Author Topic: Your pruned hosts file is ready for download.  (Read 7830 times)

December 16, 2008, 04:59:04 am

hhhobbit

JohnC & rest:

I carried through on my threat.  I did have some duplicates in the previous hosts file so I "unduped" it, and I also took the hosts you have added from 2008-11-19 ... 2008-12-10 and ran them through DNS and added the ones that were not dead (yes, some of them have already died) to the previous hosts file I had for you.   They are all up in the following folder on my server:

http://www.securemecca.com/MalwareDomainList/

I have the following files that have your hosts.txt file in them (pick your own ZIP poison):

222145 Dec 15 20:39 2008_11_19_MalwareDomainList.7z
   280 Dec 15 20:39 2008_11_19_MalwareDomainList.7z.sig
336506 Dec 15 20:39 2008_11_19_MalwareDomainList.zip
   280 Dec 15 20:39 2008_11_19_MalwareDomainList.zip.sig
 53437 Dec 15 20:39 2008_12_10_MalwareDomainList.7z
   280 Dec 15 20:39 2008_12_10_MalwareDomainList.7z.sig
 63258 Dec 15 20:40 2008_12_10_MalwareDomainList.zip
   280 Dec 15 20:40 2008_12_10_MalwareDomainList.zip.sig

I have signed them with my OpenDNS key and the hosts.txt and README.txt files in each folder have also been signed.  Now, back to work adding what you previously added and pruning 1200 hosts more (something fishy is going on - I have removed over 2000 hosts in less than 3 weeks which is extremely abnormal).  I will provide you with another update and maybe one more but no more - no time.  That should put us in sync - well, sort of.  I have lots of stuff I give Airelle and he has lots of stuff I take from him (actually more than from you).

Au Revoir

PS  Do NOT block  u.npr.org (npr.adbureau.net).  Instead of being an ad server it is their major (only?) music downloader.

December 24, 2008, 06:05:43 pm
Reply #1

hhhobbit

I had to add a few hosts that I had some problems with.  I put the new files with the new hosts in them up on the server.  In addition, I put the list of hosts I was removing up on the servers and some stuff in them on all the DNS servers you had:

http://www.securemecca.com/MalwareDomainList/MWDL_Rms.7z
http://www.securemecca.com/MalwareDomainList/MWDL_Rms.7z.sig
http://www.securemecca.com/MalwareDomainList/MWDL_Rms.zip
http://www.securemecca.com/MalwareDomainList/MWDL_Rms.zip.sig

I didn't completely understand why you were blocking what I took to be DNS servers.  I thought that they were filter-pass-through DNS servers that would give their IP address rather than the real one for  hosts like the Symantec, McAfee, TrendMicro, et al, download servers, and also would have up-to-date messages when you sent the update request off to the false update server.  But most of them didn't give me an IP address for ANY host name.  Thus I dug out the trusty-rusty nsping from O'Reilly and nspinged all of the hosts that started their names with the following:

dns.
dns0.
dns1.
dns2.
ns.
ns#.

(where # ran from 1 ... 7 I believe).  If there is some other reason other than what I am thinking for blocking these hosts, please let me know what it is!  By that, I mean post the reason here and give me an email on why I should block it.

Oh yes, I did remove one host named  bonoes.com  because it no longer had the exploit you mentioned and it looked okay.  I could be wrong though - and if I am it won't be the first time!  That is why we have these discussions so we can have a double check on what is being done.

HHH
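
The maintenance steps described in the two posts above (de-duplicating the hosts file, dropping names that no longer resolve, exempting a host that must not be blocked, and setting aside name-server-style names for a separate check) can be sketched as follows. This is an added example, not part of the original posts or the poster's own tooling; the function names, the injectable resolver and the sample data are assumptions, and the prefix pattern takes the "ns#" range as 1 to 7.

```python
import re
import socket

# Prefixes listed in the post: dns., dns0., dns1., dns2., ns., ns1. ... ns7.
NS_LABEL = re.compile(r"^(dns[0-2]?|ns[1-7]?)\.", re.IGNORECASE)
SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return unique hostnames from hosts-file text, in first-seen order."""
    seen, out = set(), []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:            # fields[0] is the IP address
            name = name.lower().rstrip(".")
            if name and name not in SKIP and name not in seen:
                seen.add(name)
                out.append(name)
    return out

def system_resolver(name):
    """Default lookup through the OS resolver; empty list means no answer."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except (socket.gaierror, UnicodeError):
        return []

def prune(hosts, resolve=system_resolver, allow=()):
    """Split hosts into (keep, dead, ns_like); allowlisted names are dropped."""
    allow = {a.lower() for a in allow}
    keep, dead, ns_like = [], [], []
    for h in hosts:
        if h in allow:
            continue
        (keep if resolve(h) else dead).append(h)
        if NS_LABEL.match(h):
            ns_like.append(h)              # candidates for a manual DNS-server check
    return keep, dead, ns_like

# Constructed sample data (example.* names and documentation IPs only).
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 bad.example.com   # first entry
127.0.0.1 BAD.example.com.
127.0.0.1 gone.example.net
127.0.0.1 ns3.example.org dns0.example.org
127.0.0.1 u.npr.org
"""
FAKE_DNS = {"bad.example.com": ["192.0.2.10"], "dns0.example.org": ["192.0.2.53"]}

def demo():
    return prune(parse_hosts(SAMPLE), lambda n: FAKE_DNS.get(n, []), allow=["u.npr.org"])
```

A name that fails one lookup may only be temporarily unreachable, so the `dead` list is better treated as a review queue than as an automatic removal list.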