Go to file
curben-bot 02e73156ad Filter updated: Mon, 13 Jul 2020 00:06:08 UTC 2020-07-13 00:06:08 +00:00
.gitlab Initial commit 2020-07-05 11:53:13 +01:00
dist Filter updated: Mon, 13 Jul 2020 00:06:08 UTC 2020-07-13 00:06:08 +00:00
src feat: add OpenPhish data 2020-07-12 08:16:27 +01:00
utils Initial commit 2020-07-05 11:53:13 +01:00
.gitignore Initial commit 2020-07-05 11:53:13 +01:00
.gitlab-ci.yml ci: enable commit push 2020-07-05 12:08:52 +01:00
LICENSE.md Initial commit 2020-07-05 11:53:13 +01:00
README.md feat: add OpenPhish data 2020-07-12 08:16:27 +01:00

README.md

Phishing URL Blocklist

A blocklist of phishing websites, based on the PhishTank and OpenPhish lists. Blocklist is updated twice a day.

There are multiple formats available, refer to the appropriate section according to the program used:

Not sure which format to choose? See Compatibility page.

URL-based

Import the following URL into uBO to subscribe:

Mirrors

Domain-based

This blocklist includes domains and IP addresses.

Mirrors

Hosts-based

This blocklist includes domains only.

Mirrors

Dnsmasq

This blocklist includes domains only.

Install

# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/dnsmasq/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://gitlab.com/curben/phishing-filter/raw/master/dist/phishing-filter-dnsmasq.conf" -o "/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf"\n' > /etc/cron.daily/phishing-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter

# Configure dnsmasq to use the blocklist
printf "\nconf-file=/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf
Mirrors

BIND

This blocklist includes domains only.

Install

# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/bind/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://gitlab.com/curben/phishing-filter/raw/master/dist/phishing-filter-bind.conf" -o "/usr/local/etc/bind/phishing-filter-bind.conf"\n' > /etc/cron.daily/phishing-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter

# Configure BIND to use the blocklist
printf '\ninclude "/usr/local/etc/bind/phishing-filter-bind.conf";\n' >> /etc/bind/named.conf

Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists):

$TTL    86400   ; one day
@       IN      SOA     ns.nullzone.loc. ns.nullzone.loc. (
               2017102203
                    28800
                     7200
                   864000
                    86400 )
                NS      ns.nullzone.loc.
                A       0.0.0.0
@       IN      A       0.0.0.0
*       IN      A       0.0.0.0

Zone file is derived from here.

Mirrors

Unbound

This blocklist includes domains only.

Install

# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/unbound/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://gitlab.com/curben/phishing-filter/raw/master/dist/phishing-filter-unbound.conf" -o "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' > /etc/cron.daily/phishing-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter

# Configure Unbound to use the blocklist
printf '\n  include: "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf
Mirrors

Issues

This blocklist operates by blocking the whole website, instead of specific webpages; exceptions are made on popular websites (e.g. https://docs.google.com/), in which webpages are specified instead (e.g. https://docs.google.com/phishing-page). Phishing webpages are only listed in URL-based filter, popular websites are excluded from other filters.

Popular websites are as listed in the Umbrella Popularity List (top 1M domains + subdomains), Tranco List (top 1M domains) and this custom list.

If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an issue or merge request.

This blocklist only accepts new phishing URLs from PhishTank and OpenPhish.

Please report new phishing URL to PhishTank or OpenPhish.

Cloning

Since the filter is updated frequently, cloning the repo would become slower over time as the revision grows.

Use shallow clone to get the recent revisions only. Getting the last five revisions should be sufficient for a valid MR.

git clone --depth 5 https://gitlab.com/curben/phishing-filter.git

License

Creative Commons Zero v1.0 Universal

PhishTank: CC BY-SA 2.5

PhishTank is either trademark or registered trademark of OpenDNS, LLC.

OpenPhish: Available free of charge by OpenPhish

Tranco List: MIT License

Umbrella Popularity List: Available free of charge by Cisco Umbrella

csvquote: MIT License

This repository is not endorsed by PhishTank/OpenDNS and OpenPhish.