GithubFollow/Surge_by_SukkaW
1
0
Fork 0
mirror of https://github.com/SukkaW/Surge.git synced 2025-12-12 01:00:34 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
Surge_by_SukkaW/Build/lib/get-phishing-domains.ts
SukkaW 02bff12245 Perf: simplify white suffix dedupe
2024-05-26 01:02:29 +08:00

199 lines
3.9 KiB
TypeScript
Raw Blame History

import { getGorhillPublicSuffixPromise } from './get-gorhill-publicsuffix';
import { processDomainLists } from './parse-filter';
import * as tldts from 'tldts';
import { TTL } from './cache-filesystem';
import { add as SetAdd } from 'mnemonist/set';
import type { Span } from '../trace';
const BLACK_TLD = new Set([
'accountant',
'autos',
'bar',
'bid',
'biz',
'bond',
'business',
'buzz',
'cc',
'cf',
'cfd',
'click',
'cloud',
'club',
'cn',
'codes',
'co.uk',
'co.in',
'com.br',
'com.cn',
'com.pl',
'com.vn',
'cool',
'cricket',
'cyou',
'date',
'download',
'faith',
'fit',
'fun',
'ga',
'gd',
'gq',
'group',
'host',
'icu',
'id',
'info',
'ink',
'life',
'live',
'link',
'loan',
'ltd',
'men',
'ml',
'mobi',
'net.pl',
'one',
'online',
'party',
'pro',
'pl',
'pw',
'racing',
'rest',
'review',
'rf.gd',
'sa.com',
'sbs',
'science',
'shop',
'site',
'space',
'store',
'stream',
'tech',
'tk',
'tokyo',
'top',
'trade',
'vip',
'vn',
'webcam',
'website',
'win',
'xyz',
'za.com',
'lat',
'design'
]);
export const getPhishingDomains = (parentSpan: Span) => parentSpan.traceChild('get phishing domains').traceAsyncFn(async (span) => {
const gorhill = await getGorhillPublicSuffixPromise();
const domainSet = await span.traceChildAsync('download/parse/merge phishing domains', async (curSpan) => {
const [domainSet, domainSet2] = await Promise.all([
processDomainLists(curSpan, 'https://curbengh.github.io/phishing-filter/phishing-filter-domains.txt', true, TTL.THREE_HOURS()),
processDomainLists(curSpan, 'https://phishing.army/download/phishing_army_blocklist.txt', true, TTL.THREE_HOURS())
]);
SetAdd(domainSet, domainSet2);
return domainSet;
});
const domainCountMap: Record<string, number> = {};
span.traceChildSync('process phishing domain set', () => {
const domainArr = Array.from(domainSet);
for (let i = 0, len = domainArr.length; i < len; i++) {
const line = domainArr[i];
const safeGorhillLine = line[0] === '.' ? line.slice(1) : line;
const apexDomain = gorhill.getDomain(safeGorhillLine);
if (!apexDomain) {
continue;
}
const tld = gorhill.getPublicSuffix(safeGorhillLine);
if (!tld || !BLACK_TLD.has(tld)) continue;
domainCountMap[apexDomain] ||= 0;
domainCountMap[apexDomain] += calcDomainAbuseScore(line);
}
});
const results = span.traceChildSync('get final phishing results', () => {
const res: string[] = [];
for (const domain in domainCountMap) {
if (domainCountMap[domain] >= 8) {
res.push(`.${domain}`);
}
}
return res;
});
return [results, domainSet] as const;
});
export function calcDomainAbuseScore(line: string) {
let weight = 1;
const isPhishingDomainMockingCoJp = line.includes('-co-jp');
if (isPhishingDomainMockingCoJp) {
weight += 0.5;
}
if (line.startsWith('.amaz')) {
weight += 0.5;
if (line.startsWith('.amazon-')) {
weight += 4.5;
}
if (isPhishingDomainMockingCoJp) {
weight += 4;
}
} else if (line.includes('.customer')) {
weight += 0.25;
}
const lineLen = line.length;
if (lineLen > 19) {
// Add more weight if the domain is long enough
if (lineLen > 44) {
weight += 3.5;
} else if (lineLen > 34) {
weight += 2.5;
} else if (lineLen > 29) {
weight += 1.5;
} else if (lineLen > 24) {
weight += 0.75;
} else {
weight += 0.25;
}
}
const subdomain = tldts.getSubdomain(line, { detectIp: false });
if (subdomain) {
if (subdomain.slice(1).includes('.')) {
weight += 1;
}
if (subdomain.length > 40) {
weight += 3;
} else if (subdomain.length > 30) {
weight += 1.5;
} else if (subdomain.length > 20) {
weight += 1;
} else if (subdomain.length > 10) {
weight += 0.1;
}
}
return weight;
}
Reference in New Issue View Git Blame Copy Permalink