mirror
/
SukkaSurge
镜像自地址 https://github.com/SukkaW/Surge.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254
							import { processDomainLists } from './parse-filter';
import * as tldts from 'tldts-experimental';

import type { Span } from '../trace';
import { appendArrayInPlaceCurried } from './append-array-in-place';
import { PHISHING_DOMAIN_LISTS_EXTRA } from '../constants/reject-data-source';
import { loosTldOptWithPrivateDomains } from '../constants/loose-tldts-opt';
import picocolors from 'picocolors';
import createKeywordFilter from './aho-corasick';
import { createCacheKey } from './cache-filesystem';

const BLACK_TLD = new Set([
  'accountant',
  'autos',
  'bar',
  'bid',
  'biz',
  'bond',
  'business',
  'buzz',
  'cc',
  'cf',
  'cfd',
  'click',
  'cloud',
  'club',
  'cn',
  'codes',
  'co.uk',
  'co.in',
  'com.br',
  'com.cn',
  'com.pl',
  'com.vn',
  'cool',
  'cricket',
  'cyou',
  'date',
  'digital',
  'download',
  'faith',
  'fit',
  'fun',
  'ga',
  'gd',
  'gives',
  'gq',
  'group',
  'host',
  'icu',
  'id',
  'info',
  'ink',
  'life',
  'live',
  'link',
  'loan',
  'ltd',
  'men',
  'ml',
  'mobi',
  'net.pl',
  'one',
  'online',
  'party',
  'pro',
  'pl',
  'pw',
  'racing',
  'rest',
  'review',
  'rf.gd',
  'sa.com',
  'sbs',
  'science',
  'shop',
  'site',
  'space',
  'store',
  'stream',
  'surf',
  'tech',
  'tk',
  'tokyo',
  'top',
  'trade',
  'vip',
  'vn',
  'webcam',
  'website',
  'win',
  'xyz',
  'za.com',
  'lat',
  'design'
]);

const WHITELIST_MAIN_DOMAINS = new Set([
  'w3s.link', // ipfs gateway
  // 'dweb.link', // ipfs gateway
  // 'nftstorage.link', // ipfs gateway
  'fleek.cool', // ipfs gateway
  'business.site', // Drag'n'Drop site building platform
  'page.link', // Firebase URL Shortener
  // 'notion.site',
  // 'vercel.app',
  'gitbook.io'
]);

const sensitiveKeywords = createKeywordFilter([
  '-roblox',
  '.amazon-',
  '-amazon',
  'fb-com',
  'facebook.',
  'facebook-',
  '.facebook',
  '-facebook',
  'coinbase',
  'metamask-',
  '-metamask',
  'virus-',
  'icloud-',
  'apple-',
  'www.apple.',
  '-coinbase',
  'coinbase-',
  'lcloud.',
  'lcloud-'
]);
const lowKeywords = createKeywordFilter([
  '-co-jp',
  'customer.',
  'customer-',
  '.www-',
  'instagram'
]);

const cacheKey = createCacheKey(__filename);

export const getPhishingDomains = (parentSpan: Span) => parentSpan.traceChild('get phishing domains').traceAsyncFn(async (span) => {
  const domainArr = await span.traceChildAsync('download/parse/merge phishing domains', async (curSpan) => {
    const domainArr: string[] = [];

    (await Promise.all(PHISHING_DOMAIN_LISTS_EXTRA.map(entry => processDomainLists(curSpan, ...entry, cacheKey))))
      .forEach(appendArrayInPlaceCurried(domainArr));

    return domainArr;
  });

  const domainCountMap: Record<string, number> = {};
  const domainScoreMap: Record<string, number> = {};

  span.traceChildSync('process phishing domain set', () => {
    for (let i = 0, len = domainArr.length; i < len; i++) {
      const line = domainArr[i];

      const {
        publicSuffix: tld,
        domain: apexDomain,
        subdomain,
        isPrivate
      } = tldts.parse(line, loosTldOptWithPrivateDomains);

      if (isPrivate) {
        continue;
      }

      if (!tld) {
        console.log(picocolors.yellow('[phishing domains] E0001'), 'missing tld', { line, tld });
        continue;
      }
      if (!apexDomain) {
        console.log(picocolors.yellow('[phishing domains] E0002'), 'missing domain', { line, apexDomain });
        continue;
      }

      domainCountMap[apexDomain] ||= 0;
      domainCountMap[apexDomain] += 1;

      if (!(apexDomain in domainScoreMap)) {
        domainScoreMap[apexDomain] = 0;
        if (BLACK_TLD.has(tld)) {
          domainScoreMap[apexDomain] += 4;
        } else if (tld.length > 6) {
          domainScoreMap[apexDomain] += 2;
        }
      }
      domainScoreMap[apexDomain] += calcDomainAbuseScore(subdomain);
    }
  });

  for (const domain in domainCountMap) {
    if (
      !WHITELIST_MAIN_DOMAINS.has(domain)
      && (
        domainScoreMap[domain] >= 12
        || (domainScoreMap[domain] >= 5 && domainCountMap[domain] >= 4)
      )
    ) {
      console.log({ domain });
      domainArr.push(`.${domain}`);
    }
  }

  return domainArr;
});

export function calcDomainAbuseScore(subdomain: string | null) {
  let weight = 0;

  if (subdomain) {
    const hitLowKeywords = lowKeywords(subdomain);
    const sensitiveKeywordsHit = sensitiveKeywords(subdomain);

    if (sensitiveKeywordsHit) {
      weight += 8;
      if (hitLowKeywords) {
        weight += 4;
      }
    } else if (hitLowKeywords) {
      weight += 1;
    }

    const subdomainLength = subdomain.length;

    if (subdomainLength > 4) {
      weight += 0.5;
      if (subdomainLength > 10) {
        weight += 0.5;
        if (subdomainLength > 20) {
          weight += 1;
          if (subdomainLength > 30) {
            weight += 2;
            if (subdomainLength > 40) {
              weight += 4;
            }
          }
        }
      }

      if (subdomain.startsWith('www.')) {
        weight += 4;
      } else if (subdomain.slice(1).includes('.')) {
        weight += 1;
        if (subdomain.includes('www.')) {
          weight += 4;
        }
      }
    }
  }

  return weight;
}