SURBLs contain web sites that appear in unsolicited messages. They can be used with programs that can check message body web sites against SURBLs, such as SpamAssassin 3 and others mentioned on the links page.
Here's an overview of the lists and their data sources.
- SC - SpamCop web sites
- WS - sa-blacklist web sites
- AB - AbuseButler web sites
- PH - Phishing sites
- MW - Malware sites
- JP - jwSpamSpy + Prolocation sites
- multi.surbl.org - Combined SURBL list
SC contains message-body web sites processed from SpamCop URI reports, also known as "spamvertised" web sites. The reports are not used directly, but are subject to extensive processing. Entries in SC expire automatically several days after the SpamCop reports decrease.
Note that this list is not the same as bl.spamcop.net, which is a list of mail sender IP addresses.
WS has records from Bill Stearns' SpamAssassin ruleset sa-blacklist plus many other data sources. WS and other SURBL lists seem to detect some different types of sites, so they complement each other well.
Advantages of turning SA rulesets into SURBLs
Using SURBLs derived from SpamAssassin rulesets instead of the rulesets offers several advantages. First, there is much less memory usage in SpamAssassin, since a large set of rules is not loaded, instead being cached as DNS data in your local name server. Second, since data in SURBLs are no longer tied to SpamAssassin, they can be used in other programs that can check message body URIs against a list, such as MTA plugins, other mail filters, etc. Third, updates tend to be more timely since a DNSBL can be updated automatically every few minutes with generally low overhead. So applications using SURBLs gain efficiency, modularity, portability, and automatically updated data.
SURBL strongly recommends using SURBLs instead of sa-blacklist as a SpamAssassin ruleset. Anyone using sa-blacklist should migrate to using SURBLs instead. SURBLs are supported in SpamAssassin version 3 and later.
AbuseButler is kindly providing its Spamvertised Sites which have been most often reported over the past 7 days. The philosophy and data processing methods are similar to the SC data, and the results are similar, but not identical. Data sources for AbuseButler include SpamCop and native AbuseButler reporting.
The Anti-Phishing Working Group has a good definition of phishing on their web site. Phishing data from multiple sources are included in the PH Phishing data source. Phishing data were first provided by MailSecurity. As of October 2006, we are including PhishTank data in our phishing list. As of September 2007, we are also listing OITC phishing data. As of November 2012, PhishLabs are very kindly providing phishing data also. This is only a sampling of many data sources used in PH.
As of 1 May 2013 malware data are separated from PH into their own malware list MW. In December 2007, we added The DNS blackhole malicious site data from malwaredomains.com to our malware list. As of April 2008, the list also includes Malware Block List data from malware.com.br. As of June 2009, the malware list includes ZeuS Tracker malware host data. As of October 2009, data from Malware Domain List has been added to the malware list. Some cracked hosts are also included in MW since many cracked sites also have malware. Note that the above is only a sampling of many different malware data sources in MW.
Joe Wein's jwSpamSpy program forms the basis of the JP data, being used both by Joe's own systems and also Raymond Dijkxhoorn and his colleagues at Prolocation. Prolocation is processing more than 300,000 likely unsolicited messages per day using jwSpamSpy plus their own policies and adding them to Joe's data. The resulting list has a very good detection rate around 80% and a very low false positive rate around 0.01%.
All of the SURBL data sources are combined into a single, bitmasked list: multi.surbl.org. Bitmasking means that there is only one entry per domain name or IP address, but that entry will resolve into an address (DNS A record) whose last octet indicates which lists it belongs to. The bit positions in that last octet for membership in the different lists are:
2 = comes from SC
4 = comes from WS
8 = comes from PH
16 = comes from MW
32 = comes from AB
64 = comes from JP
If an entry belongs to just one list it will have an address where the last octet has that value. For example 127.0.0.8 means it comes from the phishing list, while 127.0.0.2 means it's in the data from SC. An entry on multiple lists gets the sum of those list numbers as the last octet, so 127.0.0.6 means a record is on both WS and SC (comes from: 2 + 4 = 6). In this way, membership in multiple lists is encoded into a single response.
We recommend using multi with programs that can decode the responses into specific lists according to bitmasks, such as SpamAssassin 3's urirhssub or SpamCopURI version 0.22 or later for use with SpamAssassin 2.64.
Default TTL for the live data in the multi list is 3 minutes.
Each entry also has a TXT record mentioning which lists it is on, and pointing to this page. While we expect the TXT records to be relatively stable, we recommend that automatic processing be based on the A record only.
More information about how to use SURBL data can be found in the Implementation Guidelines.
Other lists may become available as future SURBLs. Please check back here occasionally, but be sure to subscribe to the low-volume Announce mailing list for important updates.
To request removal from a SURBL list, please start with the the SURBL Lookup page and follow the instructions on the removal form.
For the Phishing PH or Malware MW lists or any cracked (breached) web sites, please be sure to remove and secure all phishing sites, cracked accounts, viruses, malware loaders, trojan horses, unpatched operating systems, insecure PHP boards, insecure Wordpress, insecure Joomla, insecure third party plugins, cracked SQL, insecure ftp passwords, password sniffers, etc., from the site and all computers used to upload content to the web site before contacting us. If you need help, please contact a security expert to do a full security audit on the web site and all computers used to connect to it. Systems that are not properly secured may be broken into again.
lists.html version 2.50 on 10/27/12
SURBL Data Feed Request
SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.
Data feeds are available in three formats:
Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.
For more information, please contact your SURBL reseller or see the references in Links.
Sign up for SURBL Data Feed Access.