curben
/
phishing-filter
mirror of https://gitlab.com/malware-filter/phishing-filter
1
0
Fork 0
Code Issues Releases Wiki Activity
1,264 Commits 2 Branches 0 Tags 682 MiB
Shell 84.2%
JavaScript 15.8%
Go to file
MDLeom 1542baf603
ci(ga): add Cloudflare Radar 		2022-12-25 05:47:21 +00:00
.github/workflows ci(ga): add Cloudflare Radar 2022-12-25 05:47:21 +00:00
src style(sed): avoid backslash in insert option 2022-12-17 00:19:11 +00:00
utils Initial commit 2020-07-05 11:53:13 +01:00
.gitignore chore(gitignore): node_modules 2022-01-08 05:58:00 +00:00
.gitlab-ci.yml feat: add Cloudflare Radar top 1m domains dataset 2022-11-25 07:19:20 +00:00
.nvmrc ci: downgrade to node 16 2022-11-01 06:55:55 +00:00
LICENSE.md Initial commit 2020-07-05 11:53:13 +01:00
README.md docs(splunk): list csv columns 2022-12-21 07:35:03 +00:00
package.json refactor: deploy filters to gitlab pages 2022-01-08 03:01:41 +00:00

README.md

Phishing URL Blocklist

A blocklist of phishing websites, curated from PhishTank, OpenPhish, phishunt.io. Blocklist is updated twice a day.

There are multiple formats available, refer to the appropriate section according to the program used:

For other programs, see Compatibility page in the wiki.

Check out my other filters:

URL-based

Import the following URL into uBO to subscribe:

included by default in uBO >=1.39.0; to enable, head to "Filter lists" tab, expand "Malware domains" section and tick "Phishing URL Blocklist".

Mirrors

AdGuard Home users should use this blocklist.

URL-based (AdGuard)

Import the following URL into AdGuard browser extension to subscribe:

Mirrors

URL-based (Vivaldi)

Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"

Import the following URL into Vivaldi's Tracker Blocking Sources to subscribe:

Mirrors

Domain-based

This blocklist includes domains and IP addresses.

Mirrors

Domain-based (AdGuard Home)

This AdGuard Home-compatible blocklist includes domains and IP addresses.

Mirrors

Hosts-based

This blocklist includes domains only.

Mirrors

Dnsmasq

This blocklist includes domains only.

Save the ruleset to "/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf". Refer to this guide for auto-update.

Configure dnsmasq to use the blocklist:

printf "\nconf-file=/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf

Mirrors

BIND

This blocklist includes domains only.

Save the ruleset to "/usr/local/etc/bind/phishing-filter-bind.conf". Refer to this guide for auto-update.

Configure BIND to use the blocklist:

printf '\ninclude "/usr/local/etc/bind/phishing-filter-bind.conf";\n' >> /etc/bind/named.conf

Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists):

$TTL    86400   ; one day
@       IN      SOA     ns.nullzone.loc. ns.nullzone.loc. (
               2017102203
                    28800
                     7200
                   864000
                    86400 )
                NS      ns.nullzone.loc.
                A       0.0.0.0
@       IN      A       0.0.0.0
*       IN      A       0.0.0.0

Zone file is derived from here.

Mirrors

Response Policy Zone

This blocklist includes domains only.

Mirrors

Unbound

This blocklist includes domains only.

Save the rulesets to "/usr/local/etc/unbound/phishing-filter-unbound.conf". Refer to this guide for auto-update.

Configure Unbound to use the blocklist:

printf '\n include: "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf

Mirrors

dnscrypt-proxy

Save the rulesets to "/etc/dnscrypt-proxy/". Refer to this guide for auto-update.

Configure dnscrypt-proxy to use the blocklist:

[blocked_names]
+  blocked_names_file = '/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-names.txt'

[blocked_ips]
+  blocked_ips_file = '/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-ips.txt'
Mirrors

Tracking Protection List (IE)

This blocklist includes domains only.

Mirrors

Snort2

This ruleset includes online URLs only. Not compatible with Snort3.

Save the ruleset to "/etc/snort/rules/phishing-filter-snort2.rules". Refer to this guide for auto-update.

Configure Snort to use the ruleset:

printf "\ninclude \$RULE_PATH/phishing-filter-snort2.rules\n" >> /etc/snort/snort.conf

Mirrors

Snort3

This ruleset includes online URLs only. Not compatible with Snort2.

Save the ruleset to "/etc/snort/rules/phishing-filter-snort3.rules". Refer to this guide for auto-update.

Configure Snort to use the ruleset:

# /etc/snort/snort.lua
ips =
{
  variables = default_variables,
+  include = 'rules/phishing-filter-snort3.rules'
}
Mirrors

Suricata

This ruleset includes online URLs only.

Save the ruleset to "/etc/suricata/rules/phishing-filter-suricata.rules". Refer to this guide for auto-update.

Configure Suricata to use the ruleset:

# /etc/suricata/suricata.yaml
rule-files:
  - local.rules
+  - phishing-filter-suricata.rules
Mirrors

Splunk

A CSV file for Splunk lookup. This ruleset includes online URLs only.

Either upload the file via GUI or save the file in $SPLUNK_HOME/Splunk/etc/system/lookups or app-specific $SPLUNK_HOME/etc/YourApp/apps/search/lookups. Refer to this guide or Getwatchlist app for auto-update.

Columns:

host path message updated
example.com phishing-filter phishing website detected 2022-12-21T12:34:56Z
example2.com /some-path phishing-filter phishing website detected 2022-12-21T12:34:56Z
Mirrors

Compressed version

All filters are also available as gzip- and brotli-compressed.

Snort 2 rule is only available in compressed format in pages.dev due to the platform's 25MB file size limit

Issues

This blocklist operates by blocking the whole website, instead of specific webpages; exceptions are made on popular websites (e.g. https://docs.google.com/), in which webpages are specified instead (e.g. https://docs.google.com/phishing-page). Phishing webpages are only listed in URL-based filter, popular websites are excluded from other filters.

Popular websites are as listed in the Umbrella Popularity List (top 1M domains + subdomains), Tranco List (top 1M domains), Cloudflare Radar (top 1M domains) and this custom list.

If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an issue or merge request.

This blocklist only accepts new phishing URLs from PhishTank and OpenPhish.

Please report new phishing URL to PhishTank or OpenPhish.

See also

Phishing Army by Andrea Draghetti is available in domain-based format and utilises more sources. Its exclusion methods are not up-to-date though: Anudeep's whitelist was lasted updated in Dec 2021 and Alexa was deprecated in May 2022.

FAQ and Guides

See wiki

CI Variables

Optional variables:

  • PHISHTANK_API: Recommended if you intend to run script.sh >5 times daily. Register an account at phishtank.org to generate an application key.
  • CLOUDFLARE_BUILD_HOOK: Deploy to Cloudflare Pages.
  • NETLIFY_SITE_ID: Deploy to Netlify.
  • CF_API: Include Cloudflare Radar domains ranking. Guide to create an API token.

License

src/: CC0

filters: CC BY-SA 4.0

PhishTank: Available free of charge by Cisco for commercial and non-commercial use.

PhishTank is either trademark or registered trademark of Cisco Systems, Inc.

OpenPhish: Available free of charge by OpenPhish

Tranco List: MIT License

Umbrella Popularity List: Available free of charge by Cisco Umbrella

csvquote: MIT License

phishunt.io: All rights reserved by Daniel López

Cloudflare Radar: Available to free Cloudflare account

This repository is not endorsed by PhishTank/OpenDNS and OpenPhish.