20 KiB
Phishing URL Blocklist
A blocklist of phishing websites, curated from PhishTank, OpenPhish, phishunt.io. Blocklist is updated twice a day.
There are multiple formats available, refer to the appropriate section according to the program used:
- uBlock Origin (uBO) -> URL-based section (recommended)
- Pi-hole -> Domain-based or Hosts-based section
- AdGuard Home -> Domain-based (AdGuard Home) or Hosts-based section
- AdGuard browser extension -> URL-based (AdGuard)
- Vivaldi -> URL-based (Vivaldi)
- Hosts
- Dnsmasq
- BIND -> BIND zone or RPZ
- Unbound
- dnscrypt-proxy
- Internet Explorer -> Tracking Protection List (IE)
- Snort2
- Snort3
- Suricata
- Splunk
For other programs, see Compatibility page in the wiki.
Check out my other filters:
URL-based
Import the following URL into uBO to subscribe:
included by default in uBO >=1.39.0; to enable, head to "Filter lists" tab, expand "Malware domains" section and tick "Phishing URL Blocklist".
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter.txt
- https://curbengh.github.io/phishing-filter/phishing-filter.txt
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter.txt
- https://malware-filter.pages.dev/phishing-filter.txt
- https://phishing-filter.pages.dev/phishing-filter.txt
AdGuard Home users should use this blocklist.
URL-based (AdGuard)
Import the following URL into AdGuard browser extension to subscribe:
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-ag.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-ag.txt
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-ag.txt
- https://malware-filter.pages.dev/phishing-filter-ag.txt
- https://phishing-filter.pages.dev/phishing-filter-ag.txt
URL-based (Vivaldi)
Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"
Import the following URL into Vivaldi's Tracker Blocking Sources to subscribe:
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-vivaldi.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-vivaldi.txt
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-vivaldi.txt
- https://malware-filter.pages.dev/phishing-filter-vivaldi.txt
- https://phishing-filter.pages.dev/phishing-filter-vivaldi.txt
Domain-based
This blocklist includes domains and IP addresses.
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-domains.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-domains.txt
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-domains.txt
- https://malware-filter.pages.dev/phishing-filter-domains.txt
- https://phishing-filter.pages.dev/phishing-filter-domains.txt
Domain-based (AdGuard Home)
This AdGuard Home-compatible blocklist includes domains and IP addresses.
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-agh.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-agh.txt
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-agh.txt
- https://malware-filter.pages.dev/phishing-filter-agh.txt
- https://phishing-filter.pages.dev/phishing-filter-agh.txt
Hosts-based
This blocklist includes domains only.
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-hosts.txt
- https://curbengh.github.io/phishing-filter/phishing-filter-hosts.txt
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-hosts.txt
- https://malware-filter.pages.dev/phishing-filter-hosts.txt
- https://phishing-filter.pages.dev/phishing-filter-hosts.txt
Dnsmasq
This blocklist includes domains only.
Install
# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/dnsmasq/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-dnsmasq.conf" -o "/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf"\n' > /etc/cron.daily/phishing-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
# Configure dnsmasq to use the blocklist
printf "\nconf-file=/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-dnsmasq.conf
- https://curbengh.github.io/phishing-filter/phishing-filter-dnsmasq.conf
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-dnsmasq.conf
- https://malware-filter.pages.dev/phishing-filter-dnsmasq.conf
- https://phishing-filter.pages.dev/phishing-filter-dnsmasq.conf
BIND
This blocklist includes domains only.
Install
# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/bind/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-bind.conf" -o "/usr/local/etc/bind/phishing-filter-bind.conf"\n' > /etc/cron.daily/phishing-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
# Configure BIND to use the blocklist
printf '\ninclude "/usr/local/etc/bind/phishing-filter-bind.conf";\n' >> /etc/bind/named.conf
Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists):
$TTL 86400 ; one day
@ IN SOA ns.nullzone.loc. ns.nullzone.loc. (
2017102203
28800
7200
864000
86400 )
NS ns.nullzone.loc.
A 0.0.0.0
@ IN A 0.0.0.0
* IN A 0.0.0.0
Zone file is derived from here.
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-bind.conf
- https://curbengh.github.io/phishing-filter/phishing-filter-bind.conf
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-bind.conf
- https://malware-filter.pages.dev/phishing-filter-bind.conf
- https://phishing-filter.pages.dev/phishing-filter-bind.conf
Response Policy Zone
This blocklist includes domains only.
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-rpz.conf
- https://curbengh.github.io/phishing-filter/phishing-filter-rpz.conf
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-rpz.conf
- https://malware-filter.pages.dev/phishing-filter-rpz.conf
- https://phishing-filter.pages.dev/phishing-filter-rpz.conf
Unbound
This blocklist includes domains only.
Install
# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/unbound/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-unbound.conf" -o "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' > /etc/cron.daily/phishing-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
# Configure Unbound to use the blocklist
printf '\n include: "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-unbound.conf
- https://curbengh.github.io/phishing-filter/phishing-filter-unbound.conf
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-unbound.conf
- https://malware-filter.pages.dev/phishing-filter-unbound.conf
- https://phishing-filter.pages.dev/phishing-filter-unbound.conf
dnscrypt-proxy
Install
# Create a new folder to store the blocklist
mkdir -p /etc/dnscrypt-proxy/
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-names.txt" -o "/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-names.txt"\n' > /etc/cron.daily/phishing-filter
printf '\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-ips.txt" -o "/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-ips.txt"\n' >> /etc/cron.daily/phishing-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
Configure dnscrypt-proxy to use the blocklist:
[blocked_names]
+ blocked_names_file = '/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-names.txt'
[blocked_ips]
+ blocked_ips_file = '/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-ips.txt'
- https://malware-filter.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-names.txt
- https://malware-filter.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-ips.txt
Mirrors
-
https://curbengh.github.io/malware-filter/phishing-filter-dnscrypt-blocked-names.txt
-
https://curbengh.github.io/phishing-filter/phishing-filter-dnscrypt-blocked-names.txt
-
https://malware-filter.gitlab.io/phishing-filter/phishing-filter-dnscrypt-blocked-names.txt
-
https://malware-filter.pages.dev/phishing-filter-dnscrypt-blocked-names.txt
-
https://phishing-filter.pages.dev/phishing-filter-dnscrypt-blocked-names.txt
-
https://curbengh.github.io/malware-filter/phishing-filter-dnscrypt-blocked-ips.txt
-
https://curbengh.github.io/phishing-filter/phishing-filter-dnscrypt-blocked-ips.txt
-
https://malware-filter.gitlab.io/phishing-filter/phishing-filter-dnscrypt-blocked-ips.txt
-
https://malware-filter.pages.dev/phishing-filter-dnscrypt-blocked-ips.txt
-
https://phishing-filter.pages.dev/phishing-filter-dnscrypt-blocked-ips.txt
Tracking Protection List (IE)
This blocklist includes domains only.
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter.tpl
- https://curbengh.github.io/phishing-filter/phishing-filter.tpl
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter.tpl
- https://malware-filter.pages.dev/phishing-filter.tpl
- https://phishing-filter.pages.dev/phishing-filter.tpl
Snort2
This ruleset includes online URLs only. Not compatible with Snort3.
Install
# Download ruleset
curl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort2.rules" -o "/etc/snort/rules/phishing-filter-snort2.rules"
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort2.rules" -o "/etc/snort/rules/phishing-filter-snort2.rules"\n' > /etc/cron.daily/phishing-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
# Configure Snort to use the ruleset
printf "\ninclude \$RULE_PATH/phishing-filter-snort2.rules\n" >> /etc/snort/snort.conf
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-snort2.rules
- https://curbengh.github.io/phishing-filter/phishing-filter-snort2.rules
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-snort2.rules
- https://malware-filter.pages.dev/phishing-filter-snort2.rules
- https://phishing-filter.pages.dev/phishing-filter-snort2.rules
Snort3
This ruleset includes online URLs only. Not compatible with Snort2.
Install
# Download ruleset
curl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules"
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules"\n' > /etc/cron.daily/phishing-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
Configure Snort to use the ruleset:
# /etc/snort/snort.lua
ips =
{
variables = default_variables,
+ include = 'rules/phishing-filter-snort3.rules'
}
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-snort3.rules
- https://curbengh.github.io/phishing-filter/phishing-filter-snort3.rules
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-snort3.rules
- https://malware-filter.pages.dev/phishing-filter-snort3.rules
- https://phishing-filter.pages.dev/phishing-filter-snort3.rules
Suricata
This ruleset includes online URLs only.
Install
# Download ruleset
curl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-suricata.rules" -o "/etc/suricata/rules/phishing-filter-suricata.rules"
# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-suricata.rules" -o "/etc/suricata/rules/phishing-filter-suricata.rules"\n' > /etc/cron.daily/phishing-filter
# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter
Configure Suricata to use the ruleset:
# /etc/suricata/suricata.yaml
rule-files:
- local.rules
+ - phishing-filter-suricata.rules
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-suricata.rules
- https://curbengh.github.io/phishing-filter/phishing-filter-suricata.rules
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-suricata.rules
- https://malware-filter.pages.dev/phishing-filter-suricata.rules
- https://phishing-filter.pages.dev/phishing-filter-suricata.rules
Splunk
A CSV file for Splunk lookup. This ruleset includes online URLs only.
Mirrors
- https://curbengh.github.io/malware-filter/phishing-filter-splunk.csv
- https://curbengh.github.io/phishing-filter/phishing-filter-splunk.csv
- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-splunk.csv
- https://malware-filter.pages.dev/phishing-filter-splunk.csv
- https://phishing-filter.pages.dev/phishing-filter-splunk.csv
Compressed version
All filters are also available as gzip- and brotli-compressed.
- Gzip: https://malware-filter.gitlab.io/malware-filter/phishing-filter.txt.gz
- Brotli: https://malware-filter.gitlab.io/malware-filter/phishing-filter.txt.br
Snort 2 rule is only available in compressed format in pages.dev due to the platform's 25MB file size limit
Issues
This blocklist operates by blocking the whole website, instead of specific webpages; exceptions are made on popular websites (e.g. https://docs.google.com/
), in which webpages are specified instead (e.g. https://docs.google.com/phishing-page
). Phishing webpages are only listed in URL-based filter, popular websites are excluded from other filters.
Popular websites are as listed in the Umbrella Popularity List (top 1M domains + subdomains), Tranco List (top 1M domains), Cloudflare Radar (top 1M domains) and this custom list.
If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an issue or merge request.
This blocklist only accepts new phishing URLs from PhishTank and OpenPhish.
Please report new phishing URL to PhishTank or OpenPhish.
See also
Phishing Army by Andrea Draghetti is available in domain-based format and utilises more sources. Its exclusion methods are not up-to-date though: Anudeep's whitelist was lasted updated in Dec 2021 and Alexa was deprecated in May 2022.
FAQ and Guides
See wiki
CI Variables
Optional variables:
PHISHTANK_API
: Recommended if you intend to run script.sh >5 times daily. Register an account at phishtank.org to generate an application key.CLOUDFLARE_BUILD_HOOK
: Deploy to Cloudflare Pages.NETLIFY_SITE_ID
: Deploy to Netlify.CF_API
: Include Cloudflare Radar domains ranking. Guide to create an API token.
License
filters: CC BY-SA 4.0
PhishTank: Available free of charge by Cisco for commercial and non-commercial use.
PhishTank is either trademark or registered trademark of Cisco Systems, Inc.
OpenPhish: Available free of charge by OpenPhish
Umbrella Popularity List: Available free of charge by Cisco Umbrella
csvquote: MIT License
phishunt.io: All rights reserved by Daniel López
Cloudflare Radar: Available to free Cloudflare account
This repository is not endorsed by PhishTank/OpenDNS and OpenPhish.