SURBL Lists
SURBLs contain web sites which appear in unsolicited messages.
They can be used with programs that can check message body URIs
(web sites mentioned in the message body)
against a list, such as SpamAssassin 3 and the others mentioned on
the links page.
Here's an overview of the lists and their data sources.
sc.surbl.org contains domains and a few web site IP addresses processed from
SpamCop
URI reports, also known as
"spamvertised"
sites.
The reports are not used directly, but are subject to extensive processing.
Entries in sc.surbl.org expire automatically several days after
the SpamCop reports decrease.
Note that this list is not the same as
bl.spamcop.net,
which is a list of mail sender IP addresses found in message headers.
ws.surbl.org has records from Bill Stearns'
former SpamAssassin ruleset
sa-blacklist,
plus some other manual lists. Bill's
policy
for inclusion and cleaning of the sa-blacklist
is quite sound, though it differs somewhat from some of the other
SURBLs.
ws and sc seem to detect somewhat different types of sites,
so by using both lists together
they should complement each other well.
Advantages of turning SA rulesets into SURBLs
Using SURBLs derived from SpamAssassin rulesets
instead of the rulesets offers several advantages.
First, there is less memory usage in SpamAssassin,
since a potentially large set of rules is not loaded,
instead being cached in your local name server.
Second, since data in SURBLs are no longer tied to SpamAssassin,
they can be used in other programs that can check message body URIs against
a list, such as MTA plugins, etc.
Third, updates tend to be more timely since a DNSBL can be updated
automatically in a few minutes with generally low overhead.
So applications using SURBLs gain efficiency,
modularity, portability, and speedy, automatic updates.
SURBL and Bill Stearns strongly recommend using
SURBLs instead of sa-blacklist as a SpamAssassin ruleset.
Anyone using sa-blacklist should migrate to using SURBLs instead.
SURBLs are supported in SpamAssassin version 3 and later.
Outblaze
is kindly providing their internal URI blacklist which
is published as ob.surbl.org. The list is detecting about 70%
of unsolicited messages while triggering about 0.05% false positives.
Outblaze describes the data as
coming from spam trap message body analysis
and from user reports via a "this is spam" button.
SURBL applies additional policies to its version of
the Outblaze URI data that are published as ob.surbl.org.
The user reports are also used, but not directly.
Note that Outblaze's sender IP blacklist, which is visible
on their web site, is not the same as their
URI blacklist.
The SURBL list is based on their separate URI blacklist
which is not visible on their web site.
Please send removal requests for ob.surbl.org to:
postmaster at outblaze dot com.
Be sure to include all of the
list removal information.
AbuseButler
is kindly providing its top 400 or so
Spamvertised Sites
which have been most often reported over the past 7 days.
The philosophy and data processing methods are similar
to the sc.surbl.org data, and the results are similar, but not identical.
Data sources for AbuseButler include SpamCop
and native AbuseButler reporting.
The
Anti-Phishing Working Group
has a good definition of phishing on their web site.
Phishing data from multiple sources are
included in the ph Phishing data source.
It should be useful for identifying phishing messages,
and its use is encouraged.
Unlike other SURBLs, phishing data
includes a few deliberate subdomains, as found in URIs.
(Because SURBL applications are expected to
reduce subdomains to base domains,
an occasional mismatch in domain levels between
data and application should not cause false positives.)
Phishing data
were initially provided by
MailSecurity.
As of November 2004, we have added data from
fraud.rhs.mailpolice.com
into ph.
Thanks to Jay Swackhamer of MailPolice for gathering this data
and making it available to us.
As of mid-2006, we are including phishing data from
Castlecops' PIRT.
As of October 2006, we are also adding
PhishTank data to our phishing list.
As of December 2007, we have added
the DNS blackhole malware, malicious software and phishing site data
from malwaredomains.com to our phishing list.
As of April 2008, the list also includes
Malware Block List
data from malware.com.br.
Joe Wein's
jwSpamSpy
program forms the basis of the JP data;
it is used both by Joe's own systems and by
Raymond Dijkxhoorn and his colleagues at
Prolocation.
Prolocation is processing more than
300,000 likely unsolicited messages per day
using jwSpamSpy plus their own policies and adding them to Joe's data.
The resulting list has a very good detection rate around
80% and a very low false positive rate around 0.01%.
JP is included in the default configuration of SpamAssassin 3.1
and other SURBL applications.
All of the SURBL data sources are combined into
a single, bitmasked list: multi.surbl.org.
Bitmasking means that there is only one entry per domain name
or IP address, but that entry will resolve into an address
(DNS A record)
whose last octet indicates which lists it belongs to.
The bit positions in that octet for the different lists are:
2 = comes from sc.surbl.org
4 = comes from ws.surbl.org
8 = comes from phishing data source (labelled as [ph] in multi)
16 = comes from ob.surbl.org
32 = comes from ab.surbl.org
64 = comes from jp data source (labelled as [jp] in multi)
If an entry belongs to just one list it will
have an address where the last octet has that value, for
example 127.0.0.8 means it comes from the phishing list
and 127.0.0.2 means it's in the data used in sc.surbl.org.
An entry on multiple lists gets the sum of those list numbers
as the last octet, so 127.0.0.6 means a record is on both
ws.surbl.org and sc.surbl.org (comes from: 2 + 4 = 6).
In this way, membership in multiple lists is encoded into a single response.
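As an added example (not SURBL's own code), here is how an application can decode a multi.surbl.org A record into list labels using the bit values above, and reject answers outside 127.0.0.0/8 such as a rewriting DNS service might return; the resolver is replaced by a constructed stub with placeholder domains so it runs offline.

```python
import ipaddress

# Bit positions in the last octet of a multi.surbl.org A record,
# as documented on this page.
MULTI_BITS = {
    2: "sc",   # sc.surbl.org
    4: "ws",   # ws.surbl.org
    8: "ph",   # phishing data source
    16: "ob",  # ob.surbl.org
    32: "ab",  # ab.surbl.org
    64: "jp",  # jp data source
}

def decode_multi_response(addr):
    """Return the list labels encoded in a multi.surbl.org A record.

    Anything outside 127.0.0.0/8 is rejected: a DNS modification service
    or protection proxy that rewrites answers can return such values.
    """
    ip = ipaddress.IPv4Address(addr)
    if ip not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError("not a SURBL response: %s" % addr)
    octet = int(ip) & 0xFF
    lists = [name for bit, name in MULTI_BITS.items() if octet & bit]
    undocumented = octet & ~sum(MULTI_BITS)
    if undocumented:
        # Bits this page does not define; surface them rather than drop them.
        lists.append("unknown:%d" % undocumented)
    return lists

def query_name(base_domain):
    """Query name for a base domain (reduce subdomains before calling)."""
    return base_domain.strip(".").lower() + ".multi.surbl.org"

# Constructed stand-in for resolver answers so this runs offline;
# the domains are placeholders, not real listings.
STUB_ANSWERS = {
    "example.invalid.multi.surbl.org": "127.0.0.6",  # sc + ws
    "phish.invalid.multi.surbl.org": "127.0.0.8",    # ph only
}

def check_domain(base_domain, answers=STUB_ANSWERS):
    """Look up a base domain against the stub and decode the answer."""
    addr = answers.get(query_name(base_domain))
    return decode_multi_response(addr) if addr else []

if __name__ == "__main__":
    for d in ("example.invalid", "phish.invalid", "clean.invalid"):
        print(d, check_domain(d))
```

In a real deployment, replace STUB_ANSWERS with an A-record lookup of query_name() and keep the 127.0.0.0/8 check.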
Please use multi and not the individual lists,
since using multi combines potentially several queries into a single one,
reducing DNS overhead.
The individual lists may be deprecated at some point in future.
Every SURBL application should use multi only.
We recommend using this combined list with programs that can
decode the responses into specific lists, such as SpamAssassin 3's
urirhssub
or
SpamCopURI
version 0.22 or later for use with SpamAssassin 2.64.
Default TTL for the live data in the combined list is 15 minutes.
Each entry also has a TXT record mentioning which lists it is on,
and pointing to this page.
While we expect the TXT records to be relatively stable,
we recommend that automatic processing be based on the A record.
Other lists may become available as future SURBLs.
Please check back here occasionally or on our
Announce mailing list for updates.
All of the data in SURBL lists come from external data sources.
None of the SURBL lists come from data created here,
so, generally speaking, to get a record off a list you should
contact that data source, as described above under each list.
For the Outblaze URI blacklist which feeds
into ob.surbl.org (OB),
please contact: postmaster at outblaze dot com .
(Please do not contact Outblaze for domains that do not appear on
the Outblaze URI blacklist.)
For the ph.surbl.org phishing list (PH), please be sure to remove all
phishing sites, cracked accounts, viruses, malware loaders, trojan
horses, compromised Windows, unpatched Linux, insecure PHP boards,
cracked SQL, etc.,
from your server and secure it before writing.
For SURBL lists other than OB you may send a removal
request to: whitelist at surbl dot org .
When sending a removal request:
- Please check that the domain you are reporting is actually on a SURBL list.
This can be done, for example, by using the SURBL+ checker tool
or with a name resolution.
Note that there is a rare bug with SpamAssassin versions before 3.1
that appears to show list inclusion when none actually exists.
(See SpamAssassin Bugzilla id=3997, and
note that this bug is fixed starting with SpamAssassin version 3.1.)
Note also that some DNS modification services
and spam/phishing protection proxies
may not be compatible with SURBL applications if they change certain responses
to DNS queries.
Please also include:
- The domain name you are reporting. Include the domain name
in the subject of your message.
- The SURBL list it appears on
(Note that multi.surbl.org is not the list. The list will have two letters
like WS or OB.)
- Full and complete contact information for your
organization including street address and telephone numbers
- IP address or network of your outbound mail servers
(usually this is not the same as your web server)
- A typical message advertising your site with
full headers
and full message body including URIs all pasted in as inline plain text
and not an attachment
- A description of your organization or the web site
- Your organization's published mail practices,
especially its published policies
against advertising its web site in unsolicited messages,
regardless of how they are sent or who sends them.
(SURBLs are lists of web sites, not lists of mail senders.)
If your organization does not publish and practice
an anti-spam policy, it should.
Search for "spam policy," and you will find many.
- If any of your affiliates, customers, agents,
partners or third party mailers
advertises your domain in unsolicited messages,
then your domain may be blacklisted.
It is your responsibility to control their use of your domains and sites.
This is confirmed in
FTC enforcement
of the
CAN SPAM
law in the U.S. for example.
- You and your affiliates should follow best current practices for mailing
such as those published by the Canadian Federal Task Force on Spam,
the Messaging Anti-Abuse Working Group (MAAWG) Sender Best Communications Practices,
the LINX Best Current Practice for the running of mailing lists,
or the MAPS Guidelines for proper mailing list management.
A more marketing-oriented site can be found at ClickZ.
Senders who use well-established standard practices
such as these will be considered for removal.
In particular the safest way to use a mailing list is to confirm
all additions, that is, do not send mail to any address that has not positively
confirmed that it wants to get mail from you.
Buying or renting addresses from a third party definitely should be avoided
since it's often difficult to know whether permission has been obtained.
"If organizations have not obtained the express consent of
recipients prior to sending [unsolicited commercial email],
then they are sending spam."
(Canadian Federal Task Force on Spam)
- Please send your request from your organization's domain.
Requests sent from Hotmail, Yahoo, gmail, etc., accounts
may not be considered.
- Please use plain text when writing, not proprietary or
encoded formats like Word, pdf, etc.
Do not send attachments.
- If your domain or IP address is on the
ph.surbl.org phishing list,
it usually means that your web server has been cracked and is hosting a
phishing or malware (virus, trojan horse, worm, etc.) site.
Please remove the phishing or malware site
and secure the server before contacting us. Please note that we
cannot provide security consulting or systems administration.
Please contact a security expert if you need help.
- You are urged in the strongest possible terms to positively
confirm subscriptions as described in the best practices
documents above.
Unconfirmed subscriptions are often abused by third parties
to maliciously add other addresses without their consent or permission.
When this happens your mailing lists are
corrupted with addresses that do not want to get your messages.
Confirmations almost always prevent this common type of abuse.
Please send removal requests to whitelist at surbl dot org .
For sites on the ob.surbl.org list, please send requests
to postmaster at outblaze dot com .