phishing-filter/README.md

521 lines
19 KiB
Markdown
Raw Normal View History

2020-07-05 10:46:19 +00:00
# Phishing URL Blocklist
> Edit 2021/01/08: the default branch has changed to **main**.
A blocklist of phishing websites, based on the [PhishTank](https://www.phishtank.com/) and [OpenPhish](https://openphish.com/) lists. Blocklist is updated twice a day.
2020-07-05 10:46:19 +00:00
There are multiple formats available, refer to the appropriate section according to the program used:
- uBlock Origin (uBO) -> [URL-based](#url-based) section (recommended)
- Pi-hole -> [Domain-based](#domain-based) or [Hosts-based](#hosts-based) section
- AdGuard Home -> [Domain-based (AdGuard Home)](#domain-based-adguard-home) or [Hosts-based](#hosts-based) section
- AdGuard browser extension -> [URL-based (AdGuard)](#url-based-adguard)
- Vivaldi -> [URL-based (Vivaldi)](#url-based-vivaldi)
- [Hosts](#hosts-based)
- [Dnsmasq](#dnsmasq)
- BIND -> BIND [zone](#bind) or [RPZ](#response-policy-zone)
- [Unbound](#unbound)
- [dnscrypt-proxy](#dnscrypt-proxy)
- Internet Explorer -> [Tracking Protection List (IE)](#tracking-protection-list-ie)
2021-03-18 17:44:15 +00:00
- [Snort2](#snort2)
2021-03-19 19:03:25 +00:00
- [Snort3](#snort3)
2021-03-18 17:44:15 +00:00
- [Suricata](#suricata)
2020-07-05 10:46:19 +00:00
Not sure which format to choose? See [Compatibility](https://gitlab.com/curben/urlhaus-filter/wikis/compatibility) page.
2021-06-01 10:03:40 +00:00
Check out my other filters:
- [urlhaus-filter](https://gitlab.com/curben/urlhaus-filter)
- [pup-filter](https://gitlab.com/curben/pup-filter)
2022-01-02 02:31:21 +00:00
- [tracking-filter](https://gitlab.com/curben/tracking-filter)
2020-12-17 03:31:18 +00:00
2020-07-05 10:46:19 +00:00
## URL-based
Import the following URL into uBO to subscribe:
- https://curben.gitlab.io/malware-filter/phishing-filter.txt
2020-07-05 10:46:19 +00:00
_included by default in uBO >=[1.39.0](https://github.com/gorhill/uBlock/releases/tag/1.39.0); to enable, head to "Filter lists" tab, expand "Malware domains" section and tick "Phishing URL Blocklist"._
2020-07-05 10:46:19 +00:00
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter.txt
- https://curbengh.github.io/phishing-filter/phishing-filter.txt
- https://curben.gitlab.io/phishing-filter/phishing-filter.txt
- https://malware-filter.pages.dev/phishing-filter.txt
- https://phishing-filter.pages.dev/phishing-filter.txt
- https://malware-filter.netlify.app/phishing-filter.txt
- https://phishing-filter.netlify.app/phishing-filter.txt
2020-07-05 10:46:19 +00:00
</details>
**AdGuard Home** users should use [this blocklist](#domain-based-adguard-home).
## URL-based (AdGuard)
Import the following URL into AdGuard browser extension to subscribe:
- https://curben.gitlab.io/malware-filter/phishing-filter-ag.txt
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-ag.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-ag.txt
- https://curben.gitlab.io/phishing-filter/phishing-filter-ag.txt
- https://malware-filter.pages.dev/phishing-filter-ag.txt
- https://phishing-filter.pages.dev/phishing-filter-ag.txt
- https://malware-filter.netlify.app/phishing-filter-ag.txt
- https://phishing-filter.netlify.app/phishing-filter-ag.txt
2020-07-05 10:46:19 +00:00
</details>
## URL-based (Vivaldi)
_Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"_
Import the following URL into Vivaldi's **Tracker Blocking Sources** to subscribe:
- https://curben.gitlab.io/malware-filter/phishing-filter-vivaldi.txt
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-vivaldi.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-vivaldi.txt
- https://curben.gitlab.io/phishing-filter/phishing-filter-vivaldi.txt
- https://malware-filter.pages.dev/phishing-filter-vivaldi.txt
- https://phishing-filter.pages.dev/phishing-filter-vivaldi.txt
- https://malware-filter.netlify.app/phishing-filter-vivaldi.txt
- https://phishing-filter.netlify.app/phishing-filter-vivaldi.txt
</details>
2020-07-05 10:46:19 +00:00
## Domain-based
This blocklist includes domains and IP addresses.
- https://curben.gitlab.io/malware-filter/phishing-filter-domains.txt
2020-07-05 10:46:19 +00:00
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-domains.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-domains.txt
- https://curben.gitlab.io/phishing-filter/phishing-filter-domains.txt
- https://malware-filter.pages.dev/phishing-filter-domains.txt
- https://phishing-filter.pages.dev/phishing-filter-domains.txt
- https://malware-filter.netlify.app/phishing-filter-domains.txt
- https://phishing-filter.netlify.app/phishing-filter-domains.txt
2020-07-05 10:46:19 +00:00
</details>
## Domain-based (AdGuard Home)
This AdGuard Home-compatible blocklist includes domains and IP addresses.
- https://curben.gitlab.io/malware-filter/phishing-filter-agh.txt
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-agh.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-agh.txt
- https://curben.gitlab.io/phishing-filter/phishing-filter-agh.txt
- https://malware-filter.pages.dev/phishing-filter-agh.txt
- https://phishing-filter.pages.dev/phishing-filter-agh.txt
- https://malware-filter.netlify.app/phishing-filter-agh.txt
- https://phishing-filter.netlify.app/phishing-filter-agh.txt
</details>
2020-07-05 10:46:19 +00:00
## Hosts-based
This blocklist includes domains only.
- https://curben.gitlab.io/malware-filter/phishing-filter-hosts.txt
2020-07-05 10:46:19 +00:00
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-hosts.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-hosts.txt
- https://curben.gitlab.io/phishing-filter/phishing-filter-hosts.txt
- https://malware-filter.pages.dev/phishing-filter-hosts.txt
- https://phishing-filter.pages.dev/phishing-filter-hosts.txt
- https://malware-filter.netlify.app/phishing-filter-hosts.txt
- https://phishing-filter.netlify.app/phishing-filter-hosts.txt
2020-07-05 10:46:19 +00:00
</details>
## Dnsmasq
This blocklist includes domains only.
### Install
```
# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/dnsmasq/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-dnsmasq.conf" -o "/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf"\n' > /etc/cron.daily/phishing-filter
2020-07-05 10:46:19 +00:00
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
# Configure dnsmasq to use the blocklist
2020-07-06 03:46:32 +00:00
printf "\nconf-file=/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf
2020-07-05 10:46:19 +00:00
```
- https://curben.gitlab.io/malware-filter/phishing-filter-dnsmasq.conf
2020-08-28 03:16:31 +00:00
2020-07-05 10:46:19 +00:00
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-dnsmasq.conf
- https://curbengh.github.io/phishing-filter/phishing-filter-dnsmasq.conf
- https://curben.gitlab.io/phishing-filter/phishing-filter-dnsmasq.conf
- https://malware-filter.pages.dev/phishing-filter-dnsmasq.conf
- https://phishing-filter.pages.dev/phishing-filter-dnsmasq.conf
- https://malware-filter.netlify.app/phishing-filter-dnsmasq.conf
- https://phishing-filter.netlify.app/phishing-filter-dnsmasq.conf
2020-07-05 10:46:19 +00:00
</details>
## BIND
This blocklist includes domains only.
### Install
```
# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/bind/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-bind.conf" -o "/usr/local/etc/bind/phishing-filter-bind.conf"\n' > /etc/cron.daily/phishing-filter
2020-07-05 10:46:19 +00:00
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
# Configure BIND to use the blocklist
2020-07-06 03:46:32 +00:00
printf '\ninclude "/usr/local/etc/bind/phishing-filter-bind.conf";\n' >> /etc/bind/named.conf
2020-07-05 10:46:19 +00:00
```
Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists):
```
$TTL 86400 ; one day
@ IN SOA ns.nullzone.loc. ns.nullzone.loc. (
2017102203
28800
7200
864000
86400 )
NS ns.nullzone.loc.
A 0.0.0.0
@ IN A 0.0.0.0
* IN A 0.0.0.0
```
Zone file is derived from [here](https://github.com/tomzuu/blacklist-named/blob/master/null.zone.file).
- https://curben.gitlab.io/malware-filter/phishing-filter-bind.conf
2020-08-28 03:16:31 +00:00
2020-07-05 10:46:19 +00:00
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-bind.conf
- https://curbengh.github.io/phishing-filter/phishing-filter-bind.conf
- https://curben.gitlab.io/phishing-filter/phishing-filter-bind.conf
- https://malware-filter.pages.dev/phishing-filter-bind.conf
- https://phishing-filter.pages.dev/phishing-filter-bind.conf
- https://malware-filter.netlify.app/phishing-filter-bind.conf
- https://phishing-filter.netlify.app/phishing-filter-bind.conf
2020-07-05 10:46:19 +00:00
</details>
## Response Policy Zone
This blocklist includes domains only.
- https://curben.gitlab.io/malware-filter/phishing-filter-rpz.conf
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-rpz.conf
- https://curbengh.github.io/phishing-filter/phishing-filter-rpz.conf
- https://curben.gitlab.io/phishing-filter/phishing-filter-rpz.conf
- https://malware-filter.pages.dev/phishing-filter-rpz.conf
- https://phishing-filter.pages.dev/phishing-filter-rpz.conf
- https://malware-filter.netlify.app/phishing-filter-rpz.conf
- https://phishing-filter.netlify.app/phishing-filter-rpz.conf
</details>
2020-07-05 10:46:19 +00:00
## Unbound
This blocklist includes domains only.
### Install
```
# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/unbound/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-unbound.conf" -o "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' > /etc/cron.daily/phishing-filter
2020-07-05 10:46:19 +00:00
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
# Configure Unbound to use the blocklist
2020-07-06 03:46:32 +00:00
printf '\n include: "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf
2020-07-05 10:46:19 +00:00
```
- https://curben.gitlab.io/malware-filter/phishing-filter-unbound.conf
2020-08-28 03:16:31 +00:00
2020-07-05 10:46:19 +00:00
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-unbound.conf
- https://curbengh.github.io/phishing-filter/phishing-filter-unbound.conf
- https://curben.gitlab.io/phishing-filter/phishing-filter-unbound.conf
- https://malware-filter.pages.dev/phishing-filter-unbound.conf
- https://phishing-filter.pages.dev/phishing-filter-unbound.conf
- https://malware-filter.netlify.app/phishing-filter-unbound.conf
- https://phishing-filter.netlify.app/phishing-filter-unbound.conf
2020-07-05 10:46:19 +00:00
</details>
## dnscrypt-proxy
### Install
```
# Create a new folder to store the blocklist
mkdir -p /etc/dnscrypt-proxy/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-names.txt" -o "/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-names.txt"\n' > /etc/cron.daily/phishing-filter
printf '\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-ips.txt" -o "/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-ips.txt"\n' >> /etc/cron.daily/phishing-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
```
Configure dnscrypt-proxy to use the blocklist:
``` diff
[blocked_names]
+ blocked_names_file = '/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-names.txt'
[blocked_ips]
+ blocked_ips_file = '/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-ips.txt'
```
- https://curben.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-names.txt
- https://curben.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-ips.txt
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-dnscrypt-blocked-names.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-dnscrypt-blocked-names.txt
- https://curben.gitlab.io/phishing-filter/phishing-filter-dnscrypt-blocked-names.txt
- https://malware-filter.pages.dev/phishing-filter-dnscrypt-blocked-names.txt
- https://phishing-filter.pages.dev/phishing-filter-dnscrypt-blocked-names.txt
- https://malware-filter.netlify.app/phishing-filter-dnscrypt-blocked-names.txt
- https://phishing-filter.netlify.app/phishing-filter-dnscrypt-blocked-names.txt
- https://curbengh.github.io/malware-filter/phishing-filter-dnscrypt-blocked-ips.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-dnscrypt-blocked-ips.txt
- https://curben.gitlab.io/phishing-filter/phishing-filter-dnscrypt-blocked-ips.txt
- https://malware-filter.pages.dev/phishing-filter-dnscrypt-blocked-ips.txt
- https://phishing-filter.pages.dev/phishing-filter-dnscrypt-blocked-ips.txt
- https://malware-filter.netlify.app/phishing-filter-dnscrypt-blocked-ips.txt
- https://phishing-filter.netlify.app/phishing-filter-dnscrypt-blocked-ips.txt
</details>
## Tracking Protection List (IE)
This blocklist includes domains only.
- https://curben.gitlab.io/malware-filter/phishing-filter.tpl
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter.tpl
- https://curbengh.github.io/phishing-filter/phishing-filter.tpl
- https://curben.gitlab.io/phishing-filter/phishing-filter.tpl
- https://malware-filter.pages.dev/phishing-filter.tpl
- https://phishing-filter.pages.dev/phishing-filter.tpl
- https://malware-filter.netlify.app/phishing-filter.tpl
- https://phishing-filter.netlify.app/phishing-filter.tpl
</details>
2021-03-18 17:44:15 +00:00
## Snort2
2021-03-19 19:03:25 +00:00
This ruleset includes online URLs only. Not compatible with [Snort3](#snort3).
2021-03-18 17:44:15 +00:00
### Install
```
# Download ruleset
curl -L "https://curben.gitlab.io/malware-filter/phishing-filter-snort2.rules" -o "/etc/snort/rules/phishing-filter-snort2.rules"
2021-03-18 17:44:15 +00:00
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-snort2.rules" -o "/etc/snort/rules/phishing-filter-snort2.rules"\n' > /etc/cron.daily/phishing-filter
2021-03-18 17:44:15 +00:00
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
# Configure Snort to use the ruleset
printf "\ninclude \$RULE_PATH/phishing-filter-snort2.rules\n" >> /etc/snort/snort.conf
```
- https://curben.gitlab.io/malware-filter/phishing-filter-snort2.rules
2021-03-18 17:44:15 +00:00
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-snort2.rules
- https://curbengh.github.io/phishing-filter/phishing-filter-snort2.rules
- https://curben.gitlab.io/phishing-filter/phishing-filter-snort2.rules
- https://malware-filter.pages.dev/phishing-filter-snort2.rules
- https://phishing-filter.pages.dev/phishing-filter-snort2.rules
- https://malware-filter.netlify.app/phishing-filter-snort2.rules
- https://phishing-filter.netlify.app/phishing-filter-snort2.rules
2021-03-18 17:44:15 +00:00
</details>
2021-03-19 19:03:25 +00:00
## Snort3
This ruleset includes online URLs only. Not compatible with [Snort2](#snort2).
### Install
```
# Download ruleset
curl -L "https://curben.gitlab.io/malware-filter/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules"
2021-03-19 19:03:25 +00:00
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules"\n' > /etc/cron.daily/phishing-filter
2021-03-19 19:03:25 +00:00
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
```
Configure Snort to use the ruleset:
``` diff
# /etc/snort/snort.lua
ips =
{
variables = default_variables,
2021-03-22 09:39:13 +00:00
+ include = 'rules/phishing-filter-snort3.rules'
2021-03-19 19:03:25 +00:00
}
```
- https://curben.gitlab.io/malware-filter/phishing-filter-snort3.rules
2021-03-19 19:03:25 +00:00
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-snort3.rules
- https://curbengh.github.io/phishing-filter/phishing-filter-snort3.rules
- https://curben.gitlab.io/phishing-filter/phishing-filter-snort3.rules
- https://malware-filter.pages.dev/phishing-filter-snort3.rules
- https://phishing-filter.pages.dev/phishing-filter-snort3.rules
- https://malware-filter.netlify.app/phishing-filter-snort3.rules
- https://phishing-filter.netlify.app/phishing-filter-snort3.rules
2021-03-19 19:03:25 +00:00
</details>
2021-03-18 17:44:15 +00:00
## Suricata
This ruleset includes online URLs only.
### Install
```
# Download ruleset
curl -L "https://curben.gitlab.io/malware-filter/phishing-filter-suricata.rules" -o "/etc/suricata/rules/phishing-filter-suricata.rules"
2021-03-18 17:44:15 +00:00
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-suricata.rules" -o "/etc/suricata/rules/phishing-filter-suricata.rules"\n' > /etc/cron.daily/phishing-filter
2021-03-18 17:44:15 +00:00
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
```
Configure Suricata to use the ruleset:
``` diff
# /etc/suricata/suricata.yaml
rule-files:
- local.rules
+ - phishing-filter-suricata.rules
```
- https://curben.gitlab.io/malware-filter/phishing-filter-suricata.rules
2021-03-18 17:44:15 +00:00
<details>
<summary>Mirrors</summary>
- https://curbengh.github.io/malware-filter/phishing-filter-suricata.rules
- https://curbengh.github.io/phishing-filter/phishing-filter-suricata.rules
- https://curben.gitlab.io/phishing-filter/phishing-filter-suricata.rules
- https://malware-filter.pages.dev/phishing-filter-suricata.rules
- https://phishing-filter.pages.dev/phishing-filter-suricata.rules
- https://malware-filter.netlify.app/phishing-filter-suricata.rules
- https://phishing-filter.netlify.app/phishing-filter-suricata.rules
2021-03-18 17:44:15 +00:00
</details>
2020-07-05 10:46:19 +00:00
## Issues
This blocklist operates by blocking the **whole** website, instead of specific webpages; exceptions are made on popular websites (e.g. `https://docs.google.com/`), in which webpages are specified instead (e.g. `https://docs.google.com/phishing-page`). Phishing webpages are only listed in [URL-based](#url-based) filter, popular websites are excluded from other filters.
2020-07-05 11:40:32 +00:00
*Popular* websites are as listed in the [Umbrella Popularity List](https://s3-us-west-1.amazonaws.com/umbrella-static/index.html) (top 1M domains + subdomains), [Tranco List](https://tranco-list.eu/) (top 1M domains) and this [custom list](src/exclude.txt).
2020-07-05 10:46:19 +00:00
If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an [issue](https://gitlab.com/curben/phishing-filter/issues) or [merge request](https://gitlab.com/curben/phishing-filter/merge_requests).
This blocklist **only** accepts new phishing URLs from [PhishTank](https://www.phishtank.com/) and [OpenPhish](https://openphish.com/).
2020-07-05 10:46:19 +00:00
Please report new phishing URL to [PhishTank](https://www.phishtank.com/add_web_phish.php) or [OpenPhish](https://openphish.com/faq.html).
2020-07-05 10:46:19 +00:00
## Cloning
Since the filter is updated frequently, cloning the repo would become slower over time as the revision grows.
Use shallow clone to get the recent revisions only. Getting the last five revisions should be sufficient for a valid MR.
`git clone --depth 5 https://gitlab.com/curben/phishing-filter.git`
## License
[src/](src/): [CC0](LICENSE.md)
filters: [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/)
2020-07-19 09:19:39 +00:00
[PhishTank](https://www.phishtank.com/): Available [free of charge](https://www.phishtank.com/faq.php#isitoktousetheapifor) by Cisco for commercial and non-commercial use.
_PhishTank is either trademark or registered trademark of Cisco Systems, Inc._
[OpenPhish](https://openphish.com/): Available [free of charge](https://openphish.com/terms.html) by OpenPhish
2020-07-05 11:27:41 +00:00
[Tranco List](https://tranco-list.eu/): MIT License
2020-07-05 10:46:19 +00:00
[Umbrella Popularity List](https://s3-us-west-1.amazonaws.com/umbrella-static/index.html): Available free of charge by Cisco Umbrella
[csvquote](https://github.com/dbro/csvquote): [MIT License](https://choosealicense.com/licenses/mit/)
2020-07-06 03:50:52 +00:00
This repository is not endorsed by PhishTank/OpenDNS and OpenPhish.