Building a Resilient Domain Whitelist to Enhance Phishing Blacklist Accuracy.

Jan Bayer, Sourena Maroofi, Olivier Hureau, Andrzej Duda, Maciej Korczynski

APWG Symposium on Electronic Crime Research (2023)

Abstract
Phishing attacks constitute a significant threat to Internet users. One strategy for mitigating this threat involves the use of blocklists by Internet Service Providers (ISPs), companies, and organizations to block potentially malicious traffic. Phishing blocklists offer protection by continuously publishing a multitude of malicious URLs. However, community-supported and automated methods for constructing these blocklists may occasionally result in false positives, erroneously flagging benign domains or URLs as malicious. This paper addresses the challenge of reducing false positives in blocklists by proposing a robust scheme for constructing a domain whitelist containing domain names that are highly unlikely to be involved in malicious activities. We mitigate the risk of false negatives, referring to instances where malicious domains or URLs are inaccurately labeled as benign within the whitelist. Our approach is grounded on two key principles: i) the selection of meticulously curated seed domain names encompassing high-profile domains and ii) a careful procedure for validating disputed and defensively registered domains, ensuring their inclusion in the whitelist meets rigorous criteria. The scheme uses four methods for including a domain in the whitelist based on several publicly available data sources: i) reports published by approved dispute resolution service providers, ii) the information on shared in-bailiwick name servers, iii) the domain name WHOIS information, and iv) the information in TLS certificates. We evaluate the quality of our scheme by applying the constructed whitelist to various blocklists to detect false positives.
Keywords
phishing, whitelist, blocklist, DNS