Primary Block Lists
Status: โ
Operational
Last Updated: 2026-07-03
Automation: Daily at 2 AM UTC
The upstream source monitoring system automatically fetches updates from trusted blocklist sources and creates pull requests with new domains. This keeps your lists current with the latest security threats without manual intervention.
config/lists.yml) - Defines upstream sourcesscripts/monitor_upstream.py) - Fetches and compares.github/workflows/upstream-monitor.yml) - Automationโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Daily Trigger (2 AM UTC) โ
โโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Load config/lists.yml โ
โ โข Find lists with upstream_sources โ
โ โข Get update frequency and trust settings โ
โโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ For each list with upstream sources: โ
โ 1. Fetch upstream data (with caching) โ
โ 2. Normalize domains based on format โ
โ 3. Compare with local list โ
โ 4. Identify new and removed domains โ
โโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ If changes found: โ
โ 1. Create git branch โ
โ 2. Add new domains to list โ
โ 3. Commit changes โ
โ 4. Generate PR description โ
โโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Create Pull Request: โ
โ โข Add labels (size:small/medium/large) โ
โ โข Mark auto-merge eligible if โค10 domains โ
โ โข Request review if >100 domains โ
โโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Create summary issue: โ
โ โข List all updated lists โ
โ โข Total new domains โ
โ โข Links to PRs โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
| List | Category | Sources | Frequency |
|---|---|---|---|
| abuse | Security | 2 | Daily |
| ads | Advertising | 3 | Daily/Weekly |
| crypto | Security | 2 | Daily/Weekly |
| fraud | Security | 1 | Daily |
| gambling | Content | 1 | Weekly |
| malware | Security | 3 | Daily |
| phishing | Security | 2 | Daily |
| porn | Content | 1 | Weekly |
| ransomware | Security | 2 | Daily |
| tracking | Privacy | 2 | Weekly |
Total: 23 upstream sources configured
Edit config/lists.yml and add to the appropriate list:
lists:
your_list:
description: "Description of your list"
category: security # or advertising, content, tracking, etc.
status: stable
upstream_sources:
- url: "https://example.com/blocklist.txt"
format: hosts # hosts, domains, adguard, or dnsmasq
trusted: true # true = auto-merge eligible, false = always review
update_frequency: daily # daily, weekly, hourly
filter_comments: true # Skip lines starting with #
max_domains: 1000 # Optional: limit to prevent huge merges
| Format | Example | Description |
|---|---|---|
hosts |
0.0.0.0 example.com |
Standard hosts file format |
domains |
example.com |
Plain domain list (one per line) |
adguard |
\|\|example.com^ |
AdGuard format |
dnsmasq |
server=/example.com/ |
dnsmasq format |
trusted: true - Auto-merge eligible if changes โค thresholdtrusted: false - Always requires manual reviewdaily - Checked every day at 2 AM UTCweekly - Checked once per weekhourly - Checked every hour (use sparingly!)# Check a specific list
python scripts/monitor_upstream.py --list ads
# Check all lists with upstream sources
python scripts/monitor_upstream.py --all
# Dry run (check only, don't create PRs)
python scripts/monitor_upstream.py --all --dry-run
# Force fresh fetch (ignore cache)
python scripts/monitor_upstream.py --all --no-cache
The workflow runs automatically via GitHub Actions:
.github/workflows/upstream-monitor.ymllist_name input (e.g., ads)list_name emptydry_run to truechore: update malware from upstream sources (+8 domains)
## ๐ค Automated Upstream Update: malware
This PR was automatically generated by the upstream monitoring system.
### ๐ Summary
- **List:** malware.txt
- **New domains:** 8
- **Removed domains:** 0
- **Sources checked:** 3
### ๐ก Source Details
#### Source 1: urlhaus-filter-hosts.txt
- **URL:** https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-hosts.txt
- **Upstream total:** 5,234 domains
- **New domains:** 8
**New domains:**
malicious-domain1.com malicious-domain2.com malicious-domain3.com โฆ
### โ
Validation
- [ ] New domains are relevant to the malware category
- [ ] No false positives identified
- [ ] Domains pass validation checks
- [ ] Build succeeds
### ๐ Merge Policy
โ
**Auto-merge eligible** - Changes are below threshold (โค10 domains)
automation - Automated PRupstream-update - From upstream monitoringsize:small - โค10 domainssize:medium - 11-100 domainssize:large - >100 domainsauto-merge-candidate - Eligible for auto-mergeneeds-review - Requires manual reviewbreaking-change - Large changes (>100 domains)Changes are eligible for automatic merge when ALL conditions are met:
โ
Source is trusted (trusted: true in config)
โ
Small changes (โค10 new domains)
โ
CI passes (all tests green)
โ
No conflicts (clean merge)
Manual review is required when ANY condition is met:
โ ๏ธ Source not trusted (trusted: false)
โ ๏ธ Medium changes (11-100 domains)
๐ด Large changes (>100 domains)
๐ด CI fails (tests or validation errors)
When reviewing a PR:
settings:
upstream:
enabled: true
check_frequency: daily
auto_merge_threshold: 10 # Auto-merge if changes โค this
require_review_threshold: 100 # Manual review if changes > this
cache_ttl: 86400 # 24 hours in seconds
upstream_sources:
- url: "..."
max_domains: 1000 # Limit to prevent huge merges
trusted: true # Auto-merge eligible
After each run, a summary issue is created with:
The weekly issue report (created by weekly-report.yml) includes:
Symptom: Workflow fails with โError fetching URLโ
Solution:
lists.ymlSymptom: PR marked as breaking-change with 1000+ domains
Solution:
max_domains limit to source configSymptom: Legitimate domains in PR
Solution:
trusted: false for manual reviewSymptom: Not detecting updates from upstream
Solution:
# Clear cache and force refresh
python scripts/monitor_upstream.py --all --no-cache
# Or delete cache files
rm -f /tmp/upstream_cache_*.txt
Symptom: No PRs created at scheduled time
Solution:
.github/workflows/upstream-monitor.ymlBefore adding a new upstream source:
--dry-run firsttrusted: false until proven reliableFor security-critical lists (ransomware, phishing):
trusted: false to always require reviewmax_domains to catch anomaliesdaily or hourly)lists:
ads:
upstream_sources:
- url: "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"
format: adguard
trusted: true
update_frequency: daily
max_domains: 5000
lists:
phishing:
upstream_sources:
- url: "https://example.com/new-phishing-list.txt"
format: domains
trusted: false # Require manual review
update_frequency: daily
max_domains: 500
lists:
malware:
upstream_sources:
- url: "https://urlhaus.abuse.ch/downloads/hostfile/"
format: hosts
trusted: true
update_frequency: daily
- url: "https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-hosts.txt"
format: hosts
trusted: true
update_frequency: daily
- url: "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
format: domains
trusted: false
update_frequency: weekly
max_domains: 1000
config/lists.ymlIf upstream monitoring is not working:
config/lists.yml--dry-runtrusted: false for new sourcesmax_domains limitscache_ttl: 86400)trusted: true immediatelyhourly frequency unless necessary.ip filesHave an idea? Open an issue with the feature-request label!
Last Updated: 2026-07-03
Version: 1.0
Maintainer: Block List Project Team