Phishtank list download fail
-
@revengineer
Tried HTTPS? I was able to add the https://data.phishtank.com/data/online-valid.csv.bz2
from the pfB Feeds page and for the heck of it registered for an API key and added it to the link. Ran w/o error on Force/Reload and Cron. That's the same list, just a different format, right?
-
@provels Good point. I did not write but did indeed try many combinations. For the https case with .bz extension, I get
curl -v https://data.phishtank.com/data/<api_key>/online-valid.csv.bz2 * Trying 104.16.101.75:443... * TCP_NODELAY set * Connected to data.phishtank.com (104.16.101.75) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /usr/local/share/certs/ca-root-nss.crt CApath: none * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 * ALPN, server accepted to use h2 * Server certificate: * subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com * start date: Aug 17 00:00:00 2020 GMT * expire date: Aug 17 12:00:00 2021 GMT * subjectAltName: host "data.phishtank.com" matched cert's "*.phishtank.com" * issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3 * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x803abb800) > GET /data/<api_key>/online-valid.csv.bz2 HTTP/2 > Host: data.phishtank.com > user-agent: curl/7.68.0 > accept: */* > * Connection state changed (MAX_CONCURRENT_STREAMS == 256)! < HTTP/2 302 < date: Sat, 21 Nov 2020 13:26:33 GMT < content-type: text/html; charset=UTF-8 < set-cookie: __cfduid=de8c92bb34f744f36bf09f5cfa9c6a7c21605965193; expires=Mon, 21-Dec-20 13:26:33 GMT; path=/; domain=.phishtank.com; HttpOnly; SameSite=Lax; Secure < x-request-limit-interval: 10800 Seconds < x-request-limit: 12 < x-request-count: 1 < location: https://d1750zhbc38ec0.cloudfront.net/datadumps/verified_online.csv.bz2?Expires=1605965203&Signature=efXCsFqG1q8UlLtJihn7Nj6fXJRyjTjXVq96b2gvsnAhyOiM9Kfv4mpuCfY...[ABBREVIATED] < cf-cache-status: DYNAMIC < cf-request-id: 068c953aa400002acc66ad6000000001 < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" < strict-transport-security: max-age=15552000 < server: cloudflare < cf-ray: 5f5abe3ddf3e2acc-IAD < * Connection #0 to host data.phishtank.com left intact -
I have tried downloading the feed from an Ubuntu server as well. The curl command fails in the same manner, wget command works.
@provels I think it may be time for me to contact the PhishTank folks. for comparison, can you post your "curl -v" output?
-
@revengineer said in Phishtank list download fail:
curl -v
curl -v https://data.phishtank.com/data/<api-key>/online-valid.csv.bz2 * Trying 2606:4700::6810:654b:443... * TCP_NODELAY set * Connected to data.phishtank.com (2606:4700::6810:654b) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /usr/local/share/certs/ca-root-nss.crt CApath: none * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 * ALPN, server accepted to use h2 * Server certificate: * subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com * start date: Aug 17 00:00:00 2020 GMT * expire date: Aug 17 12:00:00 2021 GMT * subjectAltName: host "data.phishtank.com" matched cert's "*.phishtank.com" * issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3 * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x803aba800) > GET /data/<api-key>/online-valid.csv.bz2 HTTP/2 > Host: data.phishtank.com > user-agent: curl/7.68.0 > accept: */* > * Connection state changed (MAX_CONCURRENT_STREAMS == 256)! < HTTP/2 302 < date: Sat, 21 Nov 2020 15:14:17 GMT < content-type: text/html; charset=UTF-8 < set-cookie: __cfduid=db5c57b87a118488312b7047180d6f9101605971657; expires=Mon, 21-Dec-20 15:14:17 GMT; path=/; domain=.phishtank.com; HttpOnly; SameSite=Lax; Secure < x-request-limit-interval: 10800 Seconds < x-request-limit: 12 < x-request-count: 1 < location: https://d1750zhbc38ec0.cloudfront.net/datadumps/verified_online.csv.bz2?Expires=1605971667&Signature=iUZaI4nsb9LNji0tMhiEsrZW9fryn751OzXVP ... ETC, ETC. < cf-cache-status: DYNAMIC < cf-request-id: 068cf7dc0900007f68c79e9000000001 < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" < strict-transport-security: max-age=15552000 < server: cloudflare < cf-ray: 5f5b5c0cd90f7f68-ORD < * Connection #0 to host data.phishtank.com left intact -
@provels This looks similar to my output. And after this you have a file called online-valid.csv.bz2 in the directory you called the command from?
-
@revengineer said in Phishtank list download fail:
online-valid.csv.bz2
Well, um, no. Ran from /root, not there. Searched the tree, too. But like I said, worked OK using HTTPS from Force and Cron within pfB. Does curl actually do a GET? I'm no command line expert.
-
@provels I tried one more time using API key, https, and .bz2 ending and it's just not working. The log is below. A google search for "cloudflare 403 error" yields upwards of half a million hits, and the solution may be somewhere in there. I sent email to PhishTank but do not expect a response. Beyond that this seems like a waste of time to pursue as it seems to be specific to me.
CRON PROCESS START [ 11/21/20 13:44:12 ] [ BD_IPs ] Remote timestamp: Sat, 21 Nov 2020 18:32:31 GMT Local timestamp: Sat, 21 Nov 2020 17:32:30 GMT Update found [ FireHOL3_IPs ] Remote timestamp: Sat, 21 Nov 2020 18:33:37 GMT Local timestamp: Sat, 21 Nov 2020 17:18:10 GMT Update found [ PhishTank ] Previous download failed. Re-attempt download UPDATE PROCESS START [ 11/21/20 13:44:14 ] ===[ DNSBL Process ]================================================ [ EasyList ] exists. [ EasyPrivacy ] exists. [ Adaway ] exists. [ Cameleon ] exists. [ yoyo ] exists. [ MDS ] exists. [ MDL ] Downloading update .. 200 OK No Domains Found [ URLhaus ] exists. [ OpenPhish ] exists. [ 11/21/20 13:44:15 ] [ PhishingArmy ] exists. [ PhishTank ] Downloading update .. 403 Forbidden [ DNSBL_Phishing - PhishTank ] Download FAIL Firewall and/or IDS are not blocking download. [ oisd ] exists. [ DNSBL_IP ] Updating aliastable [ 11/21/20 13:44:20 ]... no changes. Total IP count = 307378 ===[ Continent Process ]============================================ [ pfB_Top_v4 ] exists. [ 11/21/20 13:44:21 ] [ pfB_Top_v6 ] exists. ===[ IPv4 Process ]================================================= [ BD_IPs ] Downloading update .. 200 OK. completed .. Reputation (Max=5) - Range(s) 182.138.158.|192.241.218.|192.241.219.|192.241.233.|192.241.234.|192.241.235.|192.241.236.|192.241.237.|192.241.238.|192.241.239.|124.235.138.|124.227.31.|196.52.43.|167.248.133.|92.118.161.|162.243.128.|87.251.70.|221.13.12.|81.161.63.|192.35.168.|170.130.187.|74.120.14.|185.202.1.|185.202.2.|104.140.188.|104.206.128.|102.165.30.|162.142.125.| Reputation -Max Stats ------------------------------ Blacklisted Match Ranges IPs Ranges IPs ------------------------------ 28 290 0 0 [ ET_Block_IPs ] exists. [ ET_Comp_IPs ] exists. [ FireHOL3_IPs ] Downloading update .. 200 OK. completed .. Reputation (Max=5) - Range(s) 124.156.50.|124.156.54.|124.156.55.|124.156.62.|124.156.64.|118.186.203.|194.187.19.|42.247.5.|59.177.77.|59.177.78.|59.177.79.|92.118.160.|92.118.161.|59.99.40.|23.129.64.|193.32.8.|49.51.160.|49.51.161.|170.130.187.|178.72.68.|178.72.69.|178.72.70.|178.72.71.|91.240.243.|199.195.251.|184.105.247.|103.52.216.|103.52.217.|164.52.24.|178.17.170.|89.33.193.|162.62.17.|162.62.26.|192.241.208.|5.45.207.|192.241.211.|192.241.212.|192.241.213.|192.241.214.|192.241.215.|192.241.216.|192.241.217.|192.241.218.|192.241.219.|192.241.220.|192.241.221.|192.241.222.|192.241.231.|192.241.232.|192.241.233.|192.241.236.|192.241.238.|37.9.13.|203.243.10.|121.169.34.|107.6.162.|107.6.168.|178.174.136.|178.174.137.|114.122.101.|114.122.107.|209.17.96.|209.17.97.|124.156.240.|124.156.241.|124.156.245.|45.113.70.|45.113.71.|185.191.171.|197.5.145.|49.51.8.|49.51.9.|170.106.36.|170.106.37.|170.106.38.|94.180.24.|94.180.25.|94.180.28.|170.106.76.|170.106.81.|89.46.223.|45.148.10.|192.35.168.|185.202.1.|178.175.132.|125.64.103.|200.73.128.|200.73.129.|104.206.128.|202.164.139.|102.165.30.|147.92.153.|109.188.125.|109.188.126.|65.49.20.|182.140.235.|202.114.176.|113.141.70.|213.180.203.|195.154.122.|195.154.123.|124.205.84.|192.42.116.|74.82.47.|121.147.227.|206.189.223.|114.119.128.|185.100.87.|114.119.135.|114.119.137.|114.119.158.|167.160.184.|176.212.104.|176.212.108.|87.236.208.|121.178.247.|199.249.230.|194.87.138.|91.192.103.|45.140.17.|150.109.167.|150.109.170.|150.109.180.|150.109.181.|150.109.182.|49.51.12.|162.247.74.|109.70.100.|58.216.176.|185.220.101.|185.220.102.|95.163.255.|218.89.77.|121.149.104.|172.172.26.|176.214.44.|172.172.30.|80.94.93.|192.99.175.|74.120.14.|104.140.188.|198.143.175.|13.66.139.|5.255.231.|162.142.125.| Reputation -Max Stats ------------------------------ Blacklisted Match Ranges IPs Ranges IPs ------------------------------ 145 1687 1 0 ===[ IPv6 Process ]================================================= ===[ Reputation - pMax ]====================================== Querying for repeat offenders ( pMax=50 ) [ 11/21/20 13:44:23 ] Reputation -pMax ( None ) ===[ Reputation - dMax ]====================================== Querying for repeat offenders ( dMax=5 ) [ 11/21/20 13:44:23 ] Classifying repeat offenders by GeoIP Processing [ Block ] IPs Removing [ Block ] IPs Removed the following IP ranges: 171.25.193.|216.83.57.|185.234.219.|164.52.24.|59.46.13.|193.169.252.|61.177.172.|222.192.88.|91.241.19.|184.105.247.|218.92.0.|192.241.209.|192.241.210.|192.241.215.|84.38.187.|205.185.127.|5.188.206.|45.87.43.|202.165.22.|213.202.233.|68.183.231.|2.57.122.|206.189.171.|209.141.54.|112.85.42.|118.244.128.|180.215.215.| Reputation - dMax Stats ------------------------------ Blacklisted Match Ranges IPs Ranges IPs ------------------------------ 27 25 1 0 ===[ Aliastables / Rules ]========================================== No changes to Firewall rules, skipping Filter Reload Updating: pfB_Top_v4 no changes. Updating: pfB_Top_v6 no changes. Updating: pfB_BinaryDefense 30 addresses added.37 addresses deleted. Updating: pfB_EmergingThreatsDShield 2 addresses added.3 addresses deleted. Updating: pfB_FireHOL3 10405 addresses added.57 addresses deleted. ===[ FINAL Processing ]===================================== [ Original IP count ] [ 64441 ] ===[ Deny List IP Counts ]=========================== 62227 total 22166 /var/db/pfblockerng/deny/FireHOL3_IPs.txt 19038 /var/db/pfblockerng/deny/pfB_Top_v4.txt 6944 /var/db/pfblockerng/deny/pfB_Top_v6.txt 6413 /var/db/pfblockerng/deny/ET_Comp_IPs.txt 5310 /var/db/pfblockerng/deny/BD_IPs.txt 2356 /var/db/pfblockerng/deny/ET_Block_IPs.txt ===[ DNSBL Domain/IP Counts ] =================================== 849719 total 378541 /var/db/pfblockerng/dnsbl/oisd.txt 307327 /var/db/pfblockerng/dnsbl/URLhaus.ip 91552 /var/db/pfblockerng/dnsbl/URLhaus.txt 25637 /var/db/pfblockerng/dnsbl/MDS.txt 17223 /var/db/pfblockerng/dnsbl/EasyList.txt 11980 /var/db/pfblockerng/dnsbl/PhishingArmy.txt 6712 /var/db/pfblockerng/dnsbl/Cameleon.txt 4093 /var/db/pfblockerng/dnsbl/EasyPrivacy.txt 2901 /var/db/pfblockerng/dnsbl/OpenPhish.txt 2003 /var/db/pfblockerng/dnsbl/Adaway.txt 1699 /var/db/pfblockerng/dnsbl/yoyo.txt 21 /var/db/pfblockerng/dnsbl/OpenPhish.ip 20 /var/db/pfblockerng/dnsbl/EasyList.ip 10 /var/db/pfblockerng/dnsbl/EasyPrivacy.ip 0 /var/db/pfblockerng/dnsbl/PhishTank.fail ====================[ Last Updated List Summary ]============== Nov 20 00:30 ET_Block_IPs Nov 20 00:30 ET_Comp_IPs Nov 21 09:00 pfB_Top_v4 Nov 21 09:00 pfB_Top_v6 Nov 21 13:32 BD_IPs Nov 21 13:33 FireHOL3_IPs IPv4 alias tables IP count ----------------------------- 362661 IPv6 alias tables IP count ----------------------------- 6944 Alias table IP Counts ----------------------------- 369605 total 307378 /var/db/aliastables/pfB_DNSBLIP.txt 22166 /var/db/aliastables/pfB_FireHOL3.txt 19038 /var/db/aliastables/pfB_Top_v4.txt 8769 /var/db/aliastables/pfB_EmergingThreatsDShield.txt 6944 /var/db/aliastables/pfB_Top_v6.txt 5310 /var/db/aliastables/pfB_BinaryDefense.txt pfSense Table Stats ------------------- table-entries hard limit 2000000 Table Usage Count 486768 UPDATE PROCESS ENDED [ 11/21/20 13:44:27 ] -
@revengineer
Yeah, short of a typo on the URL line or a mistake in the API key, that's all I have. Sorry. -
@provels No worries, I thank you for your time to help me chase this down as far as we could.
There is one more question: Which version of pfBockerNG are you using? The devel version, or the older one. I still use the older (non-devel) version and that could be a difference.
-
@revengineer
I've only used the devel. Never had issues (at least not self-inflicted). -
@provels Thanks, I may update the version. I know that the author recommends the devel version for a long time, but for me this always sounded too much like "beta". Cheers!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.