True to my promise, I have pruned your hosts.txt file of 2008-11-19. I will take a brief period to update my hosts file from the additions you had back to the time I previously used your hosts.txt file (it looks like that was Oct. 27 and your additions from then until 19 Nov are in this hosts.txt file if they are still alive and not parked) to look for things I think I need to add to my hosts file. Rest assured of one thing - if the host leads to malware it leads to a block by me. Where I run into problems is when the link you had to the problem disappears but the host is not dead or parked and especially if it doesn't have a ~/index.html worth anything. Usually I continue to block it since where there was one there will be another until the host is either dead or parked. Here is where you can pull down the hosts file from that point in time
(this is THE MAJOR snap point!) :
http://www.securemecca.com/MalwareDomainList/2008_11_19_MalwareDomainList.7zhttp://www.securemecca.com/MalwareDomainList/2008_11_19_MalwareDomainList.zipPick your poison of zip format. I also pruned the one duplicate you have and took out the three hosts that had port numbers after them since even with the extensions made in DNS in the RFCs to allow any amount of underscore ( _ ) characters, it still doesn't include the colon character. The colon character is only used to specify a port number and is thus not a part of the host name. There is no way I know of to remap any given port to another port (e.g. to 80) since the stuff that is going back and forth isn't the same on the different ports. If you don't have something listening on port 8080 (or the killer - 443), then you just have to live with the delay. The colon is only a host / port separator and it doesn't belong in a hosts file. You are of course free to add them back in if you desire. These entries are in the Dupes.txt file. I use my ckdupe.c program to both check for duplicates and spit out the list of hosts you have that are aliases to localhost.
I will follow up in a day or so with much the same as in the folder above, but any of the stuff involving the IP addresses will be only the ones you add from this snap point going forward. I will give any removals you have in a remove list (usually out_YY_MM_DD.txt) and the additions will just be given with same files as here, with the additional hosts that are still alive and not parked just being added to this hosts.txt file with the header changed. That means that particular hosts.txt file will be a snap point for that point in time.
BUT THE MAJOR SNAP DATE IS 19 NOVEMBRE 2008. I had to pick something and this is what it is. It is sort of like the NeXT computer's snap point for its date actually being into the future rather than 1970 for start of time. Actually, it's YYYY-MM-DD zero point is now in the past. So is the NeXT machine. Well, not really - the Mac OS-X is the successor. I had to pick something though.
I am only going to do this for a little while. It is too much work with everything else I have to do. For example, I am still considering the "tube" pattern for a block in the PAC filter - there are just too many of them and most of them lead to malware, or at least it seems that way. I will warn you that Mike Burgess (MVPHosts) and myself remove / add around 800-1000 hosts per month. hpHosts and the other larger files are worse (and need more people). I have no idea how Airelle (the largest workable version) does it except to say that without the help of Rodney (Domain Analysis) and some observations from me he probably couldn't do it. My hosts file exists not as a major contributor (although I discover a lot) but as an accoutrement to the PAC filter which can reduce the size of the hosts blocks considerably (with the unavoidable false positives). But this download gives you a good indication of the volatility you are facing.
I will wait until your next update that doesn't precede me by several days (the one I am looking at right now is already already three days old : Wed, 10 Dec 08 13:14:53 +0000) and work on the adds from this point in time to that point in time and just remove (without checks) anything you remove. By that I mean I will wait until I notice it is updated that very day. That will give me a day or so to process the removals / additions. I will NOT just add what you have added! They can be neither dead nor parked for me to add them. You gain nothing by doing that other than a huge hosts file that becomes unmanageable and eventually blocks fewer and fewer threats. I would log your additions some place so you can take that file and just add it in to what ever I give to you with the additions from that minor snap point going forward. The way I see it, you won't need me in just a few iterations of this. I will also give you what I am removing vis-a-vis from Mike Burgess removals (which I may have already removed with what I did here). Some you won't even have since it will be a browser exploit, a tracker or something else that isn't malware. I cannot understand him removing hosts that still lead to malware just because the browser exploit he focuses on is no longer there. I guess he feels the AV packages will catch it. Most of the stuff I catch that look interesting takes weeks, months, or even over a year (my record is 1-1/2 years) before the AV vendors finally detect them. I am sorry - no copyright? Your exe file is now guilty until proven innocent. But Mike also blocks things like pics.ztomy.com and images.ztomy.com just because they have some 1x1 tracking GIFs. There is nothing wrong with that - so do I. But he doesn't block js.ztomy.com. I had too much to do until now, but I just noticed it has a pop-under. Yes, this popunder is controllable by the pop controls in most browsers (as long as the idiot user has turned on pop controls). I cannot count on any given user to do that so this host was just added to both of my hosts files. You can't catch everything though - but we try.
Well, back to work looking at your additions you made back in November. I will look at your new file when ever it becomes available. The one you have now is already three days old and I don't know how many entries you have added / removed since then. I will just wait until I get a fresh new (well within the past 24 hours) copy of your hosts.txt file comes out to work on it. This one won't take as long since I will only look at the
changes. I cannot be responsible for the current live hosts not going dead or being parked.
If you catch a parker that I don't control (some are nasty but I block them either with an IP rule or an appropriate hosts block), properly or a park IP address that has turned active I will make a donation of $100 to MalwareDomainList. How does that sound? I checked all of yours fairly carefully and everything I looked at
is parked. Like I said, I believe I have the more cantankerous ones contained / restricted.
Ciao
Topic: Hosts File Block Lists (Read 203693 times)
