e02ed129d5 | ||
---|---|---|
.github/workflows | ||
src | ||
.gitignore | ||
.gitlab-ci.yml | ||
.nvmrc | ||
LICENSE | ||
LICENSE-CC0.md | ||
README.md | ||
package.json |
README.md
Phishing URL Blocklist
A blocklist of phishing websites, curated from OpenPhish and mitchellkrogza/Phishing.Database. Blocklist is updated twice a day.
Client | mirror 1 | mirror 2 | mirror 3 | mirror 4 | mirror 5 | mirror 6 |
---|---|---|---|---|---|---|
uBlock Origin, IP-based | link | link | link | link | link | link |
Pi-hole | link | link | link | link | link | link |
AdGuard Home | link | link | link | link | link | link |
AdGuard (browser extension) | link | link | link | link | link | link |
Vivaldi | link | link | link | link | link | link |
Hosts | link | link | link | link | link | link |
Dnsmasq | link | link | link | link | link | link |
BIND zone | link | link | link | link | link | link |
BIND RPZ | link | link | link | link | link | link |
dnscrypt-proxy | names.txt, ips.txt | names.txt, ips.txt | names.txt, ips.txt | names.txt, ips.txt | names.txt, ips.txt | names.txt, ips.txt |
Internet Explorer | link | link | link | link | link | link |
Snort2 | link | link | link | link | br/gz | link |
Snort3 | link | link | link | link | br/gz | link |
Suricata | link | link | link | link | br/gz | link |
Splunk | link | link | link | link | link | link |
For other programs, see Compatibility page in the wiki.
Check out my other filters:
URL-based
Import the link into uBO's filter list to subscribe.
included by default in uBO >=1.39.0; to enable, head to "Filter lists" tab, expand "Malware domains" section and tick "Phishing URL Blocklist".
AdGuard Home users should use this blocklist.
URL-based (AdGuard)
Import the link into AdGuard browser extension to subscribe
URL-based (Vivaldi)
Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"
Import the following link into Vivaldi's Tracker Blocking Sources to subscribe.
Domain-based
This blocklist includes domains and IP addresses.
Domain-based (AdGuard Home)
This AdGuard Home-compatible blocklist includes domains and IP addresses.
Hosts-based
This blocklist includes domains only.
Dnsmasq
This blocklist includes domains only.
Save the ruleset to "/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf". Refer to this guide for auto-update.
Configure dnsmasq to use the blocklist:
printf "\nconf-file=/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf
BIND
This blocklist includes domains only.
Save the ruleset to "/usr/local/etc/bind/phishing-filter-bind.conf". Refer to this guide for auto-update.
Configure BIND to use the blocklist:
printf '\ninclude "/usr/local/etc/bind/phishing-filter-bind.conf";\n' >> /etc/bind/named.conf
Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists):
$TTL 86400 ; one day
@ IN SOA ns.nullzone.loc. ns.nullzone.loc. (
2017102203
28800
7200
864000
86400 )
NS ns.nullzone.loc.
A 0.0.0.0
@ IN A 0.0.0.0
* IN A 0.0.0.0
Zone file is derived from here.
Response Policy Zone
This blocklist includes domains only.
Unbound
This blocklist includes domains only.
Save the rulesets to "/usr/local/etc/unbound/phishing-filter-unbound.conf". Refer to this guide for auto-update.
Configure Unbound to use the blocklist:
printf '\n include: "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf
dnscrypt-proxy
Save the rulesets to "/etc/dnscrypt-proxy/". Refer to this guide for auto-update.
Configure dnscrypt-proxy to use the blocklist:
[blocked_names]
+ blocked_names_file = '/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-names.txt'
[blocked_ips]
+ blocked_ips_file = '/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-ips.txt'
Tracking Protection List (IE)
This blocklist includes domains only.
Snort2
This ruleset includes online URLs only. Not compatible with Snort3.
Save the ruleset to "/etc/snort/rules/phishing-filter-snort2.rules". Refer to this guide for auto-update.
Configure Snort to use the ruleset:
printf "\ninclude \$RULE_PATH/phishing-filter-snort2.rules\n" >> /etc/snort/snort.conf
Snort3
This ruleset includes online URLs only. Not compatible with Snort2.
Save the ruleset to "/etc/snort/rules/phishing-filter-snort3.rules". Refer to this guide for auto-update.
Configure Snort to use the ruleset:
# /etc/snort/snort.lua
ips =
{
variables = default_variables,
+ include = 'rules/phishing-filter-snort3.rules'
}
Suricata
This ruleset includes online URLs only.
Save the ruleset to "/etc/suricata/rules/phishing-filter-suricata.rules". Refer to this guide for auto-update.
Configure Suricata to use the ruleset:
# /etc/suricata/suricata.yaml
rule-files:
- local.rules
+ - phishing-filter-suricata.rules
Splunk
A CSV file for Splunk lookup.
Either upload the file via GUI or save the file in $SPLUNK_HOME/Splunk/etc/system/lookups
or app-specific $SPLUNK_HOME/etc/YourApp/apps/search/lookups
.
Or use malware-filter add-on to install this lookup and optionally auto-update it.
Columns:
host | path | message | updated |
---|---|---|---|
example.com | phishing-filter phishing website detected | 2022-12-21T12:34:56Z | |
example2.com | /some-path | phishing-filter phishing website detected | 2022-12-21T12:34:56Z |
Compressed version
All filters are also available as gzip- and brotli-compressed.
- Gzip: https://malware-filter.gitlab.io/malware-filter/phishing-filter.txt.gz
- Brotli: https://malware-filter.gitlab.io/malware-filter/phishing-filter.txt.br
Snort 2 rule is only available in compressed format in pages.dev due to the platform's 25MB file size limit
Issues
This blocklist operates by blocking the whole website, instead of specific webpages; exceptions are made on popular websites (e.g. https://docs.google.com/
), in which webpages are specified instead (e.g. https://docs.google.com/phishing-page
). Phishing webpages are only listed in URL-based filter, popular websites are excluded from other filters.
Popular websites are as listed in the Umbrella Popularity List (top 1M domains + subdomains), Tranco List (top 1M domains), Cloudflare Radar (top 1M domains) and this custom list.
If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an issue or merge request.
This blocklist only accepts new phishing URLs from OpenPhish and mitchellkrogza/Phishing.Database.
Please report new phishing URL to OpenPhish or mitchellkrogza/Phishing.Database.
See also
Phishing Army by Andrea Draghetti is available in domain-based format and utilises more sources. Its exclusion methods are not up-to-date though: Anudeep's whitelist was lasted updated in Dec 2021 and Alexa was deprecated in May 2022.
FAQ and Guides
See wiki
CI Variables
Optional variables:
CLOUDFLARE_BUILD_HOOK
: Deploy to Cloudflare Pages.NETLIFY_SITE_ID
: Deploy to Netlify.CF_API
: Include Cloudflare Radar domains ranking. Guide to create an API token.
Repository Mirrors
https://gitlab.com/curben/blog#repository-mirrors
License
src/: Creative Commons Zero v1.0 Universal and MIT License
filters: CC BY-SA 4.0
OpenPhish: Available free of charge by OpenPhish
mitchellkrogza/Phishing.Database: MIT License
Umbrella Popularity List: Available free of charge by Cisco Umbrella
csvquote: MIT License
Cloudflare Radar: Available to free Cloudflare account
This repository is not endorsed by OpenPhish.