Whitelisting whole site with all referenced domains?
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Whitelisting whole site with all referenced domains?

Post by Tom T. »

Anakunda wrote: I mean whitelisting of course, it was a mistype, sorry. And about the sample link, it's no matter what it is, the site does not make any platform specific decisions, it's just hosting files that someone uploads there. Here's another test link: http://letitbit.net/download/97843.950caacb19297ed080e3d79d57cf/Elantech_Touchpad_10.6.9.9.rar.html
I had to allow many other scripts. Temporary whitelist:

am10.ru
am11.ru
ilivid.com
letitbet.net
and nothing showed until I temp-allowed two Flash objects that I thought were advertisements. They had "ads" in their object name/URL.

It seems as though the am*.ru are the key to success, both the scripts and the Flash objects. Do you not get these in NS menu?

Do you not also get Flash placeholders, or do your settings allow Flash at trusted sites?
(Or do you not block Flash at all?)

Once allowed, I was redirected through a couple of JavaScript links.
If you can zoom in on the left-most tab, you'll see the JS link,

http://bidbig.ru/images/c/1/i/852/h/0b785020fb312a191864b468e4e79e35/v/ 
after which I finally reached a download page.

It did the countdown as you said, but then it allowed me to download it with no captcha.

And at no time was there a 78. domain involved. I think this is because it (quite logically) chooses the closest available download location.
Note the "mirror links" box for North America, South America, Europe, Asia.
For me, that would be in the US. For you, it chooses a 78. domain. This makes sense. Yes, it is frustrating to have different results every time, and from different locations.

This still doesn't explain why the wildcard of the third or fourth octet doesn't work.
Perhaps you can find another web site that uses numerical IP, and see if the NoScript whitelist wildcard works there. I will try to find one also.
Again, I'll be back in 24 hours or less.
Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0
Anakunda
Junior Member
Posts: 20
Joined: Sun Sep 26, 2010 8:57 am

Re: Whitelisting whole site with all referenced domains?

Post by Anakunda »

Hmm, I'm not sure why that's not working for you. Maybe someone else can try one of the test links to confirm the behaviour I described?
Or try to test the link I provided in safe mode (Help->Restart with Add-ons disabled), or with another browser that uses no content filtering to see if it's being blocked by Firefox itself or if that's some country specific blocking (I'm only having blocked adv.letitbit.net and advstat.letitbit.net by AdBlock Plus, which seems to be OK for passing to the download except the mentioned unwanted NS blocking).
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:11.0) Gecko/20120313 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Whitelisting whole site with all referenced domains?

Post by Tom T. »

Anakunda wrote: Or try to test the link I provided in safe mode (Help->Restart with Add-ons disabled), or with another browser that uses no content filtering to see if it's being blocked by Firefox itself or if that's some country specific blocking (I'm only having blocked adv.letitbit.net and advstat.letitbit.net by AdBlock Plus,
There you go. Disable ABP and see what happens. As said, I had to *allow* two Flash objects that had something similar to -- wait, I'll get the name.

Did you allow am10 and am11.ru? Also allow ad.propellerads.com, though that is probably US-specific. Allow whatever Flash objects appear.
The IFRAME was from am10.ru.

Strange -- once I temporarily allow these, I can then revoke all temporary permissions, and the download works well.
Maybe someone else can try one of the test links to confirm the behaviour I described?
Yes, I was already thinking that if the above doesn't work for you, I will ask Giorgio to look into this. Perhaps being on the same continent (in Italy) will help. Also, I believe he has at least one proxy elsewhere in Europe - I don't know about Asia or east of the Urals -- so maybe he can appear to be "closer" to you.

Also, my fellow Moderator and good friend GµårÐïåñ maintains at least one European proxy, for just such purposes. (I do not).
So I may ask him to try, also.

But first, please try the above permissions and let us know what happens, thanks.
************************************************************************

As for the NoScript wildcard issue:

It took some searching, but I found a site that uses only numerical IP scripting.
Please add the following, copy/paste exactly to NoScript whitelist:

199.241
click Allow > OK.

Then please go to

http://199.241.8.115/oncoreweb/search.aspx
If the wildcard of 3 and 4 octet work for you as they did for me, a Search box should appear, where you can enter Name, Date Range, etc.
And the NoScript logo will be all blue and white (no red), meaning: Nothing blocked; all allowed.

Also, NS menu will offer option to forbid:

Forbid http://199.241.8.115/oncoreweb/search.aspx
Then forbid this and reload the page. The Search box should disappear, proving that it was the script (allowed by wildcard) that powered the Search box.

To test the 4th octet only, remove the 199.241.8.115 from the Untrusted ("Forbidden") list by "Temporarily allow" it. Then navigate away from the site and remove this temporary permission from the whitelist manually. NoScript > Options > Whitelist > Select this site. It will be in italics. Click "Remove selected sites" > OK.

Then add

199.241.8
to NS Whitelist > Allow > OK.

Now, revisit the site. It works for me.

But wildcarding by first octet only does *not*, as said before.

Can you reproduce this successful wildcard?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Anakunda
Junior Member
Posts: 20
Joined: Sun Sep 26, 2010 8:57 am

Re: Whitelisting whole site with all referenced domains?

Post by Anakunda »

I have tested your site successfully.

Whitelisting 199.241.8 works as well as 199.241, so that should be clear that the wildcarding works in NoScript as it should.

But for letitbit it does not work.

I tested another download link at letitbit.net with 78.108 and 78.140 whitelisted again, and confirmed that whitelisting is not working here since NS asks for permission to http://78.140.184.139 which is the only blocked address at the page.

So there's some unexpected NoScript behaviour at letitbit.net
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:11.0) Gecko/20120313 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Whitelisting whole site with all referenced domains?

Post by Tom T. »

Anakunda wrote: I have tested your site successfully.

Whitelisting 199.241.8 works as well as 199.241, so that should be clear that the wildcarding works in NoScript as it should.
Good, thanks. I am glad that we have shown that NoScript wildcarding does indeed work as specified.
One issue resolved.
Anakunda wrote: But for letitbit it does not work.

I tested another download link at letitbit.net with 78.108 and 78.140 whitelisted again, and confirmed that whitelisting is not working here since NS asks for permission to http://78.140.184.139 which is the only blocked address at the page.

So there's some unexpected NoScript behaviour at letitbit.net
NoScript may be doing you a favor.

I use a HOSTS file service that provides a blocking Hosts file, with about 15,000 reported malware, adware, and spyware sites, all of which are internally mapped to a non-existent destination (0), thus preventing the browser, or any site, from connecting to them.

Your 78.140 sites fall within the blocked range:

# [WebaZilla / Nl-webazilla][AS35415][78.140.128.0 - 78.140.191.255
as does one of the domains there, which I may have seen during this investigation:

traffic.ru
Webazilla has a poor reputation in MyWot:
http://www.mywot.com/en/scorecard/webazilla.com
and see the first comment from "Andrei", who appears to have investigated this thoroughly:
# Andrei_i 12/05/2009

Ethical issues

Preferred host for Russian pharma spammers' fraudulent online pharmacies, malware distributors and phishers. Illegal pharmacies affiliations promoted by forum spam, are controlled by IPs addresses hosted on webazilla servers on IPs like:
208.94.233.40
78.140.132.26 - controller for pharma name servers; hostnames sharing ip with a-records:
*.consult-rus.ru
[[long list of drug sites and other scam sites; I do not want to give them publicity]]
Webazilla has definitely links with lawbreakers gangs from RBN http://en.wikipedia.org/wiki/Russian_Business_Network
The linked article at Wikipedia makes "Russian Business Network" sound like very bad people.

Your 78.108 range has extensive blocking also, including your recent test case:

# [Hiskyhost][AS43355][78.108.177.0 - 78.108.177.255]
# [Upl-net-customers][AS43355][78.108.180.0 - 78.108.183.255]
# [Upl-net-customers][AS43355][78.108.184.0 - 78.108.184.255]  >>>>> THIS ONE.
# [Host-system-net][AS43355][78.108.185.0 - 78.108.185.255]
When I try your test case, I get a blank page with only a single word,
"Welcome!"
and source

<html><head>Welcome!</head><body></body></html>
I assume that the rest of the content is blocked.

I searched letitbit.net on mywot, and it has a very poor reputation, even among your own countrymen.

http://www.mywot.com/en/scorecard/letitbit.net

General notes:
hpHosts Engaged in the selling, distribution or provision of warez (including but not limited to keygens, serials etc.).
DNS-BH Appeared on malware domain blocklist.
There are 26 pages of comments. The first two pages were all severe warnings of viruses and other malware.
The "good" reviews on the last page were probably posted by the company itself, or those working for it.

I may not be able to post the comments themselves. Unfortunately, we had to ban the use of Cyrillic at this forum because of a few evil users. All posts in Cyrillic were found to be spam, and the board language is English anyway. An online translator gave this for the first comment:
People, do not be conducted on this! Money it does not pay out, and under the guise its programs, load [troyany], which steal information!!! "
("Trojans" = trojan horse viruses -- Tom T.)

I'll see if I can post the rest; perhaps Moderators may be exempt from that rule, although it's probably hard-coded in the forum software.
If so, you may translate the rest for us, should you like, or not.

In any event, I strongly urge you to avoid this site, and to thank NoScript for preventing infection of your computer.

To use the site, you apparently must disable NoScript, and I advise most strongly against this.

Thank you for exposing these sites as evil.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
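
An added example, not part of the original posts: the range-comment lines quoted in the post above can be parsed and an address checked against them, here the 78.140.184.139 that NoScript asked permission for. The line format is inferred from those five lines only, and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Range comments copied from the post above. The first one lacks its closing
# bracket there, and one carries the poster's ">>>>> THIS ONE." annotation,
# so the parser has to tolerate both.
RANGE_COMMENTS = """\
# [WebaZilla / Nl-webazilla][AS35415][78.140.128.0 - 78.140.191.255
# [Hiskyhost][AS43355][78.108.177.0 - 78.108.177.255]
# [Upl-net-customers][AS43355][78.108.180.0 - 78.108.183.255]
# [Upl-net-customers][AS43355][78.108.184.0 - 78.108.184.255]  >>>>> THIS ONE.
# [Host-system-net][AS43355][78.108.185.0 - 78.108.185.255]
"""

# "# [name][ASnnnn][start - end" with an optional closing bracket;
# anything after the range (such as the annotation) is ignored.
LINE_RE = re.compile(
    r"^#\s*\[(?P<name>[^\]]+)\]\[(?P<asn>AS\d+)\]"
    r"\[(?P<start>\d+\.\d+\.\d+\.\d+)\s*-\s*(?P<end>\d+\.\d+\.\d+\.\d+)\]?"
)


def parse_ranges(text):
    """Return (name, asn, first, last) tuples for every well-formed range line."""
    ranges = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a range comment
        try:
            first = ipaddress.IPv4Address(m["start"])
            last = ipaddress.IPv4Address(m["end"])
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
        if first <= last:
            ranges.append((m["name"], m["asn"], first, last))
    return ranges


def find_range(ip, ranges):
    """Return (name, asn, [CIDR strings]) of the range containing ip, else None."""
    addr = ipaddress.IPv4Address(ip)
    for name, asn, first, last in ranges:
        if first <= addr <= last:
            cidrs = [str(n) for n in ipaddress.summarize_address_range(first, last)]
            return name, asn, cidrs
    return None


if __name__ == "__main__":
    listed = parse_ranges(RANGE_COMMENTS)
    # Both addresses appear in the thread.
    for ip in ("78.140.184.139", "199.241.8.115"):
        print(ip, "->", find_range(ip, listed))
```
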
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Whitelisting whole site with all referenced domains?

Post by Tom T. »

Online translators do not work well, but I get the point: Viruses, trojans, pop-ups, adware, spyware, etc.
Formerly only on IE, but now on Firefox.
[Translated from Russian:] PAYMENT: they state one price, but charge 10 times more!!!
PAYMENT they write one, and is taken [v]10 of times more!!!

[Translated from Russian:] It used to download only under IE (because of trojans); now it also does under FF. Nevertheless, there are a lot of ads, a great many, and the files sit there purely to rack up money. This file-sharing site has a shady history.
It earlier rocked only from [vpod] IE (since [troyany]), now - and from under [FF]. Nevertheless, advertisement much, very much, and file there lies purely for winding [dengov]. [Stremnaya] history in this [fayloobmennnika
OK, Moderators are exempt from the ban. But please do not reply in any Cyrillic, as you will receive a stern message, and possibly be banned automatically.

I am sorry that we had to do this because of a few evil ones, but otherwise, there is no reason to post in Russian at an English-language forum.
I am sure that you understand.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Anakunda
Junior Member
Posts: 20
Joined: Sun Sep 26, 2010 8:57 am

Re: Whitelisting whole site with all referenced domains?

Post by Anakunda »

Okay, thanks for exhaustive research, as for site rating this is expectable as it's public file hosting service with no content filtering and except that such a kind sites are usually tightly linked with spam and advertising sites. So the goal is to bypass the rating in this case and block all harmful references while keeping the download functionality only with putting attention on downloaded content itself and trustworthiness of sources providing links to letitbit.net rather than avoiding letitbit.net as whole (the problem is that the site except malicious content hosts trustworthy content also which makes outright rating impossible). If the whitelisting I defined is then trumped by some online site advisor, can I turn off the domain blacklisting? I don't have 78.140 nor 78.108 blocked in hosts service, though the wildcarding is not possible for letitbit.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:11.0) Gecko/20120313 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Whitelisting whole site with all referenced domains?

Post by Tom T. »

Anakunda wrote:... so the goal is to bypass the rating in this case and block all harmful references while keeping the download functionality only with putting attention on downloaded content self and trustworthiness of sources providing links to letitbit.net rather than avoiding letitbit.net as whole (the problem is that the site except malicious content hosts trustworthy content also which makes outright rating impossible).
Understood. It may link to legitimate sites as well as to harmful sites. There seemed to be some concern that letitbit itself may host malware -- it wasn't clear to me, because I do not speak the language of most of the comments; online translators are not perfect; and most of the comments were not specific.
If the whitelisting I defined is then trumped by some online site advisor, can I turn off the domain blacklisting?
NoScript itself does not automatically obey any third-party site advisor, nor blacklist any domains on its own. Some have requested that it do so, but this case is a perfect example of why that is ill-advised: Opinions differ, and good sites may be blocked along with bad ones. Or bad ones may slip through.

You may recall that earlier, I successfully downloaded from the wxdownloadmanager site, whereas you could not. We never did find out why.
However, I had to click through many javascript links and redirections to get there.

The only other thing I could do, with proper additional safety precautions (including a full-disk-image backup immediately before proceeding), is to remove the Hosts block file and replace with the default Hosts file. Then I could try to follow your various links, and see what happens.

Before I expend that time, could you please say whether you tried the previous advice, and if so, what were the results?
Tom T. wrote:
Anakunda wrote:.... (I'm only having blocked adv.letitbit.net and advstat.letitbit.net by AdBlock Plus,
There you go. Disable ABP and see what happens. As said, I had to *allow* two Flash objects that had something similar to -- wait, I'll get the name.

Did you allow am10 and am11.ru? Also allow ad.propellerads.com, though that is probably US-specific. Allow whatever Flash objects appear.
The IFRAME was from am10.ru.
So, please try disabling AdBlockPlus, allowing (perhaps temporarily) am10.ru and am11.ru, and also temporarily allow advertising script, Flash objects, and <IFRAME> objects -- assuming that you are willing to accept the risk involved. I run my browser in a sandbox, especially for such research. If you have a sandbox or virtual machine (VM), I would strongly recommend the same, since we don't know what may happen. But I did successfully download your earlier test case by temporarily allowing these things. (Look back through the thread).

And I did *not* remove the Hosts blocking. So those were downloads that were hosted at sites not reported as evil to that provider.

If you wish to try using the HOSTS file service to protect you from the reported bad sites while still allowing those that have not been reported as malicious, the (free) service I have used for many years is http://www.mvps.org/winhelp2002/hosts.htm. There are many others out there, and I am not guaranteeing that this one or any other one can protect you from all malicious sites, of course.

I use Sandboxie for added browser protection. There is a free 30-day trial, then you must either pay a fee, or use a "nagware" version which pops up a screen when the browser is first opened. There are many other sandboxing and virtualization services, such as VMware Player, which also offers a free trial download. I have not investigated that one or any others. And of course, since I can't control those products, also cannot guarantee them or be responsible for them.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28