNS lookup of AnythingIWant.blogspot.com is going to give you BlogSpot's IP address.  You would be amazed at how outlandish a name you can pick and it turns out there is a valid blog by that name already!  For example, this one exists!  Well, how about 4Cs-GodsCountry.blogspot.com?  That one doesn't exist but it has an IP address.  I used a wget failure to let me know when the bloggers Airelle was blocking were gone.  All you need to do is create your own input file and feed that to the script for any of the DNSWCDs you have.

Speaking of BlogSpot.com, I am proposing a standardized renaming of our (my?) PAC filter files:

http://securemecca.blogspot.com/

After all, I DO use the Français version of the filter regularly.  IOW, I am already using these modified names to keep from running over myself.  It became a little embarrassing when Rodney pointed out that I made both the Anglais and Français versions of the file itself Français on both hostsfile.org and securemecca.com.  I didn't see a problem with it, but I imagine the 5-10 English users (I joke about it since I have no way of knowing how many people are using our PAC filter - I do not monitor who visits my web-site out of principle) using the Anglais version of the PAC filter may have objected.  Then again maybe they liked it "en Français" (in French).  I will probably make the name changes over Christmas if nobody objects, and so far nobody has objected.  After all, certainly (that word comes from French) the French won't complain.  English-using people need to know that I think the other languages are just as important as English.  Using another language modifies your thinking in positive ways.  Well, it does if you use the good words.  I use the good words most of the time - unless I get angry.  That word (angry) has a very complex etymology.  It twists and turns all the way back through Flemish to German (related to angst, I believe) to Latin and then to Greek (if I am not mistaken).  Look up the noun "anger" rather than the adjective "angry".  What I am pointing out is that I am NOT anti-Russian!  I AM anti-malware!  I don't care where the malware, browser abuses, or tracking comes from.  They are all bad.  So are some ads - I don't need male enhancement medication that didn't exist five years ago and doesn't work anyway.  What I need is more sleep.  Bonne nuit (good night).

Привет (hello)
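The wildcard-domain problem described above, as an added example: a liveness check that asks HTTP, not DNS, whether a blocked host under a DNSWCD such as blogspot.com or 2o7.net still exists, since any label under the wildcard resolves. This is modelled on the wget-failure approach in the post, not on the BlogSpotRodney script it links to. The default fetcher uses the real network; the fetcher is injectable, and run_demo feeds it constructed canned responses so the classification can be exercised offline. The input format (one hostname per line) and the verdict names are assumptions of this example.

```python
"""Liveness check for blocked hostnames under a DNS wildcard domain
(DNSWCD) such as blogspot.com or 2o7.net.

A DNS lookup cannot tell you whether such an entry is stale: the wildcard
answers for any label, so nonexistent.blogspot.com resolves just like a
real blog.  The only usable signal is whether an HTTP request for that
specific hostname succeeds, which is what a wget failure reports.

Added example modelled on that approach; it is not the BlogSpotRodney
script linked in the thread.  The fetcher is injectable so the verdicts
can be exercised offline against constructed responses (run_demo)."""
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List

Fetcher = Callable[[str], int]


def http_status(host: str, timeout: float = 10.0) -> int:
    """HTTP status code for http://host/, or 0 when no response arrives.
    Uses a real network connection; this is the default fetcher."""
    req = urllib.request.Request(
        f"http://{host}/", headers={"User-Agent": "dnswcd-liveness/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 4xx/5xx: a response, just not a happy one
    except (urllib.error.URLError, socket.timeout, OSError):
        return 0                 # DNS failure, refused, timeout, ...


def classify(status: int) -> str:
    """Map a status to a verdict.  Only an explicit 4xx/5xx counts as gone;
    urlopen follows redirects, so a wildcard host that bounces to a generic
    200 page still looks alive and needs a manual look."""
    if status == 0:
        return "unreachable"
    if 200 <= status < 400:
        return "alive"
    return "gone"


def read_hosts(text: str) -> List[str]:
    """Input file: one hostname per line, '#' starts a comment."""
    names = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return [n for n in names if n]


def check_hosts(hosts: Iterable[str], fetch: Fetcher = http_status) -> Dict[str, str]:
    """Verdict per host, using the supplied fetcher."""
    return {h: classify(fetch(h)) for h in hosts}


def stale_entries(verdicts: Dict[str, str]) -> List[str]:
    """Hosts safe to drop from the blocklist: gone, not merely unreachable
    (a timeout today may be a live host tomorrow)."""
    return sorted(h for h, v in verdicts.items() if v == "gone")


# Constructed input and canned responses standing in for the network.
SAMPLE_INPUT = """\
# blocked wildcard-domain hosts (constructed sample)
badblog.blogspot.com      # still serving
deleted-blog.blogspot.com # blog removed, but the name still resolves
metrics.2o7.net           # times out
"""
CANNED: Dict[str, int] = {
    "badblog.blogspot.com": 200,
    "deleted-blog.blogspot.com": 404,
    "metrics.2o7.net": 0,
}


def run_demo() -> Dict[str, str]:
    """Offline run against the canned responses."""
    return check_hosts(read_hosts(SAMPLE_INPUT), fetch=lambda h: CANNED.get(h, 0))


if __name__ == "__main__":
    for host, verdict in run_demo().items():
        print(f"{verdict:12} {host}")
    print("safe to drop:", ", ".join(stale_entries(run_demo())) or "none")
```

Treating "unreachable" separately from "gone" is the practical caveat: a wildcard host that times out has not been shown to be dead, and dropping it on one failed run is how a still-active tracker or malware host quietly falls out of the list.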

December 18, 2008, 07:36:47 pm
Reply #3

SysAdMini

  • Administrator
  • Hero Member

Quote
  br.geocities.com
  geocities.com
  it.geocities.com

  I was thinking that you are actually technically correct if one of their pages still leads to somebody's machine getting infected.

And that's the reason why I don't remove them from the list. I agree - it's a double-edged sword.


Quote
  If you have the time I would put out the hosts file with the block and why you are blocking it in comments.  At the same time point out the problem to their tech people.  The instant they cleared up the problem I would shove out a new hosts file sin bloque (without the block).

Let's start a discussion with our members and see what they prefer.


October 10, 2009, 12:53:38 am
Reply #4

atma.es

  • Newbie

Hi!

This is my first post here. I once emailed the owner about my blocklist at http://www.atma.es, and now I have decided to register.

I've been reading about some trouble... well, I wish MDL a long life and hope the owner keeps on doing this wonderful work.

The main reason for registering is that I'd like to say that I suspect you have recently listed some innocent sites, notably rapidshare 74.54.130.18.

I always check each single IP before adding it to my list, so if I am right, perhaps I could warn about future false positives, thus giving my 2 cents back to MDL. Please tell me in which subforum I should do it.

Best.

October 10, 2009, 01:06:07 am
Reply #5

SysAdMini

  • Administrator
  • Hero Member

Rapidshare isn't a false positive. We list malicious urls. If someone reports a malicious file hosted at rapidshare,
then this url will be verified and listed. The blocklist is generated from the list of all urls, so rapidshare will be added to the blocklist.
As long as these malicious urls exist, they will be listed and stay in the blocklist.

I verify each url manually before I add it to the list, so usually false positives can't occur.
If you think that you have found one, then please send me a PM and I will review it.

Thanks

October 10, 2009, 01:52:24 am
Reply #6

atma.es

  • Newbie

Sorry for the false warning. At first it seemed a little radical to me to list Rapidshare, but it really makes sense. Perhaps I'm a bit paranoid these days because I'm getting so many false positives lately... I've even been scanned by 2 IPs, according to Avast, and I was about to include them!

Thank you for your quick response.

November 10, 2009, 06:17:16 am
Reply #7

eoin.miller

  • Sr. Member

Over 50% of the hits our 70,000+ users have against rapidshare are malware. We email the links to the URLs to abuse@rapidshare.com and they are generally very quick to respond and take them down. If you see one, let them know!