Thread: Interesting anti-spyware campaign

  1. #1
    takebackour.net@gmail.com Guest

    Interesting anti-spyware campaign

    Get informed about PREVENTING spyware/adware BEFORE it happens - not
    cleaning it up after-the-fact...

    Visit http://www.takebackour.net to learn more. When we all do our
    part, it becomes ineffective.


  2. #2
    David Arnstein Guest

    ADVERTISING: Interesting anti-spyware campaign

    This web page is simply an advertisement for a commercial software
    product. I call SPAM.

    What this product does, a pair of free products do as well. Google for
    DNSKong and eDexter.
    --
    David Arnstein (00)
    arnstein+usenet@pobox.com {{ }}
    ^^

  3. #3
    Borked Pseudo Mailed Guest

  4. #4
    Vanguard Guest

    Re: ADVERTISING: Interesting anti-spyware campaign

    "David Arnstein" <arnstein@panix.com> wrote in message
    news:en6foa$8af$1@reader2.panix.com...
    > This web page is simply an advertisement for a commercial software
    > product. I call SPAM.
    >
    > What this product does, a pair of free products do as well. Google for
    > DNSKong and eDexter.



    From http://www.pyrenean.com (where are both DNSKong and eDexter):

    "With DNSKong on duty no application can connect to a domain name that
    matches your filter rules."

    That presumes that the application making the connection or the HTML
    code sent to your browser uses IP *names* to point at the targets (for the
    images). What would stop the app or HTML code from using IP
    *addresses*? DNS only gets used if an IP name is used. If an IP
    address is used, there is no DNS lookup so DNSKong which is a local DNS
    server would get bypassed. This is also how a hosts file gets
    circumvented. If the request goes to an IP address then there is NO
    lookup. Guess you'll have to take care of those in your software
    firewall's IP blocking feature but that is really only useful for static
    IP addresses. An HTML web page could reference IP addresses (not IP
    names) and those references could change. In fact, they could change on
    every retrieve of the web page provided the spammer has enough of them
    to cycle through using a server-side script that compiles the web page
    that gets proffered to your browser and which uses IP addresses instead
    of IP names.

    Blocking by DNS for IP names is flawed but it is probably mostly useful,
    just not wholly useful. Also, it would be nice if DNSKong used regular
    expressions instead of just matching on substrings. I might want to
    block "*.\.admt\.com$" but not on "www.loadmt.com.nl" (which just
    "admt.com" would end up blocking). There was no info at their site on
    just what you specify in their named.txt file or how DNSKong uses those
    entries (as exact match, as substrings, as anchored substrings on right
    or left of parsing points, etc.).

    One problem with blocking, say, ad images when visiting a web page is
    their server may use them as web beacons. You are blocking the image
    file from some other domain but that site may check if you downloaded
    the image. If you don't download the ad image, they won't present their
    web page. Fair enough. It's their web site. So just realize that
    blocking images, like ads, may result in you not being able to visit or view
    a web site. In that case, you might as well block that site instead of
    just the images. Also, many use follow-through links. The image comes
    from the same domain, and maybe even the same host, as the rest of the
    web page. Their server then gets the image from wherever is the ad
    source. If you block the domain for the image, you've also blocked the
    domain for the web page. Fair enough. It's their web site.

    Rather than blocking the request to retrieve an image which could
    render a web site unviewable or inaccessible is to block the image that
    got yanked. That is, the server sees you yank the image but it is in
    your block list so it simply doesn't get to the browser. Instead a
    substitute image shows up, like "Image blocked by <productname>". This
    is probably how you would use a proxy through which your browser would
    connect. You don't block any requests for web content. You block what
    web content ends up delivered to your browser (or whatever application
    made the request). This is very similar to how I handle cookies.
    Rather than block a domain from saving its .txt cookie files on my
    computer which often results in a site refusing to load or function
    correctly (i.e., you must have their cookie to use their site), I allow
    ALL cookies but force them to be per-session cookies (i.e., they get
    deleted after the browser session ends). For domains that are allowed
    to leave their cookies, they get whitelisted. All other domains are
    allowed to leave their cookies (I do still block 3rd party cookies,
    however) so I don't have a problem while I'm at their site. When I
    close my browser, all the non-whitelisted cookies get purged.
    Similarly, I'd rather let a web site think it delivered all its content
    so it functioned correctly and didn't know that some of its content got
    filtered out so it never showed up in my browser. They haven't a clue
    as to what I actually saw.

    With DNS (or URL) blocking, they can figure out if I blocked their ads
    simply because the IP address that connected to them doesn't send back
    the requests for the image links. I'd rather be stealthy than obvious.
    Anything available (preferably free) like I describe? There are some
    products that provide URL filtering (I have some) but they do blocking
    of the request. The web site can detect that you aren't retrieving some
    of their content (and can alter or refuse content). I don't want them
    to know. I want to retrieve it so they think that I got it all but that
    doesn't mean that I want to SEE it. In fact, while I may retrieve their
    content (that is eventually blocked as downstream traffic rather than
    preventing upstream traffic to request their content), there need be no
    slow down for the browser since the proxy would be doing the yanking and
    could even abort immediately after the retrieve starts.
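
An added example, not part of the original posts and not DNSKong's own code: the two limits of name-based filtering raised in post #4, in Python. It contrasts substring matching with a match on whole DNS labels (using the `admt.com` / `www.loadmt.com.nl` pair from the post) and flags page references that use a numeric address and so never reach a DNS filter or hosts file. The function names and the sample page are assumptions made for the illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "admt.com" is the entry discussed in the post; the sample page is constructed.
BLOCKLIST = {"admt.com"}
SAMPLE_PAGE = """
<img src="http://ads.admt.com/banner.gif">
<a href="http://www.loadmt.com.nl/">shop</a>
<img src="http://192.0.2.45/banner.gif">
"""

def substring_match(host, blocklist=BLOCKLIST):
    """Naive filter: block when an entry appears anywhere in the host name."""
    return any(entry in host.lower() for entry in blocklist)

def suffix_match(host, blocklist=BLOCKLIST):
    """Block an entry and its subdomains only, comparing whole DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)   # numeric host: no DNS query is made
    except ValueError:
        return False
    return True

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []               # src/href targets found in the page
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("src", "href") and v]

def audit(html):
    """Map each reference to what a name-based filter can do with it."""
    collector = RefCollector()
    collector.feed(html)
    verdicts = {}
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host is None:
            verdicts[url] = "no-host"        # relative reference
        elif is_ip_literal(host):
            verdicts[url] = "ip-literal"     # name filter is never consulted
        else:
            verdicts[url] = "blocked" if suffix_match(host) else "allowed"
    return verdicts
```

References reported as `ip-literal` are the ones that need an address-level rule (firewall or filtering proxy), since neither a local DNS server nor a hosts file is consulted for them.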


  5. #5
    David Arnstein Guest

    Re: ADVERTISING: Interesting anti-spyware campaign

    In article <GLqdnWAB_YnRoArYnZ2dnUVZ_smdnZ2d@comcast.com>,
    Vanguard <vanguard.news@yahooNIX.com> wrote:
    >That presumes that the application making the connection or the HTML
    >code sent to your browser uses IP *names* to point at the targets (for the
    >images). What would stop the app or HTML code from using IP
    >*addresses*? DNS only gets used if an IP name is used. If an IP
    >address is used, there is no DNS lookup so DNSKong which is a local DNS
    >server would get bypassed. This is also how a hosts file gets
    >circumvented. If the request goes to an IP address then there is NO
    >lookup. Guess you'll have to take care of those in your software
    >firewall's IP blocking feature but that is really only useful for static
    >IP addresses. An HTML web page could reference IP addresses (not IP
    >names) and those references could change. In fact, they could change on
    >every retrieve of the web page provided the spammer has enough of them
    >to cycle through using a server-side script that compiles the web page
    >that gets proffered to your browser and which uses IP addresses instead
    >of IP names.


    You are right. The more robust blocking technique is to block (numeric)
    IP addresses. I used to do this too, by typing out a long list of IP
    addresses into the config file of my little Cisco router. The disadvantage
    of IP address blocking is the amount of typing you have to do. I will
    use doubleclick.net as my canonical example. Suppose that you wish to
    deny access to all of doubleclick.net. You would have to do some research
    to find out all of the IP address blocks that doubleclick.net claims as
    its own. The list of address blocks will change week to week, so this
    is quite a job. I know, I used to do this.

    The alternative is blocking by domain name, and that is what DNSKong
    does. Personally, I use a different program "dnrd." Personal preference.
    With this approach, I can block (imperfectly, I admit) all of
    doubleclick.net with a single line in my dnrd config file. I don't have
    to do any maintenance on that line either. Whatever doubleclick does to
    its server farm, it stays blocked.

    What would be really great is if someone devised a way to *automatically*
    list all of the address blocks owned by doubleclick.net. If a piece of
    software could do that for me, I could run it every night, and write a
    script to transform the output of this program into a router config
    spec. I wish that I knew how to write such a program. Any suggestions?

    Currently, I am blocking 541 domains with dnrd. These range from ajeeb.com,
    to doubleclick.net, to zrap.zdnet.com. There is no way that I could
    maintain lists of IP address blocks for all of these domains. It is just
    too much work.

    Coming back to the original (somewhat spammy) poster. I briefly looked
    at the cited web page, and it seemed like the product he is pushing is
    just another DNS relay program, like DNSKong or dnrd. If I am wrong
    about that, please correct me.

    Any other ideas on blocking unpleasant internet addresses? I am very
    interested in this topic.
    --
    David Arnstein (00)
    arnstein+usenet@pobox.com {{ }}
    ^^
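
An added example, not from the thread: the transform step that post #5 describes, turning a list of address blocks into router rules, in Python. It assumes the prefix list already exists as text (the constructed sample uses documentation ranges, not doubleclick.net data) and that the router accepts Cisco IOS numbered extended ACL lines; the ACL number 101 and the function names are arbitrary choices for the illustration.

```python
import ipaddress

# Constructed input using documentation ranges; it stands in for the nightly
# prefix list the post wishes for and is not real doubleclick.net data.
SAMPLE_PREFIXES = """
# one prefix or address per line
198.51.100.0/25
198.51.100.128/25
203.0.113.16/28
203.0.113.20/30
192.0.2.7
not-a-prefix
"""

def parse_prefixes(text):
    """Return (networks, rejected_lines); comments and blanks are skipped."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)   # surface bad input instead of dropping it
    return networks, rejected

def to_acl(networks, acl_number=101):
    """Emit deny lines for the merged IPv4 prefixes, then a final permit."""
    v4 = [n for n in networks if n.version == 4]
    lines = []
    # collapse_addresses merges adjacent and nested blocks, so the ACL stays
    # short even when the source list is redundant.
    for net in ipaddress.collapse_addresses(v4):
        if net.prefixlen == 32:
            dest = f"host {net.network_address}"
        else:
            dest = f"{net.network_address} {net.hostmask}"  # wildcard mask
        lines.append(f"access-list {acl_number} deny ip any {dest}")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

if __name__ == "__main__":
    nets, bad = parse_prefixes(SAMPLE_PREFIXES)
    print("\n".join(to_acl(nets)))
    print("rejected:", bad)
```

Rejected lines are returned rather than silently skipped, so a nightly run can refuse to push a rule set built from a malformed list.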
