First, I'm assuming you're using one of the Spyware Blocklists from this site. If you didn't get it here, you might have somebody's modified version. These questions are in no particular order, so look around for a situation that fits yours.
I try to visit a site but I get a blank screen.
The site you are trying to visit, or part of its name, is being blocked by DNSKong. For example, there is an entry to block anything with "ads" as one of the dot-separated parts of its name. So www.ads.com would be blocked, as would www.ads.net, ads.doubleclick.net and mysite.ads. But www.adsfree.com or adsadsads.com would not be, because there "ads" is only part of a longer word.
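The following is an added example, not DNSKong's own code, showing the whole-label matching that produces the behaviour just described. The page does not show the real Named.txt format or DNSKong's matching engine, so the one-label-per-line format, the '#' comment convention and the 127.0.0.1 answer for blocked names are assumptions made for the illustration; the sample filter list is constructed.

```python
"""Hostname-label filter in the style of the DNSKong rule described above.

Added example, not DNSKong's own code. The Named.txt format (one blocked
label per line, '#' comments) and the 127.0.0.1 reply for blocked names
are assumptions; only the matching behaviour follows the FAQ's examples.
"""

# Constructed sample filter list in the assumed format.
SAMPLE_NAMED_TXT = """
# labels that cause a hostname to be blocked
ads
doubleclick
"""


def load_filters(text):
    """Return the set of blocked labels, ignoring blank lines and comments."""
    labels = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            labels.add(line)
    return labels


def is_blocked(hostname, labels):
    """True when any dot-separated label of hostname equals a blocked label.

    Whole-label comparison is what gives the behaviour the FAQ describes:
    'ads' blocks www.ads.com, ads.doubleclick.net and mysite.ads, but not
    www.adsfree.com or adsadsads.com, where 'ads' is only part of a label.
    """
    parts = hostname.lower().rstrip(".").split(".")
    return any(part in labels for part in parts)


def resolve(hostname, labels, upstream):
    """Simulate the filtering resolver: blocked names get the null address
    127.0.0.1 (assumed), everything else is passed to the upstream resolver."""
    if is_blocked(hostname, labels):
        return "127.0.0.1"
    return upstream(hostname)


if __name__ == "__main__":
    filters = load_filters(SAMPLE_NAMED_TXT)
    # Constructed stand-in for the ISP's resolver (always answers 203.0.113.10).
    fake_upstream = lambda name: "203.0.113.10"
    for name in ["www.ads.com", "ads.doubleclick.net", "mysite.ads",
                 "www.adsfree.com", "adsadsads.com", "example.com"]:
        print(f"{name:22} -> {resolve(name, filters, fake_upstream)}")
```

Run it and the six names print exactly as the paragraph above predicts: the first three go to 127.0.0.1, the last three reach the upstream resolver. If a site you need is blocked, this is also a quick way to find out which label in your own Named.txt is responsible before you remove it.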
If it is indeed being blocked, it is probably being blocked for a good reason. Nevertheless, if you want to visit the site anyway, you have two options:
Option 1: Right click DNSKong and select Modify Named.txt (in version 1.39, select Filters then the same.) Find the offending entry (you can use the Search option from along the top) and remove it. Save this and then reload it by right-clicking DNSKong and click Load Filters. You will now have to completely exit out of and restart your browser. You will still have the protection of the other DNSKong filters.
Option 2: Right click DNSKong and select Stop. Then completely close out and restart your browser. You will not be protected by DNSKong until you select Start in the DNSKong menu. Make sure to restart DNSKong when you are done!
On some systems you may have to wait up to 15 minutes for the new settings to take effect. That's very rare but it can happen.
I can't visit a specific site. When I try, I see a new alert in Kerio's alert window telling me something was blocked.
That site is probably blocked intentionally. It is probably a site affiliated with spyware or is on the same chunk of hosting space as a spyware service.
Solution: If the firewall is blocking a site, you should get a pop-up alert window telling you the rule that's doing it. If there's more than one warning in this alert window, the most recent alert is at the bottom. Click it to highlight it and it'll tell you which rule stopped it. If you want to risk going to that site, just go into Kerio's rules menu (How?) and find the offending rule. (Don't use the square arrows to navigate at the far right, use the regular Windows arrows or slider.) Uncheck the rule to disable it. If you just want to stop the pop-up, see below.
Make sure to reactivate the rule you turned off later in order to receive the best possible protection.
How do I turn off the firewall alert window?
The Spyware Blocklist is set to pop up an alert whenever you try to reach a spyware site, some ad sites, or another blocked site, or whenever such a site tries to reach your computer some other way. This is done for a very good reason: sometimes the pop-up is the only warning you will get that a new strain of parasite is on your machine.
Solution: If you want to stop the pop-up, simply go into Kerio's rule list (How?) and Edit the rule (How?). Now, find the box on this menu called Display Alert box when this rule matches and uncheck it. Click Ok. Then click Apply on the rule list menu to have your change take effect.
I get an alert window saying something like TCP Connection from 172.184.91.86:3436 was blocked by rule 'Block All'
Most of this is normal background "noise"; if you've used Zone Alarm, you are probably very familiar with it. It is rarely a bona fide hacking attempt. The most common causes are a trojan running on someone else's machine, or leftover traffic meant for whoever had your IP address before you logged on. That second case works like this: the previous user was running a file-sharing program (P2P, like KaZaa, Napster, BearShare, etc.), logged off or got booted, and your ISP then assigned you his or her old address when you signed on. Other people's KaZaa or whatever still has that user's files in queue and therefore thinks he or she is still on, so it keeps trying to start downloads from an address that now belongs to you.
In any case, it is rarely a problem. Maybe a little annoying, but rarely a problem.
What type of sites does the Spyware Blocklist block out?
They are categorized into four groups:
Ad sites - Many of these are affiliated with spyware or are just plain annoying. Some do data collection, like Doubleclick.
Microsoft - There are four rules, Microsoft 1 through 4, that block Microsoft because all versions of Windows do a lot of "phoning home". This may cause problems for MSN users, for those using automatic Windows updates, or for accessing Passport or other Microsoft-owned services. Bear in mind that while Windows Update is blocked you are not receiving security patches either, so if you rely on automatic updates, disable the rules long enough to patch and then turn them back on. If you need to deactivate these, it is recommended that you try deactivating only Microsoft 1-3 first and see how that goes. Deactivate Microsoft 4 only if it's really necessary to get the job done.
Spyware filters - These block the spyware and adware "home sites" themselves.
Other Sites - These are additional filters blocking mostly "inappropriate" sites and spam-hosting services. This was mainly intended for business users and people with children. Deactivate these rules if you like.
Remember, any of these can be unblocked by simply unchecking the appropriate rule. You may also need to temporarily disable DNSKong and close and restart your browser if the site you are trying to access still can't be accessed. That's because really bad sites are blocked by both giving you double protection.
Why can't I access Excite?
Excite is blocked by the rule called Aornum. You can disable (How?) this rule in the rule list menu. Make sure to click Apply when done. You will not be protected against Aornum until you reactivate this rule.
I can't access some Mail.com services.
Some parts of Mail.com are blocked by the rule covering BargainBuddy (it has the number 205.158.62.128 after it), although the basic mail service currently works just fine. Disable (How?) this rule and everything should work fine. You will lose some protection against the BargainBuddy parasite if you become infected by it. Most of the "features" blocked by this rule are related to generally undesirable marketing and ad mechanisms.
I can't visit an adult site.
Many of these are blocked by the "Other Sites" rules following the spyware rules. Adult sites also tend to be advertised in spam and may be inappropriate for the business or family environment. Plus, many also silently install "dialer" trojans on your system that call 900 numbers, racking up huge phone bills. If you need to go to a site, disable (How?) the rule that shows in the alert window when you attempt to access the site.
DNSKong doesn't seem to be blocking anything.
1. Check to see if it's started. In the system tray (lower right section of your screen), look for DNSKong's "boxers", a rectangle over top of two squares. If the rectangle isn't green, it's been stopped. Right-click the icon and select Start. Some users have reported that they need to reboot after DNSKong is started.
2. If that isn't the problem, do you use a cable/DSL router or firewall? If so, you'll have to tell your router to hand out 127.0.0.1 as the DNS server (and also as the WINS server) and have DNSKong do DNS. Keep in mind that 127.0.0.1 always means "this computer" to whichever machine uses it, so this only works if DNSKong is running on every computer that takes its settings from the router. Consult your cable/DSL router/firewall's documentation on how to set a DNS server. On the Linksys routers, open a new browser window and enter 192.168.1.1 into the address bar. Enter your password in the password box (and username if you created one; take this opportunity to change your password if you never changed it from the default). Select DHCP along the top. In the screen that comes up, enter 127.0.0.1 in the first DNS server line and also in the WINS server line, using the TAB key to skip between columns. Click Apply when done.
Next, right-click DNSKong's tray icon and select Proxy DNS... and enter your ISP's DNS servers, one in each line. The quickest way to find them is to open a command prompt and run ipconfig /all (winipcfg on Windows 95/98/ME) while you are connected; the "DNS Servers" lines show the addresses your ISP handed you. If you still do not know your ISP's DNS servers (some are conscientious enough to tell you this, some are not), click here to do a WHOIS at Samspade.org. Enter the name of your ISP (as it appears to the right of the '@' sign in your email address) in the top line and click GO! In the screen that comes up, look towards the middle or bottom for items called "domain servers", "DNS servers", or "Nameservers". Jot down the IP address, which looks like four numbers separated by dots (e.g. 123.45.6.78). If no IP addresses are shown, write down the names of the DNS servers (they usually have 'NS' or 'DNS' in their names, e.g. NS1.AOL.COM). Then hit the back button on your browser window to go back to Samspade's opening page, enter one DNS server name into the top line of Samspade and hit GO!. It will tell you something like "NS1.WHOEVER.COM resolves to xxx.xxx.xxx.xxx"; write down that IP address and repeat for any other DNS server names. Then plug each IP address into a line of DNSKong's Proxy DNS... field. DNSKong allows you to specify up to five IP addresses, but most ISPs only have two or three. One caveat: the servers WHOIS lists are the ones authoritative for the ISP's own domain name, which are not always the same resolvers it gives its customers, and some of them refuse to look up other people's domains. If names stop resolving after you enter them, go back to the addresses from ipconfig /all.
3. If the two steps above do not work, make sure that your firewall is allowing DNSKong to talk to the Internet. Technically, DNSKong doesn't need to be able to talk to the Internet unless you use the Proxy DNS... feature. If you are using the Kerio rulesets from this site, go into Kerio's Advanced menu rule list (How?) and look at the Permit DNSKong to 127.0.0.1 rule. Make sure you see DNSKong's icon on the left side of the menu; if you see just a rectangle or folder, Edit the rule. Select Application, then use the Browse button to find DNSKong. Under the Remote Endpoint field, select ANY from the picklist. Click Ok and verify that DNSKong's icon appears along the left side of the rule list menu and that the check box is checked. Click Apply.
Open a new browser window (try clicking the Samspade link above) and type a few web addresses you haven't visited recently into the address bar. If all seems okay, you can quit while you're ahead or you can try securing your system a little better. If you feel adventurous (and since we're already playing around with Kerio now), Edit the Permit DNSKong to 127.0.0.1 rule and set the Remote Endpoint field back to Single IP and enter 127.0.0.1 into the field that appears; you're just changing this rule back to the way it was before.
If you entered your ISP's DNS servers into the Proxy DNS... field of DNSKong, also Edit the rules below it called DNS to DNS Server x (six are provided, although you probably won't need them all; delete any unused rules). In the Remote Endpoint field, select Single IP and enter one of your ISP's DNS servers into the line that appears (and, if necessary, also fix the location of the DNSKong application like you did in step 3, above). Click Ok, then make sure the DNSKong icon appears at left and that the box next to each rule you just edited is checked. Click Apply when done. Open up a browser window (try clicking on the Samspade link, above, so you do not accidentally leave this page) and type in a few web addresses. If all seems okay, then go back to Kerio's rule list menu and find the rule called Block All DNS and check it, and click Apply. Then try typing a few different web addresses again in another browser window. The Block All DNS rule is what makes the exercise worthwhile: with it checked, only DNSKong, and only to the servers you listed, can send DNS queries, so a program that tries to look up names on its own and bypass DNSKong's filters is stopped.
By the way, if your connection stops working or you get frequent "Host not found" messages after having modified the various DNS to DNS Server x rules, you can correct the situation by simply Editing the Permit DNSKong to 127.0.0.1 rule like you did before; namely, set the Remote Endpoint field to ANY and delete the DNS to DNS Server x rules and the Block All DNS rule below them. If you ever change ISPs, you may have to change the DNS to DNS Server x rules as well as the IP addresses in DNSKong's Proxy DNS... menu to accommodate your new service provider. Of course, now that you've done it once, it shouldn't be too hard...:)
I keep getting a pop-up window or seeing alerts every minute or so! What gives?
You mean the Kerio alert window that tells you that a connection was blocked? This is covered above in the item "I get an alert window saying something like TCP Connection...". Almost always, this happens because you were given the address of someone who was running KaZaa or the like, and other people still had downloads from him or her in queue. Sometimes it could be a trojan or worm trying to find other victims. Occasionally it could be a genuine hack attempt, but you really have to know what to look for to be able to tell.
If it really bugs you, just leave the window open to keep it from popping up again, or go into the Kerio rules menu (How?) and find the rule called Block All near or at the bottom of the list (if it is enabled; if not, forget this). Click the Block All rule, select Edit, and uncheck the box called "Display alert box when this rule matches", then click Ok, then Apply when you're back in the rule list. Repeat this if necessary for the other rules.
I can't download on my file-sharing program (KaZaa, Limewire, etc.)
First, try going into the Kerio rule list (How?) and find the program you use. It will be towards the bottom of the list. Do not use the square arrows to scroll up and down at the far right, use the regular windows scroll arrows and slider closer in.
Click the rule with your file-sharing program's icon and now click the square up arrow to move that rule's place in the list. Generally, it must be above the rule called Block All.
Alternatively or in addition:
You may need to configure it to use a specific port. Usually as follows:
KaZaa, KaZaalite, BearShare, Grokster, eDonkey, Shareaza - Port 1214
Limewire - Port 6346
WinMX - Port 6699
With the newer versions of these programs, you can use any other port. With older versions, you must stick to those ports listed above.
Then you need to configure Kerio to allow that port too. Go into the rules menu (How?) and scroll down (How?). Find a pair of rules called Port Block All. Insert a rule (How?) above them using the following guideline:
Rule Name: Allow P2P
Protocol: TCP & UDP
Direction: INCOMING
Local Port: ANY
Application: (select "Only selected below" and then find the P2P application you use)
Remote Address: ANY
Remote Port: (use above list)
Action: PERMIT
Click Ok when done and click Apply in the rule list menu. If other users still cannot connect to you, remember that on an INCOMING connection the port your program listens on is the Local Port and the other side's port is usually a random high number; in that case set Local Port to the number from the list above and Remote Port to ANY instead.
Note to KaZaaLite users: In order to set KazaaLite up, create a rule and under "Application", find a file called kazaalite.kpp. This is the file that needs to connect, not a file that ends in .EXE, like most other programs use.
I just got a pop-up alert from Kerio asking if I want to let a program access the Internet. I let it, but now it doesn't work.
Explanation: the most likely problem is that you are using the Type 2 or 3 ruleset. When a new program that Kerio hasn't met before tries to connect, it gets put at the bottom of the rule list, and rules are processed in the order they are on the list, past some rules that block everything not otherwise allowed.
Solution: First, when a program wants to connect, make sure you check the box in the pop-up window that says "Create a rule and don't ask me again." You can shut down the program and restart it if you missed the chance before. Then, simply go into Kerio's rule list (How?). Find the rule at or near the bottom regarding the application you allowed to connect. Move (How?) it by clicking it to highlight it, and now use the square arrow key to move it above the two rules called Port Block - All.
If you don't get the window asking you permission to let the program talk to the Internet, you need to either create a rule for it, or temporarily disable the Block All rules (How?) and allow it to connect to create the rule for you. Then, make sure the Block All rules are re-enabled (checked) and move (How?) the new rule for your program above the Block All rules.
My program doesn't connect to the net. I have the Type 3 ruleset.
Go into Kerio's rule list (How?) and scroll down (How?) to the bottom. See if your program's icon is there. If not, Create a rule (How?) for it if necessary and move (How?) your new rule above the Block All rule.
How do I use Kerio on a home network or LAN? (Also Appendix A)
Set up Kerio as per the instructions in the How-To section. With Kerio running, go into the rule list (How?) and select the Microsoft Networking tab along the top. Here is an example of what your settings will look like. The key here is what's in your Trusted Address Group box, which we'll get to in a second. First, check the box called For Microsoft Networking use These Rules Instead of the Filter Rules. Also make sure the boxes called Allow Microsoft Network Name Resolution and From Trusted Addresses Only are both checked, as they are in the screenshot.
If you wish to allow other networked computers to share files and printing with yours, also check Allow Other Users to Access my Shared Files/Printers and also check From Trusted Addresses Only, again, just like in the example. Checking Ask Me for Each Access to My Shared Folder provides you with notification of each access, but can get annoying very quickly.
Now click Add from the lower right and you will be presented with a box like this one asking for the IP address or range you would like to consider "trusted". You may select Any, a Single IP, Network/Mask, or Range. Usually, selecting a few single IPs is best if you have a small network. Likewise, use this for routers and hardware firewalls like Linksys or Netgear. Use Network/Mask if you have many computers on contiguous IP addresses. Never, ever use the Any option! It makes every address on the Internet a "trusted" one and opens your shared files and printers to the whole world.
The Range option allows you to specify a range of IP addresses. Whenever possible, it's usually preferable to use the Network/Mask option instead. However, Range can be useful if your IP addresses don't start on a proper boundary or if you aren't good at figuring out subnet masks.
When done configuring, click Apply Then Ok.
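As an added example (not Kerio's code, and not from the original page), here is a small model of the four kinds of Trusted Address Group entry described above. It shows what each kind actually admits, why Any is dangerous, and how many Network/Mask entries a Range that does not start on a subnet boundary would need. The addresses are constructed examples from the 192.168.1.0/24 home-network range.

```python
"""Trusted Address Group model: Any, Single IP, Network/Mask and Range.

Added example, not Kerio's code. It mirrors the four entry kinds the
Microsoft Networking tab offers, as described in this FAQ; the matching
logic itself is the standard "is this address inside this network" test.
"""
import ipaddress


def trusted_entry(kind, value=None):
    """Build one Trusted Address Group entry as a list of IP networks.

    'Any' becomes 0.0.0.0/0, which is why the FAQ says never to use it:
    every address on the Internet matches it.
    """
    if kind == "Any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kind == "Single IP":
        return [ipaddress.ip_network(value + "/32")]
    if kind == "Network/Mask":
        return [ipaddress.ip_network(value, strict=False)]
    if kind == "Range":
        first, last = (ipaddress.ip_address(v.strip()) for v in value.split("-"))
        # A range that does not start on a CIDR boundary needs several
        # Network/Mask blocks to cover it exactly.
        return list(ipaddress.summarize_address_range(first, last))
    raise ValueError("unknown entry kind: " + kind)


def is_trusted(ip, group):
    """True if ip falls inside any entry of the trusted group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for entry in group for net in entry)


def range_to_masks(value):
    """List the Network/Mask entries equivalent to a Range entry, which is
    why the FAQ prefers Network/Mask whenever the addresses line up."""
    return [str(net) for net in trusted_entry("Range", value)]


if __name__ == "__main__":
    # Constructed example: the router plus the whole home subnet.
    home = [trusted_entry("Single IP", "192.168.1.1"),
            trusted_entry("Network/Mask", "192.168.1.0/24")]
    for ip in ["192.168.1.50", "203.0.113.5"]:
        print(ip, "trusted:", is_trusted(ip, home))
    print("Any admits 203.0.113.5:", is_trusted("203.0.113.5", [trusted_entry("Any")]))
    print("192.168.1.10 - 192.168.1.20 as masks:",
          range_to_masks("192.168.1.10 - 192.168.1.20"))
```

The last line of output shows the practical point: a range of eleven hosts starting at .10 needs four Network/Mask entries, so if your machines do not sit on a clean boundary, Range is the simpler entry to type; if they do, a single Network/Mask entry covers them.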
How do I use Kerio with a router or firewall, like Linksys or a DSL router?
See the explanation on configuring Kerio for a home network, above. If your computer is the only one connected to the router, you only need to enter a single IP address into the Trusted Address Group, which is the IP used by your router. Consult your router's documentation or configuration settings to get it if you don't know it.
How do I use Kerio on a gateway or Internet Connection Sharing?
Can I use one copy of Kerio to protect all the computers on my network?
Yes, although you lose the application-detection ability on any machine it is not running on. However, one copy of Kerio on the gateway is still very good at stopping spyware if you are using the Spyware Blocklist filters from the Updates Page.
Your network needs to be configured so the computer being guarded by Kerio is the gateway or proxy and all the others connect to the Internet through it. All you need to do to get Kerio's protection is to go into Kerio's Advanced menu and click the tab along the top called Miscellaneous (this is NOT the same "Miscellaneous" menu you use to import rulesets!) Click the box called Is running in Internet gateway and click Ok.
DNSKong is eating up a lot of memory.
If DNSKong misbehaves, whether it's eating memory or just not working, try another version. First exit the program. If you used the version carried on this site (1.06), try out version 1.39 instead. Don't forget to come back here. If you are using 1.39, use this site's version instead.
The newer version of DNSKong, 1.39, seems to work slightly better on Windows 2000 and XP systems. The older version, 1.06 (the one carried on this site), seems to work best on all other versions of Windows. However, I've received reports from Win2k and XP users who have no problem with 1.06, and I've used 1.39 with Win 98SE for months with no complaints. Eh, go figure.
How do I get DNSKong to work with Windows 2000 and XP?
Visit Pyrenean, DNSKong's manufacturer and follow the instructions there. Basically, you have to download their loopback adapter. You have to point your primary adapter's DNS to the loopback one, and let your real DNS be set in the loopback. Another, perhaps clearer, set of instructions is available from one of DNSKong's co-developers, at this link.
It is recommended that you disable Win2k's or XP's optional feature that allows you to run DNS as a service. If you don't know how to access that, the Windows help feature is pretty good at helping you find things.
What's the difference between the Spyware Blocklists (Type 1, 2, 3, and 4)?
Well, let's start with the most secure one of all, the Type 3 list. The Type 2 and 3 lists are identical except for how the very last rule, the "Block All" rule, is handled. This rule is actually the most important of all of them, as it blocks any traffic not permitted or blocked by the rules located above it.
In the Kerio Type 3 list, the "Block All" rule blocks all traffic, incoming and outgoing, that isn't permitted or denied by the rules above it (mainly, the rules permitting your browser(s) and email program(s) to talk to the Internet). Any data not requested by your browser, email program, or whatever gets blocked. Also, if there are any trojans or worms running on your machine, they will also be stopped*. The one major downside to Blocking All in both directions is that if you try to run any new program that needs to talk to the net, and it's not already on Kerio's list of allowed programs, it will be blocked from talking to the net and you will not get a pop-up window asking you if you want to give it permission to connect to the Internet. In order to allow a new program to access the net, you must manually insert a new rule (How?) directly above the "Block All" rule. If you do this, make absolutely sure you do not allow "ANY" to appear in the "Application" field of the new rule; make sure it is set to "Only selected below" and then click Browse or use the list to find the name of the program you want to allow to connect.
The Type 2 ruleset eliminates that headache by allowing you to use Kerio's "learning mode", by making the "Block All" rule apply to incoming traffic only. So, any data coming into your computer that is not allowed or blocked by previous rules will still be blocked by Block All. However, data originating from your computer from a new application (at least, one that's not already on the Kerio list as downloaded from this site) will cause Kerio to throw a warning at you asking you if you want to allow that new program to access the net.
The difference between the Type 3 and Type 2 as it affects most people is this: if you are in a home or business and can't be sure your family members or employees won't accidentally click "Yes" and allow a possibly malicious program to talk to the Internet, you are better off using the Type 3 ruleset. If you are confident that your family members or employees can be trusted to never allow a program they do not trust to talk, you can get away with using the Type 2. (Although I recommend explaining this to them clearly, and in no uncertain terms.) Putting it another way, the main difference is that the Type 3 is more goof-proof than the Type 2.
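The following added example (not Kerio's code, and not from the original page) simulates the first-match rule processing that underlies both this comparison and the earlier items about programs that stop working after Kerio creates a rule for them at the bottom of the list. It models only the fields the FAQ talks about (direction, application, permit/deny); the "ASK" outcome standing in for Kerio's permission pop-up, and the program names, are assumptions made for the illustration.

```python
"""First-match simulation of a Kerio-style rule list.

Added example, not Kerio's code. Rules are evaluated top to bottom and the
first match decides, as the FAQ describes. A list with no matching rule
returns "ASK", standing in for the learning-mode pop-up; the real Kerio
internals are not shown on the page, so treat that as an assumption.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    direction: str      # "IN", "OUT" or "BOTH"
    application: str    # executable name, or "ANY"
    action: str         # "PERMIT" or "DENY"


def evaluate(rules, direction, application):
    """Return (action, rule_name) of the first matching rule, or ("ASK", None)."""
    for r in rules:
        dir_ok = r.direction == "BOTH" or r.direction == direction
        app_ok = r.application == "ANY" or r.application.lower() == application.lower()
        if dir_ok and app_ok:
            return r.action, r.name
    return "ASK", None


def type3_rules():
    """Type 3: Block All covers both directions, so nothing below it can ever match."""
    return [Rule("Permit browser", "BOTH", "iexplore.exe", "PERMIT"),
            Rule("Block All", "BOTH", "ANY", "DENY")]


def type2_rules():
    """Type 2: Block All covers incoming only, so unknown outbound traffic
    falls off the end of the list and triggers the permission pop-up."""
    return [Rule("Permit browser", "BOTH", "iexplore.exe", "PERMIT"),
            Rule("Block All", "IN", "ANY", "DENY")]


def move_above(rules, rule_name, anchor_name):
    """Copy of `rules` with `rule_name` placed directly above `anchor_name`
    (the 'square up arrow' step the FAQ describes)."""
    rules = list(rules)
    moving = next(r for r in rules if r.name == rule_name)
    rules.remove(moving)
    idx = next(i for i, r in enumerate(rules) if r.name == anchor_name)
    rules.insert(idx, moving)
    return rules


if __name__ == "__main__":
    new_app = Rule("Permit newapp", "BOTH", "newapp.exe", "PERMIT")  # assumed program
    for label, base in [("Type 3", type3_rules()), ("Type 2", type2_rules())]:
        print(label, "unknown outbound:", evaluate(base, "OUT", "newapp.exe"))
        appended = base + [new_app]   # where Kerio puts a freshly created rule
        print(label, "new rule below Block All:", evaluate(appended, "OUT", "newapp.exe"))
        fixed = move_above(appended, "Permit newapp", "Block All")
        print(label, "new rule above Block All:", evaluate(fixed, "OUT", "newapp.exe"))
        print(label, "unsolicited inbound:", evaluate(fixed, "IN", "worm.exe"))
```

Two things stand out when you run it. Under Type 3 a rule appended below Block All is dead: the outbound attempt is denied before the list ever reaches it, and only moving it above Block All makes it take effect. Under Type 2 an unknown outbound program returns ASK, which is the pop-up, and the danger the paragraph above warns about is that whoever sees that pop-up decides the outcome. Unsolicited inbound traffic is denied under both types.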
The Type 1 ruleset is a basic set containing anti-spyware and ad filters only. It's mainly used by those who want to develop their own rulesets, or who want to use these rulesets with the newer versions of Kerio, version 4.x.
The Type 4 ruleset is basically just a smaller, lightweight version of the Type 3. All the same applies. The difference is that it doesn't block all the spyware, ad, and adult/spam/seedy sites that the Type 3 does, so its protection isn't as complete. Basically, it just blocks the ad and spyware sites I consider to be very common or really, really bad. On a slow computer with a fast Internet connection, using the smaller Type 4 can speed up your web browsing quite a bit, but if you have a nice, fast, reasonably modern computer, it doesn't make much of a difference and you're better off with the Type 3.
*This only applies to certain, mostly older trojans and worms, like SubSeven. The good news is that these are still by far the most common. The bad news is that there are newer trojans and worms which, to grossly oversimplify things, operate as part of your browser or email program, and are much harder to defeat by a firewall alone. This is why people buy anti-virus software and is also part of the reason why I recommend doing all the items in the How-To section.
Is DNSKong available for Linux or UNIX?
Unfortunately, no. A HOSTS file is still the best approach to blocking unwanted sites on Linux or UNIX clients. For network-wide filtering you can get similar efficiency and results by setting up a local DNS server with unwanted sites pre-resolved to a null address. Simply set A records (and MX, if so desired) to point to 127.0.0.1 (or, better yet, to the DNS server itself and have an HTTP server running there, serving a small 1-pixel GIF, so blocked ad slots fill with a blank image instead of a broken-image icon). BIND 9.22 and up accommodates wildcarded subdomains, so you can block any domain regardless of subdomain in this manner. This may also work with the vastly more secure djbdns.
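As an added example, not taken from the original page or from the BIND project, here is what that looks like in BIND 9: one zone stanza in named.conf per blocked domain, all pointing at a single shared zone file whose wildcard record covers every name under the domain. The domain spyware-vendor.example, the file path and the localhost. names are placeholders; substitute your own server's name and address if you want the 1-pixel-GIF variant.

```bind
// --- named.conf: add one stanza like this per blocked domain.
// Every stanza can reuse the same zone file, since the file never
// mentions the domain name itself (the '@' is filled in by BIND).
zone "spyware-vendor.example" {
    type master;
    file "/etc/bind/db.blackhole";
};

; --- /etc/bind/db.blackhole: the shared blackhole zone file.
$TTL 86400
@       IN  SOA localhost. root.localhost. (
                1         ; serial
                3600      ; refresh
                900       ; retry
                604800    ; expire
                86400 )   ; minimum (negative-cache) TTL
        IN  NS  localhost.
        IN  A   127.0.0.1   ; the bare domain, e.g. spyware-vendor.example
*       IN  A   127.0.0.1   ; any name beneath it: ads.spyware-vendor.example,
                            ; a.b.c.spyware-vendor.example, and so on
; Optional, per the text above: catch mail for the domain as well.
; An MX must name a host, not an address; the host here resolves to 127.0.0.1.
@       IN  MX  10 localhost.
```

Point the A records at the DNS server's own address instead of 127.0.0.1 if you run the 1-pixel-GIF web server there; otherwise each client just connects to itself and gets an immediate refusal. Check the file with named-checkzone before reloading, since a syntax error in a shared file breaks every zone that uses it.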
How do I block spyware and adware on Linux?
At present there are very few adware/spyware programs that run on Linux or UNIX: RedSheriff (since it's Java-based), versions of RealNetworks/ProgressiveNetworks products (RealPlayer, etc.), and Netscape's SmartDownload (unconfirmed) are the only known products which may have that capability.
However, if you wish to do this, there are two routes you can go. This works especially well on a network firewall or a proxy. The first is to use Jerome Nokin's IPTables which contains an auto-update script to update the anti-parasite filters from this site. Alternatively, you can use snort_inline, which combines IDS features with dynamic IPTables rules. This has the advantage of IDS, but the disadvantage of not having auto-updating features. Use my Parasite Detection System if you go this route. If you are using snort_inline only with the PDS, run snortconfig with the -config drop option. If, on the other hand, you are using IDS content-matching rules with the stream4 and fragmentation reassembly processors, use the -config replace_or_drop option.
Copyright: All the works on this page are the property of the owner, Sponge. The lists may be freely circulated for the purposes of protection against spyware provided they are not altered. The author would appreciate if some credit could be given.
Disclaimer: All the sites, IP ranges, associations, etc. are provided to the best of my knowledge and are based on various traces and linkings by registration information, company affiliations, media reports, and other publicly-available websites and resources. No guarantee as to the accuracy of this information is assumed nor is any harm intended toward any corporation(s) or individual(s) on, or affected by (directly or indirectly), the use or misuse of these lists or files. By reading or using this information you agree to indemnify and hold harmless the author, provider, poster, sender, or contributors to these lists and files, as well as any service provider used in the transmission of this list, for any damages, loss of service, loss of reputation, or any other injury. This information is not intended to be used to violate the Terms of Service or End User Licensing Agreement between a user and any vendor, website, or spyware, adware, or advertising manufacturer or their affiliates. Please post corrections, updates, or commentary to alt.privacy.spyware or email me at yospongeP@yahoo.comP. Remove the two uppercase letter P's to email me.
Spyware and adware is defined as any program, applet, ActiveX control, Browser Helper Object, or other code, script, or website which transmits data to a client's computer without explicit knowledge or permission, or a service which meets one or more of the following criteria:
1. Is installed without a user's explicit knowledge or explicit consent.
2. Uploads information without a user's explicit knowledge or explicit consent.
3. Uploads, associates, or appears to or is readily capable of associating uploaded information with personally-identifiable information, such as registration information or data collected from third-party sources, without a user's explicit knowledge or explicit consent.
The "user" is defined as any person or entity who may use a particular computer on which the alleged spyware, adware, surveillance tool, or code is installed.
Any software vendor or website on this list may feel free to contact the author at yospongeP@yahoo.comP. Remove the two uppercase letter P's to email me.
Make sure to back up your system before making any changes! It's a good idea to back up your system periodically anyway!