enhanced_site_protection.txt
[Adblock Plus 2.0]
! Title: 🛑 Enhanced website protection
! Description: To be used in conjunction with Dandelion Sprout's Anti-Malware List, this filter will warn users before making top-site navigations that use the TLDs below. This list focuses on top-site navigations, not sub-requests. Please report exceptions to legitimate sites. Many exceptions come from bestplayerbot.
! Homepage: https://github.com/yokoffing/filterlists
! Expires: 4 days (update frequency)
! Version: 18 June 2024
! Syntax: AdBlock
!!! Malicious TLDs
! Topical domains with wide use by bad actors and whose use for legitimate purposes is small
||buzz^$doc,from=~allthe.buzz|~awful.buzz|~cliq.buzz|~montpellier.buzz|~sideb.buzz|~williamsonday.buzz
||mov^$doc,from=~david.mov
||tk^$doc,from=~adistance.tk|~bloatcat.tk|~bonzibuddy.tk|~bryla.tk|~bstweaker.tk|~budterence.tk|~c-r-t.tk|~c0d3c.tk|~censurion.tk|~china996.tk|~cuso.tk|~devhonk.tk|~dlyang.tk|~google.tk|~goshujin.tk|~gotofap.tk|~graph.tk|~grazziecorp.tk|~handicapped.tk|~heggadrone.tk|~helene.tk|~kabi.tk|~lameni.tk|~leroymcqy.tk|~loveisgrief.tk|~msqtdn.tk|~pube.tk|~rainer-zufall.tk|~sironi.tk|~takiverse.tk|~tokelau-info.tk|~webdev189.tk|~xn--qubec-csa.tk|~zete.tk
||zip^$doc,from=~community.zip|~financialstatement.zip|~lemmy.zip|~redecanais.zip|~redecanaistv.zip|~url.zip
!!! Likely abused TLDs
! https://w3techs.com/technologies/overview/top_level_domain
! https://www.spamhaus.org/statistics/tlds/
||beauty^$doc,from=~homelab.beauty|~nic.beauty|~vipbj.beauty
||dad^$doc,from=~classic.dad|~daily.dad|~dear.dad|~rad.dad
||degree^$doc,from=~nic.degree|~opf.degree|~three60.degree
||esq^$doc,from=~erika.esq
||fit^$doc,from=~appetit.fit|~clubb.fit|~justget.fit|~nic.fit|~pridegym.fit|~thebene.fit|~tootally.fit|~union.fit
||foo^$doc,from=~helloworld.foo
||loans^$doc
||phd^$doc,from=~rafael.phd
||prof^$doc,from=~casey.prof
||quest^$doc,from=~0x00.quest|~amble.quest|~bookshelf.quest|~dice.quest|~dont-panic.quest|~epochal.quest|~federation.quest|~galaxy.quest|~mhn.quest|~mylegendary.quest|~nic.quest|~prometheus.quest|~squash.quest|~teacher.quest|~theculture.quest|~toot.quest
||surf^$doc,from=~bloom.surf|~fedi.surf|~glowing.surf|~kayaking.surf|~nic.surf|~quran.surf|~s-wings.surf|~surfstation.surf
!!! Country-specific TLDs
! Contain malware domains that have nothing to do with the countries in question
! Mali
||ml^$doc,from=~aire.ml|~amap.ml|~beatbump.ml|~birdkey.ml|~debula.ml|~dmml.ml|~esparrec.ml|~exp0.ml|~fedi.ml|~fmhy.ml|~ghostcloud.ml|~google.ml|~guya.ml|~info-matin.ml|~kawauso.ml|~leam.ml|~lemmy.ml|~lemmygrad.ml|~lingva.ml|~loma.ml|~masto.ml|~mastodon.ml|~mastodonte.ml|~melody.ml|~nothingprivate.ml|~precure.ml|~prompt.ml|~stilic.ml|~sumanko.ml|~we-moon.ml
! Non-latin TLDs
! from https://github.com/hagezi/dns-blocklists/issues/143#issuecomment-1579896974
/(://|^)[a-z0-9.-]{2,}\.xn--[a-z0-9]{4,}($|/)/
! Punycode URLs
! Protect yourself from fake sites
! Equivalent to network.IDN_show_punycode = false in Firefox
! https://www.reddit.com/r/firefox/comments/17p68i7/set_networkidn_show_punycodetrue_to_protect/
||xn--$doc,frame
!!! Scam sites
! https://github.com/yokoffing/filterlists/issues/147
||service-rundfunkbeitrag.de
!!! Credit for everything below goes to https://github.com/iam-py-test/my_filters_001/blob/main/enhanced_protection.txt
/^https:\/\/[-0-9a-z]{12,19}\.(?:com|life)\/\?u=[0-9a-z]{7,}&o=[0-9a-z]{7,}&t=S1/$doc,domain=com|life
! very few legit things come in password-protected archives, and even fewer of them come in password-protected archives with the password in the filename
! false positives: website scanning services, malware sharing sites (?)
/\/Use_[a-zA-Z0-9]*_As_Passw0rdd\.rar$/$doc
/\/Use_[a-zA-Z0-9]*_As_Password\.rar$/$doc
/\/Passwords_2024_Setup_Full\.rar$/$doc
! test rule to detect possible malware hosted on MediaFire (i.e. https://app.any.run/tasks/d40fc871-4942-4acd-8d6a-d8f4baae1f32)
||mediafire.com/file/*/NewSetup_Use_2023_Password.rar/file^$doc
! https://www.virustotal.com/gui/url/4cbb55b62fe8bc2acdaa79d3c4fd3a6d33c0d5eed287bbe655fc117c6bdeb0a3/community
.ltd/invoice/invoice.exe|$doc
! already blocked in MWB - discord nitro scam
.xyz/nitrocodes/|$doc
! various URLHaus URLs
||transfer.sh/get/*/svchost.exe|$all
||cdn.discordapp.com/attachments/*/*/svchost.exe|$all
! https://www.virustotal.com/gui/url/51a5c613fa07f8301aa68fa16e7307dbf3bf0b0dcfa015632895d7ebf7ca36d3/community
! analysis: https://tria.ge/230918-nj1eqagh7x/behavioral1
||bookingcomdetails.$doc
/lnvoice__1541436948.js$doc,domain=blogspot.com