New ad system on ZeroHedge - how to block


#1

ZeroHedge.com seems to have put up some new ads that really slow page loading down and make scrolling jerky.

Adding this regex to the blacklist is stopping them today, but looking at the domain name, this may turn into a game of Whack-A-Mole if they have a pile of throw-away domains to play with in addition to the multiple sub-domains they are using now. I saw about 15 variants on the 1nthp4i. sub, but all with the fxdqgxfynma.com base.

https://1nthp4i.fxdqgxfynma.com

(^|\.)fxdqgxfynma\.com$

Anyone have a better idea for blocking this kind of thing?
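Added example, not part of the original post: a way to check what a blacklist regex of this shape actually covers before relying on it, using `grep -E` (POSIX extended syntax, the flavour the rules in this thread are written in). It compares a bare-dot pattern with an escaped-dot one; only the two fxdqgxfynma.com sub-domains come from the thread, the other host names are constructed.

```shell
#!/bin/sh
# Added example: test Pi-hole style blacklist regexes against sample host names.

LOOSE='(^|.)fxdqgxfynma.com$'      # bare dots: "." matches any character
STRICT='(^|\.)fxdqgxfynma\.com$'   # escaped dots: only a literal "." matches

# Sample host names. The first three are the base domain and sub-domains
# seen in the thread; the last three are constructed near-misses.
HOSTS='fxdqgxfynma.com
1nthp4i.fxdqgxfynma.com
195aid0.fxdqgxfynma.com
notfxdqgxfynma.com
fxdqgxfynmaxcom
fxdqgxfynma.com.example.org'

# matches REGEX HOST -> exit status 0 if REGEX matches HOST
matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# verdicts REGEX -> one "host=blocked" or "host=allowed" line per sample host
verdicts() {
    for host in $HOSTS; do
        if matches "$1" "$host"; then
            echo "$host=blocked"
        else
            echo "$host=allowed"
        fi
    done
}

echo "bare dots:";    verdicts "$LOOSE"
echo "escaped dots:"; verdicts "$STRICT"
```

The escaped form blocks the base domain and every sub-domain of it and nothing else; the bare-dot form also blocks unrelated names that merely end in the same characters. Neither covers a different registered domain, which is the Whack-A-Mole concern raised above.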


#2

I’m not seeing ads or this behavior.

DNSThingy shows the following domains loaded when opening that site:

Here is what I see on the page:


#3

If I remove the blacklist and turn off my browser blocking I get a page full of ads and a page exit pop-up.


I don’t have DNSThingy; is any other tool available that doesn’t require a subscription?


#4

DNSThingy is a Chrome browser extension. No subscription that I am aware of.

I keep a clean copy of Chrome available just for testing items such as this. I have uBlock available on it, but disabled.

I ran this again and I’m not seeing any of the fynma domains being requested, either in DNSThingy or showing in the tail of the Pi-Hole log.

Perhaps this is location based, subscription based? Weird.


#5

I had the same issue and had success by blocking ads.investingchannel.com and a regex entry for fxdqgxfynma.com.


#6

I tried this again using Chromium browser on the Pi (so the requests would be isolated to localhost in the logs, and easier to separate from other traffic on my Mac that uses that Pi-Hole). Same results.

I’m not seeing any requests for fynma.com or any subdomains of that. DNSThingy output below after going to several of the links on the page. I do have blocks for a few gvt1.com domains that were driven by regex, perhaps that is the difference.

zerohedge.com
www.zerohedge.com
cdn.jsdelivr.net
abd.investingchannel.com
imasdk.googleapis.com
ads.investingchannel.com
static.doubleclick.net
pagead2.googlesyndication.com
www.reddit.com
trends.revcontent.com
redirector.gvt1.com
68.106.66.195
ajax.googleapis.com

From the pihole-FTL.log (with REGEX debugging enabled):

[2019-01-05 10:20:37.280] DEBUG: Regex in line 4 "^(.+[-_.])??ad[sxv]?[0-9]*[-_.]" matches "ads.investingchannel.com"

[2019-01-05 10:24:03.053] DEBUG: Regex in line 2 "(^r[[:digit:]]+(\-+|\.+)[a-z]+\-+[[:alnum:]]+\-+[[:alnum:]]+\.)(googlevideo|gvt1)\.com$" matches "r1---sn-bvvbax-hjpe.gvt1.com"
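Added example, not part of the original post: a small summary of the regex debug lines shown above, counting how many distinct domains each regex rule has caught, which is a quick way to see sub-domain churn behind a single rule. The first two sample lines are the ones quoted in the post; the rest, including rule line 5 and its pattern, are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise "Regex in line N ... matches ..." debug lines
# from pihole-FTL.log (format as quoted in the post above).

# Constructed sample input: two lines from the post, three invented hits
# for a hypothetical rule on line 5, and one unrelated line.
sample_log() {
    cat <<'EOF'
[2019-01-05 10:20:37.280] DEBUG: Regex in line 4 "^(.+[-_.])??ad[sxv]?[0-9]*[-_.]" matches "ads.investingchannel.com"
[2019-01-05 10:24:03.053] DEBUG: Regex in line 2 "(^r[[:digit:]]+(\-+|\.+)[a-z]+\-+[[:alnum:]]+\-+[[:alnum:]]+\.)(googlevideo|gvt1)\.com$" matches "r1---sn-bvvbax-hjpe.gvt1.com"
[2019-01-05 10:25:10.000] DEBUG: Regex in line 5 "(^|\.)fxdqgxfynma\.com$" matches "1nthp4i.fxdqgxfynma.com"
[2019-01-05 10:25:11.000] DEBUG: Regex in line 5 "(^|\.)fxdqgxfynma\.com$" matches "195aid0.fxdqgxfynma.com"
[2019-01-05 10:25:12.000] DEBUG: Regex in line 5 "(^|\.)fxdqgxfynma\.com$" matches "1nthp4i.fxdqgxfynma.com"
[2019-01-05 10:25:13.000] unrelated line (constructed)
EOF
}

# regex_hits: log text on stdin -> "<rule line> <domain>", one per distinct pair.
# The rule text is skipped greedily, so the last quoted string is the domain.
regex_hits() {
    sed -nE 's/^.*DEBUG: Regex in line ([0-9]+) ".*" matches "([^"]*)"$/\1 \2/p' |
        sort -u
}

# variants_per_rule: log text on stdin -> "<rule line> <distinct domain count>"
variants_per_rule() {
    regex_hits |
        awk '{ n[$1]++ } END { for (r in n) print r, n[r] }' |
        sort -n
}

sample_log | variants_per_rule
```

On a real install, feed the function the log file instead of `sample_log`; a rule whose count keeps growing is absorbing new sub-domains, while new base domains will not show up here at all.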

#7

Ah! More than one DNSThingy; one I found was https://www.dnsthingy.com/get-dnsthingy, which installs on a router. Off to the Chrome extensions to see if I can find the one you use.

It could be location based; also, because it is new, or new to me as I had no issues there earlier in the week, a phased roll-out. Hopefully they will work on it, as it makes the site about unusable as things load and move about and the browser stalls and jerks.


#8

They may tie this to cookies. Worth a deletion of all their cookies and downloaded content.


#9

Found DNSThingy Assistant, only one .fxdqgxfynma.com there this morning. Tagged -----

* 195aid0.fxdqgxfynma.com   --------------------