- Oct 1, 2019
- 1,120
Hi, because I am using Kees1958 Top500 blocklist (link) I started to follow him on GitHub and came across a discussion on Giithub between GorHill and Kees1958 where an interesting idea of is posted (link) on combining internet zone's with different uBlockOrigin block modes.
People using uBlockOrigin advanced mode always turn into advocates of using the advanced blocking options of uBlockOrigin
At the moment the idea discussed between GorHill and Kees1958 is partly possible, it requires manual configuration of both static My Filters and dynamic My Rules. It would be nice when this idea of applying different block modes for different zones would be guided and partly automated by uBlockOrigin.
IDEA OUTLINE:
Before posting the details I want to apologize to members from outside West Europe and North America for making this how-to from the western world perspective. I want to explicitly apologize for blocking some country code TLD's with high abuse/malware. I just searched for malicious / most abused Top Level Domains and copied the TLD's, I have no bias, political agenda or negative views on the listed country domains.
1. BLOCK ALL ON MUCH ABUSED GENERIC TOP LEVEL DOMAINS IN MY FILTERS
Generic Top Level Domains are domains with a generic fancy suffix. Some of these suffixes are very cheap and therefor often used by malware writers to limit costs.
!
! Block all on much abused generic TLD's. The TLD is between ||* and ^$, e.g. ||*.BID^$
!
||*.bid^$all
||*.buzz^$all
||*.club^$all
||*.country^$all
||*.date^$all
||*.download^$all
||*.gdn^$all
||*.host^$all
||*.icu^$all
||*.jetz^$all
||*.kim^$all
||*.loan^$all
||*.men^$all
||*.mobi^$all
||*.mom^$all
||*.party^$all
||*.pics^$all
||*.racing^$all
||*.ren^$all
||*.rest^$all
||*.review^$all
||*.ryukyu^$all
||*.science^$all
||*.shop^$all
||*.site^$all
||*.stream^$all
||*.top^$all
||*.trade^$all
||*.vip^$all
||*.wang^$all
||*.win^$all
||*.work^$all
||*.xin^$all
2. BLOCK ALL ON MUCH ABUSED COUNTRY CODE TOP LEVEL DOMAINS IN MY FILTERS
Some countries have loose legislation on cyber crime or no prisoner exchange ruling with the US, making them popular with malware writers. This is probably why they rank high in Spamhouse and yearly reports of security and DNS suppliers. Again apologize when your country is mentioned here.
!
! Block all on much abused country code TLD's. The TLD is between ||* and ^$, e.g. ||*.AM^$
!
||*.am^$all
||*.cc^$all
||*.cf^$all
||*.cn^$all
||*.fm^$all
||*.ga^$all
||*.gg^$all
||*.ki^$all
||*.kp^$all
||*.la^$all
||*.ml^$all
||*.pw^$all
||*.ru^$all
||*.tk^$all
||*.ua^$all
||*.ug^$all
||*.vn^$all
3. ONLY ALLOW PASSIVE THIRD-PARTY CONTENT ALL HTTP (UN-ENCRYPTED) WEBSITES IN MY FILTERS
HTTP are called insecure websites, because they do not use the HTTPS protocol, so the data you retrieve and send to these websites is unecrypted. Most commercial websites in West Europe and North America have a secure HTTPS website. This does not mean that HTTPS is safe, but only ensures that the data is encrypted and depending on the certificate and domain operator (DV), owner (OV) and legal entity (EV) is checked. Because you need to pass a check to get an certificate for a HTTPS website, most malware / phishing websites launch as HTTP website (often they are only active for a few days/weeks). So adding just one (1) rule in my filters reduces the attack surface a lot.
!
! Only allow third-party passive content on HTTP-websites
!
HTTP://*$third-party,~stylesheet,~image,~media
4. BLOCK SCRIPTS AND FRAMES TO THIRD-PARTY TOP LEVEL DOMAINS YOU NORMALLY WOULD NOT VISIT IN MY RULES
Enable advanced option in Settings tab of the Dashboard and create your own easy-medium mode blocking rules. When you are a member from Germany and also read English, this could be the dynamic rules you might add the following rules in MY RULES to block third-party scripts and frames (medium mode) globally. You should tailor the NOOP-rules below to your browsing habits (e.g. languages which you read).
A. Apply medium mode blocking (block active content on third-party websites)
* * 3p-frame block
* * 3p-script block
B. Next add noop exceptions (NO-OPERAND) for some generic Top Level Domains. This has as effect that all websites in those NOOP-ed Top level Domains the blocking mode is lowered to easy mode.
* biz * noop
* com * noop
* gov * noop
* inf * noop
* info * noop
* io * noop
* net * noop
* org * noop
C. Also allow exceptions (ignore or NO-OPERAND) for country codes of the languages you read. As an example, lets say you are from Germany and also read English. You could add noop-rules for German (Germany, Austria, Switzerland) and English (UK, US, Canada, Ireland, South Africa, Australia and New Zealand) and the EU. You should always tailor this to your needs.
* de * noop
* at * noop
* ch * noop
* uk * noop
* us * noop
* ca * noop
* ie * noop
* sa * noop
* au * noop
* nz * noop
GorHill on Github said:
People using uBlockOrigin advanced mode always turn into advocates of using the advanced blocking options of uBlockOrigin
Oldschool on MT said:
At the moment the idea discussed between GorHill and Kees1958 is partly possible, it requires manual configuration of both static My Filters and dynamic My Rules. It would be nice when this idea of applying different block modes for different zones would be guided and partly automated by uBlockOrigin.
IDEA OUTLINE:
- Block all websites traffic from generic and country Top Level Domains known to have a large percentage of malware.
It is stricter than the mode GorHill calls 'nightmare' mode (link). Normally you would not visit these TLD's so blacklisting them would only rarely lead to website breakage. You need to disable strict blocking to access a website within a blacklisted TLD. This warning can't be missed. It is explained at point 1 and 2 below.
- Allow only (safe) passive third-party content from (unencrypted/insecure) HTTP websites.
Because HTTP websites don't require a certificate they are easier to launch (owner is not checked), making them popular with malware writers. As illustrated on VX-Vault URL's 90% of the malware comes from HTTP websites, while 99% of legitimate websites are HTTPS websites. The allow passive content is a bit stricter than medium mode blocking, but more usable than hard mode blocking (because 3p-stylesheets are allowed),. In most cases HTTP website should still display (safe) passive content (like text and images). It is explained at 3 below.
- Apply medium mode blocking on all TLD's outside your language scope (and apply easy mode to websites which language you read).
This is the idea posted earlier by Kees1958/Windows_Security and is a sticky on this forum (link). This W_S tweak applies medium mode blocking for all remaining websites, except for the third-party TLD's you explicitly noop. For websites in the NOOP-ed third-party TLD's you apply easy mode blocking (because first-party is allowed by default). This is explained in 4.
Before posting the details I want to apologize to members from outside West Europe and North America for making this how-to from the western world perspective. I want to explicitly apologize for blocking some country code TLD's with high abuse/malware. I just searched for malicious / most abused Top Level Domains and copied the TLD's, I have no bias, political agenda or negative views on the listed country domains.
1. BLOCK ALL ON MUCH ABUSED GENERIC TOP LEVEL DOMAINS IN MY FILTERS
Generic Top Level Domains are domains with a generic fancy suffix. Some of these suffixes are very cheap and therefor often used by malware writers to limit costs.
!
! Block all on much abused generic TLD's. The TLD is between ||* and ^$, e.g. ||*.BID^$
!
||*.bid^$all
||*.buzz^$all
||*.club^$all
||*.country^$all
||*.date^$all
||*.download^$all
||*.gdn^$all
||*.host^$all
||*.icu^$all
||*.jetz^$all
||*.kim^$all
||*.loan^$all
||*.men^$all
||*.mobi^$all
||*.mom^$all
||*.party^$all
||*.pics^$all
||*.racing^$all
||*.ren^$all
||*.rest^$all
||*.review^$all
||*.ryukyu^$all
||*.science^$all
||*.shop^$all
||*.site^$all
||*.stream^$all
||*.top^$all
||*.trade^$all
||*.vip^$all
||*.wang^$all
||*.win^$all
||*.work^$all
||*.xin^$all
2. BLOCK ALL ON MUCH ABUSED COUNTRY CODE TOP LEVEL DOMAINS IN MY FILTERS
Some countries have loose legislation on cyber crime or no prisoner exchange ruling with the US, making them popular with malware writers. This is probably why they rank high in Spamhouse and yearly reports of security and DNS suppliers. Again apologize when your country is mentioned here.
!
! Block all on much abused country code TLD's. The TLD is between ||* and ^$, e.g. ||*.AM^$
!
||*.am^$all
||*.cc^$all
||*.cf^$all
||*.cn^$all
||*.fm^$all
||*.ga^$all
||*.gg^$all
||*.ki^$all
||*.kp^$all
||*.la^$all
||*.ml^$all
||*.pw^$all
||*.ru^$all
||*.tk^$all
||*.ua^$all
||*.ug^$all
||*.vn^$all
3. ONLY ALLOW PASSIVE THIRD-PARTY CONTENT ALL HTTP (UN-ENCRYPTED) WEBSITES IN MY FILTERS
HTTP are called insecure websites, because they do not use the HTTPS protocol, so the data you retrieve and send to these websites is unecrypted. Most commercial websites in West Europe and North America have a secure HTTPS website. This does not mean that HTTPS is safe, but only ensures that the data is encrypted and depending on the certificate and domain operator (DV), owner (OV) and legal entity (EV) is checked. Because you need to pass a check to get an certificate for a HTTPS website, most malware / phishing websites launch as HTTP website (often they are only active for a few days/weeks). So adding just one (1) rule in my filters reduces the attack surface a lot.
!
! Only allow third-party passive content on HTTP-websites
!
HTTP://*$third-party,~stylesheet,~image,~media
4. BLOCK SCRIPTS AND FRAMES TO THIRD-PARTY TOP LEVEL DOMAINS YOU NORMALLY WOULD NOT VISIT IN MY RULES
Enable advanced option in Settings tab of the Dashboard and create your own easy-medium mode blocking rules. When you are a member from Germany and also read English, this could be the dynamic rules you might add the following rules in MY RULES to block third-party scripts and frames (medium mode) globally. You should tailor the NOOP-rules below to your browsing habits (e.g. languages which you read).
A. Apply medium mode blocking (block active content on third-party websites)
* * 3p-frame block
* * 3p-script block
B. Next add noop exceptions (NO-OPERAND) for some generic Top Level Domains. This has as effect that all websites in those NOOP-ed Top level Domains the blocking mode is lowered to easy mode.
* biz * noop
* com * noop
* gov * noop
* inf * noop
* info * noop
* io * noop
* net * noop
* org * noop
C. Also allow exceptions (ignore or NO-OPERAND) for country codes of the languages you read. As an example, lets say you are from Germany and also read English. You could add noop-rules for German (Germany, Austria, Switzerland) and English (UK, US, Canada, Ireland, South Africa, Australia and New Zealand) and the EU. You should always tailor this to your needs.
* de * noop
* at * noop
* ch * noop
* uk * noop
* us * noop
* ca * noop
* ie * noop
* sa * noop
* au * noop
* nz * noop
Last edited:
