I’ve been working on adding sites to https://polkadot.js.org/phishing/, and this month I was able to add 369 websites. I have automated parts of the process, but most of the time I spend is actually on adding sites to the GitHub repository (formatting URLs and placing them in alphabetical order). That process is getting harder since we have more and more reported URLs. I was wondering if there could be a better way to block phishing sites.

1. Pull phishing URLs from some phishing site databases. I have found this site: https://pastebin.com/u/spamreports
2. User-reportable suspicious sites. Let’s say a user goes to a site and it looks and feels suspicious. The user can then click on the polkadot.js extension and mark it as “Suspicious”. The site gets added to a “Suspicious List”; the next user would get a warning but would still be able to go to the site. If you get 10 users marking the site as “Suspicious”, the site gets added to the list and it is blocked. You could have moderators: if they think the site is phishing, they can verify it and it gets added to the blocked list.
3. If the user goes to a site that has specific keywords in the URL, warn the user about phishing sites, like do not paste seed keys to URLs t
@polkadot/phishing
A curated list of potentially less-than-honest sites inclusive of a simple JS utility function to check any host against this list.
Additions
To add a new site, edit all.json and add any new entries; single or multiple entries are allowed per edit.
To add a new scam address (typically per site), edit address.json and add it in the correct section (which is keyed by the site providing them).
Availability
Making additions to the list will be reflected on merge at polkadot.js.org/phishing/all.json & polkadot.js.org/phishing/address.json. These can be consumed via @polkadot/phishing and other tools capable of parsing JSON.
The {address, all}.json files are also published to IPFS, via ipns/phishing.dotapps.io. Libraries can also consume from here for a decentralized approach.
Integration
Since the lists are published as JSON, integration for any non-JS wallets (only a JS library is provided) should be simple: retrieve the applicable list, parse the JSON and do the required checks on either host or address, as per the requirements. The JavaScript library does have some features that may be worth considering for other integrations:
- instead of retrieving the list each time a request is made, a local copy is cached for 45 mins and then re-retrieved when the timer expires (as a request is made)
- for address checks the check is done on the decoded ss58 address to ensure that network-jumps with the same keys are avoided (so addresses do not have to be re-added for other networks, a single entry will cover all)
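The host check with the 45-minute cache described above, as an added example (not the @polkadot/phishing library's own code). It assumes all.json carries a `deny` array of hostnames; `createChecker`, `load` and `now` are hypothetical names, and matching parent domains is an assumption about how an integration would treat subdomains.

```javascript
// Added example, not the @polkadot/phishing source. Assumption: all.json has
// the shape { "deny": ["host", ...] }; the page does not document the layout.
const LIST_URL = 'https://polkadot.js.org/phishing/all.json';
const TTL_MS = 45 * 60 * 1000; // cache lifetime stated in the text

// Reduce a URL or bare host to a lowercase hostname (no port, no trailing dot).
function extractHost(input) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(input);
  const { hostname } = new URL(hasScheme ? input : `https://${input}`);
  return hostname.toLowerCase().replace(/\.$/, '');
}

// The host plus each parent domain (bare TLD excluded), so a listed
// "evil.example" also covers "claim.evil.example".
function hostCandidates(host) {
  const labels = host.split('.');
  const out = [];
  for (let i = 0; i < Math.max(1, labels.length - 1); i++) {
    out.push(labels.slice(i).join('.'));
  }
  return out;
}

// load and now are injectable (hypothetical parameters) so the checker can be
// exercised offline; the default load fetches the published list.
function createChecker({
  load = () => fetch(LIST_URL).then((r) => r.json()),
  ttlMs = TTL_MS,
  now = Date.now
} = {}) {
  let deny = null;
  let fetchedAt = 0;
  let inflight = null; // shared by concurrent callers: one download at a time
  async function refresh() {
    const json = await load();
    if (!json || !Array.isArray(json.deny)) throw new Error('unexpected list format');
    deny = new Set(json.deny.map((h) => String(h).toLowerCase()));
    fetchedAt = now();
  }

  return async function isDenied(urlOrHost) {
    if (deny === null || now() - fetchedAt >= ttlMs) {
      inflight = inflight || refresh().finally(() => { inflight = null; });
      // A failed refresh falls back to the stale copy; with no copy at all, fail.
      try { await inflight; } catch (err) { if (deny === null) throw err; }
    }
    return hostCandidates(extractHost(urlOrHost)).some((h) => deny.has(h));
  };
}
```

The list is only re-downloaded when a check arrives after the timer has expired, which matches the "as a request is made" behaviour in the first bullet.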
Contributing
These lists are intended to be maintained with active input from the community, so contributions are welcome, either via a pull request (edit as described under Additions above) or by logging an issue.