I've provided alternative Full-Hostiles versions.

1. Hostiles with full Japanese Block: BearShare - Hostiles Blocklist 2012
2. Hostiles with just standard Japanese fien spam client Block: BearShare - Hostiles Blocklist 2012-NoJapBlocks

Sorry if it sounds confusing. No longer separate installer for the Beta and regular BearShare (finally figured out how lol), just separate installer for either of the (1) or (2) options above.

Or alternatively the Hostiles.txt file as a zip if you prefer to place the file yourself: 1. Hostiles_2012 or 2. Hostiles_2012_NoJapBlocks (which means just standard Japanese fien client blocks.) Sorry for the silly name but needed something to distinguish them.

The Full-Japanese Block is not a true 100% Japanese block, it blocks about 85-90% of their ip ranges. The non-Japanese blocklist is a much larger file as you might imagine because it includes many of their individual and small range blocks.

Fresh hosts added. I will not be updating these files as often as I have been over past couple of months which was every 1-2 weeks. I've been working on LimeWire blocklists and now there's simply too many lists to maintain.

The reason for the Japanese block: Several people contacted me in regards to (a) reducing the options for connecting mostly only to Japanese hosts, (b) Finding material through hosts that are more regionally or more culturally-similar to share with. (c) reducing Japanese spam.

The reason for the non-Japanese block: I feel there should be a choice for users. Over the years I have personally downloaded a lot of Japanese music and video and shared material back. It's only been the past 18 + months that the Japanese anti-file-sharing companies have become somewhat over-bearing and very high in numbers. There is a large 'genuine' file-sharing community in Japan. It is not their fault both the Japanese government and business is sponsoring anti-file-sharing companies to cause problems on the Gnutella network. The Japanese file-sharing community should not be left out in the cold for that reason alone.

Edit: as of two days ago:

Edit February 2013: a single installer is now inclusive of both options and for either standard BearShare or the BearShare 5.1 Beta Test version.

Edit 13 March 2013: added a small Japanese range that was in the LW equivalent list but missing in BSHostiles list. Will now work the files on XP instead of Win 7 after finding processing errors, which did not affect using the file however. The blank lines only showed on XP. On 2000 simply a marker. And Win 7 did not show any issue.

If there is an error in the hostiles, BearShare will do either of the following as soon as it opens:

1. Delete almost all (over 99%) of the contents of the file.
2. Remove all contents after a point somewhere near the error.
3. Will ignore the host listings which have errors. |
If anybody is interested ... I think I might have discovered a new network set-up to spam and DDoS based in France. All the host addresses are within two small adjoining sub-ranges of each other. I have not seen any of these host addresses on any other blocklist.

Something to keep in mind is some hosts do not attack the client program directly, but once they know your address they will periodically DDoS you. The effect of this is a drop in search results, possible loss of upload and download connections or loss in speed or consistency in either activity, and possible loss of connections with hosts, and at worst loss of internet connection. Those are their purposes. That is why I do strongly recommend blocking the worst of them via your firewall at least. And also to take the weight off your program taking all the hits when they are directed at it but not actually attempting to download or anything (ie: DDoS'ing your program client.) If anybody wants a list of the worst DDoS hosts then just ask. Anyway update to the blocklist will be coming soon.

For LimeWire users, I have figured a way for both LW 4 and LW 5 versions to read a blocklist file in similar fashion to BearShare and FrostWire. Except these blocklists for LW use CIDR format which I was told start of year is more memory friendly than the older format BearShare uses. Also, the size of the Heavy/Strong Blocklist is 25% smaller than the original BearShare Blocklist and 10% smaller than the FrostWire blocklist. But is no less powerful. I will post a release on this in a few days time. Still doing last updates to the blocklist which is a very slow process when I have several lists to update. :eek:

The LW blocklist version has been tested with 4.14 to 5.6.2. I have not yet tested earlier versions. Results have been seconded by a second person. If you want me to test earlier versions of LW then bump the 'like' this post/thread and give your reason for testing earlier LW versions and it will be done. :D |
DDos Attacks and Other Dodgy Stuff

Hi LOTR

You, like I, probably suspect that these attacks are sponsored by the RIAA and with tacit approval of the US Government, even though what is being done to your computer is illegal in most western countries. Plus, while you as an Australian citizen are likely to enjoy the protection of your government, and the sanctity of your laws, in the UK I would have no such protection if I continued to use P2P software. Therefore, while you can continue to use P2P software, because you have broken no Australian law, while I, if accused by the US of doing something against one of their laws, the UK government would virtually say "come and get him, he is all yours".

Now, you could call me paranoid because there is nothing tangible I can point to in order to support my position. However, there is enough experiential observations to show that unless a poor unfortunate UK citizen has public support the maxim seems to be "What the US wants the US gets". While you could go to the authorities and complain that your computer is under attack, if I was in your position I would be laughed out of the police station, i.e. if you are hacked or electronically attacked in the UK you can only report it to the police.

The way I see things going is that sooner or later the last bastion of individual freedom (Australia) will be sold out to the US, just like the UK has, and there will be concerted pressure to discourage the use of P2P apps, just as it now is in the UK. So, because of the various things happening to discourage P2P usage, e.g. your ISP, various UK government backed campaigns, possible US sanctioned attacks, etc. I no longer use P2P software and the reason why I would not advise anyone else to use it either.

UK (Paranoid) Bob |
In the March 13 update over half of the new listings are the port 27016 spam clients. So that will take 128 away from the chance to spam you. Others added were spam hosts, DDoS and BOT browsers (ie: 2 kinds; (a) browse you as soon as and every time you log onto the network, (b) browse you robotically every 10-15 minutes. One of these browsed me 5 times over 20 minutes. I was only sharing 500 files which is a fraction of my usual shares.)

Don't forget there is also an installer which caters for both BearShare 5.1 beta and other BearShares and choice of which hostiles to install.

If anybody wishes to volunteer their services for taking on the updating of the Hostiles, I would love to hear from you. I do not know if there is another equivalent hosted elsewhere that is being updated. AW's old one had not been updated since June 2011 or earlier. As it is, since the LW users do not seem that interested in their updates, I will probably be slowing down my updates for that package or stopping altogether since their 4 lists take considerable time to update. Not many download the updates. But their situation is different. They can ban hosts manually. Whereas BearShare has no other protection choice other than the Hostiles being loaded as it opens. So I do feel as though there is a demand for the BS Hostiles.

Received UDP OOB Hits Announcement for GUID: PSXHDKDY(edit) to proxy to Leaf in 7*.1**.*.*** ("BearShare Lite 5.2.0.1" WinXP 2904 msgs) from 188.142.66.5:27016, but the query is stopped.

- I wonder what that means? Too much spam being transmitted by Mr. 188.142.66.5:27016 ? :D |
I have not heard from the Phex dev for a very long time. So I am making my own call here. If you see any Phex version Phex 3.2.0.102 then boot it off your connection list. I have seen far too many of these over very recent past. Absolutely no reason for anybody to be using such an old Phex version below 3.4, so to see so many of them with identical version reminds me of these: Spam sample 1, Spam sample 2, Spam sample 3, Spam sample 4

Example of these Phex BOTs are listed in post #78 below, scroll down to 195.50.2.185. Another range they use is 192.155.80.0 - 192.155.95.255. When I blocked this in Phex, the block count increases by about 31 per minute. |
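Added example, not part of the original thread: the posts above write blocks as first-last ranges (192.155.80.0 - 192.155.95.255) and mention CIDR as the format of the LimeWire lists. This Python code converts range lines to a minimal CIDR list and sets malformed lines aside with their line numbers instead of emitting them; the `first - last` line syntax is an assumption, not BearShare's actual Hostiles.txt format, and the 198.51.100.x and 203.0.113.x entries are constructed.

```python
import ipaddress

# Constructed sample. The first range and the single host are quoted in the
# thread; the rest use documentation address space. The "first - last" line
# syntax is an assumption, not BearShare's actual Hostiles.txt format.
SAMPLE = """\
192.155.80.0 - 192.155.95.255
188.142.66.5
203.0.113.0 - 203.0.113.127
203.0.113.128 - 203.0.113.255
198.51.100.10 - 198.51.100.20
198.51.100.300 - 198.51.100.301
198.51.100.9 - 198.51.100.1
"""

def parse_line(line):
    """Return (first, last) for 'a.b.c.d - e.f.g.h' or a single address."""
    parts = [p.strip() for p in line.split("-")]
    if len(parts) not in (1, 2):
        raise ValueError("expected one address or 'first - last'")
    first = ipaddress.IPv4Address(parts[0])
    last = ipaddress.IPv4Address(parts[-1])
    if last < first:
        raise ValueError("range end is below range start")
    return first, last

def ranges_to_cidr(text):
    """Convert range lines to a minimal CIDR list; collect bad lines separately."""
    networks, rejected = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            first, last = parse_line(line)
        except ValueError as exc:
            rejected.append((number, line, str(exc)))
            continue
        networks.extend(ipaddress.summarize_address_range(first, last))
    # collapse_addresses merges adjacent and overlapping networks, sorted
    cidrs = [str(n) for n in ipaddress.collapse_addresses(networks)]
    return cidrs, rejected

if __name__ == "__main__":
    cidrs, rejected = ranges_to_cidr(SAMPLE)
    print("\n".join(cidrs))
    for number, line, reason in rejected:
        print(f"line {number} rejected: {line!r} ({reason})")
```

The aligned range collapses to a single /20, while the unaligned ten-address range needs four CIDR entries, so CIDR is only more compact when the ranges fall on power-of-two boundaries.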
Browse-BOT observation

Past two days (after deciding to use the less stringent on Japanese hosts hostiles), found a handful of Japanese Browse-BOTs that browsed me as soon as I connected to the network (all within 5-10 seconds.) These ones browse repeatedly over a period of time. Here's an example of one today over a 70 minute period:

ID: 59.147.135.13:50652-Tokyo So-net Entertainment Corporation. <- (List, name & shame!)

Code: 8:20:11 AM

LW 4 usually shows each occasion a person is browsed. LW 5 / LPE do not. If the Browse listing is still up in the upload window, it will not repeat itself even if you have been browsed several times over a period of time. Only if you clear it from the Upload window will it re-list itself.

The example above was of a new BOT I found today. I checked my firewall log via console & realised the others I found yesterday had also been attempting to browse at a similar rate. Again, up to 8 times a particular minute. Over a period of time the others with slightly greater occurrences than the new BOT today.

Japan BOTs are notorious for deliberately causing heavy traffic. But from my experience, Taiwan BOT's seem to be designed purely for DDoS purposes. ie: not attempting to connect, browse, or download. Simply pinging the program (the firewall console verifies this, example: Allow LimeWire connecting from 1.*.*.*:51768 to port *****)

My answer for helping to prevent the actual program from being pinged into lagginess & eventual crashing is to block various known ip pingers in the firewall. Particularly the Taiwan DDoS BOTs. MS Windows 7 & higher, and some 3rd party firewalls have the ability to block ip's. MacOSX can only achieve it via using 3rd party apps. Personally I use WaterRoof which adds abilities to the OSX built-in firewall, but this app is slow & tedious to add ip's one by one, especially if there's a large list already there. This app should have ability to add a block of ip's at once like Windows firewall does. (1-2 mins between each addition when a large list already exists. Not a well thought out design.)

So you wonder, why is it these Japanese BOTs are browsing everyone & why once is not enough? And why certain BOTs from other parts of the world browse everyone as soon as they can after you first connect to the network?

Edit: Attachment 6515 connected to my Phex on 11 May 2014. I added this Washington address to the hostiles 16 March 2013, stated reason was DDoS @ LW & BearShare. I noted it again 19 April for same reason. |
Some BOT samples

Just thought I'd give a few simple examples of BOTs on the network from a couple days ago:

Code: 50.22.64.163:2870

This example is simply a recent capture of them via the firewall console (with a few exceptions such as the 2007 version Phex ones from March - blood suckers.) |
This snapshot is from 29 June 2016. It shows a mass of LW 4.14 Download-BOTs in the upload window of Phex. LW 4.14 was my favorite LW 4 version (and then 4.16). But there is some doubt these really are LW 4.14 or modified 4.14 versions. It's been known for about a decade that some BOTs can change program ID on the fly. Some of the BOTs have same ip address but different port and some are downloading the exact same file.

Amazon ip range; generally a professional proxy service to hide and protect the original business's source.

54.187.25.79 54.187.186.48 54.187.240.221 54.187.246.227 54.191.73.20 54.200.31.26 54.200.95.239 54.201.11.100

All Amazon.com ip ranges. Hostname .us-west-2.compute.amazonaws.com

Interestingly just 7 days earlier via a GWC I came across 54.201.11.100:4396 Gnucleus 2.0.9.0 (GnucDNA 1.1.1.4) which is most likely what all of these so-called LW 4.14's are actually using. Same probably applies to the LW 4.12 Download-BOTs discussed elsewhere. |
Download BOTs

I'm one of those rare people that keeps an eye on their uploads (& network as a whole.) Last night whilst using WireShare I was surprised to see my upload window full before noticing the pseudo-name SmilingPig beside many of them and with different identifying addresses. One alarm bell was that the host was identifying itself as LimeZilla/1.8 (if it really was LimeZilla), but this version is ancient. LimeZilla is up to using version 4 nowadays. Two of the uploads SmilingPig was downloading/queued to download were the same two files; thus 4 upload/queue slots for two files. Surprised it was not sapping the entire upload bandwidth made available to WireShare however.

ISP: NFOrce Entertainment B.V. Netherlands; Netname: Amsterdam_Residential_Television_and_Internet_Network. Services: Network sharing device or proxy server.

IP addresses blocked:

212.92.108.24 212.92.108.34 212.92.108.44 212.92.108.84 212.92.108.224 212.92.111.192 212.92.112.81 212.92.112.101 212.92.112.181 212.92.114.178 212.92.115.67 212.92.117.65 212.92.117.155 212.92.119.143 212.92.121.97 212.92.123.116 212.92.124.91 212.92.124.211 212.92.124.221

Upload window: (WireShare's display of total upload bandwidth had not yet caught up at the moment of this snapshot)

Attachment 6912

After blocking several, more showed up:

Attachment 6913

Then another attack a day later with 16 fresh addresses within the same sub-ranges. It also browsed me.

212.92.104.85 212.92.105.147 212.92.108.54 212.92.109.34 212.92.115.77 212.92.115.107 212.92.116.246 212.92.117.75 212.92.118.94 212.92.120.208 212.92.120.218 212.92.121.167 212.92.122.136 212.92.122.206 212.92.123.65 212.92.123.75

If you look carefully among the two lists you will notice the same sub-ranges using the same last number. ;) Example: all those in the 212.92.115.* range use 7 as the last number, all those in the .108.* range using 4 as the last number, etc. Although the .123.* range shows a variance.

Edit 2018-04-29: Discovered this from a GWebCache: 212.92.122.146:50903 (u:23:18:29) 2018-01-04. 212.92.123.162:50903 (u:23:18:05) 2018-01-04. Host using WireShare or identifies itself as WireShare. Not sure this WireShare host could be trusted. |
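Added example, not part of the original thread: the last-number regularity described in the post above can be checked mechanically before deciding whether to block individual hosts or a whole sub-range. The code groups the two quoted address lists by /24 and reports which sub-ranges use one last digit throughout; the /24 grouping and the two-sighting minimum are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Addresses quoted in the post above: first wave, then the second a day later.
FIRST_WAVE = """212.92.108.24 212.92.108.34 212.92.108.44 212.92.108.84
212.92.108.224 212.92.111.192 212.92.112.81 212.92.112.101 212.92.112.181
212.92.114.178 212.92.115.67 212.92.117.65 212.92.117.155 212.92.119.143
212.92.121.97 212.92.123.116 212.92.124.91 212.92.124.211 212.92.124.221""".split()
SECOND_WAVE = """212.92.104.85 212.92.105.147 212.92.108.54 212.92.109.34
212.92.115.77 212.92.115.107 212.92.116.246 212.92.117.75 212.92.118.94
212.92.120.208 212.92.120.218 212.92.121.167 212.92.122.136 212.92.122.206
212.92.123.65 212.92.123.75""".split()

def last_digit_profile(addresses):
    """Map each /24 to {last decimal digit of the host octet: [addresses]}."""
    profile = defaultdict(lambda: defaultdict(list))
    for text in addresses:
        ip = ipaddress.IPv4Address(text)
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        profile[str(net)][(int(ip) & 0xFF) % 10].append(text)
    return profile

def classify(profile, min_hosts=2):
    """Split /24s seen at least min_hosts times into uniform and mixed digits."""
    uniform, mixed = {}, {}
    for net, digits in profile.items():
        if sum(len(hosts) for hosts in digits.values()) < min_hosts:
            continue
        if len(digits) == 1:
            uniform[net] = next(iter(digits))
        else:
            mixed[net] = sorted(digits)
    return uniform, mixed

def fits_pattern(address, uniform):
    """True if a new sighting falls in a uniform /24 and has its last digit."""
    ip = ipaddress.IPv4Address(address)
    net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
    return uniform.get(net) == (int(ip) & 0xFF) % 10

if __name__ == "__main__":
    uniform, mixed = classify(last_digit_profile(FIRST_WAVE + SECOND_WAVE))
    for net, digit in sorted(uniform.items()):
        print(f"{net}: every sighting ends in {digit}")
    print("mixed:", mixed)
    # Hosts from the 2018-04-29 edit, seen later via a GWebCache
    for host in ("212.92.122.146", "212.92.123.162"):
        print(host, "fits" if fits_pattern(host, uniform) else "does not fit")
```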