Add Botvrij.eu domain blocklist source

Downloads the Botvrij.eu public IOC domain list (no API key required), caches it in-process with a 6h TTL, and flags any registered domain that appears directly or as a parent of a feed entry.
2026-05-15 18:56:05 +08:00 · 2026-05-15 18:56:05 +08:00 · 9916ab0732
commit 9916ab0732
parent 6b1d2e2540
3 changed files with 286 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -17,6 +17,7 @@ widely-used reputation systems.
 | abuse.ch URLhaus      | HTTPS lookup    | free Auth-Key (admin) | user (default on) |
 | abuse.ch ThreatFox    | HTTPS lookup    | free Auth-Key (admin) | user (default on) |
 | abuse.ch MalwareBazaar| HTTPS lookup    | free Auth-Key (admin) | user (default on) |
+| Botvrij.eu            | downloaded list | no             | user (default on) |
 | VirusTotal v3         | HTTPS lookup    | yes (admin)    | admin |

 ### Obtaining API keys
--- a/checker/botvrij.go
+++ b/checker/botvrij.go
@ -0,0 +1,191 @@
+package checker
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+const (
+	botvrijFeedURL     = "https://www.botvrij.eu/data/ioclist.domain.simple"
+	botvrijDefaultTTL  = 6 * time.Hour
+	botvrijFailBackoff = 1 * time.Minute
+)
+
+func init() {
+	Register(&botvrijSource{
+		cache: newBotvrijCache(botvrijFeedURL),
+	})
+}
+
+type botvrijSource struct {
+	cache *botvrijCache
+}
+
+func (*botvrijSource) ID() string   { return "botvrij" }
+func (*botvrijSource) Name() string { return "Botvrij.eu domain blocklist" }
+
+func (*botvrijSource) Options() SourceOptions {
+	return SourceOptions{
+		User: []sdk.CheckerOptionField{
+			{
+				Id:          "enable_botvrij",
+				Type:        "bool",
+				Label:       "Use Botvrij.eu domain blocklist",
+				Description: "Download the Botvrij.eu public domain blocklist (refreshed every 6h) and check the domain against it.",
+				Default:     true,
+			},
+		},
+	}
+}
+
+func (s *botvrijSource) Query(ctx context.Context, domain, registered string, opts sdk.CheckerOptions) []SourceResult {
+	if !sdk.GetBoolOption(opts, "enable_botvrij", true) || registered == "" {
+		return disabledResult(s.ID(), s.Name())
+	}
+
+	matched, size, fetched, err := s.cache.lookup(ctx, registered)
+	res := SourceResult{
+		SourceID: s.ID(), SourceName: s.Name(), Enabled: true,
+		Reference: "https://botvrij.eu/",
+		Details:   mustJSON(map[string]any{"feed_size": size, "fetched_at": fetched}),
+	}
+	if err != nil {
+		res.Error = err.Error()
+	}
+	if len(matched) > 0 {
+		res.Reasons = []string{"Malicious domain"}
+		for _, d := range matched {
+			res.Evidence = append(res.Evidence, Evidence{Label: "Domain", Value: d})
+		}
+	}
+	return []SourceResult{res}
+}
+
+func (*botvrijSource) Evaluate(r SourceResult) (bool, string) {
+	return evidenceEval(r, SeverityCrit)
+}
+
+func (*botvrijSource) Diagnose(res SourceResult) Diagnosis {
+	domains := make([]string, 0, len(res.Evidence))
+	for _, e := range res.Evidence {
+		domains = append(domains, e.Value)
+	}
+	previewN := min(len(domains), 5)
+	return Diagnosis{
+		Severity: SeverityCrit,
+		Title:    "Listed in the Botvrij.eu domain blocklist",
+		Detail: fmt.Sprintf(
+			"%d domain(s) matching this registered domain appear in the Botvrij.eu IOC list; examples: %s. Botvrij.eu tracks domains associated with malware C2, exploit kits, and other malicious infrastructure. Investigate recent DNS changes and hosted content.",
+			len(domains), joinNonEmpty(domains[:previewN], ", "),
+		),
+		Fix:      "https://botvrij.eu/",
+		FixIsURL: true,
+	}
+}
+
+// ---------- cache ----------
+
+type botvrijCache struct {
+	mu            sync.Mutex
+	domains       []string            // all domains in feed
+	byDomain      map[string]struct{} // set for O(1) exact-match test
+	fetchedAt     time.Time
+	lastAttemptAt time.Time
+	refreshing    bool
+	ttl           time.Duration
+	failBackoff   time.Duration
+	feedURL       string
+}
+
+func newBotvrijCache(feedURL string) *botvrijCache {
+	return &botvrijCache{
+		ttl:         botvrijDefaultTTL,
+		failBackoff: botvrijFailBackoff,
+		feedURL:     feedURL,
+	}
+}
+
+func (c *botvrijCache) lookup(ctx context.Context, registered string) (matched []string, size int, fetchedAt time.Time, err error) {
+	registered = strings.ToLower(strings.TrimSuffix(registered, "."))
+
+	c.mu.Lock()
+	stale := c.byDomain == nil || time.Since(c.fetchedAt) > c.ttl
+	doRefresh := stale && !c.refreshing && time.Since(c.lastAttemptAt) > c.failBackoff
+	if doRefresh {
+		c.refreshing = true
+	}
+	c.mu.Unlock()
+
+	if doRefresh {
+		newDomains, newByDomain, ferr := c.fetch(ctx)
+		c.mu.Lock()
+		c.refreshing = false
+		c.lastAttemptAt = time.Now()
+		if ferr == nil {
+			c.domains = newDomains
+			c.byDomain = newByDomain
+			c.fetchedAt = c.lastAttemptAt
+		} else {
+			err = ferr
+		}
+		c.mu.Unlock()
+	}
+
+	c.mu.Lock()
+	suffix := "." + registered
+	for d := range c.byDomain {
+		if d == registered || strings.HasSuffix(d, suffix) {
+			matched = append(matched, d)
+		}
+	}
+	size = len(c.domains)
+	fetchedAt = c.fetchedAt
+	c.mu.Unlock()
+	return matched, size, fetchedAt, err
+}
+
+func (c *botvrijCache) fetch(ctx context.Context) ([]string, map[string]struct{}, error) {
+	reqCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(reqCtx, http.MethodGet, c.feedURL, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	req.Header.Set("User-Agent", "happydomain-checker-blacklist/1.0")
+
+	resp, err := sharedHTTPClient.Do(req)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, nil, fmt.Errorf("botvrij HTTP %d", resp.StatusCode)
+	}
+
+	domains := make([]string, 0, 4096)
+	byDomain := make(map[string]struct{}, 4096)
+	scanner := bufio.NewScanner(io.LimitReader(resp.Body, 16<<20))
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+		d := strings.ToLower(line)
+		domains = append(domains, d)
+		byDomain[d] = struct{}{}
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, nil, err
+	}
+	return domains, byDomain, nil
+}
--- a/checker/botvrij_test.go
+++ b/checker/botvrij_test.go
@ -0,0 +1,94 @@
+package checker
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	sdk "git.happydns.org/checker-sdk-go/checker"
+)
+
+const botvrijFakeFeed = `# Botvrij.eu IOC list - domains
+# comment line
+evil.com
+malware.example.org
+c2.badactor.net
+`
+
+func TestBotvrijSource_Listed_ExactMatch(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		_, _ = w.Write([]byte(botvrijFakeFeed))
+	}))
+	defer srv.Close()
+
+	s := &botvrijSource{cache: newBotvrijCache(srv.URL)}
+	r := s.Query(context.Background(), "evil.com", "evil.com", sdk.CheckerOptions{"enable_botvrij": true})[0]
+
+	if !r.Enabled || r.Error != "" {
+		t.Fatalf("expected enabled and no error, got %+v", r)
+	}
+	if len(r.Evidence) != 1 || r.Evidence[0].Value != "evil.com" {
+		t.Errorf("expected evidence [evil.com], got %+v", r.Evidence)
+	}
+	if listed, sev := s.Evaluate(r); !listed || sev != SeverityCrit {
+		t.Errorf("expected (true, crit), got (%v, %q)", listed, sev)
+	}
+}
+
+func TestBotvrijSource_Listed_SubdomainInFeed(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		_, _ = w.Write([]byte(botvrijFakeFeed))
+	}))
+	defer srv.Close()
+
+	// Feed has "malware.example.org"; querying registered "example.org" should match.
+	s := &botvrijSource{cache: newBotvrijCache(srv.URL)}
+	r := s.Query(context.Background(), "sub.example.org", "example.org", sdk.CheckerOptions{"enable_botvrij": true})[0]
+
+	if len(r.Evidence) != 1 || r.Evidence[0].Value != "malware.example.org" {
+		t.Errorf("expected subdomain match, got %+v", r.Evidence)
+	}
+	if listed, _ := s.Evaluate(r); !listed {
+		t.Error("expected listed=true")
+	}
+}
+
+func TestBotvrijSource_NotListed(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		_, _ = w.Write([]byte(botvrijFakeFeed))
+	}))
+	defer srv.Close()
+
+	s := &botvrijSource{cache: newBotvrijCache(srv.URL)}
+	r := s.Query(context.Background(), "safe.com", "safe.com", sdk.CheckerOptions{"enable_botvrij": true})[0]
+
+	if !r.Enabled || r.Error != "" || len(r.Evidence) != 0 {
+		t.Fatalf("expected clean result, got %+v", r)
+	}
+	if listed, _ := s.Evaluate(r); listed {
+		t.Error("expected listed=false")
+	}
+}
+
+func TestBotvrijSource_Disabled(t *testing.T) {
+	s := &botvrijSource{cache: newBotvrijCache("http://nope")}
+	r := s.Query(context.Background(), "evil.com", "evil.com", sdk.CheckerOptions{"enable_botvrij": false})[0]
+	if r.Enabled {
+		t.Errorf("expected disabled, got %+v", r)
+	}
+}
+
+func TestBotvrijSource_HTTPError(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusInternalServerError)
+	}))
+	defer srv.Close()
+
+	s := &botvrijSource{cache: newBotvrijCache(srv.URL)}
+	r := s.Query(context.Background(), "evil.com", "evil.com", sdk.CheckerOptions{"enable_botvrij": true})[0]
+
+	if r.Error == "" || r.Error != "botvrij HTTP 500" {
+		t.Errorf("expected HTTP 500 error, got %q", r.Error)
+	}
+}