[Adblock Plus 2.0] ! Title: 🛑 Enhanced website protection ! Description: To be used in conjunction with Dandelion Sprout's Anti-Malware List, this filter will warn users before making top-site navigations that use the TLDs below. This list focuses on top-site navigations, not sub-requests. Please report exceptions to legitimate sites. Many exceptions come from bestplayerbot. ! Homepage: https://github.com/yokoffing/filterlists ! Expires: 4 days (update frequency) ! Version: 18 June 2024 ! Syntax: AdBlock !!! Malicious TLDs ! Topical domains with wide use by bad actors and whose use for legitimate purposes is small ||buzz^$doc,from=~allthe.buzz|~awful.buzz|~cliq.buzz|~montpellier.buzz|~sideb.buzz|~williamsonday.buzz ||mov^$doc,from=~david.mov ||tk^$doc,from=~adistance.tk|~bloatcat.tk|~bonzibuddy.tk|~bryla.tk|~bstweaker.tk|~budterence.tk|~c-r-t.tk|~c0d3c.tk|~censurion.tk|~china996.tk|~cuso.tk|~devhonk.tk|~dlyang.tk|~google.tk|~goshujin.tk|~gotofap.tk|~graph.tk|~grazziecorp.tk|~handicapped.tk|~heggadrone.tk|~helene.tk|~kabi.tk|~lameni.tk|~leroymcqy.tk|~loveisgrief.tk|~msqtdn.tk|~pube.tk|~rainer-zufall.tk|~sironi.tk|~takiverse.tk|~tokelau-info.tk|~webdev189.tk|~xn--qubec-csa.tk|~zete.tk ||zip^$doc,from=~community.zip|~financialstatement.zip|~lemmy.zip|~redecanais.zip|~redecanaistv.zip|~url.zip !!! Likely abused TLDs ! https://w3techs.com/technologies/overview/top_level_domain ! https://www.spamhaus.org/statistics/tlds/ ||beauty^$doc,from=~homelab.beauty|~nic.beauty|~vipbj.beauty ||dad^$doc,from=~classic.dad|~daily.dad|~dear.dad|~rad.dad ||degree^$doc,from=~nic.degree|~opf.degree|~three60.degree ||esq^$doc,from=~erika.esq ||fit^$doc,from=~appetit.fit|~clubb.fit|~justget.fit|~nic.fit|~pridegym.fit|~thebene.fit|~tootally.fit|~union.fit ||foo^$doc,from=~helloworld.foo ||loans^$doc ||phd^$doc,from=~rafael.phd ||prof^$doc,from=~casey.prof ||quest^$doc,from=~0x00.quest|~amble.quest|~bookshelf.quest|~dice.quest|~dont-panic.quest|~epochal.quest|~federation.quest|~galaxy.quest|~mhn.quest|~mylegendary.quest|~nic.quest|~prometheus.quest|~squash.quest|~teacher.quest|~theculture.quest|~toot.quest ||surf^$doc,from=~bloom.surf|~fedi.surf|~glowing.surf|~kayaking.surf|~nic.surf|~quran.surf|~s-wings.surf|~surfstation.surf !!! Country-specific TLDs ! Contain malware domains that have nothing to do with the countries in question ! Mali ||ml^$doc,from=~aire.ml|~amap.ml|~beatbump.ml|~birdkey.ml|~debula.ml|~dmml.ml|~esparrec.ml|~exp0.ml|~fedi.ml|~fmhy.ml|~ghostcloud.ml|~google.ml|~guya.ml|~info-matin.ml|~kawauso.ml|~leam.ml|~lemmy.ml|~lemmygrad.ml|~lingva.ml|~loma.ml|~masto.ml|~mastodon.ml|~mastodonte.ml|~melody.ml|~nothingprivate.ml|~precure.ml|~prompt.ml|~stilic.ml|~sumanko.ml|~we-moon.ml ! Non-latin TLDs ! from https://github.com/hagezi/dns-blocklists/issues/143#issuecomment-1579896974 /(://|^)[a-z0-9.-]{2,}\.xn--[a-z0-9]{4,}($|/)/ ! Punycode URLs ! Protect yourself from fake sites ! Equivalent to network.IDN_show_punycode = false in Firefox ! https://www.reddit.com/r/firefox/comments/17p68i7/set_networkidn_show_punycodetrue_to_protect/ ||xn--$doc,frame !!! Scam sites ! https://github.com/yokoffing/filterlists/issues/147 ||service-rundfunkbeitrag.de !!! Credit for everything below goes to https://github.com/iam-py-test/my_filters_001/blob/main/enhanced_protection.txt /^https:\/\/[-0-9a-z]{12,19}\.(?:com|life)\/\?u=[0-9a-z]{7,}&o=[0-9a-z]{7,}&t=S1/$doc,domain=com|life ! very few legit things come in password-protected archives, and even fewer of them come in password protected archives with the password in the filename ! false positives: website scanning services, malware sharing sites (?) /\/Use_[a-zA-Z0-9]*_As_Passw0rdd\.rar$/$doc /\/Use_[a-zA-Z0-9]*_As_Password\.rar$/$doc /\/Passwords_2024_Setup_Full\.rar$/$doc ! test rule to detect possible malware hosted on MediaFire (i.e. https://app.any.run/tasks/d40fc871-4942-4acd-8d6a-d8f4baae1f32) ||mediafire.com/file/*/NewSetup_Use_2023_Password.rar/file^$doc ! https://www.virustotal.com/gui/url/4cbb55b62fe8bc2acdaa79d3c4fd3a6d33c0d5eed287bbe655fc117c6bdeb0a3/community .ltd/invoice/invoice.exe|$doc ! already blocked in MWB - discord nitro scam .xyz/nitrocodes/|$doc ! various URLHaus URLs ||transfer.sh/get/*/svchost.exe|$all ||cdn.discordapp.com/attachments/*/*/svchost.exe|$all ! https://www.virustotal.com/gui/url/51a5c613fa07f8301aa68fa16e7307dbf3bf0b0dcfa015632895d7ebf7ca36d3/community ! analysis: https://tria.ge/230918-nj1eqagh7x/behavioral1 ||bookingcomdetails.$doc /lnvoice__1541436948.js$doc,domain=blogspot.com