This is the central repository for adding or removing domains, links, and IPs from the Phishing.Database project.
Since pushing to the main repository is prohibited, this repository serves as an area for anyone to submit changes to the Phishing Database.
Caution
The files in the top-level directories have been migrated to the new structure and are now deleted. For all future contributions and downloads, please use the new directory structure.
We now categorize contributions into three main directories:
additions/: Contains files for adding phishing domains, links, and IPs.falsepositives/: Contains files for whitelisting false positives.bypasses/: Contains files for bypassing any whitelisting rules from the project's very own engine or any external resources of false positive.
Within these directories, we categorize contributions further into 2 timeframes:
permanent/: For contributions that are expected to remain valid indefinitely.temporary/: For contributions that are expected to be valid for a short period of time. Please be aware that the content of the files in this directory will be removed at the beginning of each month.
Within the above directories, you can find the files listed bellow.
| Filename | Description |
|---|---|
additions/**/domains.list |
Container a list of domains to be added to the Phishing.Database. |
additions/**/domains.wildcard.list |
Contains a list of domains to be added and considered as wildcards - as we meet them overtime. |
| Filename | Description |
|---|---|
additions/**/links.list |
Contains a list of links / URLs to be added to the Phishing.Database. |
| Filename | Description |
|---|---|
additions/**/ips.list |
Contains a list of IPs to be added to the Phishing.Database. |
additions/**/ips.cidr.list |
Contains a list of IPs to be added to the Phishing.Database in CIDR notation. (cf: RFC-5737) |
additions/**/ips.arpa.list |
Contains a list of IPs to be added to the Phishing.Database in ARPA/PTR format. (cf: RFC-5737) |
additions/**/ips.cidr.arpa.list |
Contains a list of IPs to be added to the Phishing.Database in CIDR notation in ARPA format. (cf: RFC-5737) |
Note
The Phishing.Database project uses the Givilsta project to process any files in the falsepositives/ directory against the main repository. Please keep that in mind when you are tented to add huge lists of domains, links, or IPs.
| Filename | Description |
|---|---|
falsepositives/**/domains.list |
Contains a list of domains to be whitelisted as false positives. This is a 1:1 match. |
falsepositives/**/domains.all.list |
Contains a list of domains to be whitelisted as false positives. Any entry in this file will be prefixed with Givilsta's ALL flag (cf: see Givilsta's readme). |
falsepositives/**/domains.reg.list |
Contains a list of domains to be whitelisted as false positives. Any entry in this file will be prefixed with Givilsta's REG flag (cf: see Givilsta's readme). |
falsepositives/**/domains.rzdb.list |
Contains a list of domains to be whitelisted as false positives. Any entry in this file will be prefixed with Givilsta's RZDB flag (cf: see Givilsta's readme). |
| Filename | Description |
|---|---|
falsepositives/**/links.list |
Contains a list of links to be whitelisted as false positives. This is a 1:1 match. |
| Filename | Description |
|---|---|
falsepositives/**/ips.list |
Contains a list of IPs to be whitelisted as false positives. This is a 1:1 match. |
falsepositives/**/ips.cidr.list |
Contains a list of IPs to be whitelisted as false positives in CIDR notation. (cf: RFC-5737) |
falsepositives/**/ips.arpa.list |
Contains a list of IPs to be whitelisted as false positives in ARPA/PTR format. (cf: RFC-5737) |
falsepositives/**/ips.cidr.arpa.list |
Contains a list of IPs to be whitelisted as false positives in CIDR notation in ARPA format. (cf: RFC-5737) |
In addition to the false positives, a set of bypass rules are available to allow discussions and bypasses of any false positive that may come from the project's very own engine or any external resources of false positive.
Note
The Phishing.Database project uses the Givilsta project to process any files in the bypass/ directory against the main repository. Please keep that in mind when you are tented to add huge lists of domains, links, or IPs.
| Filename | Description |
|---|---|
bypasses/**/domains.list |
Contains a list of domains to be bypassed when processing false positives. This is a 1:1 match. |
bypasses/**/domains.all.list |
Contains a list of domains to be bypassed when processing false positives. Any entry in this file will be prefixed with Givilsta's ALL flag (cf: see Givilsta's readme). |
bypasses/**/domains.reg.list |
Contains a list of domains to be bypassed when processing false positives. Any entry in this file will be prefixed with Givilsta's REG flag (cf: see Givilsta's readme). |
bypasses/**/domains.rzdb.list |
Contains a list of domains to be bypassed when processing false positives. Any entry in this file will be prefixed with Givilsta's RZDB flag (cf: see Givilsta's readme). |
| Filename | Description |
|---|---|
bypasses/**/links.list |
Contains a list of links to be bypassed when processing false positives. This is a 1:1 match. |
| Filename | Description |
|---|---|
bypasses/**/ips.list |
Contains a list of IPs to be bypassed when processing false positives. This is a 1:1 match. |
bypasses/**/ips.cidr.list |
Contains a list of IPs to be bypassed when processing false positives in CIDR notation. (cf: RFC-5737) |
bypasses/**/ips.arpa.list |
Contains a list of IPs to be bypassed when processing false positives in ARPA/PTR format. (cf: RFC-5737) |
bypasses/**/ips.cidr.arpa.list |
Contains a list of IPs to be bypassed when processing false positives in CIDR notation in ARPA format. (cf: RFC-5737) |
In addition to the false-positive files listed above, we also integrate external resources that are used for false positives. These resources are not directly part of the Phishing.Database project but are used to enhance the accuracy of our false-positive detection.
| Project | Used Resource | Integration |
|---|---|---|
| PeterDaveHello/url-shorteners | url-shorteners | false positive list |
The state of the master branch will be automatically fetched every few hours and integrated into
the next update of the main repository. The latest state of the fetched data will
be reflected in the frozen-dataset repository.
TL;DR: The bypasses/ directory is used to bypass any false positive that may come from the
project's very own engine or any external resources of false positive.
Let's assume that example.me is a domain that is listed in one of our external-resources,
which is being used as a source for false positives. Being listed there means that example.me will be whitelisted and no
example.me links will be integrated into the Phishing.Database project.
What if example.me is now a threat? In this case, we would want to ensure that it is not whitelisted and that any links
containing example.me are processed as phishing links.
That's where bypasses come in. Since we assume that the source list is a simple list of domains with
no extra rules, we can add
example.me to the bypasses/{timeframe}/domains.list file.
Once the change is merged and pushed, our engine will download the file and effectively disable example.me from being
whitelisted. This means that any time one of our sources lists a link from example.me, it will be kept and handled accordingly.
