ligatus not blocked

Discussion in 'Missed Ads' started by Dolfi, Dec 20, 2014.

  1. Dolfi

    Dolfi Banned

    Joined:
    Nov 21, 2014
    Messages:
    218
  2. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    12,947
    There's a filter in EasyList (and in English filter also):
    Code:
    ||ligatus.com^$popup,third-party
    
    It blocks all requests to ligatus.com.
     
  3. Dolfi

    Dolfi Banned

    Joined:
    Nov 21, 2014
    Messages:
    218
    Until now I stick with/to the AG filters (bc. AG warns to become slow when choosing more and the proxy server is a slow machine).
    These (still) do not filter the above link. I know that bc my browser shows "[Blocked by Ad Muncher]" when clicking it (or an ad, when disabling AM and clicking).

    Regards,
    Dolfi


    P.S. Neither do EL and EL Germany block above link over here, if enabled. AG itself working according to your test page.

    ---------- Post added at 05:45 AM ---------- Previous post was at 05:19 AM ----------

    detailled filter when clicking the ad:
    Code:
    Address: http://de.webfail.com/img/lrhtlx6LB_CB0.gifTime: 12/21/2014 05:36:53
    Status: Request processed
    Request details:
    
    
    The request was sent from the following web page:
    http://de.webfail.com/770cce05512
    
    
    Bytes received: 449
    Bytes sent: 603
    Code:
    Address: http://r.ligatus.com/?z=9szAxfu93zZn9iAc5Hi73VflZ6rQEE0qHwaI3LRZd9gmWSKfzg05V-gBHMEwzuBKDRlSR3m7WpSkRbUCNGwP4F7LDy6y8xFeHC4995Ochgxf58qj9jRrbdYggPZLGuYdAs-vh5rJ_pM-bbZxfL26iev-9yb7D7zmUURqTime: 12/21/2014 05:36:54
    Status: Request processed
    Request details:
    
    
    The request was sent from the following web page:
    http://de.webfail.com/770cce05512
    
    
    Bytes received: 176
    Bytes sent: 588
    HTH,
    Dolfi
     
  4. fanboy

    fanboy Member

    Joined:
    Oct 3, 2014
    Messages:
    110
    From both sample pages I didn't see any requests from ligatus.com
     
  5. Dolfi

    Dolfi Banned

    Joined:
    Nov 21, 2014
    Messages:
    218
    Would you please rephrase "didn't see any requests from ligatus.com"?
    Because I click that link and a site http://52weine.de opens. You might also want to disable all lists except EL and EL Germany before testing, so we talk about the same.
    Code:
    Address: http://52weine.de/rotweine/kennenlern-paket-rot.html
    Time: 12/21/2014 09:12:24
    Status: The page has been filtered
    Request details:
    
    The request was sent from the following web page:
    http://r.ligatus.com/?z=zUdwCig6f_pxHBC_0zFRA62CU-pLoXJ-zLqdsNT9IwZp5znXo8TTBotLz_Pm5crQLnx6csRdHWcLd6h5MdsIkFCl61d0kYzf0SDnHlDercta7oYSE1bFcKPvg3DevG887fyDmUdvjJ0yfRKw_4L6dmOzQLVTPKD0Hl1m
    
    New element hiding rules have been added to the page
    Popup blocking code has been added to the page
    
    The following elements have been removed from the page:
    
    
    <script type='text/javascript' src='http://s7.addthis.com/js/250/addthis_widget.js#pubid=xa-4fce36935105cb6e'> (||addthis.com/js/*/addthis_widget.js$third-party,domain=~tscan.mg|~imgur.com|~civilization.com)
    <iframe src='//ad2.adc-serv.net/retargeting.php?customer=52weine_de&method=visit&hash=977a68bdc2e1bd974ca91ae9b8f5bbcd&value=visit' frameborder='0' scrolling='no' style='width:1px;height:1px;float: left;'> (||adc-serv.net^$third-party)
    
    Bytes received: 16396
    Bytes sent: 600

    EDIT:
    It might not be your code/list but sth. AG does 'wrong'.
    When defining a custom filter "*ligatus.com*" and then opening the link from 1st post this is in detailled log:
    Code:
    Address: http://r.ligatus.com/?z=zUdwCig6f_pxHBC_0zFRA62CU-pLoXJ-zLqdsNT9IwZp5znXo8TTBotLz_Pm5crQLnx6csRdHWcLd6h5MdsIkFCl61d0kYzf0SDnHlDercta7oYSE1bFcKPvg3DevG887fyDmUdvjJ0yfRKw_4L6dmOzQLVTPKD0Hl1m
    Time: 12/21/2014 10:04:41
    Status: Request blocked
    Request details:
    
    The request was blocked by the following filtering rule:
    
    *ligatus.com*
    Code:
    Address: http://52weine.de/rotweine/kennenlern-paket-rot.html
    Time: 12/21/2014 10:04:47
    Status: The page has been filtered
    Request details:
    
    The request was sent from the following web page:
    http://r.ligatus.com/?z=zUdwCig6f_pxHBC_0zFRA62CU-pLoXJ-zLqdsNT9IwZp5znXo8TTBotLz_Pm5crQLnx6csRdHWcLd6h5MdsIkFCl61d0kYzf0SDnHlDercta7oYSE1bFcKPvg3DevG887fyDmUdvjJ0yfRKw_4L6dmOzQLVTPKD0Hl1m
    
    New element hiding rules have been added to the page
    Popup blocking code has been added to the page
    
    The following elements have been removed from the page:
    
    
    <script type='text/javascript' src='http://s7.addthis.com/js/250/addthis_widget.js#pubid=xa-4fce36935105cb6e'> (||addthis.com/js/*/addthis_widget.js$third-party,domain=~tscan.mg|~imgur.com|~civilization.com)
    <iframe src='//ad2.adc-serv.net/retargeting.php?customer=52weine_de&method=visit&hash=977a68bdc2e1bd974ca91ae9b8f5bbcd&value=visit' frameborder='0' scrolling='no' style='width:1px;height:1px;float: left;'> (||adc-serv.net^$third-party)
    
    Bytes received: 16397
    Bytes sent: 501
    So even though AG says to have blocked it obviously hasn't
     
    Last edited by a moderator: Dec 21, 2014
  6. fanboy

    fanboy Member

    Joined:
    Oct 3, 2014
    Messages:
    110
    Even with my German VPN, I don't see it. I'm gathering you may have a malware infection which is injecting these requests...
     
  7. Dolfi

    Dolfi Banned

    Joined:
    Nov 21, 2014
    Messages:
    218
    :) yeah, that's always the easiest way: blame the bloody user...
    Unfortunately (for you) I have
    - a variety of systems and browsers (see sig)
    - (virtually) endless clean systems (VMWare templates ready for cloning)
    - verified this on already 4 different OSes and browsers. Including linux life CD w/o persistence (i.e. uninfectable - except forum.adguard.com contains malware able to infect 4 systems).
    - verified it using and not using local install vs. builtin HTTP proxy vs external SOCKS5 proxy
    edit:
    - just now verified on a fresh clone /w plain Win7x64SP1* (fresh off the DVD, not even security updates) and fresh local install of AG - same issue
    edit-end
    So it might not work with this issue to blame my system(s). I am sorry.

    edit:
    Besides:
    - on the W7x64 machine no other executable accessed the network (according to a port monitor)
    - on LiveLinux and an XP-Test there is no default route but a single dedicated route to the proxy server
    So if there was malware re-injecting the request then the request had to loop as it had to be filtered by AG (denied/rejected) again and again and again.
    But according to wireshark there is a single HTTP GET request which is answered by the adserver with a tiny redirect page - even though AG says to have "blocked".


    P.S. @avatar: in one packet capture I saw a "cookie: __adguard_adblock_whitelisted" in the GET request. Whats that? Can that be a reason that you built a 'backdoor' into the product that websites can use to circumvent AGs config/protection which is used?!

    * never before tested AG running on x64 and/or >XP/2k3
     
    Last edited by a moderator: Dec 21, 2014
  8. Dolfi

    Dolfi Banned

    Joined:
    Nov 21, 2014
    Messages:
    218
    next point (which is why I am going to open a bug report):
    If I replace ligatus by [whatever] the same happens.
    user filter: *.ibm.com* , URL opens instead of being blocked. Tell me which malware did this...
     
  9. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    12,947
    We do not block URLs if they opened in the window (not frame).
    That's also the reason you see this cookie - it's temporary cookie allowing us to unblock request in this case.

    ---------- Post added at 09:32 PM ---------- Previous post was at 09:29 PM ----------

    I don't see it also. @Dolfi, could you please give me the working example?

    ---------- Post added at 09:40 PM ---------- Previous post was at 09:32 PM ----------

    Aaa, I got it. If you refresh the page and wait you'll see random banner ads on the page.
    Clicking these banners goes through ligatus.com.

    ---------- Post added at 09:46 PM ---------- Previous post was at 09:40 PM ----------

    Ok, looks like I've understand the cause of this.

    There's a difference between processing of $popup rules in Adguard and in ABP.
    We apply $popup rules to all requests. But for ABP, $popup is like one more content type restriction.

    Because of this they have two rules in EasyList:
    Code:
    ||ligatus.com^$popup,third-party
    ||ligatus.com^$third-party,domain=~bfmtv.com
    
    First for blocking popups, second for all other requests.
    Adguard uses only one of them (the first it get).
    So, in your case Adguard use the second filter only.

    I have fixed English filter now, we now have one rule only.

    Also we should fix it for all other filter pairs in EasyList.
     
  10. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    12,947
    One more update from me.

    We've changed transformation script we use for EasyList filters.
    So now we remove these duplicate filters in Adguard-compatible EasyList.
     
  11. Dolfi

    Dolfi Banned

    Joined:
    Nov 21, 2014
    Messages:
    218
    Dunno if that cookie is a good idea. Don't like the effort to learn web page programmimg just to show you but AFAIR a webpage can set random cookies. If that was true any website can set that AG-blocking cookie, can't it?
    edit: also dunno if not blocking non-popups is a good idea as that is exactly what that banner ad does: opening the ad in the same window.

    if you still need/want to: any of my systems. I even could give you a dedicated system to play with (if you promise not to abuse it or spy around)


    edit2: That might be the issue with fanboy too: He didn't get that there is no popup and so that no popup rule will ever help.
     
    Last edited by a moderator: Dec 22, 2014
  12. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    12,947
    Yeah, it's possible, but we can handle it if any website decide to do it.

    Also we'll make this cookie name random in the next version.
     
    Gass likes this.