[feature]: Source Suggestion: Jarelllama's Scam Blocklist

[jarelllama]

Contact Details

No response

What's your idea?

Hi, I'm the maintainer of Jarelllama's Scam Blocklist, a blocklist for newly created scam and phishing domains automatically retrieved daily using Google Search API, automated NRD detection, and other public sources.

This blocklist aims to be an alternative to blocking all newly registered domains (NRDs) seeing how many, but not all, NRDs are malicious. A variety of sources are integrated to detect new malicious domains within a short time span of their registration date.

Taken from my README, this is the current filtering process:

• The domains collated from all sources are filtered against an actively maintained whitelist (scam reporting sites, forums, vetted stores, etc.)
• The domains are checked against the Tranco Top Sites Ranking for potential false positives which are then vetted manually
• Common subdomains like 'www' are stripped to make use of wildcard matching for all other subdomains. The list of subdomains checked for can be viewed here: subdomains.txt
• Only domains are included in the blocklist; IP addresses are manually checked for resolving DNS records and URLs are stripped down to their domains
• Entries that require manual verification/intervention are sent in a Telegram notification for fast remediations

Dead domains and parked domains are automatically removed daily as well. More about the blocklist's retrieval and filtering process can be found in the README.

These are the formats I currently offer:	Format	Syntax
Adblock Plus	||scam.com^
Dnsmasq	local=/scam.com/
Unbound	local-zone: "scam.com." always_nxdomain
Wildcard Asterisk	*.scam.com
Wildcard Domains	scam.com

Please do let me know your thoughts!

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

[T145]

Hey! This looks neat, and I'm actually surprised I haven't found it yet. I'll need some time to look over things thoroughly at some point. I'm using PhishStats already, and do something similar to what you are with my maintained version of the "Not on my Shift" blocklist.

My present thoughts since you asked:

• Rather than downloading data from a few third parties I'd go straight to the source for NRDs. NRD Downloader is great to use.
• With your ScamAdviser processing, I'm fairly certain you can just use URL globbing rather than using a URL array.
• You can use my Docker image if you'd like to have access to better CLI utilities: https://github.com/T145/black-mirror/blob/master/.github/workflows/publish_lists.yml#L18
• I would just assign execution_time once before your update methods are called rather than assigning it in every update method. To my understanding, you get the timestamp from the time the last update method is called rather than the first, which is a bug.
• When it comes to parallel downloads, I don't think many utilities beat Aria2.

I'll need time to check the list content but it looks good so far. I'd also be open to integrating your project's functionality into Black Mirror if you'd like to join on as a contributor. If the contributing documentation isn't helpful I'm happy to answer any questions.

[jarelllama]

Thanks @T145 for the code review. Your input is incredibly valuable seeing how I'm the single maintainer and doing my own code reviews is less effective than input from someone else.

Feel free to give feedback for any of the other scripts/workflows.

Regarding contributing, please do let me know in what other ways I could help contribute besides lending my blocklist as a source. If it's helpful I can begin a pull request for data/v2/manifest.json.

Thanks again!

[T145]

Sure, if you'd like to make a PR go for it.

My thoughts on contributing more to the project regard adding what you do w/ some sources directly to Black Mirror. This would mean making an entry in the manifest with the source URL in the mirrors field, then designating a filter in my scripts to process the text. This is what you're doing with many of your grep commands as reference. It's all in the contributing docs but if anything is confusing just ask.