DEV.co
Open-Source Security · phishdestroy

destroylist

Destroylist is a real-time, crowd-sourced blocklist of 170k+ phishing and scam domains, available in multiple DNS-compatible formats (hosts, dnsmasq, RPZ, etc.) and via free API. It combines curated primary threats with community submissions, updated hourly to daily, and integrates directly into Pi-hole, AdGuard Home, and other DNS filtering systems.

Source: GitHub — github.com/phishdestroy/destroylist
1.1k
GitHub stars
215
Forks
HTML
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryphishdestroy/destroylist
Ownerphishdestroy
Primary languageHTML
LicenseMIT — OSI-approved
Stars1.1k
Forks215
Open issues6
Latest releasev1.0.0 (2025-11-08)
Last updated2026-07-08
Sourcehttps://github.com/phishdestroy/destroylist

What destroylist is

A GitHub-hosted threat intelligence feed that publishes domain blocklists in JSON, TXT, and DNS-format variants (hosts, dnsmasq, unbound, RPZ), with active DNS verification (24h cadence) and optional HTTP content validation. CI/CD workflows automate list updates, DNS resolution checks, and format generation; served raw via GitHub Pages.

Quickstart

Get the destroylist source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/phishdestroy/destroylist.gitcd destroylist# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

DNS-level phishing & scam blocking

Drop malicious domains before client-side access via Pi-hole, AdGuard Home, or unbound DNS servers using ready-made hosts/dnsmasq/RPZ formats.

Threat intelligence for SIEM/SOC

Ingest JSON feeds into security monitoring stacks to enrich logs, trigger alerts on domain interactions, and build threat dashboards.

Web3/crypto fraud prevention

Use community or primary lists to block known token-drainer contracts, malicious dApps, and phishing landing pages targeting decentralized applications.

Implementation considerations

  • Choose feed variant (primary vs. community, live DNS-verified vs. full list, content-verified vs. DNS-only) based on false-positive tolerance and update latency needs.
  • Monitor update frequency (real-time, 2h, 12h, 24h depending on variant) and rate-limit requests if polling feed directly; consider GitHub raw CDN caching behavior.
  • Plan appeals/remediation workflow for false positives; README references appeals process but implementation details are not fully documented.
  • Validate JSON schema and domain format (FQDN, wildcard handling) before parsing into downstream DNS or security tools.
  • Test allowlist integration (allowlist.json) to suppress known false positives; no API endpoint mentioned for dynamic allowlist queries.

When to avoid it — and what to weigh

  • Require guaranteed SLA or uptime commitment — This is a free, volunteer-maintained GitHub project with no formal availability guarantees or commercial support.
  • Need proprietary whitelisting/tuning for your domain — While an allowlist exists, direct support for custom false-positive handling is not clearly documented; appeals process is basic.
  • Expect localized or industry-specific threat curation — List focuses on global phishing/scam domains; no region, vertical, or sector-specific variants are apparent from data.
  • Require audited data provenance or legal indemnification — Community entries come from 13+ aggregated sources with no formal chain-of-custody, vetting process, or liability structure disclosed.

License & commercial use

MIT License: permits commercial use, modification, and distribution with attribution and no liability. No restrictions on use for paid products or services.

MIT explicitly allows commercial use. However, list data is aggregated from community and third-party sources (13+ providers); verify that you hold rights to redistribute or are compliant with those sources' licenses. No commercial support, warranty, or indemnification provided.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

List curates phishing/scam domains but does not guarantee zero false positives or false negatives. Community aggregation introduces supply-chain risk: verify upstream sources comply with your threat model. No cryptographic signing or integrity verification (DNSSEC-style) of feed data is documented. Consider layering with other threat feeds. Allowlist mechanism exists for remediation but process lacks formality.

Alternatives to consider

Spamhaus DROP / EDROP

Industry-standard botnet/spam blocklists with formal processes, SLA, and commercial support; narrower scope than Destroylist but higher trust.

PhishTank + OpenPhish

Specialized phishing feeds with structured submissions, higher validation bar, and community vetting; larger operator bases but smaller domain counts.

URLhaus / Abuse.ch threat feeds

Malware distribution and phishing URLs with forensic metadata; broader threat coverage but requires parsing/integration effort.

Software development agency

Build on destroylist with DEV.co software developers

Evaluate Destroylist for DNS filtering or SIEM integration. Verify community sources align with your compliance requirements and test false-positive rates in staging before production rollout.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

destroylist FAQ

How often is the list updated?
Update cadence varies by feed: Primary (real-time), Primary Live (24h), Community (2h), Community Live (24h), Primary Content (12h), Community Content (24h). Check the Data Feeds table for your use case.
Can I use this for commercial products?
Yes, MIT license permits commercial use. However, verify compliance with upstream threat sources (13+ community providers) whose licenses may impose restrictions.
What if a domain is incorrectly blocked?
README references an appeals process; exact mechanics are not fully detailed, but false positives can be submitted. Review the allowlist.json for known exceptions.
Is there an API with authentication?
No formal API documented. Data is served as static JSON/TXT files via GitHub raw URLs; no rate-limiting, quotas, or API keys are mentioned.

Software development & web development with DEV.co

From first prototype to production, DEV.co delivers software development services around tools like destroylist. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Need a production-grade threat blocklist?

Evaluate Destroylist for DNS filtering or SIEM integration. Verify community sources align with your compliance requirements and test false-positive rates in staging before production rollout.