Phishing URL Blocklist

A blocklist of phishing websites, based on the PhishTank and OpenPhish lists. Blocklist is updated twice a day.

There are multiple formats available, refer to the appropriate section according to the program used:

uBlock Origin (uBO) -> URL-based section (recommended)
Pi-hole -> Domain-based or Hosts-based section
AdGuard Home -> Domain-based (AdGuard Home) or Hosts-based section
AdGuard browser extension -> URL-based (AdGuard)
Vivaldi -> URL-based (Vivaldi)
Hosts
Dnsmasq
BIND -> BIND zone or RPZ
Unbound
dnscrypt-proxy
Internet Explorer -> Tracking Protection List (IE)
Snort2
Snort3
Suricata

Not sure which format to choose? See Compatibility page.

Check out my other filters:

URL-based

Import the following URL into uBO to subscribe:

https://curben.gitlab.io/malware-filter/phishing-filter.txt

included by default in uBO >=1.39.0; to enable, head to "Filter lists" tab, expand "Malware domains" section and tick "Phishing URL Blocklist".

<details> <summary>Mirrors</summary>

</details>

AdGuard Home users should use this blocklist.

URL-based (AdGuard)

Import the following URL into AdGuard browser extension to subscribe:

https://curben.gitlab.io/malware-filter/phishing-filter-ag.txt

<details> <summary>Mirrors</summary>

</details>

URL-based (Vivaldi)

Requires Vivaldi Desktop/Android 3.3+, blocking level must be at least "Block Trackers"

Import the following URL into Vivaldi's Tracker Blocking Sources to subscribe:

https://curben.gitlab.io/malware-filter/phishing-filter-vivaldi.txt

<details> <summary>Mirrors</summary>

</details>

Domain-based

This blocklist includes domains and IP addresses.

https://curben.gitlab.io/malware-filter/phishing-filter-domains.txt

<details> <summary>Mirrors</summary>

</details>

Domain-based (AdGuard Home)

This AdGuard Home-compatible blocklist includes domains and IP addresses.

https://curben.gitlab.io/malware-filter/phishing-filter-agh.txt

<details> <summary>Mirrors</summary>

</details>

Hosts-based

This blocklist includes domains only.

https://curben.gitlab.io/malware-filter/phishing-filter-hosts.txt

<details> <summary>Mirrors</summary>

</details>

Dnsmasq

This blocklist includes domains only.

Install

# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/dnsmasq/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-dnsmasq.conf" -o "/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf"\n' > /etc/cron.daily/phishing-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter

# Configure dnsmasq to use the blocklist
printf "\nconf-file=/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf

https://curben.gitlab.io/malware-filter/phishing-filter-dnsmasq.conf

<details> <summary>Mirrors</summary>

</details>

BIND

This blocklist includes domains only.

Install

# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/bind/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-bind.conf" -o "/usr/local/etc/bind/phishing-filter-bind.conf"\n' > /etc/cron.daily/phishing-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter

# Configure BIND to use the blocklist
printf '\ninclude "/usr/local/etc/bind/phishing-filter-bind.conf";\n' >> /etc/bind/named.conf

Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists):

$TTL    86400   ; one day
@       IN      SOA     ns.nullzone.loc. ns.nullzone.loc. (
               2017102203
                    28800
                     7200
                   864000
                    86400 )
                NS      ns.nullzone.loc.
                A       0.0.0.0
@       IN      A       0.0.0.0
*       IN      A       0.0.0.0

Zone file is derived from here.

https://curben.gitlab.io/malware-filter/phishing-filter-bind.conf

<details> <summary>Mirrors</summary>

</details>

Response Policy Zone

This blocklist includes domains only.

https://curben.gitlab.io/malware-filter/phishing-filter-rpz.conf

<details> <summary>Mirrors</summary>

</details>

Unbound

This blocklist includes domains only.

Install

# Create a new folder to store the blocklist
mkdir -p /usr/local/etc/unbound/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-unbound.conf" -o "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' > /etc/cron.daily/phishing-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter

# Configure Unbound to use the blocklist
printf '\n  include: "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf

https://curben.gitlab.io/malware-filter/phishing-filter-unbound.conf

<details> <summary>Mirrors</summary>

</details>

dnscrypt-proxy

Install

# Create a new folder to store the blocklist
mkdir -p /etc/dnscrypt-proxy/

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-names.txt" -o "/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-names.txt"\n' > /etc/cron.daily/phishing-filter
printf '\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-ips.txt" -o "/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-ips.txt"\n' >> /etc/cron.daily/phishing-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter

Configure dnscrypt-proxy to use the blocklist:

[blocked_names]
+  blocked_names_file = '/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-names.txt'

[blocked_ips]
+  blocked_ips_file = '/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-ips.txt'

<details> <summary>Mirrors</summary>

Tracking Protection List (IE)

This blocklist includes domains only.

https://curben.gitlab.io/malware-filter/phishing-filter.tpl

<details> <summary>Mirrors</summary>

</details>

Snort2

This ruleset includes online URLs only. Not compatible with Snort3.

Install

# Download ruleset
curl -L "https://curben.gitlab.io/malware-filter/phishing-filter-snort2.rules" -o "/etc/snort/rules/phishing-filter-snort2.rules"

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-snort2.rules" -o "/etc/snort/rules/phishing-filter-snort2.rules"\n' > /etc/cron.daily/phishing-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter

# Configure Snort to use the ruleset
printf "\ninclude \$RULE_PATH/phishing-filter-snort2.rules\n" >> /etc/snort/snort.conf

https://curben.gitlab.io/malware-filter/phishing-filter-snort2.rules

<details> <summary>Mirrors</summary>

</details>

Snort3

This ruleset includes online URLs only. Not compatible with Snort2.

Install

# Download ruleset
curl -L "https://curben.gitlab.io/malware-filter/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules"

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules"\n' > /etc/cron.daily/phishing-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter

Configure Snort to use the ruleset:

# /etc/snort/snort.lua
ips =
{
  variables = default_variables,
+  include = 'rules/phishing-filter-snort3.rules'
}

https://curben.gitlab.io/malware-filter/phishing-filter-snort3.rules

<details> <summary>Mirrors</summary>

</details>

Suricata

This ruleset includes online URLs only.

Install

# Download ruleset
curl -L "https://curben.gitlab.io/malware-filter/phishing-filter-suricata.rules" -o "/etc/suricata/rules/phishing-filter-suricata.rules"

# Create a new cron job for daily update
printf '#!/bin/sh\ncurl -L "https://curben.gitlab.io/malware-filter/phishing-filter-suricata.rules" -o "/etc/suricata/rules/phishing-filter-suricata.rules"\n' > /etc/cron.daily/phishing-filter

# cron job requires execution permission
chmod 755 /etc/cron.daily/phishing-filter

Configure Suricata to use the ruleset:

# /etc/suricata/suricata.yaml
rule-files:
  - local.rules
+  - phishing-filter-suricata.rules

https://curben.gitlab.io/malware-filter/phishing-filter-suricata.rules

<details> <summary>Mirrors</summary>

</details>

Issues

This blocklist operates by blocking the whole website, instead of specific webpages; exceptions are made on popular websites (e.g. https://docs.google.com/), in which webpages are specified instead (e.g. https://docs.google.com/phishing-page). Phishing webpages are only listed in URL-based filter, popular websites are excluded from other filters.

Popular websites are as listed in the Umbrella Popularity List (top 1M domains + subdomains), Tranco List (top 1M domains) and this custom list.

If you wish to exclude certain website(s) that you believe is sufficiently well-known, please create an issue or merge request.

This blocklist only accepts new phishing URLs from PhishTank and OpenPhish.

Please report new phishing URL to PhishTank or OpenPhish.

Cloning

Since the filter is updated frequently, cloning the repo would become slower over time as the revision grows.

Use shallow clone to get the recent revisions only. Getting the last five revisions should be sufficient for a valid MR.

git clone --depth 5 https://gitlab.com/curben/phishing-filter.git

License

src/: CC0

dist/: CC BY-SA 4.0

badge.sh & .gitlab/ contain badges that are licensed by Shields.io under CC0 1.0

PhishTank: Available free of charge by Cisco for commercial and non-commercial use.

PhishTank is either trademark or registered trademark of Cisco Systems, Inc.

OpenPhish: Available free of charge by OpenPhish

Tranco List: MIT License

Umbrella Popularity List: Available free of charge by Cisco Umbrella

csvquote: MIT License

This repository is not endorsed by PhishTank/OpenDNS and OpenPhish.

description	Phishing URL Blocklist
homepage URL	https://gitlab.com/curben/phishing-filter
repository URL	https://gitlab.com/curben/phishing-filter.git
owner	curben@users.noreply.repo.or.cz
last change	Fri, 25 Nov 2022 00:05:29 +0000 (25 00:05 +0000)
last refresh	Sat, 27 Apr 2024 06:36:29 +0000 (27 08:36 +0200)
mirror URL	git://repo.or.cz/phishing-filter.git
	https://repo.or.cz/phishing-filter.git
	ssh://git@repo.or.cz/phishing-filter.git
bundle info	phishing-filter.git downloadable bundles
content tags	add:

2022-11-25	curben-bot	Failed pipelinemaster	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-25	curben-bot	Success pipeline	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-25	curben-bot	Filter updated: Fri, 25 Nov 2022 00:03:59 +0000	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-24	curben-bot	Failed pipeline	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-24	curben-bot	Success pipeline	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-24	curben-bot	Filter updated: Thu, 24 Nov 2022 00:03:37 +0000	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-23	curben-bot	Failed pipeline	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-23	curben-bot	Success pipeline	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-23	curben-bot	Filter updated: Wed, 23 Nov 2022 00:04:31 +0000	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-22	curben-bot	Failed pipeline	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-22	curben-bot	Success pipeline	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-22	curben-bot	Filter updated: Tue, 22 Nov 2022 00:04:41 +0000	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-21	curben-bot	Failed pipeline	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-21	curben-bot	Success pipeline	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-21	curben-bot	Filter updated: Mon, 21 Nov 2022 00:04:37 +0000	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
2022-11-20	curben-bot	Failed pipeline	commit \| commitdiff \| tree \| snapshot (tar.gz zip)
...

2 weeks ago	main	log \| tree
17 months ago	master	log \| tree