uBlockOrigin / uAssets

Resources for uBlock Origin, uMatrix: static filter lists, ready-to-use rulesets, etc.
GNU General Public License v3.0

badware #6381

Closed terrorist96 closed 5 years ago

terrorist96 commented 5 years ago

Sites that should be blocked in badware. I'm not making a PR because I don't know if they should be appended with ^, ^$document, or ^$all.

links that can reproduce the above sites:

[image]

[image]

@adroitadorkhan this applies to your lists too.

liamengland1 commented 5 years ago

||trktnc.com^ would work.

mapx- commented 5 years ago

I tested part of the pages in the first list, I get no obvious reasons for badware. In the second part some redirecting etc

If you can provide the reasons for all those sites or (for the second part) the starting pages pointing to that crap it would be much better. Closing now, you can reopen it providing the extra info.

terrorist96 commented 5 years ago

If you load the sites in the second list they cause redirecting to the sites in the first list. Each time is different. Some are worse than others.

krystian3w commented 5 years ago

More badware:

/^https?:\/\/(\w.|)(apps?|best|competition|game|mobile|play|prize|reward|sweeps)[0-9]{2,8}\.[a-z-]{5,22}[0-9]{1,8}\.(agency|icu|life|live)\//$document,domain=agency|icu|life|live

fake free iPhone / Samsung S10 or alternative better as Tinder (NSFW).
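How the two filter forms proposed so far in this thread (`||trktnc.com^` and the regex filter above) select URLs, as an added example that is not code from uBlock Origin or from any commenter. It is a simplified model: `parseFilter`, `hostEndsWith` and `matches` are hypothetical helpers, the sample URLs are constructed, and it assumes that for a top-level navigation the URL's own hostname is the `domain=` context and that a bare TLD in `domain=` matches by hostname suffix.

```javascript
// Added example: simplified model, NOT uBlock Origin's matching engine.
// Handles only `||hostname^` and `/regex/$opts` with an optional domain= option.
const REGEX_FILTER = String.raw`/^https?:\/\/(\w.|)(apps?|best|competition|game|mobile|play|prize|reward|sweeps)[0-9]{2,8}\.[a-z-]{5,22}[0-9]{1,8}\.(agency|icu|life|live)\//$document,domain=agency|icu|life|live`;
const HOST_FILTER = '||trktnc.com^';

function parseFilter(line) {
  // Regex form: everything between the first and the last "/" is the pattern.
  const re = line.match(/^\/(.+)\/(?:\$(.*))?$/);
  if (re) {
    const opts = (re[2] || '').split(',').filter(Boolean);
    const dom = opts.find((o) => o.startsWith('domain='));
    const domains = dom ? dom.slice('domain='.length).split('|') : [];
    return { kind: 'regex', pattern: new RegExp(re[1]), domains };
  }
  const host = line.match(/^\|\|([a-z0-9.-]+)\^$/i);
  if (host) return { kind: 'host', hostname: host[1].toLowerCase() };
  throw new Error('unsupported filter form: ' + line);
}

// True when hostname equals suffix or is a subdomain of it (label boundary).
function hostEndsWith(hostname, suffix) {
  return hostname === suffix || hostname.endsWith('.' + suffix);
}

function matches(filterLine, url) {
  const f = parseFilter(filterLine);
  const u = new URL(url);
  if (f.kind === 'host') return hostEndsWith(u.hostname, f.hostname);
  const inScope = f.domains.length === 0 ||
    f.domains.some((d) => hostEndsWith(u.hostname, d));
  return inScope && f.pattern.test(u.href);
}

// Constructed sample URLs (not taken from the thread), with the expected verdict.
const SAMPLES = [
  [HOST_FILTER, 'https://sub.trktnc.com/click', true],
  [HOST_FILTER, 'https://nottrktnc.com/', false],                 // no label boundary
  [REGEX_FILTER, 'http://sweeps1234.samplehost39.live/1/', true],
  [REGEX_FILTER, 'http://m.game123.winnerpage55.icu/x', true],    // (\w.|) consumes "m."
  [REGEX_FILTER, 'http://www.game123.winnerpage55.icu/x', false], // (\w.|) takes 2 chars only
  [REGEX_FILTER, 'https://play19.news-site.live/', false],        // 2nd label has no digits
  [REGEX_FILTER, 'https://prize2020.luckydraw7.com/', false],     // TLD not in the filter
];

for (const [filter, url, expected] of SAMPLES) {
  const got = matches(filter, url);
  console.log(got === expected ? 'ok  ' : 'FAIL', got ? 'match   ' : 'no match', url);
}
```

The `www.` row shows that the optional prefix group `(\w.|)` covers a two-character prefix such as `m.` but not a longer subdomain label.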

krystian3w commented 5 years ago

> If you load the sites in the second list they cause redirecting to the sites in the first list. Each time is different. Some are worse than others.

Also an IP unique who's never visited these domains before, most likely.

liamengland1 commented 5 years ago

What is a ploughman??

krystian3w commented 5 years ago

ask deepl...

krystian3w commented 5 years ago

I suppose unique... but translator used "bull-s-hit". (And I'm not gonna try yandex.)

terrorist96 commented 5 years ago

I think he means use a robot that hasn't been to those sites before to go to those sites and record what happens.

krystian3w commented 5 years ago

So send via mail into Malware Domain List?

(I don't send regex into Malware Domain List if they do banning per domain/subdomain. For me it's a bad method since the villains have a scheme with domains for fake iPhones, Samsung S10 and alternative to a Tinder with naked women.)

terrorist96 commented 5 years ago

@krystian3w I don't think it would be fully in scope of those lists. These aren't sites that are directly infecting your PC, but they are redirect/scammy sites that would be a good candidate for this list. @mapx- did you try going to the links I posted in order to reproduce the sites that should be blocked? I spent a lot of time compiling that list and even provided you with a list of sites to reproduce on your own if you don't want to take my word for it.

okiehsch commented 5 years ago

How did you end up at the sites of the second "links that can reproduce the above sites" list?

terrorist96 commented 5 years ago

From here: https://assets.windscribe.com/custom_blocklists/clickbait.txt
Which I found here: https://github.com/EnergizedProtection/block/issues/248
Went through the list to make sure those sites weren't being blocked in Energized and some of those sites I guess expired or turned scammy.

okiehsch commented 5 years ago

Some of them are parked domains and all I tested have no content, their only purpose appears to be to redirect. Many of them are already neutered by the badware list. For example go to newsbreakshere.com. I think they can be added to the badware list.

terrorist96 commented 5 years ago

newsbreakshere.com leads to different places each time I test, some blocked by badware but most not. See: (using History Trends Unlimited because Chrome's built-in history viewer doesn't capture all the redirects) [image]

terrorist96 commented 5 years ago

@okiehsch so why not block the resulting redirect sites? Those sites probably appear from redirects from other domains too.

okiehsch commented 5 years ago

> newsbreakshere.com leads to different places each time I test, some blocked by badware but most not.

I have blocked it with my commit, so that issue should be solved.

About your first list, if for example the extension advertised at convertpdfpro.com is badware they should be added. I don't know if that is the case. If somebody wants to test that extension and share the results. 👍

okiehsch commented 5 years ago

Or http://secretpursuit.com any reason for it to be blocked? It does not randomly redirect the user like the domains in your second list.

terrorist96 commented 5 years ago

I get your point, but many of those sites are common redirects from the list of sites you blocked, especially checkisreal.com, mysecurify.com, and viralupdatestoday.com (see the screenshots in the original post for the latter two).

Here is an example for checkisreal.com: [image]

But going to that site on your own, it won't look like that.

As for secretpursuit.com, I can't reproduce it right now but when I was redirected there, it did not look like the basic search engine it appears to be when you go there yourself.

okiehsch commented 5 years ago

I get an access denied message at mysecurify.com and viralupdatestoday.com. mapx- can you access those sites and what do you think?

okiehsch commented 5 years ago

I do think that the landing pages should be blocked in a malware list, if they are malicious of course.

okiehsch commented 5 years ago

bidr.trellian.com for example looks to me like an ad-network and not anything that should be added to a badware list.

mapx- commented 5 years ago

viralupdatestoday access denied
mysecurify.com => all fine, it seems a normal site, no redirects, no popups

okiehsch commented 5 years ago

I can also access mysecurify.com now, looks like it is basically the same as convertpdfpro.com.

terrorist96 commented 5 years ago

> all fine, it seems a normal site, no redirects, no popups

It's by design. Going to the site on your own will seem normal. But getting redirected to it from a scammy redirecting site will show its true colors. See the two screenshots in the OP for proof of constant redirects by these sites.

krystian3w commented 5 years ago

https://www.propdfconverter.com/index.jhtml
https://www.televisionfanatic.com/index.jhtml

imo scam

okiehsch commented 5 years ago

Your screenshot in https://github.com/uBlockOrigin/uAssets/issues/6381#issuecomment-538824544 looks suspiciously similar to [image]

So I will block checkisreal.com and mysecurify.com. I still think those landing pages should be reported and added to dedicated malware lists.

liamengland1 commented 5 years ago

Sorry to hijack the issue, but these should be added to badware as well: https://www.wordfence.com/blog/2019/08/malicious-wordpress-redirect-campaign-attacking-several-plugins/

||greatinstagrampage.com^
||gabriellalovecats.com^
||jackielovedogs.com^
||tomorrowwillbehotmaybe.com^
||activeandbanflip.com^
||wiilberedmodels.com^
||developsincelock.com^

terrorist96 commented 4 years ago

Some more:

https://securecloud-smart.com/?a=14527&c=174995&s1=1009&s2=cf7c9ghc8fya73y834
https://š427.biz/bd476u1y?key=e152946fbdf32a36ce5f8597438015cf&psid=3142758faaa00835004933cdf0567091f5920454
https://doctopdftech.com/1020982094?subid_short=695d3ac25b2bf90c1ec2a13148dbd0cc&placement=14920667&ssg=3&install_id=9648a91f-4185-48cc-825b-1234dd016f03
https://lp.searchdimension.com/12/?v=399#sdapp93

triggered via: https://www.google.com/url?sa=i&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjGppTMm-_lAhVJq1kKHR7NB-EQjB16BAgBEAM&url=https%3A%2F%2Fforumaden.com%2Fimage-gallery%2Fhow-many-black-holes-have-been-discovered&psig=AOvVaw0JarTOygupU5X1u99KARWz&ust=1574010213410937 (though I can't get it to trigger anymore)

krystian3w commented 4 years ago

Welcome to forumaden.com This Web page is parked for FREE, courtesy of GoDaddy.com.

So dead site...

[image]

krystian3w commented 4 years ago

crap opened by š427.biz:

https://www.track-enable.com/click.php?key=7m1rl8hb3ibejwuh30s6&action=951fcb571bb1fdd92b1459664fe6ad57&placementid=14920667&bannerid=944601

https://palundrus.com/nlp/index.php?a=14527&c=174995&s1=1011&s2=45d1cghocmy1nfec4c&url_bnm_redirect=https://securecloud-smart.com/

https://www.giftdomain.site/send/iphone/pl/?city=Chandler&country=United%20States&os_name=Windows&os_version=10&clickid=203a0cidvejikbldef&trafficsource=14&lpkey=1519735f94ce230011&campaign=2575&uclick=cidvejikbl

terrorist96 commented 4 years ago

> (though I can't get it to trigger anymore)

I just tried and I got it to redirect to those crap sites.

terrorist96 commented 4 years ago

https://check-best-prizes-here.life/?u=tpap60a&o=zlbwly0

mapx- commented 4 years ago

added