
Update phishing infra

SukkaW 1 年間 前
コミット
153e219832

+ 15 - 20
Build/lib/get-phishing-domains.ts

@@ -29,7 +29,7 @@ const BLACK_TLD = new Set([
   'one', 'online',
   'party', 'pro', 'pl', 'pw',
   'racing', 'rest', 'review', 'rf.gd',
-  'sa.com', 'sbs', 'science', 'shop', 'site', 'skin', 'space', 'store', 'stream', 'surf',
+  'sa.com', 'sbs', 'science', 'shop', 'site', 'skin', 'space', 'store', 'stream', 'su', 'surf',
   'tech', 'tk', 'tokyo', 'top', 'trade',
   'vip', 'vn',
   'webcam', 'website', 'win',
@@ -51,26 +51,17 @@ const WHITELIST_MAIN_DOMAINS = new Set([
 ]);
 
 const sensitiveKeywords = createKeywordFilter([
-  '-roblox',
   '.amazon-',
   '-amazon',
   'fb-com',
-  'facebook.',
-  'facebook-',
   'facebook-com',
-  '.facebook',
   '-facebook',
-  'coinbase',
+  'facebook-',
   'metamask-',
   '-metamask',
-  'virus-',
-  'icloud-',
-  'apple-',
   'www.apple',
   '-coinbase',
   'coinbase-',
-  'lcloud.',
-  'lcloud-',
   'booking-com',
   'booking.com-',
   'booking-eu',
@@ -81,6 +72,16 @@ const sensitiveKeywords = createKeywordFilter([
   'google.com-'
 ]);
 const lowKeywords = createKeywordFilter([
+  'transactions-',
+  'payment-',
+  '-transactions',
+  '-payment',
+  '-faceb', // facebook fake
+  '.faceb', // facebook fake
+  'virus-',
+  'icloud-',
+  'apple-',
+  '-roblox',
   '-co-jp',
   'customer.',
   'customer-',
@@ -154,12 +155,6 @@ async function processPhihsingDomains(domainArr: string[]) {
           } else if (tld.length > 6) {
             domainScoreMap[apexDomain] += 2;
           }
-
-          if (sensitiveKeywords(apexDomain)) {
-            domainScoreMap[apexDomain] += 4;
-          } else if (lowKeywords(apexDomain)) {
-            domainScoreMap[apexDomain] += 2;
-          }
         }
         if (
           subdomain
@@ -203,12 +198,12 @@ export function calcDomainAbuseScore(subdomain: string, fullDomain: string) {
   const sensitiveKeywordsHit = sensitiveKeywords(fullDomain);
 
   if (sensitiveKeywordsHit) {
-    weight += 8;
+    weight += 9;
     if (hitLowKeywords) {
-      weight += 4;
+      weight += 5;
     }
   } else if (hitLowKeywords) {
-    weight += 1;
+    weight += 1.5;
   }
 
   const subdomainLength = subdomain.length;
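Review bot: The retuned weights in calcDomainAbuseScore (`weight += 9`, `+= 5`, `+= 1.5`) are magic numbers with no comment tying them to the threshold the caller compares against, and `1.5` is the first non-integer increment in this function, so any downstream integer comparison or `domainScoreMap` accumulation now has to tolerate fractional scores. A short comment above the block, e.g. `// keyword weights: sensitive brand keyword dominates (9), low-signal keyword stacks (+5) or stands alone (+1.5); keep in sync with the reject threshold in the caller`, would make the tuning intent reviewable. Separately, the hunk in processPhihsingDomains drops the apex-level `sensitiveKeywords`/`lowKeywords` bonus; if calcDomainAbuseScore is not also applied on that apex-only path (its caller is outside the hunk), an apex name containing `apple-` or `-roblox` with no subdomain loses the keyword signal entirely, which seems worth confirming. Both enclosing functions start outside the hunks shown here.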

+ 1 - 0
Source/domainset/cdn.conf

@@ -580,6 +580,7 @@ interactive-examples.mdn.mozilla.net
 .hubspotusercontent30.net
 .cdn2.hubspot.net
 .js.hubspot.com
+.js-eu1.hubspot.com
 .js.hubspotfeedback.com
 .js.usemessages.com
 .hsappstatic.net

+ 16 - 0
Source/domainset/reject_sukka.conf

@@ -49,6 +49,10 @@ optimus-ads.amap.com
 .zampdsp.com
 .zhugeio.com
 .telemetry.coder.com
+.tlsens.pl
+.moseasia.com
+.trytoku.com
+.yinzcam.com
 # fake pirate bay
 .thepiratebay3.com
 
@@ -309,6 +313,18 @@ inst.360safe.com
 .xsph.ru
 .ipv4dns.com
 .ipxx.pro
+.goonline-bnpparibas-pl.xyz
+# Poland Hosting dhosting.pl's free subdomain
+.you2.pl
+# NameCheap's WordPress hosting easywp.com subdomain, full of phishing
+.ingress-earth.ewp.live
+.ingress-erytho.ewp.live
+.ingress-daribow.ewp.live
+.ingress-haven.ewp.live
+.ingress-bonde.ewp.live
+.ingress-florina.ewp.live
+.ingress-comporellon.ewp.live
+.ingress-baronn.ewp.live
 
 .temp.swtest.ru
 .tw1.ru
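Review bot: The `.ingress-*.ewp.live` entries and `.you2.pl` block entire shared-hosting ingress nodes and a whole free-subdomain host rather than the offending sites, so every legitimate customer site served from those EasyWP nodes or dhosting.pl subdomains is rejected along with the phishing ones. The inline comments say why the hosts are listed but not that this is a deliberate over-block, nor how the list is expected to keep up as the provider adds ingress nodes beyond the eight named here. A comment such as `# intentionally blocks the whole ingress node; revisit if false positives are reported` next to the ewp.live group would record the trade-off for the next maintainer.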