List of malicious domains
23 March 2020 | CERT Polska | #phishing

With the help of telecommunications operators, we are starting a war against phishing sites that target personal data, banking information and social media accounts. In response to the growing number of phishing incidents related to the coronavirus pandemic, we are launching a list of malicious domains targeting Polish users. It will be free to use for everyone. Additionally, operators that are a part of the agreement will block access to websites that have been identified and marked as dangerous.

Phishing websites are a widespread problem affecting many groups of internet users in Poland. Links to them are distributed through various channels such as SMS, email and social media. Such websites are registered in huge numbers, used briefly and then promptly replaced by brand new ones. This is why quick identification, reporting and information sharing are key.

Each website submission will be verified by at least two human operators from the CERT Polska team. In the event of a mistake, the block will be reverted as quickly as possible and the domain removed from the list. We want to emphasise that, as of this moment, the list consists only of domains used for phishing attacks, not for fraud or malware distribution. The primary goal is to share information about malicious websites with all interested entities and to protect Polish users.

Cooperation with telecommunications operators relies on the agreement between the Minister of Digitalization, Director of NASK PIB, President of the Office of Electronic Communications and Orange Polska S.A., Polkomtel Sp. z o.o., P4 Sp. z o.o., T-Mobile Polska S.A. The text of the agreement was published on the website of the Office of Electronic Communications. Participation in the agreement is voluntary, and any party is allowed to terminate the contract at any time.

Reporting malicious websites

Anyone can report a website that tries to steal personal data, account information or banking data using the form on https://incydent.cert.pl/domena#!/lang=en.

Reporting suspicious SMS messages

Suspicious SMS messages can be forwarded to the phone number 8080 using the "forward" or "share" option. The submission will be delivered directly to our analysts, who will decide whether to add it to the list or not. You're allowed to report at most three messages within a 4-hour window. Remember that this number should be used only for reporting messages containing URLs that lead to phishing pages or malicious applications - we don't handle premium SMS messages.

List of malicious domains

The list is available in the following file formats:

Files are updated every 5 minutes. The full API specification can be downloaded from here.

FAQ

Do I have to pay for anything? How can I enable the list on my network?
The list can be used by Internet service providers to protect users that use their network. The provider shouldn't demand any additional charges.

Which operators use the list to block malicious websites?
The providers mentioned in the original agreement are Orange, Polkomtel (Plus), P4 (Play), and T-Mobile. Participation of each operator in the program is voluntary.

How can I check whether my ISP uses the list to block domains?
You can check that by going to a special service designed for that purpose at lista.cert.pl.

Do you plan to censor the Polish Internet?
We only care about protecting Polish users from malicious websites. The list is only a recommendation, and we don't force the providers to use it.

How exactly are reports reviewed, and who decides to block a domain? Who takes responsibility for the incorrect classification?
Each submission will be verified by at least two human operators from the CERT Polska team experienced in identifying malicious websites targeting Polish users. After the domain is added to the list, access is blocked by telecommunications operators on the domain name resolution level. We do not make any changes to the domain registry or contents of the servers hosting malicious websites.

How is the block implemented?
Telecommunications operators change the address of the malicious domain in their DNS cache system. Instead of pointing users to a malicious website, they are redirected to the warning site provided by the particular operator or CERT Polska (which looks like this).

A domain is present on the list, but I can still access it without any warnings. Why?
Because our solution is based on changing the IP address returned by the DNS server, the domain can still be accessible from some devices despite being present on the list.
Possible reasons are as follows:

    • Your internet provider or administrator is not using our list.
    • Your device uses alternative DNS servers (e.g. 8.8.8.8).
    • An old DNS record is still present in a DNS cache.
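The two FAQ answers above describe the mechanism (the resolver answers a listed name with the address of a warning page) and the reasons a listed domain may still resolve normally. The following is an added example, not CERT Polska's code, showing what a small network operator could do with the downloaded list: normalise it into a DNS sinkhole configuration and interpret a resolver's answer in the terms of the FAQ. It assumes a plain one-domain-per-line text format, the unbound resolver's `local-zone` / `local-data` syntax, and a placeholder warning-page address; the list itself is constructed, not real data.

```python
"""Turn a phishing-domain list into a DNS sinkhole configuration.

Added example, not CERT Polska's code. It mirrors the blocking mechanism
described in the FAQ: a resolver answers listed names with the address of
a warning page instead of the real one. Assumptions: the list is plain
text, one domain per line, '#' starts a comment; the resolver is unbound;
the warning-page address is a placeholder from the TEST-NET-1 range.
"""
import ipaddress

# Constructed sample list (not real CERT Polska data).
SAMPLE_LIST = """\
# constructed example list, one domain per line
Bank-Login-Verify.example
parcel-fee-payment.example.
  invalid domain with spaces
bank-login-verify.example
"""

WARNING_PAGE_IP = "192.0.2.10"  # placeholder address of the warning page


def parse_domain_list(text):
    """Return a sorted list of unique, normalised domain names."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = line.lower().rstrip(".")
        # Reject entries that cannot be a hostname: a malformed line must not
        # silently become a zone that makes the resolver fail to load.
        if " " in name or not all(label for label in name.split(".")):
            continue
        domains.add(name)
    return sorted(domains)


def unbound_sinkhole_config(domains, warning_ip=WARNING_PAGE_IP):
    """Emit unbound local-zone/local-data lines redirecting each domain.

    The 'redirect' zone type answers for the name and every label below it,
    so a listed site cannot be reached through an untouched www. or m. name.
    """
    ipaddress.ip_address(warning_ip)  # fail early on a mistyped address
    lines = []
    for d in domains:
        lines.append(f'local-zone: "{d}." redirect')
        lines.append(f'local-data: "{d}. A {warning_ip}"')
    return "\n".join(lines) + "\n"


def classify_answer(answer_ips, warning_ips=(WARNING_PAGE_IP,)):
    """Interpret a resolver's A-record answer for a listed domain.

    Maps the FAQ's caveats onto the observed answer: a warning-page address
    means the block is in effect; anything else means the resolver in use
    does not apply the list or still serves a cached record.
    """
    if not answer_ips:
        return "nxdomain-or-timeout"
    if set(answer_ips) <= set(warning_ips):
        return "blocked"
    return "not-blocked: resolver does not use the list or a cached record survives"


if __name__ == "__main__":
    names = parse_domain_list(SAMPLE_LIST)
    print(unbound_sinkhole_config(names))
    print(classify_answer(["192.0.2.10"]))
    print(classify_answer(["203.0.113.5"]))
```

Feeding the emitted lines to unbound via an `include:` file and reloading every few minutes matches the list's 5-minute update cadence; `classify_answer` is meant to be called with the addresses a client actually received, so a "not-blocked" result on a device pointed at a third-party resolver is exactly the second caveat in the list above.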

I am the owner of a wrongly blocked site (e.g. my website was taken over by criminals). How can I appeal?
Please contact us at [email protected].

How long will it take to consider my appeal and make my website accessible again?
We make our best effort to ensure that the whole process takes as little time as possible. However, it may take some time to restore correct domain name resolution by telecommunications operators.

Can someone (e.g. a rival company) fraudulently submit my domain as malicious?
Each report is verified with the utmost care and caution. There is no need to worry if your website is not used for malicious purposes.

How can I protect my domain from a false takedown?
All submissions are manually analysed and verified by CERT Polska analysts. False submissions will be rejected. If you have any doubts about domains put on the list, please let us know by emailing us at [email protected].

I am the owner of *.pl domain. Will I get notified before my domain appears on the list?
No. The block is performed voluntarily by the operators, not as part of the .pl registry and its terms and conditions.

How often is the malicious domains list updated?
New domains will appear on the list within 5 minutes after being identified as malicious.

Will this solution be used to fight disinformation, fake news or pornography?
No. The list only includes domains that target personal data, banking information and social media accounts.

For how long will a domain be present on the list?
The domain can be removed from the list if the reasons for its presence are no longer valid. If this is the case, telecommunications operators should immediately revoke the block. Operators can also make independent decisions to allow access to the domain despite its presence on the list.

We are a company, and we receive lots of unwanted messages – can we automatically report malicious domains using an API?
No. Please submit pre-verified domains using the form available at https://incydent.cert.pl/phishing.

Is the list permanent? Will it be updated indefinitely?
As of this moment, the agreement with operators assumes cooperation during states of emergency, epidemic or epidemic threats. Participation of operators in the agreement is voluntary, and we do not rule out the possibility of maintaining it in other periods.

How long will it take to verify the website I reported and add it to the list?
We make our best effort to ensure that the whole process takes as little time as possible.

Can I automatically download the list and use it to protect my employees?
Yes, you can.

Is the list used by any public DNS resolvers?
Yes, it is used by Quad9. Keep in mind that any resolver can use the list to protect their users without notifying our team.
