Best Practices Recommended for ESPs
ESPs (Email Service Providers) face a number of difficult challenges. This brief document is meant to offer some positive and effective suggestions, particularly for mitigating data breaches, but also for general email best practices.
What are SURBLs?
SURBLs are lists of web sites (domains and IP addresses) that appear in unsolicited messages, including phishing and malware messages. A URI found in a message body is reduced to its registered domain, or to the bare IP address if there is no domain, and that is what gets listed:
- http://foo.domain.com/path/file.html - domain.com gets listed
- http://22.214.171.124/path/path/file.html - 22.214.171.124 gets listed (a bare IP address is listed as-is, not reduced further)
SURBLs are widely used in mail filters, security applications, etc.
How can ESPs use SURBLs?
- Particularly for high-volume, low-price services, SURBL data can help automatically identify potential abusers for human review.
- Monitor outbound mail flows for SURBLed URIs as a security method to detect compromised accounts.
- Neil Schwartzman and John Levine blog about using SURBL data to mitigate data breaches.
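Putting the two points above together (what a SURBL keys on, and scanning outbound mail for listed URIs), here is an added example in Python that is not part of this page or of SURBL's own tooling. It extracts URI hosts from a message, reduces each to the SURBL key (registered domain, or a bare IP), builds the DNS query name for the combined multi.surbl.org zone, and decodes the 127.0.0.X answer bitmask. The zone name and bit values reflect SURBL's published encoding as the editor knows it and are marked in the code as an assumption to verify against surbl.org; the two-label suffix set, the sample message and the canned DNS answers are constructed for the example.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Zone and bitmask encoding of the combined SURBL list as published by
# surbl.org; treated as an assumption here, verify against current SURBL docs.
SURBL_ZONE = "multi.surbl.org"
SURBL_BITS = {8: "PH", 16: "MW", 64: "ABUSE", 128: "CR"}

# Illustrative, non-exhaustive set of two-label public suffixes (assumption);
# production code should use the full public suffix list.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Host part of http(s) URIs (user@ prefixes and ports are not handled).
URI_RE = re.compile(r"https?://([^\s/?#:]+)", re.IGNORECASE)


def extract_hosts(text: str) -> List[str]:
    """Return the host part of every http(s) URI found in text."""
    return [m.group(1).rstrip(".").lower() for m in URI_RE.finditer(text)]


def surbl_key(host: str) -> Optional[str]:
    """Reduce a URI host to what SURBL lists: a bare IP as-is, otherwise
    the registered domain (foo.domain.com -> domain.com)."""
    try:
        ipaddress.IPv4Address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return None  # a bare label is not a listable domain
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def query_name(key: str) -> str:
    """Build the DNS name to look up: reversed octets for IPs, domain as-is."""
    try:
        ipaddress.IPv4Address(key)
        key = ".".join(reversed(key.split(".")))
    except ValueError:
        pass
    return f"{key}.{SURBL_ZONE}"


def decode_bits(addr: str) -> List[str]:
    """Translate a 127.0.0.X answer into the names of the lists that matched."""
    last = int(addr.split(".")[-1])
    return [name for bit, name in SURBL_BITS.items() if last & bit]


def dns_resolver(name: str) -> Optional[str]:
    """Real resolver: NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def scan_message(text: str,
                 resolve: Callable[[str], Optional[str]] = dns_resolver
                 ) -> Dict[str, List[str]]:
    """Map each listed SURBL key in an outbound message to the lists it is on."""
    hits: Dict[str, List[str]] = {}
    seen = set()
    for host in extract_hosts(text):
        key = surbl_key(host)
        if key is None or key in seen:
            continue
        seen.add(key)
        answer = resolve(query_name(key))
        if answer is not None:
            hits[key] = decode_bits(answer)
    return hits


# Constructed outbound message (192.0.2.1 is a documentation address).
SAMPLE_OUTBOUND = """Subject: Your account statement
Hi, view it at http://foo.domain.com/path/file.html
or the mirror http://192.0.2.1/path/path/file.html
Unsubscribe: https://www.example.com/report
"""

# Constructed DNS answers standing in for the live zone; 24 = PH + MW.
FAKE_ANSWERS = {
    "domain.com.multi.surbl.org": "127.0.0.24",
    "1.2.0.192.multi.surbl.org": "127.0.0.64",
}


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for dns_resolver used by the sample run."""
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for key, lists in scan_message(SAMPLE_OUTBOUND, fake_resolver).items():
        print(f"{key}: listed on {', '.join(lists)}")
```

Pass `dns_resolver` (the default) to query the public zone for a low-volume check; an ESP monitoring its whole outbound flow should instead load the rsync data feed locally, as the Data Feed section below notes, rather than sending a DNS query per URI.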
General Good Practices for ESPs
- Have a fully-functional and descriptive From: address.
- Include a link to the customer's own web site.
- Disallow URL shortener, redirector/forwarder and web search result links, since they hide the real destination from recipients and filters alike.
- Include full customer contact information.
- Use SPF and DKIM appropriately.
- Use multi-factor authentication for customer and employee access control.
- Use email authentication and brand monitoring services.
SURBL Data Feed Request
SURBL Data Feeds offer higher performance for professional users through faster updates and therefore fresher data. Freshness matters because threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates, that is, fewer false negatives.
The main data set is available in different formats: rsync, DNS and RPZ.
Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.
For more information, please contact your SURBL reseller or see the references in Links.
Sign up for SURBL Data Feed Access.