How to set optimum settings in ZA Pro?

ZA Question:

I just looked at my ZoneAlarm log and noticed an entry that C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe successfully accessed destination IP 216.73.86.152:53 -- which points to annymegaadvip2.doubleclick.net

The comments section states:

Description: Zone Labs Client requested permission to access the internet
Rating: High

Why would my ZoneAlarm client be hitting a DoubleClick ad server?

Operating System: Windows XP Home Edition
Product Name: ZoneAlarm (Free)

Why indeed, for some years ZA has been tagged with the phone home issues. The vendor is somewhat less than transparent on this matter.

I have personally found unwanted calls to sites that had zip to do with maintaining the product in spite of heated posts from the ZA advocates which inhabit these regions. Thanks for the extra IP I will add it to my growing list of computers to block. But I fear it is futile like the myth of the little boy trying to plug holes in the dam.

Now you know the value of doing trials with software before laying out real $.

if you are staying with ZA free be aware it has the whole package KAV and all waiting to be activated and it will nag you to buy buy buy.

My advice would be look at this thread post by post from # 1
change all your setting in program control to ask and in the case of the internet zone set all of them to a red X if free will allow that. I can't remember.

 

Hi!
ZA is not designed to block itself but to control third party software installed on your system and when you start to work with blocking it via IP lock it will simply behave oddly. Also try to limit the entries in the firewall tab and use more the program control tab to monitor outgoing packets.

Unless you leave ZA free to work, you will see confused reporting about zlclient.exe or other ZA system files trying to communicate with SS, WEB, whatever programs are installed.

In this specific case it looks like a DNS lookup while you were browsing the net (probably some advertising within a web page).

The only way to understand the origin of packets leaving your system (with ZA set to block itself) is to install other sniffer software, like, for example, the one suggested by Cold Pizza.

Hope this helps.
Fax

 

FYI, this was a deleted question and answer from the "other" forum

 

You mean you are not interested anymore on the answer?
Sorry I can't follow...

Fax

 

Further observations , the full site name is report.bitdefender.com, ip is 80.86.106.67 (the site name got bleeped out at ZA user forum)

Recommend ALL ZA Pro users to add this ip to blocked sites in FW zones ASAP. Since I blocked it after 1 attempt by zlclient then 5 attempts in rapid order with a switch to winlog as access program. All Alerts continues to be turned off on any change in settings or on reboots.

My ASW, product updates and SmartDefense on manual all work fine with selected blocks and "optimized" settings.

I am now going to ask BD support if they own the site using their product name.

Will report back later.

 

You are acting like a virus... in fact many viruses add "report.bitdefender.com" to the HOST file in order to block BD functionality...

report.bitdefender.com is legit...

But that IP does not correspond to report.bitdefender.com but to:

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '80.86.106.0 - 80.86.106.255'

inetnum: 80.86.106.0 - 80.86.106.255
netname: INES-DATACENTER-NET
descr: iNES Group SRL
descr: Virgil Madgearu 2-4
descr: Bucharest
country: RO
admin-c: INES-RIPE
tech-c: INES-RIPE
status: ASSIGNED PA
notify: hostmaster@ines.ro
mnt-by: AS12310-MNT
changed: tbb@ines.ro 20030616
source: RIPE

role: iNES Internet NOC
address: 2-6 Virgil Madgearu st.
address: sector 1
address: Bucharest / ROMANIA
phone: +40 21 232 2112
fax-no: +40 21 232 3461
e-mail: hostmaster@ines.ro
admin-c: INES-RIPE
tech-c: TU790-RIPE
tech-c: DC1119-RIPE
tech-c: AG5625-RIPE
tech-c: BP1868-RIPE
tech-c: BC2200-RIPE
nic-hdl: INES-RIPE
remarks: -------------------------------
remarks: abuse reports: abuse@ines.ro
remarks: NOC Phone 24x7: +40 21 232 2112
remarks: NOC E-mail: support@ines.ro
remarks: -------------------------------
notify: hostmaster@ines.ro
mnt-by: AS12310-MNT
changed: tbb@ines.ro 20030314
changed: tbb@ines.ro 20031126
changed: tbb@ines.ro 20051015
changed: adi@ines.ro 20060519
source: RIPE

% Information related to '80.86.96.0/20AS12310'

route: 80.86.96.0/20
descr: iNES Group
descr: ro.ines local registry
origin: AS12310
mnt-by: AS12310-MNT
changed: hostmaster@ines.ro 20030801
source: RIPE

And as said previously you can't use ZA logs to base your analysis since ZA is not functioning properly... (I am not surprised)

Fax

 

As promised I am reporting back:

Here is the latest information I have on this:

1) As Chris suggested I turned off the "Send virus reports and Enable BitDefender Outbreak Detection" options in BD setup. The repeated connections to 80.86.106.67 continue unabated.
2) I ran a Whois Server Version 1.3 here is the result.

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for domain "REPORT.BITDEFENDER.COM".

Conclusion, it is another case of phone home by ZA.

Recommendation: Everybody should block this site and the ip ASAP.

 

Did a whois and reverse dns and got the information that the site 80.86.106.67 is in Bucherest , Romania. No firm listed. Data base indicates whole country as having a high fraud profile. Great.

ip range for Romania 80.86.96.0 to 80.86.127.255.

I'm done with this but loading the blocker sites where ever I can.

Someone else should work on this as well.

More damn questions than answers.

What I would like is a way of saying which sites to connect to and EXCLUDE all other sites.

 

Looks normal to me....
Complete dossier for report.bitdefender.com

Cheers,
Fax

--------------------------
canonical name report.bitdefender.com.
aliases
addresses 80.86.106.67


Domain Whois record
Queried whois.internic.net with "dom bitdefender.com"...

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: BITDEFENDER.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS.BITDEFENDER.COM
Name Server: HORIZON.BITDEFENDER.RO
Status: clientTransferProhibited
Updated Date: 13-feb-2007
Creation Date: 08-jun-2001
Expiration Date: 08-jun-2012


>>> Last update of whois database: Tue, 29 May 2007 21:45:50 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Queried whois.register.com with "bitdefender.com"...

The data in Register.com's WHOIS database is provided to you by
Register.com for information purposes only, that is, to assist you in
obtaining information about or related to a domain name registration
record. Register.com makes this information available "as is," and
does not guarantee its accuracy. By submitting a WHOIS query, you
agree that you will use this data only for lawful purposes and that,
under no circumstances will you use this data to: (1) allow, enable,
or otherwise support the transmission of mass unsolicited, commercial
advertising or solicitations via direct mail, electronic mail, or by
telephone; or (2) enable high volume, automated, electronic processes
that apply to Register.com (or its systems). The compilation,
repackaging, dissemination or other use of this data is expressly
prohibited without the prior written consent of Register.com.
Register.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by these terms.

Registrant:
SOFTWIN SRL
Mihai Radu
5 Fabrica de Glucoza
Bucharest, 3 020331
RO
Email: aanescu@bitdefender.com

Registrar Name....: REGISTER.COM, INC.
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com

Domain Name: bitdefender.com

Created on..............: Fri, Jun 08, 2001
Expires on..............: Fri, Jun 08, 2012
Record last updated on..: Tue, Feb 13, 2007

Administrative Contact:
SOFTWIN SRL
Razvan DITA
5 Fabrica de Glucoza
Bucharest, 3 72322
RO
Phone: +40 21 233 07 80
Email: domains-admin@bitdefender.com

Technical Contact:
SOFTWIN SRL
Razvan DITA
5 Fabrica de Glucoza
Bucharest, 3 72322
RO
Phone: +40 21 233 07 80
Email: domains-admin@bitdefender.com

DNS Servers:

ns.bitdefender.com
horizon.bitdefender.ro


Visit AboutUs.org for more information about bitdefender.com

<A HREF="http://www.aboutus.org/bitdefender.com">AboutUs: bitdefender.com</A>

Register your domain name at http://www.register.com


Network Whois record
Queried whois.ripe.net with "-B 80.86.106.67"...

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '80.86.106.0 - 80.86.106.255'

inetnum: 80.86.106.0 - 80.86.106.255
netname: INES-DATACENTER-NET
descr: iNES Group SRL
descr: Virgil Madgearu 2-4
descr: Bucharest
country: RO
admin-c: INES-RIPE
tech-c: INES-RIPE
status: ASSIGNED PA
notify: hostmaster@ines.ro
mnt-by: AS12310-MNT
changed: tbb@ines.ro 20030616
source: RIPE

role: iNES Internet NOC
address: 2-6 Virgil Madgearu st.
address: sector 1
address: Bucharest / ROMANIA
phone: +40 21 232 2112
fax-no: +40 21 232 3461
e-mail: hostmaster@ines.ro
admin-c: INES-RIPE
tech-c: TU790-RIPE
tech-c: DC1119-RIPE
tech-c: AG5625-RIPE
tech-c: BP1868-RIPE
tech-c: BC2200-RIPE
nic-hdl: INES-RIPE
remarks: -------------------------------
remarks: abuse reports: abuse@ines.ro
remarks: NOC Phone 24x7: +40 21 232 2112
remarks: NOC E-mail: support@ines.ro
remarks: -------------------------------
notify: hostmaster@ines.ro
mnt-by: AS12310-MNT
changed: tbb@ines.ro 20030314
changed: tbb@ines.ro 20031126
changed: tbb@ines.ro 20051015
changed: adi@ines.ro 20060519
source: RIPE

% Information related to '80.86.96.0/20AS12310'

route: 80.86.96.0/20
descr: iNES Group
descr: ro.ines local registry
origin: AS12310
mnt-by: AS12310-MNT
changed: hostmaster@ines.ro 20030801
source: RIPE



DNS records
DNS query for 67.106.86.80.in-addr.arpa returned an error from the server: NameError

name class type data time to live
report.bitdefender.com IN A 80.86.106.67 3600s (01:00:00)
bitdefender.com IN SOA server: ns.bitdefender.com
email: gvoicu.bitdefender.com
serial: 2007041700
refresh: 28800
retry: 900
expire: 604800
minimum ttl: 1800
86400s (1.00:00:00)
bitdefender.com IN NS nemesis.bitdefender.com 3600s (01:00:00)
bitdefender.com IN NS ns.bitdefender.com 3600s (01:00:00)
bitdefender.com IN NS horizon.bitdefender.ro 3600s (01:00:00)
bitdefender.com IN MX preference: 10
exchange: mail.bitdefender.com
3600s (01:00:00)
bitdefender.com IN MX preference: 20
exchange: horizon.bitdefender.ro
3600s (01:00:00)
bitdefender.com IN A 66.223.50.102 3600s (01:00:00)

-- end --

 

I have confirmed from 2 BD sources that report.bitdefender.com is in fact a BD server. The database sources are poorly documented causing FUD. It is used by their virus and spam outbreak control service. It is also used in their mobile device AV service.

What I'm still working on is why BD "phone home" accesses still try to access when the user turns off these BD10 options.

Apart from the one log entry I got from zlclient trying to access this BD site it no longer does that. So ZA is not doing now on my PC this as far as I can tell.

So it seems that BD 10 also ignores user options, and I'm going with that assumption for now. It may be a bug. They responded to questions in hours and were very helpful.

I'm leaving the site blocked since I can still update the product with hourly AV updates and in principal I don't want unsolciated outgoing packets leave the PC.

If I get more I will report back.

 

I'm following advice now to ignore some posts.
Blocking the sources works well and avoids being diverted from forum/ thread work !

1st and this is important, backup the ZA settings to a flash memory or cd daily. When you mess with settings as I have you get some surprises and need to revert back a level. So if you start using some of the finding here back up your current settings now!

For the members here, I have attached my current FW page showing blocked ip's and sites of doubtful purposes, more than you would ever have believed!

Note that my router/ Lan is set to internet NOT TRUSTED and the PC works fine. This point has been shown correct by Stem and others so that matter is over for me.

For ZA Pro users who want to try tighter settings (at their own risk of course) I have also attached my ZA Pro program settings.

Set SmartDefenseAdvisor to medium, you get the advice BUT you decide what is best setting for your PC with that application. Don't join the share setting league on install.

AntiSpyware turn off, doesn't fit with a FW, UNLESS you don't have any ASW from top group, then use ZA's.

Leave spysite blocking on, does no harm, only site it ever found for me was pcflanktest which provides evaluations of ZA and other tools

AV monitor leave off unless it accepts your AV, it doesn't recognize BD 10 among others. So I leave it off.

Email, leave it off, it is not the job IMO of a FW to scan email. BD10 does that for me. UNLESS you have no email in/out scanner then turn ZA's on.

Privacy: This one I am not finished with but here is my status

Clean cache daily, don't use auto.

id protection, block ebay and paypal if you don't use them
put nothing in trusted sites, except perhaps your own online bank.

MyVault: Well it is quite a misnomer, I had some fun by putting my legal ZA license number in the vault, plus BD 10. On ZA product updates ZA blocked the license # from being sent. Updates worked fine anyway. On ASW updates it doesn't ask for license #, inconsistent logic. Why ask for data not needed?

With BD 10 on updates it doesn't ask for license #, so that not an issue for them.

There are bugs/issues with Alerts and logs set on High. ZA keeps turning mine off. When you ask? If I add a block site, it immediately turns it off! I turn it on and guess what? it logs 5 rapid order attempts to connect to the new blocked site! As to why? Well it can't be a bug can it?

zlclient and BD both tried to send packets from my PC to the site called report.bitdefender.com. This is in Romania. I contacted BD and they told me it was their world wide collection site for spam and data from users on malware outbreaks. It is not their site for product updates. So I promptly blocked it and the rest of that country. My BD updates continue to work fine because BD told me all their update sites lie outside Romania.

That's it guys, I'm done with this thread (unless someone wants to ask me a question)

 

I know this is an old thread, but I do have some questions for you, if you don't mind answering them?

Did you ever have Bit Defender installed on your computer? If not, why would ZA be trying to send packets from your PC to the site called report.bitdefender.com? Something is very strange here!

Have a nice day!

 

If you read the post again and look at my signature you will see BD is active on my PC.

BitDefender confirmed that report.bitdefender.com is their collection site worldwide for collection of data on spam and virus outbreaks.
They also told me that if I was worried about security I could block that site as the support and update sites are outside of Romania. At least they were honest about it!

I have the auto send off for bitdefender but it continued to try to send packets anyway. The turn off features for sending information are NOT reliable.

On ZA, I had one reported connect to report.bitdefender.com but that is one too many right?

As to why? I could only speculate and that would just add fuel to the great conspiracy theory !

But ask Fax, 12fw (Oldsod at ZA), or gre87y (Greb49er at ZA) to explain it either here or over at their forum.

I have now got dozens of collection sites blocked and more on the way.
There is the one from BD, others from ZA and from M$.

If posters doubt any or all of this put the sites in your own block lists and track the attempts.

 

Already explained above somewhere... most of them where DNS:53 calls... with all the blocking on ZA that Escalader did, I think ZA was not correctly reporting "who did what"...

A simple sniffer could have been useful to clarify origin/destination of the connections...

Cheers,
Fax

 

Cold Pizza (=?Fax) never on line at same time! Fax answers for Cold Pizza

But anyway, wrong again.

Thread learners

Stem already dealt with these hardcoded call homes in ZA in the past. So that matter is over. He did all the sniffing work for us.

The issue for ZA Pro users is to block its hard coded collection sites.
ZA does it sure, no news there, but BD was news but they were honest and said go ahead an block that site so I did. That ZA also trys to send there is well, what to say... interesting

For anyone who wants to KNOW put my blocks in your own set up, updates all work fine as does Smart advice.... qed

Privacy: This one I was not finished with but here is was the status

Clean cache daily, don't use auto.

id protection, block ebay and paypal if you don't use them
put nothing in trusted sites, except perhaps your own online bank.

MyVault: Well it is quite a misnomer, I had some fun by putting my legal ZA license number in the vault, plus BD 10. On ZA product updates ZA blocked the license # from being sent. Updates worked fine anyway. On ASW updates it doesn't ask for license #, inconsistent logic. Why ask for data not needed?

With BD 10 on updates it doesn't ask for license #, so that not an issue for them.

There are bugs/issues with Alerts and logs set on High. ZA keeps turning mine off. When you ask? If I add a block site, it immediately turns it off! I turn it on and guess what? it logs 5 rapid order attempts to connect to the new blocked site! As to why? Well it can't be a bug can it?

zlclient and BD both tried to send packets from my PC to the site called report.bitdefender.com. This is in Romania. I contacted BD and they told me it was their world wide collection site for spam and data from users on malware outbreaks. It is not their site for product updates. So I promptly blocked it and the rest of that country. My BD updates continue to work fine because BD told me all their update sites lie outside Romania.

 

Sorry but I am not like you ArrowPilot
Ever thought about Time Zones and different continents?

Fax

 

By the way, if I remember well Stem couldn't really replicate your persistent 'call home' in his setup...
To be fair to ZA, you should at least state that the ZA call home was "in your set-up"!

Cheers,
Fax

 

Stem speaks for himself as do I.

Suggesting words for others to speak is silly.

Of course ZA call homes were in my setup

All users have to do is make the blocks and log.

 

I see we are on this kick again about calling home. Well, IMO any type of Security Software Program will call home. No matter what you can try to do to prevent it, some way it will get through. Before attacking the program maker of any type of Security Software Program, perhaps we should look at who is REALLY behind all of this, Big Brother. This has been going on for sometime and now with all the latest events in the world, it has become more intense. You can either do two things IMO, try to block them at your firewall or reach down, pull the plug out of the wall outlet, box up your computer, and find some other way to communicate with the rest of the world.

Thank you for your time and have a Great Day!

 

This sounds better...

Cheers,
Fax

 

You to Berge01, wondered where you had gone!

Well, assuming we are not going to pull the plug, and that Big Brother is the cause and forcing these program makers to hard code call home to gathering sites I choose block them as you put it "at the FW".

So where's the list of sites to block? I'll key every dang one of them in!

 

That is correct, the only outbound I could not find reason for, was for the HTTPS connection after installation.

Hello Escalader,
You keep mentioning BD outbound, have you found the application making these attempts? (and please advise, is "Task Schedular" active on your sysytem? (in windows services))

 

I don't believe the list I post here would make the Forum Moderators very happy, besides some of the members may not agree, causing more hostile posts, and besides your Firewall can only hold so many Blocks to be effective.

 

Stem:

Here is the Q and A posted on the BitDefender forum a few weeks back when I was still running ZA Pro. The application was zlclient first, then when blocked switched to WINLOGON.exe. The spam gathering site is in Romania 80.86.96.0 to 80.86.127.255. The site was report.bitdefender.com.

post 1..... Since I blocked it after 1 attempt by zlclient then 5 attempts in rapid order with a switch to winlog as access program. All Alerts continues to be turned off on any change in settings or on reboots.

My ASW, product updates and SmartDefense on manual all work fine with selected blocks and "optimized" settings.

post 2
Hi Escalader,

I might be wrong, but that could be BitDefender trying to send/receive data about viruses as a result of the options Send virus reports and Enable BitDefender Outbreak Detection (General -> Settings)

Try to disable these options, and see if you have any more attempts.

.


Hi :

I will try your idea, what puzzled me was I didn't change any BD options lately and it was zlclient that connected first. Now it is WINLOGON.exe that is attempting the connect. I have it blocked until I know what's happening here.

post 3

Here is the latest information I have on this:

1) As ... suggested I turned off the "Send virus reports and Enable BitDefender Outbreak Detection" options in BD setup. The repeated connections to 80.86.106.67 continue unabated.
2) I ran a Whois Server Version 1.3 here is the result.

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for domain "REPORT.BITDEFENDER.COM".

post 4

Did a reverse DNS and the ip comes up as Bucerest Romania. No information on organization owning it.

The whois data base lists this country with a high fraud profile?

post 5
Hello,
Nobody except Bitdefender can register sub-domains of BitDefender.com ,the Head Quarters of BitDefender are in Romania. Once you own a Domain name you can register as many sub-domains as you want for free, that can be done just by the main owner of the domain.The report.bitdefender.com could be a server in the HQ so it's not dangerous at all.

post 6

Just to be clear I trust BitDefender or I wouldn't use the product.

But the way this came to light was very strange.
First as mentioned a few posts back zlclient was the program that first accessed report.bitdefender.com.

Next the id of the program attempting access switched to WINLOGON.exe.

Is report.bitdefender.com a server in HQ? The city and country are right but the whois data base don't confirm BD's ownership of this site.

Could be a server is not the same as is a server.

I'm not trying to be difficult, I just want clarity.

post 7

The owner you see there is INES , that is one of our Internet Providers. The connection is leading to our internal server.Over this connection are virus and spam statistics send.

Real Time Virus Report (RTVR) & Real Time Spam Report (RTSR)

RTVR/RTSR is a system included in BitDefender products deployed all over the Internet that reports virus and spam activity to the BitDefender Labs(report.bitdefender.com) to help isolate and prevent the spreading of malware and spam in an efficient and timely manner.
So it is our server.


Hi ...:

Thank you very much for tracking this down for me. Best to be clear!

I currently have followed the following idea:

"....turned off the "Send virus reports and Enable BitDefender Outbreak Detection" options in BD setup"

The repeated connections attempts to 80.86.106.67 continue anyway.

This seems to me to mean that the RTVR and RTSR connects occur even if the options are turned off.

In my set up I have the address blocked, yet updates of the product continue ok as do the attempts to send reports back.

So updates must use one server and reports on virus and spam must use another?

Have I described all this correctly?

Post 8

The update servers are different from the one with statistic reports. Why?
Beacuse we need to have good connection to all the users from the World. That's why you will have servers scattered all over the World and only one server that gathers information about viruses and spam in Romania.

If you are concerned about your security just block report.bitdefender.com although is our server and everything is secured.

Since I then knew the site was a gatherer, I blocked the whole country.
BD updates continue unimpeded.

I checked scheduler and found 2 old McAfee entries. I haven;t had it for 2 years! Should have cleaned it out but didn't. Gone now. Thanks.
The only scheduled tasks are SpySweeper scans.

The attempted connects to report.bitdefender.com no longer occur.

The difference? ZA Pro uninstalled, CFW is installed.

Observation it wasn't BD continuing to attempt connects but ZA Pro.

 

Good heavens what to do?

I guess I'll just max out my FW or just block whole country's.

Can you post the country ranges to block?

Then when a valid ip pops up I'll allow it! one by one! Can't be any more than 5 or 6 safe sites left!

It is a real challenge. Time for Mrk to enter this thread he always has unnique ideas!

What I really need is a leak proof vault then I could put all my secrets in it and scrap the FW completely!