A PhishDetect Node is a server running a PhishDetect service, offering the web interface and the REST API that PhishDetect clients, such as the browser extension and others, can interact with.
For example, by default the extension is configured to use a PhishDetect Node located at node.phishdetect.io that is operated by the cretors of PhishDetect. However, we encourage the creation of independent Phishdetect Nodes whenever possible.
There are multiple reasons why you would want to setup your own PhishDetect Node.
While there might be several ways for an attacker to identify a PhishDetect Node connecting to the phishing kits (for example by fingerprinting the instrumented headless Google Chrome browser), the most obvious way is by blocklisting the originating IP address. Because the default
node.phishdetect.io is publicly accessible and is not meant to be resistant to fingerprinting, it might be the case that careful attackers might notice it and block it. By running your own PhishDetect Node you will be able to diversify and reduce the risk of getting blocklisted.
If you work for an organization or are part of a group of people who might benefit from using PhishDetect, you might want to run your own Node in order to more directly support your peers and have some visibility over the suspicious links they might receive. Because PhishDetect is free software, you can also modify to better suit yours or your organization's needs and perhaps integrate it in other existing workflows and processes.
A PhishDetect Node can offer a list of hashed known bad indicators, such as bad email addresses and bad domains. These indicators can be used by the clients to monitor and block any known bad content. By running your own PhishDetect Node you will be able to distribute your own private indicators to your users.