News & Notes

How you can help

1. Please report any false positives to us so that we can review and remove them as appropriate. For further list removal information please start with the Lookup page.

2. Use multi.surbl.org instead of individual lists since it reduces the number of DNS queries needed if you're using more than one list. Current versions of SpamAssassin use multi.surbl.org by default, as should all SURBL-compatible applications.

3. If you run a high volume mail server (e.g., processing more than a few hundred thousand messages per day), then please set up rbldnsd, then fill out our Data Feed request form to request access to the SURBL zone files. BIND zone files are also available by rsync. Please see Links for some references and instructions on using rbldnsd and rsync. Please do not use public name servers for processing large volumes of mail. This is true for any DNS blacklists you may be using.

4. If you are using SpamAssassin, please upgrade to version 3.1 or later since it uses SURBLs most correctly. You will often get the best overall performance by running the latest version, which is therefore recommended.

5. Please consider helping to port or write applications such as MTA filters or mail filter plug-ins to use SURBLs. Our Implementation Guidelines provide an overview of the functionality needed. The Links page lists some of the existing applications.

6. If you have any information about ccTLDs that are not in our two-level-tld list, please let us know at our contacts.

News

Internal

• 11/2/2009: SURBL has added a report of Most Abused TLDs. This is a daily count of the TLDs most commonly appearing in SURBL data and is an indication of relative abuse levels. The TLD .cn is disproportionately represented, most likely due to persistent and widespread abuse by the "Canadian Pharmacy" botnet-using spam gang.

• 10/18/09: As of October 2009, data from Malware Domain List has been added to the ph list.

• 6/27/09: As of 27 June 2009, the PH list includes ZeuS Tracker malware host data.

• 6/22/09: As of 22 June 2009, NS records have been removed from the SURBL zone files. This should not affect operators of either public or private DNS mirrors, since the records are not needed in either case. The main impact is that private DNS mirrors no longer need to take the extra step of removing the NS records.

• 3/1/09: As of 1 March 2009, public DNS of individual lists such as sc.surbl.org is disabled. Please use multi.surbl.org instead. multi includes all of the individual lists, so the individual lists are obsolete. SpamAssassin 3.0 and later queries multi by default, so it does not need any changes. If you are using SpamAssassin 2.6, then plesae upgrade to version 3 or later.

• 10/1/08: SURBL rsync access is moving to a Sponsored Data Service in order to keep the project operating and improving. Public DNS service for small to medium sized organizations with fewer than 1,000 users remains free. Please see the Usage Policy for more information.

• 4/6/08: The SURBL phishing list now includes malware site data from malware.com.br.

• 12/5/07: As of December 2007, we have added The DNS blackhole malware, malicious software and phishing site data to our phishing list.

• 10/19/06: As of October 2006, we are adding PhishTank data to our phishing list.

• 2/7/05: We have removed the JP data from WS. If you did not have a separate rule or configuration to use JP before, then please add one. Examples for SpamAssassin are in the Quick Start. (Starting with version 3.1, SpamAssassin has a JP rule included in the default configuration. For SA versions prior to 3.1, please add configurations for JP as described in the Quick Start.)

• 2/7/05: SC and WS zone files have been removed from the SURBL web site per below. Please use invURIBL or another SURBL plug in with Declude instead.

• 1/29/05: SC and WS zone files will be removed from the SURBL web site by 1/7/05. This does not affect DNS operation or most SURBL applications which use it, but it does mean that users of Roger Eriksson's Windows command script with Declude Junkmail should use Invariant Systems invURIBL or similar Windows SURBL plug-ins instead.

• 11/12/04: We have added data from fraud.rhs.mailpolice.com into ph, joining our exiting phishing data from mailsecurity.net.au. This has doubled the size of our phishing list to about 1000 records. Thanks to Jay Swackhamer of MailPolice for gathering this data and making it available to us.

• 9/27/04: A new list jp.surbl.org is now part of multi.surbl.org. With a bitmask value of 64, it exists only as part of the combinded SURBL list multi, not as a standalone list. JP is based on trap data from Joe Wein and from Raymond Dijkxhoorn and his colleagues at Prolocation which are then processed using Joe's jwSpamSpy program. JP has a very good detection rate around 80% and a very low false positive rate below 0.02%. For information about the JP list, please see the Lists section.

• 9/17/04: After trying DNS TTLs at 25, 20 and 15 minutes, it appears that 15 minute TTLs optimizes both name server traffic and the quickness of records being added or deleted from the lists. Therefore we are standardizing on 15 minute TTLs for all SURBLs.

• 8/20/04: As part of our continuing TTL experiment, we have set the TTLs on all lists to 25 minutes. If the resulting DNS traffic does not change much, then we will leave the slower-changing lists at 25 minutes and change SC back to 10 minutes.

• 8/17/04: We are deprecating be.surbl.org, the SURBL list made from a stale snapshot of the BigEvil list before it got ws added into it. BE probably isn't too useful anymore since it's not getting updated, so please change to using ws.surbl.org instead. Eventually we would like to get rid of BE entirely.

• 8/17/04: We are cleaning up some of the redundant zone files in the SURBL rsync server:
  1. surbl.rbldnsd - going away, use sc.surbl.org.rbldnsd instead
  2. *.rbldns - going away when no traffic, use *.rbldnsd instead
  3. surbl.bind - going away, use surbl.org.bind instead
  In all cases the replacement files use the preferred names, already exist, and have identical content. If you are using any of the old names, please change them to the new names.

• 8/11/04: We have lowered the TTLs on SURBL zone files to 1 hour. This includes multi.surbl.org, but does not include sc.surbl.org which already had a 10 minute TTL. This should cause new entries to take effect sooner since the negative caching TTL should also be 1 hour.

• 8/1/04: ws.surbl.org now has some additional data sources including: MailSecurity's SURBL lists.

• 7/1/04: Added a new whitelist source: domains of publically-traded companies listed at dmoz and Google. Each yields lists of about 4300 or so of mostly the same domains which are now excluded from SURBLs. Here are the extracted dmoz and Google public company domain lists.

• 6/30/04: Three new SURBL lists are available: ob.surbl.org, ab.surbl.org, multi.surbl.org. The first two match advertised sites kindly provided by Outblaze and AbuseButler respectively. multi is a bitmask-combined list of all the other SURBL lists, for use with programs that can decode these back into their constiuent lists, such as SpamAssassin 3's urirhssub. More information on these additional lists can be found in the Lists sections.

• 6/29/04: be.surbl.org records are now included in ws.surbl.org, so please use ws.surbl.org instead of be. be is now frozen and the content in it may go away eventually.

• 5/6/04: We are now properly removing any subdomains (third or greater level domains or host names) from generic TLDs. (For example, abc.defxyz.com becomes defxyz.com.) This change may result in slightly better matching on both be and sc lists since the clients are supposed to be doing similar things with domains found in message body URIs. The new-style sed expression doing this on the SURBL side is chop-two-level-domains.sed.

• 5/5/04: We've added some notes about setting up local DNS caching of RBL zone files. Bob Cottrell describes setting up rbldnsd and rsync on top of an existing BIND server. Here are my notes about setting up rbldnsd with BIND under FreeBSD. Rick Macdougall writes up how he set up rbldnsd to run on the same name server as dnscache from djbdns. I've written up how to use rsync with BIND to cache RBL zone files, though rbldnsd is a better solution for many reasons. See also NJABL's tips for running rbldnsd and rsync and a (local copy).

• 5/5/04: Zone file refresh times on ws.surbl.org and be.surbl.org have been lowered from several hours to 20 minutes. TTLs for those zones remain at several hours. This change probably will affect few if any users.

• 4/27/04: sa.surbl.org is gone. Please use ws.surbl.org instead, since it is the new name for the domains from Bill Stearns' sa-blacklist.

• 4/24/04: In order to prevent future confusion, we are changing the names of the rbldnsd zone files from .rbldns to .rbldnsd . If you are using rbldnsd, please update your rsync and cron configs to use the slightly revised .rbldnsd names. For now both old and new names are being served, but we may want to stop providing the deprecated names at some point in future. If you're using the old names, please update to the new ones. We expect the new names to be stable. The changes to the rbldnsd zone file names are:

    sc.surbl.org.rbldns  -->  sc.surbl.org.rbldnsd
    ws.surbl.org.rbldns  -->  ws.surbl.org.rbldnsd
    be.surbl.org.rbldns  -->  be.surbl.org.rbldnsd
  

  (For background, there are two RBL name server programs with similar names but different functionality: rbldnsd and rbldns. Zone files in rbldnsd implement a superset of rbldns, most relevantly for SURBLs in the ability to serve domain names, where rbldns can only serve IP addresses. The two programs are therefore only partially compatible, and similar enough to cause potential confusion. SURBL zone files won't work with rbldns. They do work with rbldnsd.)

• 4/24/04: Zone files now only update when the underlying hosts have changed.

• 4/21/04: BigEvil.cf and MidEvil.cf SpamAssassin rule sets are now available in the form of an SURBL as be.surbl.org. Please see the SURBL Lists section for more detailed information.

• 4/20/04: SURBL testpoints "example.com" have been changed to "surbl-org-permanent-test-point.com" to avoid potential detection on sample URIs.

• 4/20/04: TXT record for sc.surbl.org is changed from: "Message body contains recently and multiply-reported SpamCop spamvertised domain." to: "Message body contains SpamCop spamvertised domain."

  TXT record for ws.surbl.org is changed from: "Message body contains domain in sa-blacklist. See: http://www.stearns.org/sa-blacklist/" to: "Blocked, See: http://www.stearns.org/sa-blacklist/".

• Feedback so far on the effectiveness of SURBL is very positive, with hit rates for sc.surbl.org ranging up to 60% with near-zero False Positives. Some results appear below. With some more tuning we may be able to improve that further.

• As you can see from the SURBL Lists section, there's another SURBL to test with message body URIs with: ws.surbl.org. This new list uses domains from Bill Stearns' sa-blacklist, and is available through DNS and rsync like our original SpamCop-derived sc.surbl.org.

• Raymond Dijkxhoorn has kindly set up an rsync server for the SURBL rbldnsd and BIND zone files. Administrators of high volume mail servers, please fill out our Data Feed request form to request access to our rsync server. Gigabit hosting for the rsync of SURBL zone files is kindly donated by Dutch ISP and large open source mirror MultiKabel N.V.. Thanks Raymond and MultiKabel!

• Raymond has also set up three mailing lists for SURBL users and fans: Announce, Discuss, and Zones for announcements, discussion, and DNS zone and rsync server administrators respectively. We encourage anyone using SURBL or interested in keeping up with SURBL news and announcements to subscribe to the low-volume, read-only Announce list. The Discuss list is a good place to bring up questions or issues related to SURBL.

External

• 7/16/08: MxScan is an anti-spam and anti-virus plugin for the MailEnable Windows mail server. It supports SURBLs via SpamAssassin, uses ClamAV, etc.

• 6/2/08: Endersys' antispam and antivirus gateway SurGATE now has SURBL support.

• 7/24/07: Sunbelt Software adds SURBL support to Ninja Email Security(tm). "Ninja Email Security integrates antispam, antivirus, disclaimers, and attachment filtering with a plug-in architecture for Microsoft Exchange environments."

• 8/29/06: Hexamail adds SURBL support to the latest version of their Windows/Linux server-side spam blocker Hexamail Guard.

• 8/16/06: Jörg Zieren mentions that "Camel's Eye, a GPL'd client-side Java POP3/SMTP proxy, has support for SURBL.

• 8/15/06: Christian Stigen Larsen has written a simple C command line program to query SURBLs. The source is available at http://surblhost.sourceforge.net. surblhost is used by memurl.com to deny redirection services to spammers.

• 8/10/06: Jamie Thom announces a wiki page describing how to setup SpamAssassin with SURBL on Qmail using the Qmail Toaster system.

• 7/22/06: Anthony Howe has upgraded his milters to work with Postfix 2.3 and its new Sendmail 8 milter support. This means that Postfix can now filter based on SURBL hits using milter-link. "Also in this update, milter-link/0.3 has been updated to support aggregate list bit masks and added a new option policy-links."

• 5/1/06: Erik Mugele has added MIME support to his Exim script for checking messages against SURBLs.

• 5/1/06: milter-link for Sendmail "extracts URLs from the message body (text, HTML, and/or MIME encoded)" and checks them against SURBLs, or after domain resolution against RBLs. Written in C, milter-link does on-the-fly MIME decoding without using temporary files.

• 4/18/06: MEFilter, a bolt-on for the MailEnable mail server, adds beta SURBL support. Test results are very favorable.

• 4/17/06: milter-uri.pl is a basic Sendmail milter written in Perl using Sendmail::PMilter and SpamAssassin libraries. It uses the 20_uri_tests.cf rules file to strip the URI's from a message, so it is relatively light.

• 3/20/06: Kaspersky Anti-Spam adds SURBL support starting with Open Beta 3.0. Operates as a standalone filter or with sendmail, qmail, CommuniGate Pro, Postfix or Exim.

• 2/3/06: FirstClass, a messaging and groupware system for schools and businesses, adds SURBL support starting with version 8.1.

• 11/18/05: Eric Hammond says that his Notlong.com redirection service "has been protected by SURBL since July 2004."

• 11/17/05: Kevin Gilbertson reports that he has been using SURBLs for "about a year now" to protect his popular redirection site TinyURL.com from abuse by spammers and phishers.

• 9/14/05: SpamAssassin 3.1 is released with default support for all current SURBLs, including JP. (For SA versions prior to 3.1, please add configurations for JP as described in the Quick Start.)

• 6/8/05: GWAVA version 3.5 adds SURBL support to the GroupWise MTA under Novell Netware.

• 5/15/05: LogSat's SPAMFilter ISP spam and virus mail filtering service now has SURBL support.

• 4/30/05: Erik Mugele has updated his Exim perl script that does SURBL checking to add local whitelisting. (First linked 11/7/04.)

• 2/20/06: Erik has updated the Exim SURBL code to be more efficient, doing fewer queries, faster performance, etc. Please use the updated version at the new link above.

• 3/29/05: Vamsoft's ORF Enterprise Edition adds SURBL suppport to Windows 2000 and 2003 versions of Exchange and IIS SMTP Service (IIS 5 or 6).

• 3/28/05: GFI MailEssentials adds SURBL support to Exchange, Lotus Notes and other popular SMTP/POP3 servers.

• 3/6/05: SpamCopURI version 0.24 has been released with improved URI detection, added redirector sites, revised conf file, etc.

• 3/5/05: Jeremy Andrews has added SURBL support to Drupal CMS, a web Content Management System which allows users to publish web content, organize discussion communities, run blogs, collaborate on projects, etc. Here is his announcement.

• 2/12/05: SpamPal, a client-side filter, now has SURBL support via Alain de Camps' version of the URLBody plugin.

• 1/18/05: Yasu is an open source Win32 or Windows 2000 program to check URIs against SURBLs in Clearswift Mailsweeper. It should be usable with other (Windows) mail systems that can run external scripts and interpret return codes.

• 12/31/04: Invariant Systems has written a Windows URI extraction tool invURIBL which can check message body URIs against SURBLs. It can be used standalone or as plugin to any Windows mail server that can call an external application and process the return code. For example, it is finding use with Declude for Imail.

• 12/28/04: MailMarshal SMTP and Exchange protect enterprise mail against viruses and spam and now support SURBL. (Here's their Knowledge Base article about using SURBLs.)

• 12/3/04: Pieter Droogendijk has written qmail and qmail-ldap patches to use SURBLs.

• 11/15/04: ALOAHA is a transparent SMTP Proxy for Windows which now supports SURBLs.

• 9/25/04: Yves Junqueira's Suri does SURBL checks on mail stored in files. It's a general-purpose program usable with amavisd and others.

• 9/12/04: NEMX adds SURBL support to their Power Tools for Exchange Server spam and virus filter.

• 9/10/04: Martijn Jongen has added SURBL support to ORFilter, a free-ware Exchange plug in. It works with SMTP server, Exchange Server 2000 and 2003 under Windows 2000, 2003, XP.

• 9/3/04: Trash Finder is a plugin for the free IMS mail server on Windows. The subscription version of Trash Finder now supports SURBLs.

• 9/1/04: Bob Apthorpe has written an open source Posix text filter that calls SpamAssassin. Called babycart, it is useful as a general spam check on arbitrary text for example from a wiki or blog. It can be used with SURBLs, RBLs or any other SpamAssassin rules.

• 8/19/04: ASTPS adds SURBL support to Clearswift MAILsweeper, NetIQ Mailmarshal, and other Windows mail scanners. "ASTPS is an Anti Spam Tool which can be used as a plug-in for Clearswift MAILsweeper, NetIQ Mailmarshal and any other scanner platform running on Windows 2000/XP/2003 which supports external programs."

• 8/18/04: Red Earth Software has added SURBL support to version 3.5 of their Policy Patrol commercial anti-spam add-on for Exchange. Here's the press release about it.

• 8/18/04: STAT Communications has added open-source SURBL support to their antispam filter set for the freeware Windows mail server Mercury/32. Their STAT AntiSpam rule set is an open-source, perl-based anti-spam system for use with Pegasus Mail's Mercury/32.

• 8/12/04: Paul Robichaux mentions SURBLs in his winnetmag.com article SURBLs: The Upside of Sharing Spam.

• 8/6/04: SpamCopURI version 0.22 has support for the Combined SURBL list: multi.surbl.org.

• 7/23/04: SnipURL is now using SURBLs to deny abusers access to their URL shortening and redirection service.

• 4/30/04: Ask Bjørn Hansen of develooper.com is using SURBL data to block spammer domains in the Metamark Shorten™ Service URI shortening and redirection service. This is the first use of SURBL data to prevent abuse of a redirection site that we've heard of! Great going! Ask explains his motivation as: "I mostly did it to make it less likely that I'll have to deal with abusers of the service manually. Hopefully the other redirection services will realize that benefit soon as well."

• 4/25/04: Roger Eriksson has created a Windows command script to check SUBRL domains against message bodies in Declude Junkmail. He reports that it is catching 70-75% of spam that his server receives. Declude is an add-on to the Windows mail server Ipswitch IMail.

• Frank Ellermann's rxwhois.cmd is an OS/2 'REXX script whois client with options to query abuse.net, some RBLs, rfc-ignorant.org zones, and similar command line tasks for anti-spam purposes, because OS/2 has no "rblcheck" and no whois client if perl isn't installed.'

• Charles Solomon has successfully installed SURBL support via SpamCopURI and SpamAssassin 2.63 and has it up and running in his Win32 environment. He has kindly documented the procedure (original location) for everyone interested. Charles adds: 'My instructions are written from the point of view of a "Guinevere" (www.beginfinite.com) user and are written for users of Guinevere. However, I expect steps 1-7 to work on just about any Win32 implementation of SA (on ActivePerl 5.6.1).' Please see the document itself for the full details.

• Devin Carraway has written a plugin for the Perl-based MTA qpsmtpd to compare domains from message body URIs to SURBL domain lists. Here's his announcement on perl.qpsmtpd, and a link to his uribl plugin. Congratulations to Devin on the first MTA use of SURBL we've heard about.

• 4/12/04: SURBL gets mentioned on Slashdot thusly:

  Glamdrlng writes "The SURBL, or "Spam URI Realtime Blocklist", represents a nexus of RBL's and content filtering that may bring us one step closer to a spam magic bullet. While traditional RBL's perform a DNS lookup on the connecting mail server, SURBL's take this a step further by parsing the text of the email looking for URI's and doing a lookup on those web servers...."

  Some of the resulting comments seemed to indicate an appreciation of the idea, while others were perhaps somewhat underinformed. On the other hand, some people "got it" pretty strongly. Regardless, the publicity gave the project a definite boost.

• Please see the Links page for more programs using SURBLs.

Update on using URIDNSBL with SURBL

'The current SVN trunk now contains URIBL support for RHSBL lookups using the 'urirhsbl' command:

urirhsbl NAME_OF_RULE rhsbl_zone lookuptype

Specify a RHSBL-style domain lookup. "NAME_OF_RULE" is the name of the rule to be used, "rhsbl_zone" is the zone to look up domain names in, and "lookuptype" is the type of lookup (TXT or A). Note that you must also define a header-eval rule calling "check_uridnsbl" to use this.

An RHSBL zone is one where the domain name is looked up, as a string; e.g. a URI using the domain "foo.com" will cause a lookup of "foo.com.uriblzone.net". Note that hostnames are stripped from the domain used in the URIBL lookup, so the domain "foo.bar.com" will look up "bar.com.uriblzone.net", and "foo.bar.co.uk" will look up "bar.co.uk.uriblzone.net".'

urirhsbl	URIBL_SC_SURBL	sc.surbl.org.	A
header		URIBL_SC_SURBL	eval:check_uridnsbl('URIBL_SC_SURBL')
describe	URIBL_SC_SURBL	Contains a URL listed in the SC SURBL blocklist
tflags		URIBL_SC_SURBL	net

SpamAssassin Corpus Test Results

1. Here are some test results from Daniel Quinlan on 6 April 2004 showing a 60% spam hit rate on some four-day recent spams and 0% false positives on ten months' worth of ham (non-spam messages):

   "Justin added a 'urirhsbl' test to the URIBL module, so I retested on my last 4 days of spam (the ham here ranges from 0 to 10 months old) using SURBL and it exceeded my highest expectations.

     OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
        6491     1497     4994    0.231   0.00    0.00  (all messages)
     100.000  23.0627  76.9373    0.231   0.00    0.00  (all messages as %)
      13.804  59.8530   0.0000    1.000   1.00    0.01  T_URIBL_SC_SURBL
      14.374  61.5230   0.2403    0.996   0.99    1.00  URIBL_SBL
       0.277   0.8016   0.1201    0.870   0.55    1.00  URIBL_DSBL
   

   I went ahead and promoted T_URIBL_SC_SURBL to URIBL_SC_SURBL"

   Where T_URIBL_SC_SURBL above refers to sc.surbl.org; URIBL_SBL presumably refers to sbl.spamhaus.org (a more conventional numeric RBL); URIBL_DSBL probably refers to a dsbl.org RBL.

2. Here are results on additional lists from Justin Mason on 25 June 2004:

   OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
    121405    22516    98889    0.185   0.00    0.00  (all messages)
   100.000  18.5462  81.4538    0.185   0.00    0.00  (all messages as %)
    13.453  70.3766   0.4925    0.993   1.00    1.00  SURBL_WS
     3.807  20.3811   0.0334    0.998   0.50    1.00  SURBL_SC
     2.650  14.2565   0.0071    1.000   0.50    1.00  SURBL_AB
     0.019   0.0933   0.0020    0.979   0.50    1.00  SURBL_PH
    12.624  67.6275   0.1001    0.999   0.50    1.00  SURBL_OB
   

   Note that the spam detection rates for the relatively fast-moving AB and SC lists tend to be much higher when the corpus is constrained to their respective time windows of 7 days and 3 days ago. 60% detection rates have been seen for them in actual production systems.

3. As of 15 September 2005, the default scores for SpamAssassin 3.1.x SURBL rules are commensurately high for SC, JP and AB:

   score URIBL_AB_SURBL 0 3.306 0 3.812
   score URIBL_JP_SURBL 0 3.360 0 4.087
   score URIBL_OB_SURBL 0 2.617 0 3.008
   score URIBL_PH_SURBL 0 2.240 0 2.800
   score URIBL_SC_SURBL 0 3.600 0 4.498
   score URIBL_WS_SURBL 0 1.533 0 2.140
   

4. Here are results of the 6 May 2006 SpamAssassin mass checks:

     SPAM%     HAM%     S/O    RANK   SCORE  NAME
    181939    52229    0.777   0.00    0.00  (all messages)
   77.6959  22.3041    0.777   0.00    0.00  (all messages as %)
   28.8009   0.0000    1.000   1.00    0.00  URIBL_SC_SURBL
   34.2378   0.0134    1.000   1.00    0.00  URIBL_WS_SURBL
   31.9854   0.0115    1.000   1.00    0.00  URIBL_JP_SURBL
   15.9889   0.0000    1.000   0.98    0.00  URIBL_AB_SURBL
   29.9463   0.0479    0.998   0.96    0.00  URIBL_OB_SURBL
    0.3028   0.0038    0.988   0.67    0.00  URIBL_PH_SURBL
   19.7803   0.0383    0.998   0.95    0.00  URIBL_SBL
   38.1606   0.2585    0.993   0.85    0.00  URIBL_BLACK
    0.0264   0.0000    1.000   0.50    0.00  URIBL_RED
    0.4353   0.7946    0.354   0.45    0.00  URIBL_GREY
   

   Of particular relevance are the low false positives of some of the SURBL lists such as SC, AB and PH as shown in the low HAM% numbers. (Note that PH is important to use and score highly in order to detect phishes. It doesn't detect a large percentage of spams, but it likely detects many phishes.) The last three rules use uribl.com lists.

   Note that the SC and JP rules are the highest-ranked (best-performing) of all SpamAssassin rules.

5. The SpamAssassin Rule QA site has current (weekly) scores of rule hits on spam and ham corpora. Spam hits are good, but ham hits are very bad. The goal is to maximize the former while minimizing the latter. Ham hits make a given rule much less useful so it's arguably most important to minimize those as a first priority.

   Here's a snapshot as of 2 June 2008:

     SPAM%    HAM%   S/O%   RANK   SCORE   NAME
   52.3073  0.0103  1.000   1.00    0.00   URIBL_SC_SURBL
   45.3383  0.0159  1.000   0.99    0.00   URIBL_AB_SURBL
   69.8813  0.0286  1.000   0.99    0.00   URIBL_JP_SURBL
   34.9355  0.0404  0.999   0.96    0.00   URIBL_WS_SURBL
    1.4461  0.0024  0.998   0.92 	 0.00   URIBL_PH_SURBL
   54.2485  0.1110  0.998   0.90    0.00   URIBL_OB_SURBL
   

Some SpamCopURI + SURBL results

rule                    spam hitrate
BAYES_99                0.91598
DCC_CHECK               0.61738
RAZOR2_CHECK            0.45551
SPAMCOP_URI_RBL         0.37685
RCVD_IN_BL_SPAMCOP_NET  0.36902
RCVD_IN_SORBS           0.30930
1 or more BIGEVIL       0.28707
RCVD_IN_SPAMHAUS_XBL    0.25700
RCVD_IN_DSBL            0.20964
RCVD_IN_DYNABLOCK       0.19646
RCVD_IN_NJABL           0.16928
RCVD_IN_SBL             0.16310