Automated phishing domain detection targeting Bulgarian courier services
Detectopod is an automated threat intelligence system that monitors the web for phishing domains impersonating Bulgarian courier and logistics companies like Econt, Speedy, and BulgariaPost. The system runs continuously via GitHub Actions and maintains a public threat feed.
Detectopod identifies phishing domains that:
- Impersonate Bulgarian courier brands (Econt, Speedy, BulgariaPost, etc.)
- Use suspicious TLDs (.cfd, .tk, .ml, .ga, etc.)
- Deploy on free hosting platforms (Cloudflare Pages, Firebase, Heroku, Netlify, Vercel)
- Exhibit classic phishing patterns (e.g., speedy.bg-pk.cfd, econt-paydelivery.cfd)

Key features:
- Multi-Source Detection: Queries URLScan.io, Google CT logs, and Cloudflare CT logs
- Automated Scanning: Runs hourly via GitHub Actions
- Smart Scoring: ML-enhanced scoring system (0-100) based on domain patterns
- LLM Analysis: Daily AI-powered review using Llama 3.3 70B to reduce false positives
- Public Threat Feed: JSON feed of detected domains updated in real-time
- Zero Infrastructure: Fully serverless using GitHub Actions
Total Domains Detected: 96
Last Scan: 2026-01-29 18:59:28 UTC
Domains Processed: 1,817
Detection Rate: 5.3%
Architecture:

```
┌───────────────────┐
│  URLScan.io API   │──┐
└───────────────────┘  │
                       │
┌───────────────────┐  │     ┌────────────────────┐
│  Google CT Logs   │──┼────▶│   detectopod.py    │
└───────────────────┘  │     │   (Main Scanner)   │
                       │     └────────────────────┘
┌───────────────────┐  │               │
│  Cloudflare CT    │──┘               │
└───────────────────┘                  ▼
                             ┌────────────────────┐
                             │   Scoring Engine   │
                             │  - Keyword match   │
                             │  - Pattern detect  │
                             │  - TLD analysis    │
                             └────────────────────┘
                                       │
                                       ▼
                             ┌────────────────────┐
                             │    LLM Analyzer    │
                             │  (Llama 3.3 70B)   │
                             │  (Claude S. 4.5)   │
                             └────────────────────┘
                                       │
                                       ▼
                             ┌────────────────────┐
                             │    Threat Feed     │
                             │ phishing_feed.json │
                             └────────────────────┘
```
Requirements:
- Python 3.10+
- URLScan.io API key (free tier available)
- OpenRouter API key (for LLM analysis, optional)

Installation:
- Clone the repository

```bash
git clone https://github.com/yourusername/detectopod.git
cd detectopod
```

- Install dependencies

```bash
pip install -r detection/requirements.txt
pip install cryptography  # For CT log support
```

- Set environment variables

```bash
export URLSCAN_API_KEY="your_urlscan_api_key"
export OPENROUTER_API_KEY="your_openrouter_key"  # Optional
```

- Run the scanner

```bash
# Quick scan (URLScan.io only)
python detection/detectopod.py --sources urlscan
# Full scan (all sources)
python detection/detectopod.py --sources urlscan google cloudflare
# Time-limited scan
python detection/detectopod.py --duration 300  # 5 minutes
```
Usage:

```bash
# Scan using URLScan.io only (recommended for quick tests)
python detection/detectopod.py --sources urlscan
# Comprehensive scan using all sources
python detection/detectopod.py --sources urlscan google cloudflare
# Run for specific duration
python detection/detectopod.py --duration 600 --sources urlscan
```

LLM analysis:

```bash
# Analyze last 24 hours of detections
python detection/llm_analyzer.py --days 1 --max-analyze 50
# Analyze with custom threshold
python detection/llm_analyzer.py --min-score 80 --max-analyze 100
```

The threat feed is automatically updated at feed/phishing_feed.json:

```json
[
  {
    "domain": "speedy.bg-pk.cfd",
    "score": 100,
    "detected_at": "2026-01-29T18:11:25.161773",
    "source": "urlscan.io-.cfd"
  }
]
```

Hourly scan workflow:
- Frequency: Every hour
- Sources: URLScan.io + Google CT + Cloudflare CT
- Timeout: 20 minutes
- Auto-commit: Updates feed automatically

Daily LLM analysis workflow:
- Frequency: Daily at 2 AM UTC
- Model: Llama 3.3 70B via OpenRouter
- Purpose: Validate detections and remove false positives
- Max domains: 50 per run
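A consumer of feed/phishing_feed.json should not trust the file blindly: records may repeat, carry an out-of-range score or a malformed domain, or be stale. The following is an added example (not part of the project) that validates each record against the schema of the sample above, keeps the highest-scoring record per domain, drops entries below the documented threshold of 80 or older than a chosen window, and diffs the result against a previous snapshot. The extra records in the sample feed, the previous-snapshot set and the fixed "now" are constructed for the demonstration.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

FEED_PATH = "feed/phishing_feed.json"  # documented feed location
SCORE_THRESHOLD = 80                   # documented feed-inclusion threshold

# Lower-case hostname check: dotted labels of 1-63 chars, alphabetic TLD, <=253 total.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
REQUIRED_KEYS = ("domain", "score", "detected_at", "source")


def parse_timestamp(value: str) -> datetime:
    """Feed timestamps are ISO 8601 without a zone; treat naive values as UTC."""
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def validate_entry(entry: dict) -> list:
    """Return a list of problems; an empty list means the record is usable."""
    problems = [f"missing key '{k}'" for k in REQUIRED_KEYS if k not in entry]
    if problems:
        return problems
    if not DOMAIN_RE.match(str(entry["domain"]).lower()):
        problems.append("domain is not a valid hostname")
    if not isinstance(entry["score"], int) or not 0 <= entry["score"] <= 100:
        problems.append("score must be an integer in 0-100")
    try:
        parse_timestamp(entry["detected_at"])
    except (TypeError, ValueError):
        problems.append("detected_at is not ISO 8601")
    return problems


def load_feed(text: str, min_score: int = SCORE_THRESHOLD,
              max_age: Optional[timedelta] = None, now: Optional[datetime] = None):
    """Parse feed JSON into {domain: entry}, keeping only valid, recent,
    high-scoring records and the highest-scoring record per domain.
    Returns (accepted, rejected); rejected is a list of (entry, reasons)."""
    now = now or datetime.now(timezone.utc)
    accepted, rejected = {}, []
    for entry in json.loads(text):
        problems = validate_entry(entry)
        if not problems:
            if entry["score"] < min_score:
                problems.append(f"score below {min_score}")
            if max_age is not None and now - parse_timestamp(entry["detected_at"]) > max_age:
                problems.append("older than max_age")
        if problems:
            rejected.append((entry, problems))
            continue
        domain = entry["domain"].lower()   # normalise case before de-duplicating
        if domain not in accepted or entry["score"] > accepted[domain]["score"]:
            accepted[domain] = entry
    return accepted, rejected


def new_domains(accepted: dict, previous: set) -> list:
    """Domains present now but absent from an earlier snapshot (for alerting)."""
    return sorted(set(accepted) - {p.lower() for p in previous})


# Constructed sample feed: the README's record plus hand-made records that
# exercise each rejection path. The extra domains are not real detections.
SAMPLE_FEED = json.dumps([
    {"domain": "speedy.bg-pk.cfd", "score": 100,
     "detected_at": "2026-01-29T18:11:25.161773", "source": "urlscan.io-.cfd"},
    {"domain": "Econt-PayDelivery.cfd", "score": 88,        # mixed case, normalised
     "detected_at": "2026-01-29T17:02:00", "source": "constructed"},
    {"domain": "speedy.bg-pk.cfd", "score": 95,             # duplicate, lower score
     "detected_at": "2026-01-28T09:00:00", "source": "constructed"},
    {"domain": "below-threshold-sample.cfd", "score": 62,   # below threshold
     "detected_at": "2026-01-29T10:00:00", "source": "constructed"},
    {"domain": "not a hostname!", "score": 90,              # malformed domain
     "detected_at": "2026-01-29T10:00:00", "source": "constructed"},
    {"domain": "stale-sample.tk", "score": 90,              # too old
     "detected_at": "2025-12-01T00:00:00", "source": "constructed"},
])
NOW = datetime(2026, 1, 29, 19, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def demo():
    accepted, rejected = load_feed(SAMPLE_FEED, max_age=timedelta(days=7), now=NOW)
    fresh = new_domains(accepted, previous={"speedy.bg-pk.cfd"})
    return accepted, rejected, fresh


if __name__ == "__main__":
    accepted, rejected, fresh = demo()
    for d, e in sorted(accepted.items()):
        print(f"BLOCK {d} score={e['score']} detected={e['detected_at']}")
    for e, why in rejected:
        print(f"skip  {e.get('domain')!r}: {', '.join(why)}")
    print("new since last snapshot:", fresh)
```

To run against the real feed, replace SAMPLE_FEED with the contents of FEED_PATH and persist the accepted domain set between runs so that new_domains() reports only additions.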
| Factor | Weight | Example |
|---|---|---|
| Bulgarian courier brand presence | +35 | speedy, econt, bgpost |
| Geographic indicator | +15 | .bg, bulgaria, bg- |
| Suspicious TLD | +30 | .cfd, .tk, .ml |
| Free hosting platform | +25 | .pages.dev, .web.app |
| Brand + Geo + Suspicious TLD | +45 | speedy.bg-pk.cfd |
| Brand + Free hosting | +40 | speedy-37a.pages.dev |
| Multiple hyphens (with brand) | +8 each | speedy-trans-bg |
| Random alphanumeric patterns | +12 | g63829, 37a |
| Phishing keywords | +15 | payment, verify, secure |
Threshold: Domains scoring ≥80 are added to the feed.
Suspicious TLDs:
.cfd, .tk, .ml, .ga, .gq, .cf, .top, .xyz, .club, .online, .site, .space, .click, .link, .live, .icu
Free Hosting:
Firebase (.web.app, .firebaseapp.com), Cloudflare Pages (.pages.dev), Heroku (.herokuapp.com), Netlify (.netlify.app), Vercel (.vercel.app), Render, GitHub Pages, and more.
Primary (Bulgarian couriers):
econt, speedy, bulgariapost, bgpost, samedaybg, boxnowbg, cityexpressbg, expressonebg, dhl
Secondary (generic logistics):
tracking, delivery, shipment, parcel, payment, tax, fee, customer-center
```python
SCORE_THRESHOLD = 80  # Minimum score for feed inclusion
```

Recent scan statistics:
- Domains scanned: ~1,800 per hour
- Processing time: ~18 seconds
- Detection rate: ~5% (96 phishing domains found)
- False positive rate: <10% (with LLM validation)
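The factor table, the indicator lists and the ≥80 threshold above can be read as a small rule engine. The following is an added illustrative re-implementation, not the project's own detection code: the weights and indicator lists are taken from the README, while the concrete rule used for "random alphanumeric pattern", the geographic markers, and the way factors stack before capping at 100 are assumptions made here. The sample domains are the README's own examples plus a legitimate-looking control.

```python
import re

# Indicator lists as documented in the README (free-hosting list is the documented subset).
BRANDS = ("econt", "speedy", "bulgariapost", "bgpost", "samedaybg", "boxnowbg",
          "cityexpressbg", "expressonebg", "dhl")
PHISHING_KEYWORDS = ("tracking", "delivery", "shipment", "parcel", "payment",
                     "tax", "fee", "customer-center", "verify", "secure")
SUSPICIOUS_TLDS = (".cfd", ".tk", ".ml", ".ga", ".gq", ".cf", ".top", ".xyz", ".club",
                   ".online", ".site", ".space", ".click", ".link", ".live", ".icu")
FREE_HOSTING = (".web.app", ".firebaseapp.com", ".pages.dev", ".herokuapp.com",
                ".netlify.app", ".vercel.app")
# Geographic indicators from the table. ".bg" also matches the legitimate .bg ccTLD,
# which is why brand + geo alone (35 + 15 = 50) stays below the threshold.
GEO_MARKERS = (".bg", "bg-", "-bg", "bulgaria")
SCORE_THRESHOLD = 80  # documented feed-inclusion threshold


def _has_random_token(domain: str) -> bool:
    """True if some label fragment mixes letters and digits, e.g. 'g63829' or '37a'.
    This concrete rule is an assumption; the README only names the factor."""
    for token in re.split(r"[.-]", domain):
        if (len(token) >= 3 and any(c.isdigit() for c in token)
                and any(c.isalpha() for c in token)):
            return True
    return False


def score_domain(domain: str):
    """Return (score capped at 100, list of contributing factors with weights)."""
    d = domain.lower().strip().rstrip(".")
    score, reasons = 0, []

    def add(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(f"{why} (+{points})")

    brand = next((b for b in BRANDS if b in d), None)
    geo = any(g in d for g in GEO_MARKERS)
    tld = next((t for t in SUSPICIOUS_TLDS if d.endswith(t)), None)
    host = next((h for h in FREE_HOSTING if d.endswith(h)), None)

    if brand:
        add(35, f"brand '{brand}'")
    if geo:
        add(15, "geographic indicator")
    if tld:
        add(30, f"suspicious TLD '{tld}'")
    if host:
        add(25, f"free hosting '{host}'")
    if brand and geo and tld:
        add(45, "brand + geo + suspicious TLD")
    if brand and host:
        add(40, "brand + free hosting")
    hyphens = d.count("-")
    if brand and hyphens:
        add(8 * hyphens, f"{hyphens} hyphen(s) with brand")
    if _has_random_token(d):
        add(12, "random alphanumeric token")
    if any(k in d for k in PHISHING_KEYWORDS):
        add(15, "phishing keyword")

    return min(score, 100), reasons


def is_feed_candidate(domain: str) -> bool:
    """Apply the documented inclusion threshold."""
    return score_domain(domain)[0] >= SCORE_THRESHOLD


if __name__ == "__main__":
    # README examples plus 'speedy.bg' (brand's own ccTLD) and a neutral control.
    for d in ("speedy.bg-pk.cfd", "speedy-37a.pages.dev", "econt-paydelivery.cfd",
              "speedy.bg", "example.com"):
        s, why = score_domain(d)
        verdict = "FLAG" if s >= SCORE_THRESHOLD else "pass"
        print(f"{d:24} {s:3}  {verdict}  {'; '.join(why)}")
```

Walking the table by hand confirms the feed entry shown earlier: speedy.bg-pk.cfd collects brand (35), geo (15), suspicious TLD (30), the three-way combination (45) and one hyphen (8), which is capped to 100; econt-paydelivery.cfd reaches 88 only because the "delivery" keyword adds 15 on top of brand, TLD and hyphen, so the keyword list matters at the margin.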
Security notes:
- All API keys stored as GitHub Secrets
- No sensitive data in repository
- Read-only feeds (public access)
- Automated threat intelligence sharing
Contributions welcome! Areas for improvement:
- New detection patterns: Suggest additional phishing indicators
- Expanded coverage: Add more courier brands or regions
- Performance optimization: Improve scanning efficiency
- False positive reduction: Enhance scoring algorithms
```bash
# Fork and clone
git clone https://github.com/yourusername/detectopod.git
# Create feature branch
git checkout -b feature/new-detection-pattern
# Make changes and test
python detection/detectopod.py --sources urlscan
# Submit PR
```

License: MIT License - see LICENSE file for details.

Acknowledgments:
- URLScan.io - Primary data source
- Certificate Transparency - CT log infrastructure
- OpenRouter - LLM analysis API
- Bulgarian cybersecurity community

Support:
- Issues: GitHub Issues
- Discussions: GitHub Discussions
This tool is for educational and defensive security purposes only. The threat feed is provided as-is without warranty. Always verify domains before taking action.
Status: 🟢 Active | Last Updated: 2026-01-29 | Version: 1.0