Best Practices Recommended for ESPs

ESPs (Email Service Providers) face a number of difficult challenges. This brief document is meant to offer some positive and effective suggestions, particularly for mitigating data breaches, but also for general email best practices.

What are SURBLs?

SURBLs are lists of web sites that have appeared in unsolicited messages, including phishing and malware sites.

  • http://foo.domain.com/path/file.html - domain.com gets listed
  • http://1.2.3.4/path/path/file.html - 4.3.2.1 gets listed

SURBLs are widely used in mail filters, security applications, etc.

How can ESPs use SURBLs?

Vet Customers

  • Particularly for high-volume, low-price services, SURBL data can help automatically identify potential abusers for human review.

Monitor outflows

  • Monitor outbound mail flows for SURBLed URIs as a security method to detect compromised accounts.
  • Neil Schwartzman and John Levine blog about using SURBL data to mitigate data breaches.
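An added example (not SURBL's own code) of the outbound monitoring described above: it reduces each URI to the key form shown earlier (registered domain, or reversed IPv4 octets) and flags accounts whose mail contains listed keys for human review. The `LISTED` set, account ids, message bodies and the short two-level suffix table are constructed assumptions; a real deployment would check against SURBL data obtained via rsync or DNS.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of multi-label suffixes; real deployments need a full
# public-suffix / two-level-TLD list to find the registered domain.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.br"}
URI_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def lookup_key(uri):
    """Reduce a URI to the form that gets listed: the registered domain for
    hostnames, the reversed octets for IPv4 literals. None if unusable."""
    try:
        host = (urlsplit(uri).hostname or "").rstrip(".").lower()
    except ValueError:          # malformed authority, e.g. unbalanced brackets
        return None
    try:
        octets = str(ipaddress.IPv4Address(host)).split(".")
        return ".".join(reversed(octets))
    except ValueError:
        pass                    # not an IPv4 literal, treat as a hostname
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def flag_accounts(messages, listed):
    """messages: iterable of (account_id, body). Returns a dict mapping each
    account that sent a listed URI to its sorted listed keys, for human review."""
    hits = {}
    for account, body in messages:
        for uri in URI_RE.findall(body):
            key = lookup_key(uri)
            if key in listed:
                hits.setdefault(account, set()).add(key)
    return {account: sorted(keys) for account, keys in hits.items()}

# Constructed data: LISTED stands in for a locally synced SURBL data set.
LISTED = {"domain.com", "4.3.2.1", "example.co.uk"}
SAMPLE = [
    ("acct-17", "Sale! http://foo.domain.com/path/file.html and http://1.2.3.4/path/path/file.html"),
    ("acct-17", "Again: HTTP://FOO.DOMAIN.COM/other"),
    ("acct-42", "Newsletter: https://www.customer.example/news"),
    ("acct-58", "Track: https://cdn.example.co.uk/p?id=1"),
]

if __name__ == "__main__":
    for account, keys in flag_accounts(SAMPLE, LISTED).items():
        print(account, "->", ", ".join(keys))
```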

General Good Practices for ESPs

Messages

  • Have a fully functional and descriptive From: header.
  • Include a link to the customer's own web site.
  • Disallow shortener, forwarder and web search links.
  • Include full customer contact information.

Good practices

  • Use SPF and DKIM appropriately.
  • Use multi-factor authentication for customer and employee access control.
  • Use email authentication and brand monitoring services.

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and the resulting fresher data. Freshness matters because threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and fewer false negatives.

The main data set is available in different formats:

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.

Sign up for SURBL Data Feed Access.
