T145 / black-mirror

🌓 Reflection | 💿 Redundancy | ✅ Reliability

---

Automatically maintained malicious host blacklists and false-positive whitelists.

---

🛡️ Privacy Protectors

• Test your browser's tracking resilience with CoverYourTracks!
• Support LetsBlockIt to consolidate and simplify uBlock filters!
• Explore PrivacyGuides and Prism Break to discover services that respect your privacy!
• Use BypassPaywalls to access restricted and useful information, such as the WSJ's Facebook Files.
• Skip over URL shortener links by using FastForward, which is a better alternative to outright domain blocking.

🖋️ Manifesto

Defines the logic behind why a host is permitted or blocked. Please report any hosts that are wrongly blocked or sources that do not wholly align in an issue. Reference the contribution guidelines.

📋 Attributes

1. Produced in domain-only, IPv4-only, IPv4-CIDR-only, and IPv6-only builds.
2. Updates at 1:27 AM & PM UTC.
3. No excess or trailing whitespace.
4. No lingering webscraper garbage.
5. Lines are terminated with lf.
6. No blank lines.
7. No comments.

🚚 Deliverables

⚓ Hyperlinks

🧮 Checksum Evaluation

cat black_domain.txt | sha256sum -c black_domain.checksums --status && echo $?

A return code of 0 means the check was successful. The specific checksum command can be any of the following:

• md5sum
• b2sum
• sha1sum
• sha224sum
• sha256sum
• sha384sum
• sha512sum

🐙 Fetching GitHub Releases

Provided below are some examples to fetch release artifacts leveraging the GitHub API.

Get all build artifacts

curl --proto '=https' --tlsv1.3 -H 'Accept: application/vnd.github.v3+json' -sSf https://api.github.com/repos/T145/black-mirror/releases/latest | jq -r '.assets[].browser_download_url'

Get a build artifact & its checksum

curl --proto '=https' --tlsv1.3 -H 'Accept: application/vnd.github.v3+json' -sSf https://api.github.com/repos/T145/black-mirror/releases/latest | jq -r '.assets[] | select(.name | startswith("black_domain")).browser_download_url'

Get a single build artifact

curl --proto '=https' --tlsv1.3 -H 'Accept: application/vnd.github.v3+json' -sSf https://api.github.com/repos/T145/black-mirror/releases/latest | jq -r '.assets[] | select(.name | startswith("black_domain")) | select(.name | endswith(".txt")).browser_download_url'

🛠️ Usage

Desktop OS Hosts File

mawk '{print "0.0.0.0 " $0}' black_domain.txt >>hosts
# mawk '{print ":: " $0}' black_domain.txt >>hosts
mawk '{print "0.0.0.0 " $0}' black_ipv4.txt >>hosts
mawk '{print ":: " $0}' black_ipv6.txt >>hosts

dnsmasq

Many popular platforms such as OpenWRT, DDWRT, and Pihole use DNSmasq as their choice TCP powerhouse. After inspecting many domain blocklists you'll inevitably run across a list in the dnsmasq.conf format. This list doesn't support it because you can use the addn-hosts parameter to add hosts in the list. Target a file that has the hosts in a format similar to the Desktop OS Hosts File format.

If you're using the RADVD daemon, prepend any listed hosts with ::. Otherwise, even if you have IPv6 support set up, prepend hosts with 0.0.0.0.

This has been tested across all the mentioned platforms using dig{6} on a small sample size and had each host null-routed successfully. DNSmasq's man page discusses configuration further, and DDWRT's ad blocking wiki page provides some examples.

Amazon EC2 DNS Resolver

Follow this guide to create a DNS server on a Amazon EC2 instance.

pihole

If you'd like to update when some sources do or not extract a production build, just use the single-line list sources.pihole. Note that this list only contains Pihole-compatible sources, and not every handled source. Some manual configuration may also be required.

unbound

Similar to dnsmasq, but requires more manual configuration. Name any products as a *.conf file. Then follow Steffinstanly's instructions on how to apply blocklists.

personalDNSfilter

Use the domain list.

📚 Sources

Please report any redundant sources in an issue!

⬛ Blacklists

• Perflyst
  • android-tracking
  • AmazonFireTV
  • SessionReplay
  • SmartTV
• anti_ad
• kodopenguin
  • Main-Template
  • Gaming-Full-Template
  • Android-Full-Template
• notracking
• oisd_full
• oisd_extra
• openphish
• phishing_army
• easylist_finnish
• easylist_indonesian
• List-KR
• KADhosts
• polish-ads-filter
  • hole_cert_pl
  • hostfile
• Frellwits-filter-lists
• wally3k
• Energized Xtreme Extension
• AnudeepND
• WindowsSpyBlocker
• Sinfonietta
• The Block List Project
• Blackbird for Windows
• FireHOL Level 4
• blocklist_de
• geoffrey_frogeye
• threatcrowd
• antisocialengineer
• windscribe
• not_on_my_shift
• lightswitch05|developerdan
• resecure_me
• kriskintel
• filtri_dns
• mailscanner
• binarydefense
• digitalside
• matomo_spam
• Abuse.ch
  • feodotracker
  • sslbl
  • urlhaus
  • threatfox (domains only)
• 360_netlab
• cybercrime
• taz_spam
• bruteforceblocker
• myip_full_blacklist
• myip_webcrawlers
• 4skinSkywalker Anti Porn
• ios-trackers
• apple-telemetry
• ISC Sans/DShield
  • adscore
  • alphastrike
  • arbor
  • blindferret
  • censys
  • ciarmy
  • cybergreen
  • erratasec
  • internetcensus
  • ipip
  • netsystems
  • onyphe
  • rapid7sonar
  • recyber
  • scorecard
  • shadowserver
  • shodan
  • stretchoid
  • (Skipping tldns and tor since they're "other" lists and not especially malicious)
    • Whitelist TLD Name Servers and Tor Exit Nodes from Tor Project?
  • univmichigan
  • univsydney
• cinsscore
• Rutgers University Attack Log
• threatsourcing
• maltrail
• darklist
• cryptolaemus
• alienvault
• turris
• spamhaus
• voipbl
• botvrij
• malsilo|raw-data
• The Quantum Ad-List
  • Last updated nearly a year ago and may need to be deprecated, though most hosts seem to be up.
• Airelle's Hosts
• someonewhocares
• FutaFilter
• betterfyi
• ayashige
• yoyo
• winhelp2002
• ddgtrackerradar
• Exodus trackers
• npc hosts
• fanboy
• CoinBlockerLists
• ShadowWhisperer
• OpenDBL/talos
• azorult tracker
• Project Honey Pot
• viriback
• PhishStats
• dandelionsprout
  • antimalware
  • norwegian
• Certego Intel
• Mirai Tracker
• Cyber Cure
• IPsum
  • Gets IPs from maltrail
• Benkow_
• malware-discoverer
• mobiletrackers
• Kaspersky TinyCheck
• stalkerware-indicators
• Additional (Undesired) Hosts
• UCEPROTECT
  • Level 1
  • Level 2
  • Level 3
  • Backscatterer
• Exodus Privacy
• DShield
• NoTrack
• NoTrack Tracker Radar
• 1Hosts Includes
• Disconnect.
• StevenBlack
• adblock-nocoin-list
• Adguard (more to come)
  • cname-trackers
• durablenapkin
  • luminati
  • streaming
  • tvstream
  • avast
  • scam
• Phishing Database
  • Active domains & IPs only.
• GoodbyeAds
• xfiles
• RPiList
  • Corona-Blacklist
  • Fake-Science
  • MS-Office-Telemetry
  • Phishing-Angriffe
  • Win10Telemetry
  • child-protection
  • notserious
• infinitytec
• shady-hosts
• DataPlane
• C2IntelFeeds
• joewein's custom list
• SecurityResearch
• Sunshine
  • Webradio (Germans know how to party: be nice!)
• bjornstar
• CyberSaiyan
• d3ward

⬜ Whitelists

Applied to generated blacklists.

• Energized Unblock
• AnudeepND False Positives
• AnudeepND Whitelist
• hipo_universities
• public_dns
• tor_bulkexitlist
• dan_me_uk
• CoinBlockerWhiteList
• ShadowWhisperer's Filter
• 1Hosts Excludes
• Team Cymru
• C2Intel Nord VPN IPs

🥢 Duplicates

Sources that contain duplicate and potentially deprecated data.

• andryou
• adfree
  • Save as "adfree.gz," and run "gunzip adfree.gz"
• canihazprivacy
• ftpmorph pastebin
• mypdns
• gnuzilla
  • In update.sh:

    wget https://easylist-downloads.adblockplus.org/easyprivacy.txt -q
    wget https://easylist-downloads.adblockplus.org/easylist.txt -q
    #wget https://easylist-downloads.adblockplus.org/antiadblockfilters.txt -q
    #wget https://easylist-downloads.adblockplus.org/fanboy-annoyance.txt -q
    wget https://easylist-downloads.adblockplus.org/fanboy-social.txt -q

• sebsauvage
• EmergingThreats
  • Pulls from abuse.ch, spamhaus, and dshield, which are all in use.
• mobile-hosts
• potentialTrackers
• UsefulLinuxShellScripts
  • Active but references sources from iBlocklist.
• hosts.extra
• blackbook
• mischosts
  • Only TikTok list; WhiteOps is should be double-checked.
• ut-capitole
  • Has a lot of deprecated data.
• joewein's base list
  • Likely draws from other sources.
• shallalist
  • Similar to ut-capitole.
• malware-filter
• AdlistTXTS
• socialblocklists

🧟 Zombies

Sources that are dead or deprecated and not included but may be worth mentioning.

• Squidguard Archive
  • Found individually a while back
  • Contains some obvious placeholder/garbage domains
• BarbBlock
• NSABlocklist
• Wael
• Sblam
• St. Dominic's Priory College Droplists
• URLVir
• unit42
  • Select Go to file, then search using the term "domains"
• fireeye
• aptnotes
• malware-indicators
• da667
• malware-ioc
• malwaredomains
• multiproxy
• malwaredomainlist
• malware-traffic-analysis
• nothink
• targetedthreats
• policeman-rulesets
• malwaremustdie
• threatfeeds
  • Some HTTP-200 sources updated a long time ago
• yourcmc
  • Last-Modified: Wed, 04 Jul 2012 21:04:35 GMT
• iblocklist
• malc0de
  • MALC0DE'S RSS FEED CONTAINS SHADE RANSOMWARE! YOU HAVE BEEN WARNED.
• cameleon
• hexxium
• malfeed
• carl.net
  • last-modified: Sun, 01 Sep 2002 16:05:00 GMT
• BadHosts
  • Last updated in 2018
• gjtech
• ethanr dns-blacklists
• keweonDNS up2date
• deathbybandaid
• Ransomware Overview
• fanboy
  • vietnam
  • japanese
  • polish
• ryanbr
• Princeton Webcensus
• UnrealSecurity
  • Takes too long to respond; likely offline.
• ipspamlist
  • Last updated in 2020.
• neohosts
• android-stalkerware
• stalkerware-urls
  • Presently archived.
• h3x
  • Feeds are empty.
• Minimal-Hosts-Blocker
• blacklist-named
  • Does not update automatically.
• sophos-xg-block-lists
• piholeparser
• IsraelList
• niecko
• DontPushMe
• pfbng
• NanoFilters
• dnsbl-dfed
• nopelist
• DisconnectMe AWS
  • simple_ad (Last-Modified: Fri, 31 Jul 2015 19:01:02 GMT)
  • simple_tracking (Last-Modified: Sat, 01 Feb 2020 02:37:09 GMT)
  • shavar-prod-lists
• ad-wars
• phishing_hosts
• antipopads
• romanian-media-propaganda-adblock-list
• cosmonotes
  • Mediafire links are still good.
• Gift-Card-Killer
• crypto-scams-fr
• GetAdmiral
• nolovia
  • Active but references many dead sources.
• spammerslapper
• Badd-Boyz-Hosts
• The-Big-List-of-Hacked-Malware-Web-Sites
• AdmiraList
• dns-zone-blacklist
• List-KR
• uBlock-Filters-Plus
• uBOPa
• iploggerfilter
• thai-ads-filter
• jaka's domains
• Cryptojacking-campaign-list
  • Active but draws from inactive Google Sheets.
  • https://dehakkelaar.nl/lists/
• yhosts
• easylistczechandslovak
• Andrew's Settings
• dupontjean
• jmdugan
• void-gr-filters
• pdns-recreator
• adblock.gardar
• TR-PhishingList
• Spam404
• bgpranking
• vxvault
  • Offline since last check.
• anti-pr0n
• Evil Domains
• AdBlock Rules
• Clickbait Blocklist
• Hello, Goodbye
• 0131 blocklist
• international-list
• nothingblock
• Andromeda uBlock
• uBlock Filters Plus
• I don't care about cookies
• Netlab's Mirai Scanner
• cyberthreat
  • Service has ended.
• Haruko
  • Offline since last check.
• Charles B. Haley
  • Offline since last check.
• Clefspeare13
  • GitHub's Dirty Dancing
• Zonefiles
  • Offline since last check.

🕵🏻 Lamers Unwelcome

• cybercrime-tracker
  • EMV
• MalwareBazaar
• virusbay
• malpedia
• manalyzer
• malshare
• ecrimelabs

📦 Big Data Lists

Typically used by other blacklist projects as whitelists.

🌐 IP Block Providers

Simply provide IP blocks for entire geographic regions.

• openportstats
• ipdeny
• IPverse

🎶 Notes

R Language

Docker installs

RUN apt-get -y install r-base

# install libarchive manually since libarchive-dev is at version 3.4.3
# https://github.com/libarchive/libarchive/wiki/BuildInstructions#using-configure-for-building-from-the-command-line-on-linux-freebsd-solaris-cygwin-aix-interix-mac-os-x-and-other-unix-like-systems
# https://www.zhouchun.net/blog/show/439 (run all commands together to prevent spawning subcontainers)
RUN aria2c https://github.com/libarchive/libarchive/releases/download/v3.5.2/libarchive-3.5.2.tar.gz \
&& tar xzf libarchive-3.5.2.tar.gz \
&& cd libarchive-3.5.2 \
&& ./configure \
&& make \
&& make check \
&& make install \
&& cd .. \
&& rm libarchive-3.5.2.tar.gz

# install R libarchive bindings
# https://github.com/r-lib/archive
RUN echo 'install.packages("archive", repos="https://cloud.r-project.org/")' | R --vanilla \
&& echo 'install.packages("data.table", repos="https://cloud.r-project.org/")' | R --vanilla

Boosting speeds

• http://adv-r.had.co.nz/Performance.html
• http://www.pqr-project.org/
• https://github.com/bedatadriven/renjin
• http://www.dartistics.com/fast-r-code.html
• https://datascienceplus.com/strategies-to-speedup-r-code/

Need for speed

References

• https://fossies.org/linux/parallel/src/parsort
• https://unix.stackexchange.com/questions/579251/how-to-use-parallel-to-speed-up-sort-for-big-files-fitting-in-ram#579252
• https://askubuntu.com/questions/1006377/check-the-max-allowed-threads-count-for-sure#1006384
• https://stackoverflow.com/questions/9066609/fastest-possible-grep