Threat Level: green Handler on Duty: Richard Porter

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Host file black lists

Published: 2009-05-27
Last Updated: 2009-05-27 19:47:59 UTC
by donald smith (Version: 1)
0 comment(s)

Henry Hertz Hobbit who maintains a black list of "bad hosts" wrote in today with some host file links
and comments on them. I have included most of his comments with very little editing
(I removed a few names and comments about other list maintainers and corrected a bit of the grammer).
I have NOT verified all of the lists than Henry discusses below. Our users should be warned that
I have seen poorly maintained lists block legitimate sites in the past.
We have had some less attentive or overly aggressive list maintainers use our hosts
list as a block list even though it clearly states  "DO NOT USE AS A BLOCK LIST"
and then blame for the listing,
Other handlers have written some excellent diaries about blacklists addressing issues
such as Spam blocking by RBLs, Blacklists and politics,
and making the right choice in black list selection:

For more information on host based blocking this site has a good descriptions,
some lists that are on Henry’s lists and some additional lists didn’t include in his set.

From Henry Hertz Hobbit:
"Two old venerable lists are MVPHosts and hpHosts.

MalwareDomainList is here with their lists and they block ONLY sites with malicious
content (no ads or trackers / spies):

The French connection consists of what I would call the MVPHosts file with a Français twist
(there are some trackers that are quite prevalent if France that don't exist any place else):

Another list that has the most comprehensive lists that may need some pruning:

This list primarily don't belong on the desktop but into something like this:

And then there is my list which includes many of the hosts that MalwareDomainList lists.

But I provide something far more powerful called a PAC (Proxy Auto Configuration) filter
that blocks unknown threats:

Now I have heard you need an IQ of 130 plus or higher to use the PAC filter. 
If that is a problem so be it.  But consider the following points.

1. hpHosts ( blocks approximately 3700 typo hosts. 
I block them with just two hosts in the hosts file ( and
and these two rules in the PAC filter:

BadNetworks[i++] = ",";
BadNetworks[i++] = ",";

Now that cuts it down to size, doesn't it?  There is a lot of other power reducers and
falling through the cracks rules in there!  Otherwise my file would be almost as large
as the list at

2. If you enable the PAC filter on Windows in IE you will have your eyes opened.
I had full debug on that way once and found the PAC filter was even working at the level
of tellimg me I sent a print-out to the network printer!  But debug really should only
be used in Firefox with debug mode set to debugNormal.  Do not turn debug on in Opera or
Safari (they kill it), or IE (you will have pop-up nightmares).

3. The REGEXPs are precompiled for speed.  It is faster in debug mode than John LoVerso's
original was without any debug.  But then I noticed some of his ad patterns are pretty convoluted. 
But if you have to interpret them every time ...

4. I notice patterns that occur frequently enough that I block yet to be discovered
hosts with patterns like these:
BadHostParts[i++] = "antispy";  // VOTRE CHOIX
BadHostParts[i++] = "antivir";  // VOTRE CHOIX

There are of course some white-list rules to counteract the bad rules
(and now you are back to blocking in the hosts file):
GoodDomains[i++] = "";
GoodDomains[i++] = "";
GoodDomains[i++] = "";

5.  Even if hosts make it past the rules for the hosts and there is no host block,
for some of the malware there are patterns and I block them as I discover and
mentally count them and consider the count high enough to go into panic mode
(and I think a lot of people are already there now):

BadURL_Parts[i++] = "av2008";
BadURL_Parts[i++] = "av2009";
BadURL_Parts[i++] = "sms.exe";
BadURL_Parts[i++] = "smsreader";

Oh yes, HostsMan is available here: "

UPDATE: Steven, another blacklist maintainer, pointed out this article he wrote about blacklists, host files and PAC files.

0 comment(s)

WebDAV write-up

Published: 2009-05-27
Last Updated: 2009-05-27 17:50:15 UTC
by donald smith (Version: 1)
0 comment(s)

SusanB wrote in today to tell us about a really good write-up on understanding Microsoft’s KB971492 IIS5/IIS6 WebDAV vulnerability by Steve Friedl of is available here.
This was written because Steve and some of others at found Microsoft’s "guidance confusing for users who were not IIS experts".  This includes a very good flowchart that should assist anyone who is confused, detailed descriptions of WebDAV, remediation ideas, and links to other WebDAV references.

0 comment(s)
Diary Archives