-
Notifications
You must be signed in to change notification settings - Fork 9
/
enhanced_protection.txt
61 lines (48 loc) · 2.92 KB
/
enhanced_protection.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
! Title: Enhanced website protection (beta)
! Homepage: https://github.com/iam-py-test/my_filters_001
! Description: This listed aimed to block previously unknown malicious websites, however, it is poorly thought out and is rarely updated. Use at your own risk!
! Warning: This list will have MANY false positives and is not updated very often
! Issues url: https://github.com/iam-py-test/my_filters_001/issues
! GitLab issues url (not checked as often): https://gitlab.com/iam-py-test/my_filters_001/-/issues
! Expires: 1 day
! Last updated: 2023-9-18
! Abused TLDs
||win^$document
||bid^$document
||ooo^$document
||loan^$document
||agency^$document
||fun^$document
||cricket^$document
! Fake flash players targeting Android devices (i.e. https://www.virustotal.com/gui/file/368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792/community)
||.link/Flash_Player.apk$document
! Copied over from https://github.com/DandelionSprout/adfilt/commit/260f840b773b04d7397c6c40d86cf7e2887768d8
||free-discordnitro.$all
||dotagift*.xyz^$all
! Fake Discord websites
/^https?:\/\/discord(nitro|gift)[a-zA-Z0-9]*\.[a-zA-Z0-9]*/$document,domain=ru|xyz|online|top
/^https?:\/\/discrod(nitro|gift)[a-zA-Z0-9]*\.[a-zA-Z0-9]*/$document,domain=ru|xyz|online|top
/^https?:\/\/dlscord(nitro|gift)[a-zA-Z0-9]*\.[a-zA-Z0-9]*/$document,domain=ru|xyz|online|top
! Scam websites - https://github.com/DandelionSprout/adfilt/issues/63#issuecomment-927183223
! Credit to https://github.com/spirillen and https://github.com/Yuki2718 for the RegExp and https://github.com/krystian3w for the report
/^https:\/\/[-0-9a-z]{12,19}\.(?:com|life)\/\?u=[0-9a-z]{7,}&o=[0-9a-z]{7,}&t=S1/$document,domain=com|life
! very few legit things come in password-protected archives, and even fewer of them come in password protected archives with the password in the filename
! false positives: website scanning services, malware sharing sites (?)
/\/Use_[a-zA-Z0-9]*_As_Passw0rdd\.rar$/$document
/\/Use_[a-zA-Z0-9]*_As_Password\.rar$/$document
/\/Passwords_2024_Setup_Full\.rar$/$document
! test rule to detect possible malware hosted on MediaFire (i.e. https://app.any.run/tasks/d40fc871-4942-4acd-8d6a-d8f4baae1f32)
||mediafire.com/file/*/NewSetup_Use_2023_Password.rar/file^$document
! https://www.virustotal.com/gui/url/4cbb55b62fe8bc2acdaa79d3c4fd3a6d33c0d5eed287bbe655fc117c6bdeb0a3/community
.ltd/invoice/invoice.exe|$document
! already blocked in MWB - discord nitro scam
.xyz/nitrocodes/|$document
! various URLHaus URLs
||transfer.sh/get/*/svchost.exe|$all
||cdn.discordapp.com/attachments/*/*/svchost.exe|$all
! https://www.virustotal.com/gui/url/51a5c613fa07f8301aa68fa16e7307dbf3bf0b0dcfa015632895d7ebf7ca36d3/community
! my analysis: https://tria.ge/230918-nj1eqagh7x/behavioral1
||bookingcomdetails.$document
/lnvoice__1541436948.js$document,domain=blogspot.com
! https://urlhaus.abuse.ch/url/2748897/
/browserdatasavedforvideotocreatesoitswillbebeautifulforentireprocesstowatchfromtrue.Doc|$document