ligatus not blocked

avatar

Administrator
Staff member
Administrator
There's a filter in EasyList (and in English filter also):
Code:
||ligatus.com^$popup,third-party
It blocks all requests to ligatus.com.
 

Dolfi

Banned
Until now I stick with/to the AG filters (bc. AG warns to become slow when choosing more and the proxy server is a slow machine).
These (still) do not filter the above link. I know that bc my browser shows "[Blocked by Ad Muncher]" when clicking it (or an ad, when disabling AM and clicking).

Regards,
Dolfi


P.S. Neither do EL and EL Germany block above link over here, if enabled. AG itself working according to your test page.

---------- Post added at 05:45 AM ---------- Previous post was at 05:19 AM ----------

detailled filter when clicking the ad:
Code:
Address: http://de.webfail.com/img/lrhtlx6LB_CB0.gifTime: 12/21/2014 05:36:53
Status: Request processed
Request details:


The request was sent from the following web page:
http://de.webfail.com/770cce05512


Bytes received: 449
Bytes sent: 603
Code:
Address: http://r.ligatus.com/?z=9szAxfu93zZn9iAc5Hi73VflZ6rQEE0qHwaI3LRZd9gmWSKfzg05V-gBHMEwzuBKDRlSR3m7WpSkRbUCNGwP4F7LDy6y8xFeHC4995Ochgxf58qj9jRrbdYggPZLGuYdAs-vh5rJ_pM-bbZxfL26iev-9yb7D7zmUURqTime: 12/21/2014 05:36:54
Status: Request processed
Request details:


The request was sent from the following web page:
http://de.webfail.com/770cce05512


Bytes received: 176
Bytes sent: 588
HTH,
Dolfi
 

Dolfi

Banned
From both sample pages I didn't see any requests from ligatus.com
Would you please rephrase "didn't see any requests from ligatus.com"?
Because I click that link and a site http://52weine.de opens. You might also want to disable all lists except EL and EL Germany before testing, so we talk about the same.
Code:
Address: http://52weine.de/rotweine/kennenlern-paket-rot.html
Time: 12/21/2014 09:12:24
Status: The page has been filtered
Request details:

The request was sent from the following web page:
http://r.ligatus.com/?z=zUdwCig6f_pxHBC_0zFRA62CU-pLoXJ-zLqdsNT9IwZp5znXo8TTBotLz_Pm5crQLnx6csRdHWcLd6h5MdsIkFCl61d0kYzf0SDnHlDercta7oYSE1bFcKPvg3DevG887fyDmUdvjJ0yfRKw_4L6dmOzQLVTPKD0Hl1m

New element hiding rules have been added to the page
Popup blocking code has been added to the page

The following elements have been removed from the page:


<script type='text/javascript' src='http://s7.addthis.com/js/250/addthis_widget.js#pubid=xa-4fce36935105cb6e'> (||addthis.com/js/*/addthis_widget.js$third-party,domain=~tscan.mg|~imgur.com|~civilization.com)
<iframe src='//ad2.adc-serv.net/retargeting.php?customer=52weine_de&method=visit&hash=977a68bdc2e1bd974ca91ae9b8f5bbcd&value=visit' frameborder='0' scrolling='no' style='width:1px;height:1px;float: left;'> (||adc-serv.net^$third-party)

Bytes received: 16396
Bytes sent: 600

EDIT:
It might not be your code/list but sth. AG does 'wrong'.
When defining a custom filter "*ligatus.com*" and then opening the link from 1st post this is in detailled log:
Code:
Address: http://r.ligatus.com/?z=zUdwCig6f_pxHBC_0zFRA62CU-pLoXJ-zLqdsNT9IwZp5znXo8TTBotLz_Pm5crQLnx6csRdHWcLd6h5MdsIkFCl61d0kYzf0SDnHlDercta7oYSE1bFcKPvg3DevG887fyDmUdvjJ0yfRKw_4L6dmOzQLVTPKD0Hl1m
Time: 12/21/2014 10:04:41
Status: Request blocked
Request details:

The request was blocked by the following filtering rule:

*ligatus.com*
Code:
Address: http://52weine.de/rotweine/kennenlern-paket-rot.html
Time: 12/21/2014 10:04:47
Status: The page has been filtered
Request details:

The request was sent from the following web page:
http://r.ligatus.com/?z=zUdwCig6f_pxHBC_0zFRA62CU-pLoXJ-zLqdsNT9IwZp5znXo8TTBotLz_Pm5crQLnx6csRdHWcLd6h5MdsIkFCl61d0kYzf0SDnHlDercta7oYSE1bFcKPvg3DevG887fyDmUdvjJ0yfRKw_4L6dmOzQLVTPKD0Hl1m

New element hiding rules have been added to the page
Popup blocking code has been added to the page

The following elements have been removed from the page:


<script type='text/javascript' src='http://s7.addthis.com/js/250/addthis_widget.js#pubid=xa-4fce36935105cb6e'> (||addthis.com/js/*/addthis_widget.js$third-party,domain=~tscan.mg|~imgur.com|~civilization.com)
<iframe src='//ad2.adc-serv.net/retargeting.php?customer=52weine_de&method=visit&hash=977a68bdc2e1bd974ca91ae9b8f5bbcd&value=visit' frameborder='0' scrolling='no' style='width:1px;height:1px;float: left;'> (||adc-serv.net^$third-party)

Bytes received: 16397
Bytes sent: 501
So even though AG says to have blocked it obviously hasn't
 
Last edited by a moderator:

fanboy

Member
Even with my German VPN, I don't see it. I'm gathering you may have a malware infection which is injecting these requests...
 

Dolfi

Banned
Even with my German VPN, I don't see it. I'm gathering you may have a malware infection which is injecting these requests...
:) yeah, that's always the easiest way: blame the bloody user...
Unfortunately (for you) I have
- a variety of systems and browsers (see sig)
- (virtually) endless clean systems (VMWare templates ready for cloning)
- verified this on already 4 different OSes and browsers. Including linux life CD w/o persistence (i.e. uninfectable - except forum.adguard.com contains malware able to infect 4 systems).
- verified it using and not using local install vs. builtin HTTP proxy vs external SOCKS5 proxy
edit:
- just now verified on a fresh clone /w plain Win7x64SP1* (fresh off the DVD, not even security updates) and fresh local install of AG - same issue
edit-end
So it might not work with this issue to blame my system(s). I am sorry.

edit:
Besides:
- on the W7x64 machine no other executable accessed the network (according to a port monitor)
- on LiveLinux and an XP-Test there is no default route but a single dedicated route to the proxy server
So if there was malware re-injecting the request then the request had to loop as it had to be filtered by AG (denied/rejected) again and again and again.
But according to wireshark there is a single HTTP GET request which is answered by the adserver with a tiny redirect page - even though AG says to have "blocked".


P.S. @avatar: in one packet capture I saw a "cookie: __adguard_adblock_whitelisted" in the GET request. Whats that? Can that be a reason that you built a 'backdoor' into the product that websites can use to circumvent AGs config/protection which is used?!

* never before tested AG running on x64 and/or >XP/2k3
 
Last edited by a moderator:

Dolfi

Banned
next point (which is why I am going to open a bug report):
If I replace ligatus by [whatever] the same happens.
user filter: *.ibm.com* , URL opens instead of being blocked. Tell me which malware did this...
 

avatar

Administrator
Staff member
Administrator
next point (which is why I am going to open a bug report):
If I replace ligatus by [whatever] the same happens.
user filter: *.ibm.com* , URL opens instead of being blocked. Tell me which malware did this...
We do not block URLs if they opened in the window (not frame).
That's also the reason you see this cookie - it's temporary cookie allowing us to unblock request in this case.

---------- Post added at 09:32 PM ---------- Previous post was at 09:29 PM ----------

Even with my German VPN, I don't see it. I'm gathering you may have a malware infection which is injecting these requests...
I don't see it also. @Dolfi, could you please give me the working example?

---------- Post added at 09:40 PM ---------- Previous post was at 09:32 PM ----------

From both sample pages I didn't see any requests from ligatus.com
Aaa, I got it. If you refresh the page and wait you'll see random banner ads on the page.
Clicking these banners goes through ligatus.com.

---------- Post added at 09:46 PM ---------- Previous post was at 09:40 PM ----------

Ok, looks like I've understand the cause of this.

There's a difference between processing of $popup rules in Adguard and in ABP.
We apply $popup rules to all requests. But for ABP, $popup is like one more content type restriction.

Because of this they have two rules in EasyList:
Code:
||ligatus.com^$popup,third-party
||ligatus.com^$third-party,domain=~bfmtv.com
First for blocking popups, second for all other requests.
Adguard uses only one of them (the first it get).
So, in your case Adguard use the second filter only.

I have fixed English filter now, we now have one rule only.

Also we should fix it for all other filter pairs in EasyList.
 

avatar

Administrator
Staff member
Administrator
One more update from me.

We've changed transformation script we use for EasyList filters.
So now we remove these duplicate filters in Adguard-compatible EasyList.
 

Dolfi

Banned
We do not block URLs if they opened in the window (not frame).
That's also the reason you see this cookie - it's temporary cookie allowing us to unblock request in this case.
Dunno if that cookie is a good idea. Don't like the effort to learn web page programmimg just to show you but AFAIR a webpage can set random cookies. If that was true any website can set that AG-blocking cookie, can't it?
edit: also dunno if not blocking non-popups is a good idea as that is exactly what that banner ad does: opening the ad in the same window.

I don't see it also. @Dolfi, could you please give me the working example?
if you still need/want to: any of my systems. I even could give you a dedicated system to play with (if you promise not to abuse it or spy around)


edit2: That might be the issue with fanboy too: He didn't get that there is no popup and so that no popup rule will ever help.
 
Last edited by a moderator:

avatar

Administrator
Staff member
Administrator
Dunno if that cookie is a good idea. Don't like the effort to learn web page programmimg just to show you but AFAIR a webpage can set random cookies. If that was true any website can set that AG-blocking cookie, can't it?
edit: also dunno if not blocking non-popups is a good idea as that is exactly what that banner ad does: opening the ad in the same window.
Yeah, it's possible, but we can handle it if any website decide to do it.

Also we'll make this cookie name random in the next version.
 
Top