MetaMask / eth-phishing-detect

Utility for detecting phishing domains targeting Web3 users

www.trinity.art #5119

Closed doschott closed 2 years ago

doschott commented 3 years ago

When I visit my new website https://www.Trinity.art, the browser page "Ethereum Phishing Detection" comes up.

This is a new website that has no known issues and is simply a Global Christian Art Marketplace. Why is this site included in a phishing list? How can this be corrected? I accept crypto, so I don't want all of the browsers with MetaMask to get this message when visiting www.trinity.art.

Thank You, Daniel Schott

trn1ty commented 3 years ago

We're in the same boat. You can check why your site is blocked here and both trinity.moe (my domain) and trinity.art (yours) are blocked for "similarity to dfinity.org, a historical phishing target". I think it's that all three sites match the regex ..inity\.* or something.

trn1ty commented 3 years ago

Checking this out (as you can probably see from all my comments on related issues). Looks like dfinity.org was added to a list of domains for which to fuzzy-match to detect phishing in commit 045b1c5f569d6f5b35cb898d221e7f4618980830 from 2018.

This fuzzy matching works by stripping 'www.' from the domain being visited, removing the top-level domain, and calculating the Levenshtein distance between it and any of the domains on the "fuzzylist". The default tolerance is a Levenshtein distance of 3, so when sites are under the threshold PhishingDetector.check will return { type: 'fuzzy', result: true, match }.

The issue with dfinity.org being added to the fuzzylist is that a number of words have a Levenshtein distance equal to or less than 3 from dfinity. Just check a Scrabble word finder for any words that end in inity and then look at the words at or under 8 characters. Not to mention words that don't yet exist that use the suffix -inity.

Some issues that currently deal with this specific problem, besides the ones in which I commented a link to this issue, are:

But I'm sure there are many more.
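The fuzzy check described in the comment above, reproduced as an added example that is not part of the thread or the eth-phishing-detect source. The lists, the function names, the extra `distance` field, the non-fuzzy return shapes and the allowlist-before-fuzzy order are assumptions of this sketch; the `<=` comparison follows the comment's "equal to or less than 3".

```javascript
// Constructed lists for illustration, not the project's real configuration.
const FUZZYLIST = ['dfinity.org']; // fuzzy target named in the thread
const TOLERANCE = 3;               // default tolerance named in the thread

// Two-row dynamic-programming Levenshtein distance.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Lowercase, strip a leading "www.", then drop the last label (the TLD).
function fuzzyForm(domain) {
  const labels = domain.toLowerCase().replace(/^www\./, '').split('.');
  return labels.slice(0, -1).join('.');
}

// Hypothetical check(): an exact allowlist hit wins, then fuzzy matching runs.
function check(domain, allowlist = []) {
  const bare = domain.toLowerCase().replace(/^www\./, '');
  if (allowlist.includes(bare)) return { type: 'allowlist', result: false };
  const source = fuzzyForm(domain);
  for (const match of FUZZYLIST) {
    const distance = levenshtein(source, fuzzyForm(match));
    if (distance <= TOLERANCE) return { type: 'fuzzy', result: true, match, distance };
  }
  return { type: 'all', result: false };
}

// Which of a set of ordinary domains end up flagged.
function falsePositives(domains, allowlist = []) {
  return domains.filter((d) => check(d, allowlist).result);
}

// Constructed sample: two domains from the thread plus two made-up ones.
const SAMPLE = ['www.Trinity.art', 'trinity.moe', 'infinity.example', 'example.org'];
console.log(falsePositives(SAMPLE));
console.log(falsePositives(SAMPLE, ['trinity.art', 'trinity.moe']));
```

Allowlisting the two trinity domains clears them, but `infinity.example` is still flagged, which is the reason the comment argues the fuzzylist entry itself is the problem.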

gravelcycles commented 3 years ago

Commenting here in case it will speed up your process: we are processing PRs faster than we are processing Issues. If you'd like to streamline getting your domains on the allowlist, a PR will go a long ways :)

cc @devenblake

trn1ty commented 3 years ago

I'll submit a PR sometime soon, when I have time. However, further action should be taken as there are so many false positives for dfinity.

trn1ty commented 2 years ago

Continued in #6720.