MW malware sublist added to multi, replaces OB
May 1, 2013
As announced last October, malware data has been moved from PH to a new list MW, taking the bit of OB, which was deprecated last year. Along with malware data, limited set of cracked hosts also has been moved from PH to MW, in part because cracked sites often have or can have malware on them.
The bitmask bit 16 therefore is no longer used by OB, but is used by MW now. Please update configurations appropriately. For example in SpamAssassin, change:
urirhssub URIBL_OB_SURBL multi.surbl.org. A 16 body URIBL_OB_SURBL eval:check_uridnsbl('URIBL_OB_SURBL') describe URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist tflags URIBL_OB_SURBL net reuse URIBL_OB_SURBL score URIBL_OB_SURBL 0 0.785 0 0.122
urirhssub URIBL_MW_SURBL multi.surbl.org. A 16 body URIBL_MW_SURBL eval:check_uridnsbl('URIBL_MW_SURBL') describe URIBL_MW_SURBL Contains an URL listed in the MW SURBL blocklist tflags URIBL_MW_SURBL net reuse URIBL_MW_SURBL score URIBL_MW_SURBL 0 0.001 0 0.610
Please direct followup discussion to the SURBL Discussion list.
SURBL Data Feed Request
SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.
The main data set is available in different formats:
Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.
For more information, please contact your SURBL reseller or see the references in Links.
Sign up for SURBL Data Feed Access.