SURBL Lists

SURBLs contain web sites that appear in unsolicited messages. They can be used with programs that can check message body web sites against SURBLs, such as SpamAssassin 3 and others mentioned on the links page.

Here's an overview of the lists and their data sources.

ABUSE - spam and other abuse sites

From 1 May 2016 the ABUSE list will combine data from the SC, AB, WS and JP lists. Until then some of these sublists will still return separate bitmask values. ABUSE includes malicious sites not specifically listed as phishing (PH), malware (MW) or cracked (CR) sites. It contains mainly general spam sites (pills, dating, etc).

JP - jwSpamSpy + Prolocation sites

Joe Wein's jwSpamSpy program along with systems operated by Raymond Dijkxhoorn and his colleagues at Prolocation provide JP data. The resulting list has a very good detection rate and a very low false positive rate.

WS - sa-blacklist web sites

WS started off with records from Bill Stearns' SpamAssassin ruleset sa-blacklist but nowadays holds data from many different data sources.

SC - SpamCop web sites

SC contains message-body web sites processed from SpamCop URI reports, also known as "spamvertised" web sites. The reports are not used directly, but are subject to extensive processing. Entries in SC expire automatically several days after the SpamCop reports decrease.

Note that this list is not the same as bl.spamcop.net, which is a list of mail sender IP addresses.

AB - AbuseButler web sites

AbuseButler is kindly providing its Spamvertised Sites which have been most often reported over the past 7 days. The philosophy and data processing methods are similar to the SC data, and the results are similar, but not identical. Data sources for AbuseButler include SpamCop and native AbuseButler reporting.

PH - Phishing sites

Phishing data from multiple sources is included in the PH Phishing data source. Phishing data was first provided by MailSecurity, later joined by PhishTank data, OITC phishing data, PhishLabs data and several other sources.

MW - Malware sites

This list contains data from multiple sources that cover sites hosting malware. This includes OITC, The DNS blackhole malicious site data from malwaredomains.com and Malware Domain List. Some cracked hosts are also included in MW since many cracked sites also have malware. Note that the above is only a sampling of many different malware data sources in MW.

CR - Cracked sites

From 1 Feb 2016 this new list will contain data from multiple sources that cover cracked sites. Criminals steal credentials or abuse vulnerabilities in CMS such as Wordpress or Joomla to break into websites and add malicious content. Often cracked pages will redirect to spam sites or to other cracked sites. Cracked sites usually still contain the original legitimate content and may still be mentioned in legitimate emails, besides the malicious pages referenced in spam.

multi.surbl.org - Combined SURBL list

All of the SURBL data sources are combined into a single, bitmasked list: multi.surbl.org. Bitmasking means that there is only one entry per domain name or IP address, but that entry will resolve into an address (DNS A record) whose last octet indicates which lists it belongs to. The bit positions in that last octet for membership in the different lists are:

2 = deprecated (previously SC)
4 = listed on WS (will migrate to ABUSE on 1 May 2016)
8 = listed on PH
16 = listed on MW
32 = deprecated (previously AB)
64 = listed on ABUSE: JP, SC, AB
128 = listed on CR (active from 1 February 2016)

If an entry belongs to just one list it will have an address where the last octet has that value. For example 127.0.0.8 means it's on the phishing list, while 127.0.0.64 means it's listed on the ABUSE list. An entry on multiple lists gets the sum of those list numbers as the last octet, so 127.0.0.68 means a record is on both WS and ABUSE (comes from: 4 + 64 = 68). In this way, membership in multiple lists is encoded into a single response. Octets other than the first and last one are reserved for future use and should be ignored.

We recommend using multi with programs that can decode the responses into specific lists according to bitmasks, such as SpamAssassin 3's urirhssub or SpamCopURI version 0.22 or later for use with SpamAssassin 2.64.

Default TTL for the live data in the multi list is 3 minutes. The multi.surbl.org data is highly dynamic and on average gets updated more than once a minute.

Each entry also has a TXT record mentioning which lists it is on, and pointing to this page. While the TXT records are relatively stable, they are meant for human readers (e.g. in non-delivery messages) and not for parsing by software. We highly recommend that automatic processing be based on the A record only.

More information about how to use SURBL data can be found in the Implementation Guidelines.

Other SURBLs

Other lists and data feeds may become available as future SURBLs. Please check back here occasionally, but be sure to subscribe to the low-volume Announce mailing list for important updates.

List Removal

To request removal from a SURBL list, please start with the the SURBL Lookup page and follow the instructions on the removal form.

For the Phishing PH or Malware MW lists or any cracked (breached) web sites, please be sure to remove and secure all phishing sites, cracked accounts, viruses, malware loaders, trojan horses, unpatched operating systems, insecure PHP boards, insecure Wordpress, insecure Joomla, insecure third party plugins, cracked SQL, insecure ftp passwords, password sniffers, etc., from the site and all computers used to upload content to the web site before contacting us. If you need help, please contact a security expert to do a full security audit on the web site and all computers used to connect to it. Systems that are not properly secured may be broken into again.


lists.html version 2.51 on 2015-12-22

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.

The main data set is available in different formats:

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.

Sign up for SURBL Data Feed Access.

  • Sign up for data feed access

    Direct data feed access offers better filtering performance with fresher data than is available on the public mirrors. Sign up for SURBL Data Feed Access.

  • Applications supporting SURBL

  • Learn about SURBL lists