Security Hero Rotating Header Image

Host file black lists , (Wed, May 27th)

Host file black lists , (Wed, May 27th)

Henry Hertz Hobbit who maintains a black list of bad hosts wrote in today with some host file links

and comments on them. I have included most of his comments with very little editing

(I removed a few names and comments about other list maintainers and corrected a bit of the grammer).

I have NOT verified all of the lists than Henry discusses below. Our users should be warned that

I have seen poorly maintained lists block legitimate sites in the past.

We have had some less attentive or overly aggressive list maintainers use our hosts

list as a block list even though it clearly states DO NOT USE AS A BLOCK LIST

and then blame isc.sans.org for the listing, isc.sans.org/ipsascii.html.

Other handlers have written some excellent diaries about blacklists addressing issues

such as Spam blocking by RBLs, Blacklists and politics,

and making the right choice in black list selection:

isc.sans.org/diary.html?storyid=3194 />

isc.sans.org/diary.html?storyid=3042 />

isc.sans.org/diary.html?storyid=1309 />

For more information on host based blocking this site has a good descriptions,

some lists that are on Henrys lists and some additional lists didnt include in his set.

www.malwarehelp.org/how-to-effectively-prevent-malware-hosts-file.html />

>From Henry Hertz Hobbit:

Two old venerable lists are MVPHosts and hpHosts.

www.mvps.org/winhelp2002/hosts.htm />

hosts-file.net/ />

MalwareDomainList is here with their lists and they block ONLY sites with malicious

content (no ads or trackers / spies):

www.malwaredomainlist.com/hostslist/hosts.txt />

www.malwaredomainlist.com/ />

www.malwaredomainlist.com/mdl.php />

The French connection consists of what I would call the MVPHosts file with a Franais twist

(there are some trackers that are quite prevalent if France that don’t exist any place else):

sysctl.org/cameleon/hosts />

sysctl.org/cameleon/ />

Another list that has the most comprehensive lists that may need some pruning:

rlwpx.free.fr/WPFF/hosts.htm />

This list primarily don’t belong on the desktop but into something like this:

www.peereboom.us/adsuck/ />

And then there is my list which includes many of the hosts that MalwareDomainList lists.

www.SecureMecca.com/hosts.html />

www.HostsFile.org/hosts.html />

But I provide something far more powerful called a PAC (Proxy Auto Configuration) filter

that blocks unknown threats:

www.SecureMecca.com/pac.html />

www.HostsFile.org/pac.html />

www.SecureMecca.com/Downloads/ />

Now I have heard you need an IQ of 130 plus or higher to use the PAC filter.

If that is a problem so be it. But consider the following points.

1. hpHosts (hosts-file.net) blocks approximately 3700 typo hosts.

I block them with just two hosts in the hosts file (ownbox.com and www.ownbox.com)

and these two rules in the PAC filter:

// OWNBOX FE TYPO

BadNetworks[i++] = 216.65.41.185, 255.255.255.255

BadNetworks[i++] = 216.65.41.188, 255.255.255.255

Now that cuts it down to size, doesn’t it? There is a lot of other power reducers and

falling through the cracks rules in there! Otherwise my file would be almost as large

as the list at rlwpx.free.fr/WPFF/hosts.htm.

2. If you enable the PAC filter on Windows in IE you will have your eyes opened.

I had full debug on that way once and found the PAC filter was even working at the level

of tellimg me I sent a print-out to the network printer! But debug really should only

be used in Firefox with debug mode set to debugNormal. Do not turn debug on in Opera or

Safari (they kill it), or IE (you will have pop-up nightmares).

3. The REGEXPs are precompiled for speed. It is faster in debug mode than John LoVerso’s

original was without any debug. But then I noticed some of his ad patterns are pretty convoluted.

But if you have to interpret them every time …

4. I notice patterns that occur frequently enough that I block yet to be discovered

hosts with patterns like these:

BadHostParts[i++] = antispy // VOTRE CHOIX

BadHostParts[i++] = antivir // VOTRE CHOIX

There are of course some white-list rules to counteract the bad rules

(and now you are back to blocking in the hosts file):

GoodDomains[i++] = antispamfilterblocker.com

GoodDomains[i++] = antivirusyellowpages.com

GoodDomains[i++] = pcantivirusreviews.com

5. Even if hosts make it past the rules for the hosts and there is no host block,

for some of the malware there are patterns and I block them as I discover and

mentally count them and consider the count high enough to go into panic mode

(and I think a lot of people are already there now):

BadURL_Parts[i++] = av2008

BadURL_Parts[i++] = av2009

BadURL_Parts[i++] = sms.exe

BadURL_Parts[i++] = smsreader

Oh yes, HostsMan is available here:

www.abelhadigital.com/

URL: http://isc.sans.org/diary.php?storyid=6469&rss

Leave a Reply

Powered by WP Hashcash

Spam Protection by WP-SpamFree

Bad Behavior has blocked 385 access attempts in the last 7 days.